Introduction
Single Sign-On (SSO) lets your users sign in to Yousign using your company identity provider. Access is faster and more secure, and you can centralize access control, reduce password management, and align with your organization’s security policies.
SSO subscription
To use SSO, your organization must have the SSO add-on activated. If you haven’t subscribed yet, contact your account representative to enable SSO.
You must be on a PRO or SCALE plan to activate the SSO Add-on.
Once the add-on is activated on your account, the Owner and Account Administrators will receive an email to complete the SSO configuration.
SSO configuration
Follow these steps carefully to configure SSO successfully:
Go to Access security settings
Add and verify your domains
Configure your identity provider (IdP)
Test SSO
Activate SSO for your organization
You must be an Owner or Admin to configure SSO.
1. Access security settings
Once the SSO add-on is activated, go to:
Settings > Access security > Single Sign-On (SSO)
2. Add and verify domains
Tip: Add all corporate domains used by your users’ email addresses to ensure a consistent login experience.
Click Manage domains in SSO settings.
Click Add new domain and enter the domain (e.g., yourcompany.com). Repeat for each domain you want to include.
Copy the TXT record and add it to your DNS provider to verify domain ownership.
Click Verify for each domain after the TXT record is added.
Please note: DNS propagation can take up to 24–48 hours, depending on your provider.
Domain verification statuses:
Status | Meaning | Next steps |
Pending | Domain verification is not yet complete | Complete steps 3 and 4 |
In review | Potential conflict with another organization using this domain | Yousign support will contact you. You can continue steps 3–4 while review is ongoing |
Verified | Domain successfully verified | Proceed to configure your Identity Provider |
At least one domain must be verified before you can configure your Identity Provider.
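When Verify keeps failing, the checks the FAQ lists under "Cannot verify domain?" (record name, value, extra spaces or quotes, propagation) can be run against the raw answers of a TXT lookup. This is an added example, not Yousign code: the verification value, the record name, the sample answers and the helpers `txt_value`, `diagnose` and `run_samples` are constructed for illustration, and a two-label zone such as yourcompany.com is assumed.

```python
import re

# Constructed placeholder: copy the real TXT value from Manage domains.
EXPECTED = "example-verification=PLACEHOLDER123"

def txt_value(rdata):
    """Decode one TXT answer as printed by `dig +short TXT <name>`."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not chunks:  # some tools print the value unquoted
        return rdata
    # Long values are printed as several quoted chunks: join and unescape them.
    return "".join(re.sub(r"\\(.)", r"\1", c) for c in chunks)

def diagnose(name, expected, lookups):
    """Return (status, hint); `lookups` maps record name -> raw TXT answers."""
    name = name.rstrip(".").lower()
    zone = ".".join(name.split(".")[-2:])  # assumes a two-label zone
    values = [txt_value(a) for a in lookups.get(name, [])]
    if expected in values:
        return "ok", "record matches; click Verify again"
    for v in values:
        if v.strip() == expected:
            return "whitespace", "remove spaces around the value"
        if v.strip().strip("\"'").strip() == expected:
            return "quotes", "value was saved with literal quote characters"
    doubled = f"{name}.{zone}"  # DNS consoles that append the zone themselves
    if expected in [txt_value(a) for a in lookups.get(doubled, [])]:
        return "wrong-name", f"record lives at {doubled}; drop the zone suffix"
    if values:
        return "mismatch", "TXT records exist but none carries the value"
    return "missing", "no TXT record yet; check the name or wait for propagation"

# Constructed lookup results, keyed by the failure each one reproduces.
SAMPLES = {
    "correct": {"yourcompany.com": ['"v=spf1 -all"', f'"{EXPECTED}"']},
    "trailing space": {"yourcompany.com": [f'"{EXPECTED} "']},
    "pasted quotes": {"yourcompany.com": [f'"\\"{EXPECTED}\\""']},
    "zone twice": {"yourcompany.com.yourcompany.com": [f'"{EXPECTED}"']},
    "not propagated": {},
}

def run_samples():
    return {k: diagnose("yourcompany.com", EXPECTED, v)[0] for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, status in run_samples().items():
        print(f"{label:15} -> {status}")
```

To use it on a real domain, fill `lookups` with the output of `dig +short TXT <name>` for the record name and for the doubled name.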
3. Configure your Identity Provider (IdP)
Click Configure SSO and read the introduction before starting with your provider.
Select your IdP:
Follow the step-by-step instructions for your provider. You’ll need to configure both Yousign and your IdP.
4. Test the SSO connection
We strongly recommend completing this test, as it can identify critical configuration issues before activation.
Click Test SSO on the Yousign SSO configuration page.
Authenticate using your IdP as a test user.
Review the results. If issues are reported, resolve them and retest.
Troubleshooting:
"Unable to verify the certificate": occurs with Custom SAML auto-configuration.
Solution:
Check the certificate and issue a new one if needed.
Switch to Manual configuration.
Upload only the .PEM certificate (not full metadata).
Retest.
5. Activate SSO for your organization
Click Enable connection to activate SSO for your verified domains.
Users automatically receive an email with login instructions. Notify users beforehand for smooth adoption.
If issues arise, contact Yousign support.
SSO editing and deactivation
Edit SSO configuration or update certificate
Check certificate expiration in SSO settings.
Upload the updated configuration before expiry to prevent disruptions.
You will be warned 30 days before certificate expiration so you have time to plan the configuration update.
Always use Test SSO after changes (certificate rotation, claim updates).
Deactivate SSO
Go to Settings > Organization settings > Access Security > Single Sign-On (SSO).
Click Deactivate SSO.
Confirm the action.
Users will revert to email/password login until SSO is re-enabled.
Get help
Contact your account representative at any time if you have questions or need guidance during setup.
FAQ
Which identity providers are supported?
Any OIDC provider (Google, Okta, Entra ID) or SAML provider via Custom SAML.
Who can configure SSO?
Organization Owners and Admins.
What if SSO goes down?
Owners and Admins can still sign in with email/password. Communicate to users and re-enable SSO once your IdP is back.
Cannot verify domain?
Check TXT record name/value, extra spaces/quotes, DNS propagation. Then click Verify again.
SSO test fails – common causes?
NameID/email claim mismatch, outdated certificate or metadata, misconfigured ACS URL/Entity ID. Update and retest.
Can I add multiple domains?
Up to 20 domains. Contact your account representative for more.
Can a domain be used in multiple Yousign orgs?
No. Coordinate if subsidiaries share a domain.
Do users have to use SSO?
Yes, for verified domains.













