Introduction
Requirements:
You'll need admin access to the GetAccept entity and your Microsoft Entra ID environment to set up SSO.
When you integrate GetAccept with Microsoft Entra ID, you can:
Control who has access to GetAccept from your Active Directory.
Enable users to be automatically signed in to GetAccept with their Microsoft account belonging to the Active Directory.
Manage your accounts in one central location - the Microsoft Entra ID portal.
Before setting up the integration it is good to understand:
Each GetAccept entity requires a unique Enterprise application in your Microsoft Entra ID environment. A GetAccept entity can only communicate with one application at a time.
The login page app.getaccept.com does not support SSO on its own; additional domain name configuration is required. Read more about it in Step 10.
To short-link directly to the SSO login, you can either use the unique SAML login URL presented in the SAML Authorization modal, https://app.getaccept.com/auth/saml/{entityId}/sso, or the Enterprise application you've created for the Apps Dashboard, also known as My Apps.
SSO is not supported with the use of subdomains, for example, yourdomain.getaccept.com, because the Microsoft endpoint expects the SAML requests to come from app.getaccept.com.
For SCIM Provisioning with Microsoft Entra ID, please read this help article.
How To Setup SAML
Step 1: Adding GetAccept to your Enterprise applications
Sign in to the Microsoft Entra ID portal using either a work or school account or a personal Microsoft account.
On the left navigation panel, select the service Microsoft Entra ID.
Select Enterprise applications and click New application at the top.
Click Create your own application at the top.
In the field "What's the name of your app?", enter GetAccept, or GetAccept [Entity Name] if you have multiple entities, which makes it easier to keep track of them in your Enterprise applications list.
Select the option Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
Step 2: Prepare GetAccept SAML Configuration
Navigate to the SAML configuration in GetAccept.
Log in to GetAccept.
Go to Settings.
Select Integrations.
Look for Provisioning and SSO.
Click the Settings button on the SAML Authentication connector.
Keep this browser tab open for easy access to settings in later steps.
Make sure that you are logged in to GetAccept using app.getaccept.com and not a subdomain, for example, companyx.getaccept.com
Step 3: Configure Entra ID SSO
Follow these steps to enable SAML in the Microsoft Entra ID portal.
Go to Enterprise applications and select the "GetAccept" application you've created.
Find the Manage section and select Single sign-on.
On the Select a single sign-on method page, select SAML.
Click Edit (pencil icon) on Basic SAML Configuration to edit the settings.
Copy and paste the values from the SAML Authentication modal in GetAccept, the one you opened in Step 2, and follow the mapping below.
Click Save at the top and choose to validate later.
Step 4: Configure GetAccept SSO
Important note: Before connecting SAML in GetAccept, we recommend opening a new app.getaccept.com session in incognito mode. You can use that tab to test the connection at the end of this guide. That way, you can easily disconnect the SAML connector if you run into any error codes when testing.
Where to apply SAML
GetAccept platform
This will apply the SAML connection to our Core App only.
API or integration
This will apply the SAML connection both on our external API, integrations and our Core App.
Enable SAML for all entities
If you have an organisation, meaning you have sub-entities under this master entity, and you check this box, the connection will apply to the whole organisation.
After saving the Basic SAML Configuration, you should return to the Single sign-on page in your application. We recommend hard refreshing the page before continuing further in the guide.
Next, you'll have to save the Certificate (Base64). Look for SAML Certificates, click the Download button next to Certificate (Base64), and open the downloaded certificate file in a text editor.
Copy the Base64 file content and paste it into the GetAccept SAML modal under Public X.509 Certificate. ⚠️ Make sure that the certificate starts with MIIC8. If it doesn't, hard refresh the page and try to download it again.
Lastly, copy and paste the rest of the fields from the last step in your application's Single sign-on configuration into the GetAccept SAML modal. The step is called Set up GetAccept; follow the mapping below.
Once you have added all of the values in the GetAccept SAML modal, click the Save button in GetAccept and make sure the integration says Connected 🎉
Step 5: Create User Roles and Assign Users
The next step is also a preparation for the SCIM Provisioning setup.
In the Microsoft Entra ID portal, go to Enterprise applications, and select the "GetAccept" application you've created in previous steps.
Look for the Manage section on the left menu and select Users and groups.
Click Application Registration.
Now it's time to create or modify the current appRoles of the application you've created. Ensure that you have 3 appRoles in the application: one each for administrators, managers, and users. Here are the roles you need in the application:
Display name: User
Description: Users can create, send, and view documents
Allowed member types: Users/Groups
Value: user
Display name: Manager
Description: Managers can manage teams and their documents
Allowed member types: Users/Groups
Value: manager
Display name: Administrator
Description: Administrators can manage entity settings and users
Allowed member types: Users/Groups
Value: admin
Once the roles are created, you can go back to Users and groups, add yourself with the appRole Administrator, and proceed with the guide.
Step 6: Validate and Save
Verify that your Microsoft Entra ID Active Directory users match the GetAccept user's email address. By default, GetAccept uses user.mail as the identifier for SSO. You can modify additional Attributes & Claims if needed; for that, we recommend turning to Microsoft help articles.
To test and validate the SAML configuration, go to the application you've created, look for Manage on the left side, and select Single sign-on.
Click the Test button at the bottom of the page.
A new modal will appear on the right-hand side, click the Test sign in button to initiate the test on the current user.
Another tab should open in a few seconds. Log in with your Microsoft account and verify that you're logged in as the correct user on the correct entity at GetAccept in your upper right corner. If everything is working, then you're done with the SAML configuration for now 🎉
If you are running into an error, check the error message in the "Resolving errors" dialogue and take a closer look at the Troubleshoot section below. We also recommend double-checking the guide in case a step was missed or if an error was made.
Step 7: Add the GetAccept Logo
We recommend that you enable the application to all users and also upload the GetAccept logo.
Download the GetAccept logo below by right-clicking and saving the logo.
In the app's overview page, find the Manage section and select Properties.
Upload the PNG file under Logo.
Click Save at the top.
Step 8: Test SSO
We also recommend testing and verifying that your SSO works with the incognito session mentioned in Step 4. That way, you can remove the SAML Authentication in GetAccept if you run into any errors. Also read the Troubleshooting section below if you run into any error messages.
You can also test your Microsoft Entra ID Single sign-on configuration using the Apps Dashboard, also known as My Apps. When you click the GetAccept tile in your Apps Dashboard, you'll be automatically signed in to the GetAccept entity for which you have set up the SSO.
For more information about My Apps, visit their support article Sign in and start apps from the My Apps portal.
Step 9: [Optional] Redirect to a specific page after SSO
If you want to redirect a user to a specific page or document behind a secure login you can use a custom "go" parameter in the SSO URL. This is powerful if you use an external system to generate the document and receive the sent document URL or document URL for editing before sending it out.
Example of how to redirect and open a document for editing before sending:
In the GetAccept integration settings page, you can find the entity-specific Login URL. Combine this login URL with the document URL you want to redirect the user to:
https://app.getaccept.com/auth/saml/abcd1234/sso?go=/document/edit/xyz1234abc
This will create an SSO request for the entity abcd1234, authenticating and logging in the user, then redirecting the user to edit the document xyz1234abc.
Step 10: [Optional] Sign in with SSO on app.getaccept.com
You can set up domain name-based authorization on the login page app.getaccept.com. This will act as a bridge between the login page, your entity, and its SAML configuration. If you want to utilize app.getaccept.com as the main login page for your users, you can add a unique domain name to your entity.
If you have multiple entities, you can have one unique domain name per entity, for example, domain1.com on one entity and domain2.com on the other. This will connect you to the entity in question and route to the unique SAML configuration of the application you've created and connected to GetAccept.
You can also use a master entity where all of your GetAccept user accounts exist; this will be your main SSO controller entity. If your domain is mydomain.com, and you've created an Enterprise application in Microsoft Entra ID with the Single sign-on connected to the entity, all of your users would successfully log in with mydomain.com specified in the Sign in with SSO option on the login page. They can easily switch entities in GetAccept once they are logged in.
The configuration of the domain name is quite simple:
Log in to GetAccept.
Go to Settings.
Select Entity information.
Add your unique domain in the Domain name field.
You can now use the domain, for example, mydomain.com as the identifier on app.getaccept.com when selecting Sign in with SSO.
Once you click Log in, we'll connect to the entity with a matching domain name you've entered, and then we'll route the SAML request to your Microsoft Entra ID endpoint. The action is similar to using your unique SAML login URL or clicking the GetAccept application you've created in MyApps.
Troubleshooting
Authentication Error / WindowsIntegrated
For the error AADSTS750:
AADSTS750: Authentication method “WindowsIntegrated, MultiFactor” by which the user authenticated with the service doesn’t match requested authentication method “Password, ProtectedTransport”
or AADSTS75011:
AADSTS75011: Authentication method “X509, MultiFactor” by which the user authenticated with the service doesn’t match requested authentication method “Password, ProtectedTransport”. Contact GetAccept application owner.
We have seen that omitting the RequestedAuthnContext value in the request is a workable solution. You can change this by specifying the following attribute in your GetAccept SAML configuration under Optional Attributes (JSON):
{
"authnContextClassRef": false
}
Log in to GetAccept.
Go to Settings.
Select Integrations.
Look for Provisioning and SSO.
Click the Settings button on the SAML Authentication connector.
Add the attribute above under Optional Attributes (JSON).
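To confirm whether a sign-in request still carries a RequestedAuthnContext, you can decode the SAMLRequest parameter from the redirect URL seen in the browser. The following is an added example, not GetAccept or Microsoft code; the function names, the idp.example and sp.example hosts, and the two sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def requested_authn_context(redirect_url):
    """Return the AuthnContextClassRef values carried by a Redirect-binding SAMLRequest."""
    query = parse_qs(urlsplit(redirect_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # Redirect binding: raw DEFLATE, no zlib header
    root = ET.fromstring(xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [(ref.text or "").strip() for ref in refs]

def _redirect_url(authn_request_xml):
    # Builds a constructed redirect URL (hypothetical IdP host) for the samples below.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return "https://idp.example/saml2?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode()})

# Constructed AuthnRequests, not captured from GetAccept.
_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
            'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Issuer>https://sp.example/metadata.xml</saml:Issuer>'
            '{context}</samlp:AuthnRequest>')
_CONTEXT = ('<samlp:RequestedAuthnContext Comparison="exact"><saml:AuthnContextClassRef>'
            'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
            '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>')
WITH_CONTEXT = _redirect_url(_REQUEST.format(context=_CONTEXT, **NS))
WITHOUT_CONTEXT = _redirect_url(_REQUEST.format(context="", **NS))

if __name__ == "__main__":
    print(requested_authn_context(WITH_CONTEXT))
    print(requested_authn_context(WITHOUT_CONTEXT))
```

An empty list means the request no longer asks for a specific authentication method, so the identity provider decides how the user authenticates.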
Signature Validation Failed
For the error:
"Signature validation failed. SAML Response rejected"
This means that the signature validation process failed. In this case, the X.509 certificate added to the GetAccept SAML connector is incorrect.
Make sure that it contains the BEGIN CERTIFICATE and END CERTIFICATE tags. If you copy and paste the certificate using for instance the chat in Microsoft Teams, it might remove some of the dashes. Please make sure that there are 5 dashes before and after the BEGIN CERTIFICATE and END CERTIFICATE, for example:
-----BEGIN CERTIFICATE-----
MIIC8/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
[truncated]
VW3N0PYgJtw5yBsS74QTGD4=
-----END CERTIFICATE-----
We have seen unique cases where the certificate generated in the Microsoft Entra ID application was incorrect, thus being rejected when redirecting to your endpoint. You have to make sure that the certificate starts with MIIC8; in Step 4 we recommended hard refreshing the page before downloading the certificate. Try to download the Certificate (Base64) again within the Single sign-on under the SAML Certificates section of your application and verify that it starts with MIIC8. We recommend turning to Microsoft forums if unresolved.
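The checks described in this section can be run on the pasted text before saving it in the GetAccept SAML modal. The following is an added example, not GetAccept or Microsoft code; the function name check_pasted_certificate is hypothetical, and the sample is constructed placeholder data shaped like a certificate, not a real one.

```python
import base64
import re
import textwrap

ARMOR = re.compile(r"^(-*)(BEGIN|END) CERTIFICATE(-*)$")

def check_pasted_certificate(text, expected_prefix="MIIC8"):
    """Return a list of problems found in a pasted Certificate (Base64) value."""
    problems = []
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["expected BEGIN line, Base64 body and END line"]
    for line, kind in ((lines[0], "BEGIN"), (lines[-1], "END")):
        m = ARMOR.match(line)
        if not m or m.group(2) != kind:
            problems.append(f"{kind} CERTIFICATE tag is missing")
        elif (len(m.group(1)), len(m.group(3))) != (5, 5):
            problems.append(f"{kind} tag needs 5 dashes on each side, found "
                            f"{len(m.group(1))} and {len(m.group(3))}")
    body = "".join(lines[1:-1])
    if not body.startswith(expected_prefix):
        problems.append(f"body does not start with {expected_prefix}")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + ["body is not valid Base64 (altered or cut-off paste?)"]
    # A certificate is a DER SEQUENCE: tag 0x30, then a length that must
    # account for every remaining byte. A paste with lines missing fails here.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        problems.append("decoded data is not a DER SEQUENCE with a 2-byte length")
    elif int.from_bytes(der[2:4], "big") != len(der) - 4:
        problems.append("DER length does not match the data (truncated paste?)")
    return problems

# Constructed sample: 756 placeholder bytes with a DER SEQUENCE header.
_der = bytes([0x30, 0x82, 0x02, 0xF0]) + bytes(752)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_der).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_pasted_certificate(SAMPLE_PEM))                        # intact paste
    print(check_pasted_certificate(SAMPLE_PEM.replace("-----", "---")))  # dashes lost
```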
Application not found in directory
For the error AADSTS700016:
AADSTS700016: Application with identifier
'https://companyx.getaccept.com/auth/saml/xyz123/metadata.xml'
was not found in the directory 'xxxx'
This means that the Microsoft Entra ID application has been set up using incorrect URLs for the application. Note that it shouldn't be set up while logged in to GetAccept using a subdomain. Make sure that you are logged into https://app.getaccept.com, go to Settings, Integrations, Provisioning and SSO, and SAML Authentication, and make sure to copy the correct values to the Azure application configuration. You can take a closer look at Step 3 in the configuration guide.
For the error AADSTS50105:
AADSTS50105: Your administrator has configured the application GetAccept ('c1ad664b-207f-4ac8-9e43-871d2b121178') to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'name@domain.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
This means that the user doesn't have access to your application. Make sure that the user or group is listed as a member in Users and groups with the correct role assigned. We have also seen cases where either:
For the error AADSTS750054:
AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.
This could occur when you are signing out and have added a URL for the field Logout Post URL / SLO Endpoint (Optional). This is the logout URL you add to ensure that users are also logged out of Microsoft when you choose to log out of GetAccept.
Ensure that you have added the correct URL and also check if there is a need for additional configuration in your Microsoft environment.
Need help?
We are here to help you if you get stuck at any step in setting up the integration.
Use the chat icon to the right to start a conversation with our support team or send an email to support@getaccept.com 🧡