How do I enable Single Sign-On (SSO) for my company?

Plan Availability:
  • Personal
  • Small Biz
  • Enterprise

First, you must have this feature enabled in your account. Please contact your sales rep.

1. Here are the instructions for Creation Authoring Tool SSO (scroll below for Wrap Viewer SSO for your internal end-users):

Feature:  Authoring Single Sign On (SSO) 

Description

Wrap supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider rather than obtaining and using a separate username and password handled by Wrap.

Under the SSO setup, Wrap can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

 

Use Cases this enables

  • Allow companies to authenticate using their IDP instead of Wrap-provided login credentials
  • Easily revoke access for users who are no longer with the organization

 

Setup instructions

You can set up SSO for Wrap using the following simple steps. 

 

  • Configure Wrap as a Service Provider in your IDP - Log in to your IDP and set up the following information:
    • Wrap Entity ID - unique string to identify Wrap as the SP
      • https://sso.wrap.co/api/saml/authoring/metadata
    • Wrap Assertion Consumer Service URL – URL to which the IDP will post back the SAML response
    • Custom Attributes - wrap.co uses the following custom attributes, which must be configured by the IDP. They are detailed in the SAML metadata available at https://wrapi.wrap.co/api/saml/metadata
      • name = joe smith
      • first_name = joe
      • last_name = smith
      • email = joe@company.com
      • external_id = 1234 (id used by the IDP to uniquely identify a user)
    • Session Expiration - The IDP can also configure the SessionNotOnOrAfter attribute within the saml:AuthnStatement. wrap.co uses this attribute to maintain sessions. If this attribute is not configured, we default to 7 days.

 

  • Enabling SAML SSO in your Wrap account
    • Log in to your Wrap domain as a super-admin and go to Account & Settings → Account Info.
    • Click on the Enable button under AUTHORING (SSO) and enter the required fields -
      • Issuer URL: Type the Identity Provider's URL.
      • x.509 Certificate: Copy the x.509 certificate contents from your IDP and paste them in the text area.
      • Remote sign-in URL: Fill in the IDP URL endpoint. This is the URL to which Wrap will redirect your users for signing in.
      • Remote sign-out URL: Fill in the remote sign-out URL of your IDP. This is the URL to which Wrap will redirect your users when they sign out.
    • Once you have all the information, click on the SAVE button to activate SSO for your account.

 

 

 

  • User Provisioning
    • Once authenticated, users will then be authorized against the list of users in the Wrap account based on the email. The number of users is limited by the number of Wrap seats.
    • To add someone to your Wrap account, log in to your Wrap domain as a super-admin and go to Account & Settings → Account Info → My Team
    • Click on ‘Manage’ next to the Team Name to which you want to add the new user, and enter the email of the user you want to invite.
    • After confirming the role, click on Invite to add the user to your account
    • The invited user will now need to log in using IDP credentials
    • The admin will continue to be able to log in using username/password

 

 

2. Here are the instructions for Wrap Viewer SSO:

Feature:  Wrap Single Sign On (SSO)

 

Description

Wrap supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider so that only authorized viewers can view the Wrap. This allows companies to share information privately with their employees.

Under the SSO setup, Wrap can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your Wraps.

 

Use Cases this enables

  • Allow companies to share sensitive information privately with employees

 

Setup instructions

You can set up SSO for Wrap using the following simple steps.  

 

  • Configure Wrap as a Service Provider in your IDP - Log in to your IDP and set up the following information:
    • Wrap Entity ID - unique string to identify Wrap as the SP
      • https://wrapi.wrap.co/api/saml/metadata
    • Wrap Assertion Consumer Service URL – URL to which the IDP will post back the SAML response
    • Custom Attributes - wrap.co uses the following custom attributes, which must be configured by the IDP. They are detailed in the SAML metadata available at https://wrapi.wrap.co/api/saml/metadata
      • name = joe smith
      • first_name = joe
      • last_name = smith
      • email = joe@company.com
      • external_id = 1234 (id used by the IDP to uniquely identify a user)
    • Session Expiration - The IDP must also configure the SessionNotOnOrAfter attribute within the saml:AuthnStatement. wrap.co uses this attribute to maintain sessions.

 

  • Enabling SAML SSO in your Wrap account
    • Log in to your Wrap domain as a super-admin and go to Account & Settings → Account Info.
    • Click on the Enable button under WRAP (SSO) and enter the required fields -
      • Issuer URL: Type the Identity Provider's URL.
      • x.509 Certificate: Copy the x.509 certificate contents from your IDP and paste them in the text area.
      • Remote sign-in URL: Fill in the IDP URL endpoint. This is the URL to which Wrap will redirect your users for signing in.
      • Remote sign-out URL: Fill in the remote sign-out URL of your IDP. This is the URL to which Wrap will redirect your users when they sign out.
    • Once you have all the information, click on the SAVE button to activate SSO for your account.

 

 

  • User Provisioning
    • As long as the users are authenticated by your IDP, they will be able to view the Wrap.
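
The IDP-side requirements from both setup sections (the five custom attributes and SessionNotOnOrAfter) can be checked against a decoded test assertion from your IDP before SSO is enabled. The following Python check is an added example, not Wrap's code: the sample assertion is constructed, the function name check_assertion is hypothetical, and measuring the session lifetime from AuthnInstant is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("name", "first_name", "last_name", "email", "external_id")  # names from the page
DEFAULT_SESSION = timedelta(days=7)  # authoring default when SessionNotOnOrAfter is absent

# Constructed sample assertion (not from a real IDP); signature elements omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z" SessionNotOnOrAfter="2024-01-01T17:00:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute Name="name"><saml:AttributeValue>joe smith</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue>joe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>smith</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>joe@company.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="external_id"><saml:AttributeValue>1234</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, viewer=False):
    """Return (problems, session_lifetime) for one decoded SAML assertion.

    Configuration pre-flight only: it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    problems = [f"missing or empty attribute: {n}" for n in REQUIRED if not attrs.get(n)]
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return problems + ["no AuthnStatement with AuthnInstant"], None
    expiry = stmt.get("SessionNotOnOrAfter")
    if expiry is None:
        if viewer:  # the Viewer SSO section says the IDP must set it
            return problems + ["SessionNotOnOrAfter is required for Viewer SSO"], None
        return problems, DEFAULT_SESSION  # authoring falls back to 7 days
    lifetime = _ts(expiry) - _ts(stmt.get("AuthnInstant"))
    if lifetime <= timedelta(0):
        problems.append("SessionNotOnOrAfter is not after AuthnInstant")
    return problems, lifetime
```

Pass viewer=True when checking an assertion intended for Wrap Viewer SSO, where a missing SessionNotOnOrAfter is reported as a problem instead of falling back to the 7-day default.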

 
