This page contains information to help you configure and manage Security Assertion Markup Language (SAML) single sign-on (SSO) authentication with iManage, and update your configuration when Identity Provider (IdP) certificates are nearing expiration and need to be refreshed.

Configuring SAML SSO for your iManage environment offloads the authentication of iManage users to your IdP and provides the following benefits:

  • Simplifies the authentication experience.

  • Reduces the cost of administering iManage user accounts, such as managing and resetting passwords.

iManage supports Service Provider-initiated SAML SSO, where iManage is the service provider. When a user attempts to sign in, an SAML Authentication Request is sent to the IdP to authenticate the user.

Who should use this?

  • New customers who are adopting iManage Work at cloudimanage.com and want to implement SAML SSO authentication for their users.

  • iManage Work at cloudimanage.com customers who aren't currently using SAML SSO and want to transition to SAML SSO authentication for their users.

  • iManage Work at cloudimanage.com customers who are currently using SAML SSO authentication as configured and managed by iManage, and want to manage their SAML SSO authentication directly using iManage Control Center.

  • iManage Work at cloudimanage.com customers who manage their SAML SSO authentication using iManage Control Center and who need to update their IdP certificate.

On this page:

Before you begin

Before you configure SAML SSO in your iManage environment:

  • Confirm that at least one administrative account with the Account type of Virtual is created at the global user level in iManage Control Center. Use this account to configure SAML SSO in the following sections on this page.
    When set to Virtual, these accounts use explicit sign-in to authenticate to iManage. That is, they use the user email and password as defined in iManage Control Center and don't authenticate using SAML SSO.
    Refer to the steps below to confirm the Account type of an iManage user. Confirm that these administrative users can sign in to iManage Work.

CAUTION: If you don't configure at least one virtual administrative account at the global user level in iManage Control Center, and your SSO authentication is improperly configured, or your IdP certificate expires, all users will be blocked from signing in to iManage.

  • Confirm that all other iManage user accounts used for authenticating iManage services (such as the account used for iManage Directory Synchronization Service, iManage Refile Service, or Workspace Generator) or third-party integrations are configured with the Account type of Virtual.

  • We recommend that all other iManage user accounts be defined with the Account type of Enterprise. This enforces SAML SSO authentication for these users, and prevents them from signing in using explicit sign-in.

To confirm the Account type of a user:

  1. In iManage Control Center, browse to Access > Users.

  2. Select Global Management from the menu at the top of the page.

  3. Select any user account.

  4. In the Platform Details section of the user account, view the Account type field.

To change the Account type for an individual user so that they are configured to authenticate using SSO:

  1. In the Platform Details section of the user account, select Edit. The Edit Platform Details dialog opens.

  2. Select Enterprise.

  3. Select Save.

If you require assistance updating a large number of users, contact iManage Cloud Support

Steps to configure SAML SSO

What iManage expects from the Identity Provider

After you complete the steps in Configure your Identity Provider SSO, your IdP will provide you with an XML file. This file contains information about your federation service that's used to create trusts and identify token-signing certificates. Importing this file to Control Center, as described in Enable SAML SSO, assigns values to the following SAML SSO configuration fields:

  • Identity provider SSO URL: The URL of the SAML SSO Identity Provider.

  • Logout URL: The URL used to redirect a user's browser window to a sign-out endpoint to end their authentication session and sign them out.

  • Certification expiration date: The expiration date of your Identity Provider signing certificate.

Configure your Identity Provider SSO

To configure your Identity Provider to provide SAML SSO authentication, refer to the following instructions for your IdP:  

For all other Identity Providers, refer to General IdP configuration for SAML SSO.

After you've configured your IdP and downloaded the Federation XML metadata file from your IdP, continue to Enable SAML SSO.

Enable SAML SSO

The following steps describe how to import the Federation XML metadata file and enable SAML SSO for your iManage users in Control Center.

TIP: To avoid disruption due to a misconfiguration, we recommend that you perform these steps during a maintenance window or when very few people are using iManage Work.

  1. Sign in to iManage Work using the administrative Virtual account, as described in Before you begin, using the following URL:
    https://cloudimanage.com

  2. In the iManage Work user profile menu, select Control Center to open iManage Control Center.

    Accessing iManage Control Center.png

  3. Browse to Network & Security > Single Sign-On (SSO).

NOTE: To perform operations on the Single Sign-On (SSO) page, the user signed in to iManage Control Center must be assigned to a Global Management role, which has the Settings Management privilege. For more information, refer to Global privilege descriptions. Modifications to the settings on this page may take up to four hours to take effect.

  1. In the Authentication section, select Edit. The following dialog opens:

  2. In Single Sign-On (SSO), select Enabled.

  3. In SSO Authentication Protocol, select SAML.

  4. Select Next. The Setup SAML Single Sign-On (SSO) dialog opens, and displays information for your iManage environment. Confirm that the service provider settings are correct.

    Setup SAML Single Sign-On v1.png

  5. Select Next. The Setup SAML Single Sign-On (SSO) dialog displays the Configure SAML SSO section.

  6. In the Configure SAML SSO section, select Import XML file.

  7. When prompted, locate the metadata XML file that you downloaded from your IdP in Configure your Identity Provider SSO, and then select Open.

    The file is imported into Control Center and the values for Identity Provider SSO URL, Logout URL, and Certification expiration date are displayed based on the information in the metadata XML file. 

  8. In Response Binding Type, select a binding type from the following options:

    1. POST (recommended): (default value) Use HTTP POST binding and transmit SAML messages as Base64-encoded HTML form parameters.

    2. REDIRECT: Use HTTP Redirect as the transport mechanism and encode SAML messages as HTTP URL parameters.

    3. ARTIFACT: Transmit SAML responses by reference using an artifact, which is exchanged for the actual protocol message through a synchronous binding method such as SAML SOAP.

    4. ARTIFACT(ADFS): Use Artifact binding without a response signature.

  9. Before continuing, confirm that the Certification expiration date displayed in the dialog matches what you configured in your IdP and that it isn't expired. Having an expired or improperly loaded certificate will prevent iManage users from signing in successfully using SSO.

  10. Select Next. The Setup SAML Single Sign-On (SSO) dialog displays a warning message and configuration settings. Read the warning message and confirm the settings.

  11. Select Save.
    SAML SSO is now configured in your iManage Cloud environment. Continue to Validate that users can sign in to iManage Work.

NOTE: If you encounter an error when importing the metadata XML file, refer to the FAQ section for possible causes.

Validate that users can sign in to iManage Work

After SAML SSO is configured and enabled in iManage Control Center, users can begin signing in to iManage Work. Depending on the Identity Provider you are using, this may take several minutes to become active.

If users aren't able to sign in successfully, refer to Troubleshooting.

Update your IdP certificate

After configuring SAML SSO, you must monitor the expiration of your IdP certificate. When the certificate is nearing expiration, you must generate a new Federation metadata XML file from your IdP and import it into iManage Control Center. This file includes the new certificate.

To view the expiration date of your current signing certificate in iManage Control Center, browse to Network & Security > Single Sign-On (SSO) and view the Certification expiration date field.

iManage Control Center displays a message if the certificate is expiring within the next 45 days, or has already expired.

Warning Figure 6.png

IMPORTANT: It's your responsibility to follow these steps whenever the certificate has changed within your IdP, or if it's set to expire soon. If your SAML Signing Certificate changes or expires without importing it into iManage Control Center, users will be unable to sign in to iManage. If this occurs, only users with Account type set to Virtual will be able to sign in using explicit sign-in.

To update your IdP signing certificate:

  1. In your IdP, download the new Federation metadata XML file for your SSO configuration. If needed, upload the updated signing certificate into your IdP SSO configuration before downloading the Federation metadata XML file.

  2. In iManage Control Center, browse to Network & Security > Single Sign-On (SSO).

  3. In the Configure SAML SSO section, select Edit. The following dialog opens:

  4. Select Import XML file.

  5. When prompted, locate the metadata XML file that you downloaded from your IdP that contains your new certificate, then select Open.

    The file is imported into Control Center, and ‌details such as Certification expiration date are displayed. Confirm that the Certification expiration date field displays the new date.

  6. Select Save.

Troubleshooting

If users receive ‌the "404-Error On the Following Database Message: GetSingleItem requestid..." error message when attempting to sign in to iManage Work, the most likely reasons are:

  • The expiration of the SAML certificate: To resolve the issue, follow the steps in Update your IdP certificate to generate a new certificate and update the certificate in iManage Control Center.

  • The user doesn't exist in the library: For more information about library user management, refer to Users.

For other failed sign-in attempts, perform the following steps to investigate and resolve the issue:

  1. Confirm that your Identity Provider service is available. If it is offline, contact your Identity Provider directly.

  2. Verify your SSO configuration in your IdP. Review the detailed instructions on the following IdP configuration pages:

  3. Confirm that your iManage Control Center SAML SSO settings match your IdP SSO configuration. Mismatched settings can result in failed sign-in attempts.

  4. If you're unable to determine the cause of the issue, you can temporarily disable Single Sign-On. Refer to Rolling back your configuration.
    When your users can sign in again after rolling back your configuration, contact iManage Cloud Support if you need assistance troubleshooting your SAML SSO configuration.

  5. For any other issues, contact iManage Cloud Support.

Rolling back your configuration

If, after enabling SAML SSO, your users aren't able to sign in, you can disable Single Sign-On.

NOTE: When Single Sign-On is disabled:

  • Only users with an Account Type of Virtual can sign in (and are required to sign in to each iManage application using their user email and password configured in iManage Work).

  • All previously-configured settings on the Single Sign-On (SSO) page are preserved.

  1. In iManage Control Center, browse to Network & Security > Single Sign-On (SSO).

  2. In the Authentication section, select Edit. The Edit Authentication Settings dialog opens.

  3. In Single Sign-On (SSO), select Disabled.

  4. Select Save.

  5. Select Revert to confirm this operation.

  6. Verify that users are now able to sign in to iManage Work using their iManage user name and password.

If users are still unable to sign in, contact iManage Cloud Support for assistance.

FAQ

Q: How will I know when my certificate is about to expire?

A: Your certificate's expiration date is shown in the Certification expiration date field on the Single Sign-On (SSO) page in Control Center. iManage Control Center also includes a warning message when the certification expiration date is within 45 days, or if it is expired. For more information, refer to Update your IdP certificate.

Q: How does SAML SSO affect iManage users who are defined with Account type = Virtual in iManage Control Center?

A: Users configured as virtual users must use their user email and password defined in iManage Work.
      If you have service accounts which are set to Account type = Enterprise, set these to Account type = Virtual before enabling SAML SSO.

Q: I just enabled SAML SSO and now my administrative users aren't able to sign in using their user email and password as defined in iManage Control Center.

A: Confirm that these users are set with Account type of Virtual in their user profile in iManage Control Center. For more information, refer to Before you begin.

Q: I received an error, as in the following figure, when importing the metadata XML file:

A: Possible causes for this error include:

  • An invalid tag is detected in the XML file.

  • The certificate tag (<ds:X509Certificate>) is missing from the XML file.

  • The certificate tag (<ds:X509Certificate>) isn't a base-64-encoded string.

To resolve this issue, examine the XML file and recreate it following the steps in Configure your Identity Provider SSO, if needed.