In the My Company menu item you manage all basic settings of your company.
Name
Here you can change the name that is displayed at the top left in Candis.
By default, we use the full, official name of your company here. If you use abbreviations internally, feel free to adjust the name.
Important: Changing the name does not change the e-mail import address or the URL that is displayed.
Owner
This is the main contact for this company, whom Candis contacts about important matters such as changes to the terms and conditions or security questions.
Language
When a document is exported, a summary with the current document data and the change history is attached to the document (the process log).
The language of this log can be changed here.
Please note that, in addition, each member can configure their own language for Candis in their user profile. It is therefore possible that the process log is in English, for example, while the user uses Candis in German.
Tax details
Entering your company's VAT ID (USt-IdNr.) and tax number improves business partner recognition and prevents your own values in a document from being incorrectly recognized as business partner data.
Bank accounts
Regardless of whether you use the Candis payment list or run your payments through other programs, entering your own bank accounts helps Candis read the correct bank details of your supplier.
This prevents your own IBAN from being mistakenly recognized as the supplier's.
Single Sign-on
This option is available from the MAX package onwards. To configure it, you must be invited to Candis as an ADMIN. The accountant role is not sufficient.
Here is the guide on how to configure single sign-on:
Note:
The rest of this article is written in English only. The reason is that most configuration settings in Microsoft or Google are also available only in English. Translations could lead to ambiguity here.
How to configure SSO in Candis using the SAML 2.0 protocol, with Entra ID (Azure) as IDP
Prerequisites
➔ The user responsible for managing SSO configurations must be an admin in all Candis organisations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organisation. Please contact Candis support to request access to the SSO configuration panel.
Note:
The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.
Create SSO configuration
Go to the Single sign-on menu
In Candis go to Settings → My Company → Single sign-on → Create new
Setting up the SSO SAML configuration in Candis
SP entity provider ID: Candis service provider (SP) ID.
ACS URL: Assertion Consumer Service and Redirect URI. The SP endpoint where the IDP sends SAML assertions after successful authentication.
Note: The ACS URL generated for your IDP depends on the value entered in the Identity provider alias text field. By default, it is equal to the ID of the current organization.
Go to your Azure portal and navigate to Entra ID
Always create a new “Enterprise Application”
Enterprise Applications ➔ New Application ➔ Create your own application ➔ Give your application a name ➔ Select “Integrate any other application you don't find in the gallery (Non-gallery)” ➔ Select point 2 ➔ “Set up single sign on” ➔ In the next step select “SAML”.
Now you enter the “Set up Single Sign-On with SAML” area.
Identity provider entity ID = Microsoft Entra Identifier from Entra ID Provider details (under point 4 in the Azure setup form)
Single sign-on service URL = LOGIN URL from Entra ID Provider details
Configure Azure Entra ID IDP with Candis SP values
Take the SP-relevant values from Candis (described above in step 2) and enter them into the Service provider details on the configuration of the SAML application.
The form in Entra ID should look like this:
Add Candis required mappers
By default, we require three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Entra ID (Azure portal) and click save. This will complete the initial setup of the SAML application in Entra ID.
Note: You have to open and edit every single claim (manage claim). Please also delete the content in the “Namespace” field.
This is what the editing view looks like when the correct “Name” and “Source attribute” are added and the “Namespace” field is cleared:
Afterwards, it should look like this (correct attributes and claims):
Enter your certificate in the Candis setup form
In the Azure Entra ID platform, go to the SAML area and open the Federation Metadata XML in your browser. Copy the X509 certificate.
Please make sure you copy the whole value!
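A way to confirm that the pasted certificate value is complete, as an added example (not Candis or Microsoft code): it compares the pasted text with the first X509Certificate element of the metadata XML and checks that the length announced in the DER header equals the number of decoded bytes. The sample metadata and the stand-in certificate bytes are constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-in, NOT a real certificate: a DER SEQUENCE header that
# announces 256 content bytes, followed by 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.invalid/"><IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<KeyDescriptor use="signing">'
    '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
    f"<X509Certificate>{SAMPLE_B64}</X509Certificate>"
    "</X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"
)


def der_announced_length(der: bytes) -> int:
    """Total size the outer DER SEQUENCE header says the object has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_cert(metadata_xml: str, pasted: str) -> dict:
    """Compare a pasted certificate with the first one in the IdP metadata."""
    node = ET.fromstring(metadata_xml).find(f".//{DS}X509Certificate")
    if node is None or not node.text:
        raise ValueError("metadata has no X509Certificate element")
    expected = base64.b64decode(re.sub(r"\s+", "", node.text))
    # Tolerate PEM armor lines and line wraps in the pasted text.
    cleaned = re.sub(r"-----[A-Z ]+-----|\s+", "", pasted)
    try:
        der = base64.b64decode(cleaned, validate=True)
        complete = der_announced_length(der) == len(der)
    except ValueError:                      # bad padding or not DER at all
        return {"complete": False, "matches_metadata": False, "sha256": None}
    return {"complete": complete, "matches_metadata": der == expected,
            "sha256": hashlib.sha256(der).hexdigest()}
```

A value cut off at a multiple of four characters still decodes as base64, which is why the DER length comparison is needed in addition to the decode step.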
Go back to Candis and finish the configuration
Always make sure to keep the “NameID policy format” on “Persistent”.
Select the “HTTP-POST binding for AuthnRequest” and “HTTP-POST binding response” toggles as well as the “Validate signatures” toggle.
The setup form should look similar to this:
Check if everything is set up correctly
Once you have saved the configuration in Candis, a new link “Service provider metadata endpoint” will appear in the Candis form.
You can open this link in your browser to check that everything is set up correctly.
If everything is set up correctly, save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.
Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to log in.
Candis will detect that the user belongs to an organization set up for your identity provider and redirect the user to log in via your IDP.
Remember: You cannot test it yourself, since the creator of the SSO setup will always log in with credentials and can't use SSO login.
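The check of the “Service provider metadata endpoint” output described above can be scripted. This added example (not Candis code) compares the entity ID, the HTTP-POST ACS URL and the NameID format in SP metadata with the values entered on the IDP side. The sample metadata, its sp.example.invalid URLs and the function name are constructed assumptions, and the real Candis metadata may contain more elements than shown.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample; the sp.example.invalid URLs are placeholders, not
# real Candis endpoints.
SAMPLE_SP_METADATA = f"""<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/realm">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>{PERSISTENT}</NameIDFormat>
    <AssertionConsumerService index="1" Binding="{POST}"
        Location="https://sp.example.invalid/broker/my-alias/endpoint"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text, idp_identifier, idp_reply_url):
    """List mismatches between SP metadata and the values set in the IdP."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{MD}SPSSODescriptor")
    if root.tag != f"{MD}EntityDescriptor" or sp is None:
        return ["not SAML SP metadata"]
    problems = []
    # Exact string comparison on purpose: a trailing slash or a changed
    # alias segment is enough for the IdP to reject or misroute the login.
    if root.get("entityID") != idp_identifier:
        problems.append("entity ID differs from the value entered in the IdP")
    post_acs = [
        acs.get("Location")
        for acs in sp.findall(f"{MD}AssertionConsumerService")
        if acs.get("Binding") == POST
    ]
    if not post_acs:
        problems.append("no ACS endpoint with HTTP-POST binding")
    elif idp_reply_url not in post_acs:
        problems.append("ACS URL differs from the value entered in the IdP")
    formats = [(n.text or "").strip() for n in sp.findall(f"{MD}NameIDFormat")]
    if PERSISTENT not in formats:
        problems.append("NameID format is not persistent")
    return problems
```

Because the ACS URL depends on the identity provider alias, re-run the comparison whenever the alias is changed after the IDP application was configured.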
Assign the configuration to all Candis companies that should use this configuration
In every Candis organisation, you can use an already configured SSO configuration or simply create a new one.
How to configure SSO in Candis using the SAML protocol and Google:
Prerequisites
➔ The user responsible for managing SSO configurations must be an admin in all Candis Organizations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organization. Please contact Candis support to request access to the SSO configuration panel.
Note: The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.
Create SSO configuration
Go to the Single sign-on menu
In Candis go to Settings ➔ My Company ➔ Create new
This opens the SSO SAML configuration
The configuration form shows the relevant SP values to start the IDP configuration. In the case of Google SAML applications, we first get the Google Identity Provider details before entering the SP details.
Therefore, let’s jump directly to step 3.
The SP values shown are explained here just for reference.
SP entity provider ID: Candis service provider (SP) ID. Please copy this value.
ACS URL: Assertion Consumer Service and Redirect URI. The SP endpoint where the IDP sends SAML assertions after successful authentication.
Note: The ACS URL generated for your IDP depends on the value entered in the Identity provider alias text field. By default, it is equal to the ID of the current organization.
Create the SAML Identity Provider application in Google Admin Console
In Google Admin console, go to Menu ➔ Apps ➔ Web and mobile apps ➔ Add app ➔ Add custom SAML app.
Check the Google help article to create SAML applications for more references.
The configuration wizard’s first step will ask for an application name. Enter a name and hit continue.
From step number 2 in Google: Google Identity Provider details
Take the following values to fill up the Candis setup form.
SSO URL ➔ https://accounts.google.com/o/saml2/idp?idpid=some-id-from-google-to-your-idp
Entity ID ➔ https://accounts.google.com/o/saml2?idpid=some-id-from-google-to-your-idp
Certificate ➔ Your IDP Google certificate.
Single sign-on service URL = SSO URL from Google Identity Provider details.
Identity provider entity ID = Entity ID from Google Identity Provider details
X509 certificates = Certificate
The setup form should look similar to this:
Configure Google IDP with Candis SP values
Take the SP-relevant values described above in step 2 and enter them into the Service provider details on the configuration of the SAML application.
The form in Google should look like this:
Leave the rest of the default values as they are for now and hit continue on the Google side.
Add Candis required mappers
By default, we require three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Google and click save.
This will complete the initial setup of the SAML application in Google.
Assign the SSO configuration to the organization
Save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.
Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to log in. Candis will detect that the user belongs to an organization set up for your identity provider and redirect the user to log in via your IDP.
Additional Information
Complementary SSO features
Some features are still not covered in the SSO configuration form.
Please contact Candis support if you need or want to configure the following features.
Allow registration via SSO
It is possible to add email domains for your IDP and allow automatic registration for users that log in via SSO through your IDP. This eliminates the need to invite users to each organization.
Role mapping
We allow organizations using SSO to define the authorization on their IDP, so role management no longer happens in the Candis application. Please contact Candis in this case and we will assist you with the mappers from your IDP to Candis roles.
Avoid SSO redirection for some users in your organization
Sometimes organizations need to invite users who are not part of the organization and are not part of the IDP, e.g. consultants or auditors. Please contact Candis in this case and we will make those users non-SSO users.