In My company you can manage all the basic settings for your company.
Name
Here you can change the name of your Candis account / organization that is displayed at the top left of Candis.
By default, we use the full, official name of your company. If you use abbreviations internally, you are welcome to change the name.
Important: Changing the name does not change the e-mail import address or the URL that is displayed.
Language
When a document is exported, a summary with the current document data and the change history is attached to the document (the process log).
The language of this log can be changed here.
Please note that each member can also configure their own language for Candis in the user profile. It is therefore possible that the language of the process log is English, for example, but the user uses Candis in German.
Owner
This is the main contact for this company, who will be contacted by Candis regarding important matters such as changes to terms and conditions or security issues.
The owner role can only be assigned to another team member by the owner themselves.
Tax aspects
Entering your company's VAT ID and tax number improves contact recognition and prevents your own values from a document being incorrectly recognized in the contacts data.
Bank Accounts
Regardless of whether you use the Candis SEPA payment list or manage your payment run using other programs, entering your own bank accounts helps Candis to read out the correct bank details of your supplier.
This prevents your own IBAN from being mistakenly recognized as the supplier's IBAN.
Single Sign-on
Single Sign-on is exclusively available in our MAX Package.
Note:
The rest of this article is written in English only. The reason is that most configuration settings in Microsoft or Google are also available only in English. Translations could cause confusion here.
How to configure SSO in Candis using the SAML 2.0 protocol, with Entra ID (Azure) as IDP
Prerequisites
➔ The user responsible for managing SSO configurations must be an admin in all Candis organisations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organisation. Please contact Candis support to request access to the SSO configuration panel.
Note:
The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.
Create SSO configuration
Go to the Single sign on menu
In Candis go to Settings → My Company → Single sign-on → Create new
Setting up the SSO SAML configuration in Candis
SP entity provider ID: Candis service provider (SP) ID.
ACS URL: Assertion Consumer Service and Redirect URI. The SP endpoint where the IDP sends SAML assertions after successful authentication.
Note: The ACS URL generated for your IDP depends on the value entered in the Identity provider alias text field. By default, it is equal to the ID of the current organization.
Go to your Azure portal and navigate to Entra ID
Always create a new “Enterprise Application”.
Enterprise Applications ➔ New Application ➔ Create your own application ➔ Give your application a name ➔ Select “Integrate any other application you don't find in the gallery (Non-gallery)” ➔ Select point 2 ➔ “Set up single sign on” ➔ In the next step select “SAML”.
Now you enter the “Set up Single Sign-On with SAML” area.
Identity provider entity ID = Microsoft Entra Identifier from the Entra ID provider details (under point 4 in the Azure setup form)
Single sign-on service URL = Login URL from the Entra ID provider details
Configure Azure Entra ID IDP with Candis SP values
Take the SP-relevant values from Candis (described above in step 2) and enter them into the Service provider details in the configuration of the SAML application.
The form in Entra ID should look like this:
Add Candis required mappers
By default, we require three attributes for SSO users: email, first name and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Entra ID (Azure portal) and click Save. This will complete the initial setup of the SAML application in Entra ID.
Note: You have to open and edit every single claim (Manage claim). Please also delete the content of the “Namespace” field.
This is what the editing view looks like when the correct “Name” and “Source attribute” are added and the “Namespace” field is cleared:
Afterwards, it should look like this (correct attributes and claims):
Enter your certificate in the Candis set up form
In the Azure Entra ID platform, go to the SAML area and open the Federation Metadata XML in your browser. Copy the X509 certificate.
Please make sure you copy the whole value!
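One way to check the copied value before pasting it (added example, not part of the original article or Candis tooling): the Python below reads IDP metadata XML, pulls out the entity ID, the HTTP-POST single sign-on URL and the signing certificate, and flags a truncated certificate by comparing the DER length header with the bytes actually present. The sample metadata, its example.test URLs and the placeholder certificate bytes are constructed, and all function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def der_is_complete(der: bytes) -> bool:
    """True if the outer DER SEQUENCE declares exactly the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pasted_cert(b64_text: str) -> dict:
    """Check a pasted X509Certificate value; whitespace and line breaks are ignored."""
    try:
        der = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:                      # bad padding or non-base64 characters
        return {"complete": False, "sha256": None}
    ok = der_is_complete(der)
    return {"complete": ok, "sha256": hashlib.sha256(der).hexdigest() if ok else None}

def idp_values(metadata_xml: str) -> dict:
    """Pull the three values the setup form asks for out of IDP metadata."""
    root = ET.fromstring(metadata_xml)      # metadata you downloaded yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    certs = [kd.findtext(".//ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    return {"entity_id": root.get("entityID"), "sso_post_url": sso[0] if sso else None,
            "certificates": [c for c in certs if c]}

# Constructed sample: DER-shaped placeholder bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/entity">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

The SHA-256 value can be compared with the certificate fingerprint your identity provider displays, so a stale or wrong certificate is caught before SSO logins start failing signature validation.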
Go back to Candis and finish the configuration
Always make sure to keep the “NameID policy format” on “Persistent”.
Select the “HTTP-POST binding for AuthnRequest” and “HTTP-POST binding response” toggles as well as the “Validate signatures” toggle.
The setup form should look similar to this:
Check if everything is set up correctly
Once you have saved the configuration in Candis, a new link “Service provider metadata endpoint” will appear in the Candis form.
You can open this link in your browser to check that everything is set up correctly.
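What to compare when reading that metadata (added example, not Candis code): the Python below checks that the SP entity ID and the HTTP-POST ACS URL in the metadata match exactly what was entered at the identity provider, and that the persistent NameID format is advertised. It assumes the endpoint returns standard SAML 2.0 SP metadata that lists the NameID format; the function name and the sp.example.test sample values are constructed.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_sp_metadata(xml_text: str, idp_identifier: str, idp_reply_url: str) -> list:
    """Return mismatches between SP metadata and the values entered at the IDP."""
    root = ET.fromstring(xml_text)          # metadata you downloaded yourself
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    problems = []
    # Comparison is exact: a trailing slash or different case is a mismatch.
    if root.get("entityID") != idp_identifier:
        problems.append("entityID differs from the identifier entered at the IDP")
    acs = {a.get("Location") for a in sp.findall("md:AssertionConsumerService", MD)
           if a.get("Binding") == POST}
    if idp_reply_url not in acs:
        problems.append("no HTTP-POST ACS endpoint equals the reply URL entered at the IDP")
    formats = {(n.text or "").strip() for n in sp.findall("md:NameIDFormat", MD)}
    if PERSISTENT not in formats:
        problems.append("persistent NameID format is not advertised")
    return problems

# Constructed sample; the sp.example.test values are placeholders.
SAMPLE_SP = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/entity">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>{PERSISTENT}</NameIDFormat>
    <AssertionConsumerService Binding="{POST}" index="1"
        Location="https://sp.example.test/acs/my-alias"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
```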
If everything is set up correctly, save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.
Run the first test by inviting a user to the organization or by asking some users who are already part of the organization to log in.
Candis will detect that the user belongs to an organization set up for your identity provider and redirect the user to log in via your IDP.
Remember: You cannot test it yourself, since the creator of the SSO setup always logs in with credentials and can't use SSO login.
Assign the configuration to all Candis companies that should use this configuration
In every Candis organisation, you can use an already configured SSO configuration or simply create a new one.
How to configure SSO in Candis using SAML protocol and Google:
Prerequisites
➔ The user responsible for managing SSO configurations must be an admin in all Candis Organizations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organization. Please contact Candis support to request access to the SSO configuration panel.
Note: The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.
Create SSO configuration
Go to the Single sign on menu
In Candis go to Settings ➔ My Company ➔ Create new
This opens the SSO SAML configuration.
The configuration form shows the relevant SP values to start the IDP configuration. In the case of Google SAML applications, we first get the Google Identity Provider details before entering the SP details.
Therefore let’s jump directly to step 3.
The SP values shown are explained here just for reference.
SP entity provider ID:
Candis service provider (SP) ID. Please copy this value.
ACS URL: Assertion Consumer Service and Redirect URI. The SP endpoint where the IDP sends SAML assertions after successful authentication.
Note: The ACS URL generated for your IDP depends on the value entered in the Identity provider alias text field. By default, it is equal to the ID of the current organization.
Create the SAML Identity Provider application in Google Admin Console
In Google Admin console, go to Menu ➔ Apps ➔ Web and mobile apps ➔ Add app ➔ Add custom SAML app.
Check the Google help article to create SAML applications for more references.
The configuration wizard’s first step will ask for an application name. Enter a name and click Continue.
From step number 2 in Google: Google Identity Provider details
Take the following values to fill up the Candis setup form.
SSO URL ➔ https://accounts.google.com/o/saml2/idp?idpid=some-id-from-google-to-your-idp
Entity ID ➔ https://accounts.google.com/o/saml2?idpid=some-id-from-google-to-your-idp
Certificate ➔ Your IDP Google certificate.
Single sign-on service URL = SSO URL from Google Identity Provider details.
Identity provider entity ID = Entity ID from Google Identity Provider details
X509 certificates = Certificate
The setup form should look similar to this:
Configure Google IDP with Candis SP values
Take the SP-relevant values we described above in step 2 and enter them into the Service provider details on the configuration of the SAML application.
The form in Google should look like this:
Leave the rest of the default values as they are for now and click Continue on the Google side.
Add Candis required mappers
By default, we require three attributes for SSO users: email, first name and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Google and click Save.
This will complete the initial setup of the SAML application in Google.
Assign the SSO configuration to the organization
Save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.
Run the first test by inviting a user to the organization or by asking some users who are already part of the organization to log in. Candis will detect that the user belongs to an organization set up for your identity provider and redirect the user to log in via your IDP.
Additional Information
Complementary SSO features
Some features are not yet covered in the SSO configuration form. Please contact Candis support if you need or want to configure the following features.
Allow registration via SSO
It is possible to add email domains for your IDP and allow automatic registration for users who log in via SSO through your IDP. This eliminates the need to invite users to each organization.
Role mapping
We allow organizations using SSO to define the authorization on their IDP, so role management no longer happens in the Candis application. Please contact Candis in this case and we will assist you with the mappers from your IDP to Candis roles.
Avoid SSO redirection for some users in your organization
Sometimes organizations need to invite users who are not part of the organization and are not part of the IDP, e.g. consultants or auditors. Please contact Candis in this case and we will make those users non-SSO users.