In My company you can manage all the basic settings for your company.

Here you can change the name of your Candis account / organization that is displayed at the top left of Candis.

By default, we use the full, official name of your company. If you use abbreviations internally, you are welcome to change the name.

Important: Changing the name does not change the e-mail import address or the URL that is displayed.

When a document is exported, a summary with the current document data and the change history is attached to the document (the process log).

The language of this log can be changed here.

Please note that each member can also configure their own language for Candis in the user profile. It is therefore possible that the language of the process log is English, for example, but the user uses Candis in German.

This is the main contact for this company, who will be contacted by Candis regarding important matters such as changes to terms and conditions or security issues.

The owner role can only be assigned to another team member by the owner themselves.

Entering your company's VAT ID and tax number improves contact recognition and prevents your own values from a document being incorrectly recognized in the contacts data.

Regardless of whether you use the Candis SEPA payment list or manage your payment run using other programs, entering your own bank accounts helps Candis to read out the correct bank details of your supplier.

This prevents your own IBAN from being mistakenly recognized as the supplier's IBAN.

Single Sign-on is exclusively available in our MAX Package.

➔ The user responsible for managing SSO configurations must be an admin in all Candis organisations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organisation, please contact Candis support to request access to the SSO configuration
panel.
​
Note:
The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that
configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated
with the SSO configuration, such as updating a signing certificate.

In Candis go to Settings → My Company → Single sing-on Create new

​

SP entity provider ID: Candis service provider(SP) ID.
​

ACS URL: Assertion Consumer Service and Redirect URI. SP endpoint where the IDP sends SAML assertions after successful
authentication.
​
​Note: ACS URL generated for your IDP, depends on the value entered in Identity provider alias text field. By default is equal to the ID of
the current organization

Always create a new “Enterprise Application
​
Enterprise Applications ➔ New Application ➔ Create your own application > Give your application a name ➔ Select “Integrate any other
application you don't find in the gallery (Non-gallery)” Select point 2 ➔ “Set up single sign on” ➔ In the next step select “SAML”.
​
Now you enter the “Set up Single Sign-On with SAML” area.
​
​Identity provider entity ID = Microsoft Entra Identifier from Intra ID Provider details (under point 4 in the Azure set up form)
​
​Single sign-on service URL = LOGIN URL from Intra ID Provider details

Take the SP-relevant values from Candis (we described above in step 2) and enter them into the Service provider details on the configuration of the SAML application.

The form in Intra ID should look like this:

By default, we required three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Intra ID (Azure portal) and click save. This will complete the initial setup of the SAML application in Intra ID.
​
​Note: You have to open and edit every single claim (manage claim). Please also delete the content in the “Namespace” field

This is how the editing view looks like (when the correct “Name” and “Source attribute” are added and the “Namespace” field is cleared:

Afterwards, it should look like this (correct attributes and claims)
​

In the Azure Intra ID platform, go to the SAML area and open the Federation Metadata XML in your browser. Copy the X509 certificate.

And Please make sure you copy the whole value!

Always make sure, to keep the “NameID policy format” on “Persistant”.

Select the “HTTP-POST binding for AuthnRequest” AND “HTTP-POST binding response” as well as “Validate signatures” toggle.
​
The setup form should look similar to this:

​
Once you have saved the configuration in Candis, a new link “Service provider metadata endpoint” will appear in the Candis form.
You can open this link in your browser to check that everything is set up correctly.
​
If everything is set up correctly, save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.

Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to login.

Candis will detect that the user belongs to an organization setup for your identity provider and redirect the user to login via your IDP.

Remember: You can not test it yourself, since the creator of the SSO set up will always log in with credentials and cant use SSO login.

​
In every Candis organisation, you can use an already configured SSO configuration or simply create a new one.

➔ The user responsible for managing SSO configurations must be an admin in all Candis Organizations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organization, please contact Candis support to request access to the SSO configuration
panel.
​
​Note: The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.

In Candis go to Settings ➔ My Company ➔ Create new

The configuration form shows the relevant SP values to start the IDP configuration. In the case of google SAML applications, we get first the Google Identity Provider details before entering the SP details.

Therefore let’s jump directly to step 3.

The showed SP values are explained here just for reference.
​
​SP entity provider ID:
Candis service provider(SP) ID. Please copy this value
​ACS URL: Assertion Consumer Service and Redirect URI. SP endpoint where the IDP sends SAML assertions after successful
authentication.
​
Note: that ACS URL generated for your IDP, depends on the value entered in Identity provider alias text field. By default is equal to the ID
of the current organization

​
In Google Admin console, go to Menu ➔ Apps ➔ Web and mobile apps ➔ Add app ➔ Add custom SAML app.
Check the Google help article to create SAML applications for more references.
The configuration wizard’s first step will ask for an application name. Enter a name and hit continue,
From step number 2 in Google: Google Identity Provider details
Take the following values to fill up the Candis setup form.
​
​SSO URL ➔ https://accounts.google.com/o/saml2/idp?idpid=some-id-from-google-to-your-idp
​Entity ID ➔ https://accounts.google.com/o/saml2?idpid=some-id-from-google-to-your-idp
​Certificate ➔ Your IDP Google certificate.
​
​Single sign-on service URL = SSO URL from Google Identity Provider details.
​Identity provider entity ID = Entity ID from Google Identity Provider details

X509 certificates = Certificate
​
The setup form should look similar to this:

​
Take the SP-relevant values we described above in step 2 and enter them into the Service provider details on the configuration of the SAML application.

The form in Google should look like this:
​

let the rest of the default values for now and hit continue on Google side.

​
By default, we required three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Google and click save.

This will complete the initial setup of the SAML application in Google.

Save the SSO configuration in the Candis application.

Go back to the organization setting and select the created SSO configuration from the
drop-down list.

Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to login. Candis will
detect that the user belongs to an organization setup for your identity provider and redirect the user to login via your IDP.

Some features are still not covered in the SSO configuration form.

Please contact Candis support if need or want to configure the following
features.
​
​Allow registration via SSO It is possible to add email domains for your IDP and allow automatic registration for users that SSO login via
your IDP, this eliminates the need to invite users to each organization.

​Role mapping We allow organizations using SSO to define the authorization on their IDP, so role management does not happen anymore
in the Candis application. Please contact candis in this case and we will assist you with the mappers from your IDP to Candis roles.

Avoid SSO redirection for some users in your organization
Sometimes organizations need to invite users who are not part of the
organization and are not part of the IDP, e.g. consultants or auditors. Please contact Candis in this case and we will make those users non-
SSO users.