SSO With SAML: Implementation Guide
Account owners can enable SSO for the account.
Enterprise users can access Quality clouds with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their account. Single sign-on (SSO) is the general term for the various techniques that allow a user to access multiple applications from a single authorization point, which is managed by an identity provider (IdP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging authentication and authorization data, and Quality clouds supports it as a service provider (SP). No actual passwords are transferred to or from Quality clouds during the authorization. Instead, Quality clouds receives a SAML assertion of the user identity, which is valid for a limited time and digitally signed.
Benefits of using single sign-on
- Scalable user management for large organizations. With just-in-time user provisioning, you can save time normally spent setting up your Enterprise account and management methods. Quality clouds can create a user profile in your account every time a new user from your directory logs into Quality clouds via SSO — no extra invitations required. Employees who are removed from your corporate directory will lose access to the company's Quality clouds subscription automatically, but their tasks and historical activity records stay intact.
- Unified username format. User identity is managed from one central location, which means that usernames in Quality clouds match the names in your directory.
- Compliance with internal security guidelines. Your IT administrators get more control over authentication. Users aren't able to change their name or email address on their own. Any security policies you have adopted internally will also be in effect for Quality clouds.
- Reduced password fatigue for users. Once someone logs in to the corporate network, they can open Quality clouds without having to enter another set of login credentials.
- The ease of access offered by SSO is a driver of seamless Quality clouds adoption. You may also be able to monitor login activity and use the collected SSO metrics to track Quality clouds adoption.
Limitations of single sign-on
Once SSO/SAML integration is enabled, users included in SSO won’t be able to:
- Edit their names in Quality clouds. First and last names are attributed by your identity provider.
- Have two or more Quality clouds accounts linked to one email address. If you have users who are members of several Quality clouds accounts, they'll need to use a different email address to access other Quality clouds accounts, or merge their personal account into the main corporate account.
- Make changes to their email address from their Quality clouds profile. This includes adding additional addresses. However, a Quality clouds admin can do this for them.
- Enable two-step verification through Quality clouds. If you’d like to protect your account with this security feature, it must be configured with your identity provider.
- Log in to Quality clouds using a Quality clouds password. As a general rule, they'll be redirected to the login page managed by your identity provider when trying to access Quality clouds in their browser. Some integrated tools don’t have native support for SSO (e.g., the Backup Tool and legacy API-v2 apps). SSO users will need to generate one-time passwords to authorize these tools. Please note that login with Microsoft credentials or Google credentials will also not be possible.
Scope of single sign-on
SSO can be enabled for users based on their email domain.
Preconditions: Before you enable single sign-on
Before enabling SSO, it’s important to confirm that:
- The email address associated with each user's Quality clouds account matches their email in the company directory.
- Users have only one account associated with their company email.
Choose a workspace name
We need to provide a unique identifier for SAML-enabled customers. You can use your corporate name, as long as it complies with the URI generic syntax.
Setup IDP With Azure
- Add an Enterprise Application in Azure AD: find "Azure SAML Toolkit" and rename it according to your preference.
- Set the SSO fields and send us the values described in the next section.
  You can also download a certificate by selecting the SAML Signing Certificate heading's Edit icon (a pencil), which displays the SAML Signing Certificate page. Select the ellipsis (...) next to the certificate you want to download, and then choose PEM certificate format.
- Assign users
Setup IDP With OKTA
- Add the App
- Set SAML Assertion Consumer Service URL (Single Sign on url) with:
- Use the same value for the destination
- Set SP Entity ID:
- Go to Sign on tab and click View Setup Instructions
- Send Quality Clouds the values as described in the next section
- Assign users who can access the application
Enable single sign-on
To enable SSO, please contact Quality clouds support so that we can enable it for the customer account. We will ask you for the following fields from your IdP:
- Identity Provider (IdP) Entity Id
- IdP Consumer URL
- Public x509 certificate of the IdP in privacy-enhanced mail (PEM) format
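The settings exchanged above (ACS URL and destination, SP Entity ID, IdP Entity Id) all reappear inside the SAML response, next to the validity window of the assertion. The following is an added example, not Quality clouds code, that compares those fields in a decoded response against the configured values. All URLs and entity IDs in it are placeholders, because this page does not list the real ones, and it reads fields only: it does not verify the signature, which the service provider checks against the PEM certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values (assumptions): use the ones exchanged with support.
EXPECTED = {"acs_url": "https://sp.example.invalid/saml/acs",
            "sp_entity_id": "https://sp.example.invalid/workspace/acme",
            "idp_entity_id": "https://idp.example.invalid/metadata"}

# Constructed sample response (not real traffic); Signature element omitted.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.invalid/saml/acs">
 <a:Issuer>https://idp.example.invalid/metadata</a:Issuer>
 <a:Assertion>
  <a:Issuer>https://idp.example.invalid/metadata</a:Issuer>
  <a:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example.invalid/workspace/acme</a:Audience></a:AudienceRestriction>
  </a:Conditions>
 </a:Assertion>
</p:Response>"""

def _ts(value):
    # SAML timestamps are UTC; drop fractional seconds and the trailing Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected, now):
    """Return a list of mismatches (field comparison only, no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted Assertion element found"]
    if assertion.findtext("a:Issuer", "", NS).strip() != expected["idp_entity_id"]:
        problems.append("Issuer does not match the IdP Entity Id")
    audiences = [a.text.strip() for a in assertion.iterfind(".//a:Audience", NS) if a.text]
    if expected["sp_entity_id"] not in audiences:
        problems.append("Audience does not contain the SP Entity ID")
    cond = assertion.find("a:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions lacks a validity window")
    elif not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    return problems
```

Run it on the Base64-decoded `SAMLResponse` from a test login of your own; an empty list means the IdP is emitting the values that were configured.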
SSO With SAML: User Guide
To log in, go to:
and follow the login procedures of your corporate identity provider.