Because not all our customers choose to use SSO functionality, the feature settings are hidden until enabled by Qualio. Work with either your Customer Onboarding Manager or Qualio Support to request and enable this feature. Be sure to tell them which environment you wish to configure, either your sandbox or production.
If you would like SSO enabled in both sandbox and production environments, the SSO domain must be unique. Two instances cannot have the same domain active at one time.
Once enabled, any Quality User in your organization will be able to access the SSO settings. Go to Organization Settings, then select SSO/SAML on the left side menu.
You will now need to configure SSO in your Azure Portal. Browse to your Azure Admin Panel (https://portal.azure.com).
Select Enterprise applications, then find and select the application you want to set up for single sign-on.
Click + New Application at the top of the page. This launches the process of adding a new SSO connection for Qualio.
Click + Create your own application from the top of the next page.
Select the third radio button (Integrate any other application you don’t find in the gallery) as shown in the screenshot.
Enter a display name for your new application. Example: Qualio Login
On the next screen select Set up single sign-on (highlighted in screenshot below).
On the next screen select SAML (highlighted in screenshot below).
A page will then display important information required to connect Azure and Qualio. From the Qualio SSO/SAML setting page (Step 2) copy the Service Provider Entity ID and paste into the Azure Identifier [Entity ID] field in the first panel, titled Basic SAML Configuration. (See screenshot below.)
Similarly, from the Qualio SSO/SAML setting page (Step 2) copy the ACS URL and paste into the Reply URL. Hint: Use the copy/clipboard icon on the right rather than CTRL+C, as the icon copies the correct value.
In Qualio, click the Configure SSO/SAML Integration button. You’ll now gather information from Azure to populate in Qualio.
From Azure, copy the Azure AD Identifier and paste into the Entity ID field in Qualio. Note: include the entire value starting with “https://sts…”
From Azure, copy the Login URL and paste into the SSO URL field in Qualio.
Hint: Use the copy/clipboard icon on the right rather than CTRL+C, as the icon copies the correct value.
From Azure, download the Certificate (Base64). NOTE: this file must be saved as a .PEM file, which is not the Azure default. Then upload the file to Qualio from the SSO/SAML setting page using the Choose File button.
(Optional) Check the box to Disable password login if you want users to ONLY log in with SSO. Selecting this option applies to all users, including yourself and your Qualio Onboarding Manager. ALERT: Please do NOT disable password login until AFTER Onboarding is complete in order to avoid disruptions to Onboarding and migration activities.
You can now configure the user attributes that will be transferred from Azure to Qualio when a new user is added. This is done in Azure and starts with clicking the Edit button in the Attributes & Claims section. (See screenshot below.)
The final step is to test the connection by clicking the Test Sign In button. This should present a Qualio login screen where you can log in with your credentials.
NOTE: it is very important that these attribute values be identical to what is listed in the Attributes field on the Qualio SSO/SAML settings page. Also, XLS namespaces cannot be used here or SSO will not work.
Optionally add the Role attribute. This assigns a Qualio role to the new user when they first sign in. The possible values for the role attribute are ‘basic’, ‘normal’, or ‘quality’. If this attribute is not set, all new users will be added as Basic users.
If the user is active AND the role is not sent from the IdP to Qualio, then the role won’t be affected on login.
When a user logs in for the first time using SSO and does not have a Qualio account, a new account will be created/provisioned and the designated role will be applied to the user.
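The attribute rules above can be checked against a SAML response captured from a test sign-in before rolling SSO out to users. The script below is an added example, not Qualio or Microsoft code. The attribute names (email, first_name, last_name, role) are hypothetical stand-ins for whatever your Qualio Attributes field lists, and it assumes a namespace shows up as a URI prefix in the attribute name and that role values must match exactly.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"basic", "normal", "quality"}  # role values listed on this page

# Constructed sample: one claim still carries a namespace prefix and the
# role value is not one of the three accepted values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_attributes(assertion_xml, expected_names, role_name="role"):
    """Return a list of problems found in the assertion's attribute statement."""
    root = ET.fromstring(assertion_xml)
    sent = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        sent[attr.get("Name", "")] = values
    problems = []
    for name in sent:
        if "://" in name:  # assumption: a namespace appears as a URI prefix
            problems.append(f"namespaced attribute name: {name}")
        elif name not in expected_names and name != role_name:
            problems.append(f"unexpected attribute name: {name}")
    for name in sorted(expected_names):
        if name not in sent:
            problems.append(f"missing attribute: {name}")
    for value in sent.get(role_name, []):
        if value not in ALLOWED_ROLES:
            problems.append(f"invalid role value: {value}")
    return problems

if __name__ == "__main__":
    # Hypothetical names; use the ones shown in your Qualio Attributes field.
    for p in check_attributes(SAMPLE_ASSERTION, {"email", "first_name", "last_name"}):
        print(p)
```

This only inspects attribute names and role values; it does not verify the assertion signature.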
IMPORTANT NOTE ABOUT PASSWORDS: The first time they log in, each user will still need to set up a Qualio password, which is used to log that user’s digital signature. This password should be different from the user’s SSO password (for security purposes). This password will also allow users to log into the application without using SSO, unless the optional checkbox to disable password login is checked.