How to Enable Single Sign-On to Qualio, with Azure/O365
We start by enabling it for the customer, within the Qualio software itself. So first:
- The customer needs to log in and go to their Company page [as per screenshot]
- Select SSO Enabled
- Fill SSO domain (with data from Customer) - this will be the email domain you use to sign in [NOT any alias you might have configured]
- Click ‘Save changes’
Integration with Azure (for Quality users):
- Within Qualio, go to Organization settings -> SSO/SAML
- Click on the blue 'Configure SSO/SAML Integration' button - the button transforms into the box you see at the top of the screen [in the shot below].
Note: You can easily copy (or download as a file) those values by clicking on the buttons on the right.
Click on Configure SSO/SAML Integration, within Organization Settings
Now we need key information from the customer and their Azure Account. I would think anyone wanting to use SSO will know what these things are - but we detail them here for completeness.
The customer should now go to the Azure admin panel (https://portal.azure.com)
Within Azure Portal, you want to add a new Application. This will become your “Connect to Qualio with SSO” program.
- In the Azure portal, select Enterprise applications. Then find and select the application you want to set up for single sign-on.
- You need to select '+ New Application' from the top of the page - this will begin the process of adding a new SSO connection for Qualio.
- Select '+ Create your own application' from the top of the next page [as per left-hand side of this screenshot]
- You will get to a page like the screenshot we have below - add a name for your new application [Use a name like 'Qualio Login' for example]
- You will then get to a page as you see below. Select 'Set up single sign-on' as highlighted in the screenshot below.
- In the next screen you are sent to, select SAML, as per the screenshot below.
- You will get a screen along the lines of the one below. This page contains important information that you will need to make the connection.
You need data from both the Qualio SSO page and this Azure SAML page, and the values on the two pages must match.
- First, get 'Service Provider Entity Id' from the Qualio SSO page - and paste that into the 'Identifier [Entity ID]' box in Azure
- Second, in Qualio, get the 'ACS URL' setting, and copy that into 'Reply URL' inside Azure
Now let's start getting details from Azure, and putting them into Qualio
- Go to the Azure portal page [as per the final screenshot above]. Get the 'Azure AD Identifier' and copy that into the blank 'Entity ID' box within Qualio.
- Now get the 'Login URL' from Azure page, and copy that into the 'SSO URL' box in Qualio.
Download Certificate from Microsoft and upload to field ‘X.509 certificate’ in the Qualio admin panel - use the ‘Choose file’ button (Step 2.)
(Optional) Select disable password login if you only want your users to be able to log in with SSO & Click ‘Save’
- TO BE CLEAR: Selecting this means that no one [including yourself] will be able to log in with a username and password.
The final key configuration item is inside Azure: the user attributes.
This step is important because it allows synchronizing data from Azure to Qualio. Your settings [inside your Azure portal] must be identical to those inside the screenshot above.
- As a small technical / troubleshooting tip, you must not use XML namespaces here. If XML namespaces have been used, SSO will not work.
There is an optional attribute you can add called role. This assigns a Qualio role to a new user signing in via SSO. If you do not set this, all new SSO logins will be Basic users. The possible values for the role attribute are “basic”, “normal” or “quality”.
- If someone already has a Qualio account, this setting does nothing and is not required.
- When the user logs in for the first time using SSO [and does not have a Qualio account already], a new account will be created/provisioned. The user’s role will be defaulted to basic.
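A quick way to troubleshoot the attribute rules above is to check the attribute statement of a captured SAML assertion for namespaced claim names and for a role value outside the three allowed ones. This is an added example, not Qualio's or Microsoft's code; the sample assertion and the attribute names `first_name` and the e-mail claim are constructed placeholders (the names Qualio requires are the ones in its screenshot), and exact lowercase matching of the role value is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"basic", "normal", "quality"}  # role values listed on this page

# Constructed sample: attribute names are placeholders, not Qualio's required names.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Quality Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_attributes(assertion_xml):
    """Return a list of (attribute_name, problem) tuples for one SAML assertion."""
    problems = []
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        # A claim namespace set in Azure is emitted as a URI prefix on Name.
        if "://" in name or name.startswith("urn:"):
            problems.append((name, "namespaced claim name"))
        # Validate the optional role claim (assumption: exact, lowercase match).
        if name.rsplit("/", 1)[-1] == "role":
            bad = [v for v in values if v not in ALLOWED_ROLES]
            if bad or not values:
                problems.append((name, f"role value not allowed: {bad}"))
    return problems


if __name__ == "__main__":
    for name, problem in check_attributes(SAMPLE_ASSERTION):
        print(f"{name}: {problem}")
```

The check only reads attribute names and values from an unencrypted assertion; it does not verify the assertion's signature.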
Each account in Qualio will still require its own password for a digital signature. This password will also allow users to log in to the application (without using SSO).