We start by enabling it for the customer, within the Qualio software itself. So first:
- A Qualio staff member needs to ensure that the SSO checkbox is enabled in the customer account.
- Fill SSO domain (with data from Customer) - 99 times out of 100, this is the customer's email domain, after the @ (i.e., for Qualio it is ‘qualio.com’)
- Click ‘Save changes’
Integration with GSuite (for Quality users):
Go to Organization settings -> SSO/SAML
Click on Configure SSO/SAML Integration
Now we need key information from the customer and their GSuite account. I would think anyone wanting to use SSO will know what these things are - but we detail them here for completeness.
So they need to go to the GSuite admin panel (https://admin.google.com/)
Click SAML apps
Add new app by clicking button ‘+’
Click on “Setup My Own Custom App”
Copy SSO URL and paste it to the field ‘SSO Url’ in the Qualio admin panel (Step 2.)
Copy Entity Id and paste it to field ‘Entity Id’ in the Qualio admin panel (Step 2.)
Download Certificate from Google and upload to field ‘X.509 certificate’ in the Qualio admin panel - use the ‘Choose file’ button (Step 2.)
(Optional) Select ‘Disable Password Login’ if login must be possible only with SSO.
Go back to GSuite app configuration and click Next (it should be step 3.)
Fill Name, Description and Icon (up to Customer to Choose)
Click next, step 4
Copy ACS Url from Qualio admin Panel (Use the icon on right to copy) and paste in Field ACS URL.
Copy Service Provider Id from Qualio admin Panel (Use the icon on right to copy) and paste in Entity ID.
Select Signed Response.
Select Name ID Format to be EMAIL
Click ‘Add New Mapping’
Enter attribute name firstName, select category ‘Basic Information’, then select field ‘First Name’
Click ‘Add New Mapping’ and enter attribute name lastName, select category ‘Basic Information’, then select field ‘Last Name’
Click Finish and then OK.
You need to turn on the application. Click on Edit Service
Select option ‘ON for Everyone’
Click Save. Note, you may restrict access to certain users or groups. To do that you can change options in Groups or Organizational Units tab.
To log in, click on the button and scroll down to the newly added app. After clicking that, the user should be automatically logged in to Qualio.
- When the user logs in for the first time using SSO, a new account will be created / provisioned (if the user had not been invited earlier). The user’s role will be defaulted to basic.
- It is possible to change or set up user roles using Attribute Mapping. You can use Attribute Mapping with virtually every Identity Provider. We require an attribute called ‘role’. The possible values for this attribute are “basic”, “normal” or “quality”. You should be aware that this role will be updated each time the user logs in to Qualio using SSO. This behavior also applies to new (provisioned) users: if role attribute mapping is in place, the user will be created with the mapped role.
- Each account in Qualio will still require its own password for a digital signature. This password will also allow users to log in to the application without using SSO. To require users to log in only with SSO, select the option “Disable Password Login” in the Qualio SSO/SAML panel.
- NOTE: Please verify that SSO works before selecting this option
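Before selecting “Disable Password Login”, it helps to confirm that the identity provider is sending what the steps above configure. The following is an added example, not Qualio's or Google's code: it inspects a decoded SAML assertion for the EMAIL Name ID, the SSO domain, and the firstName, lastName and role attributes. The sample assertion is constructed, the function name is hypothetical, and the emailAddress URN is the standard SAML identifier assumed to correspond to the EMAIL option.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML URN; assumed to be what the 'EMAIL' Name ID Format emits.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"basic", "normal", "quality"}  # values listed on this page

# Constructed sample assertion (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>quality</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, sso_domain):
    """Return (role, problems). Inspects mapping only; the signature is NOT verified."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not EMAIL")
        domain = name_id.text.strip().rpartition("@")[2]
        if domain.lower() != sso_domain.lower():
            problems.append("NameID domain does not match SSO domain")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("firstName", "lastName"):
        if not attrs.get(required):
            problems.append(f"attribute {required} missing or empty")
    role = attrs.get("role")
    if role is None:
        role = "basic"  # page: a newly provisioned user defaults to basic
    elif role not in ALLOWED_ROLES:
        problems.append(f"role value {role!r} is not basic/normal/quality")
    return role, problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "example.com"))
```

Run it only on assertions from your own test login; an empty problem list means the mapping matches the steps above, not that the response is authentic.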