Because not all our customers choose to use SSO functionality, the feature settings are hidden until enabled by Qualio. Work with either your Customer Onboarding Manager or Qualio Support to request and enable this feature. Be sure to tell them which environment you wish to configure, either your sandbox or production.
If you would like SSO enabled in both sandbox and production environments, the SSO domain must be unique. Two instances cannot have the same domain active at one time.
Once enabled, any Quality User in your organization will be able to access the SSO settings. Go to Organization Settings, then select SSO/SAML on the left side menu.
Service Provider Information will be displayed to assist with the configuration later in this process. Values can be easily copied/pasted or downloaded as a file using the buttons on the right.
Integration with GSuite (for Quality users):
Go to Organization Settings -> SSO/SAML
Click on Configure SSO/SAML Integration
The next steps need key information from the customer's GSuite account. Anyone wanting to use SSO will probably know what these things are, but we detail them here for completeness.
Go to the GSuite admin panel (https://admin.google.com/)
Click SAML apps
Add a new app by clicking the ‘+’ button
Click on “Setup My Own Custom App”
Copy the SSO URL and paste it into the field ‘SSO Url’ in the Qualio admin panel (Step 2.)
Copy the Entity Id and paste it into the field ‘Entity Id’ in the Qualio admin panel (Step 2.)
Download the Certificate from Google and upload it to the field ‘X.509 certificate’ in the Qualio admin panel, using the ‘Choose file’ button (Step 2.)
(Optional) Check the box to Disable password login if you want users to log in ONLY with SSO. Selecting this option applies to all users, including yourself and your Qualio Onboarding Manager. ALERT: Please do NOT disable password login until AFTER Onboarding is complete, in order to avoid disruptions to Onboarding and migration activities.
Go back to the GSuite app configuration and click Next (it should be step 3.)
Fill in Name, Description and Icon (these are up to the customer to choose)
Click Next to go to step 4
Copy the ACS URL from the Qualio admin panel (use the icon on the right to copy) and paste it into the field ACS URL.
Copy the Service Provider Id from the Qualio admin panel (use the icon on the right to copy) and paste it into the field Entity ID.
Select Signed Response.
Set Name ID Format to EMAIL.
Click ‘Add New Mapping’
Enter attribute name firstName, select category ‘Basic Information’, then select field ‘First Name’
Click ‘Add New Mapping’ and enter attribute name lastName, select category ‘Basic Information’, then select field ‘Last Name’
Click Finish and then OK.
You need to turn on the application. Click on Edit Service.
Select option ‘ON for Everyone’
Click Save. Note that you may restrict access to certain users or groups. To do that, change the options in the Groups or Organizational Units tab.
To log in, click on the button and scroll down to the newly added app. After clicking that, the user should be automatically logged in to Qualio.
When the user logs in for the first time using SSO, a new account will be created / provisioned (if the user had not been invited earlier). The user’s role will default to basic.
It is possible to change or set up user roles using Attribute Mapping. You can use Attribute Mapping with virtually every Identity Provider. We require an attribute called ‘role’. The possible values for this attribute are “basic”, “normal” or “quality”. Be aware that this role will be updated each time the user logs in to Qualio using SSO. This behavior also applies to new (provisioned) users: if role attribute mapping is in place, the user will be created with the mapped role.
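To check the mapping before relying on it, the following added example (not Qualio's or Google's code) inspects a decoded SAML response captured from a test login and reports anything that does not match the steps above: no signature on the response, a Name ID format other than EMAIL, a missing firstName or lastName, or a role outside the three listed values. It only looks for the presence of a signature and does not validate it. The function name, the sample response, exact-case matching of role values and the position of the signature element are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"basic", "normal", "quality"}  # values listed in the article

def check_response(xml_text):
    """Return a list of problems in a decoded SAML Response (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    # Assumption: with "Signed Response" selected, ds:Signature is a direct
    # child of the Response element. Presence check only, no verification.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EMAIL")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    attrs = {}
    for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    for required in ("firstName", "lastName"):
        if not any(attrs.get(required, [])):
            problems.append(f"missing attribute {required}")
    # role is optional; assumption: one value, matched exactly as written above
    if "role" in attrs and (len(attrs["role"]) != 1 or attrs["role"][0] not in ALLOWED_ROLES):
        problems.append(f"unexpected role value {attrs['role']}")
    return problems

# Constructed, trimmed sample response (not real IdP output); role is wrong on purpose.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pat@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE))
```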
Each account in Qualio will still require its own password for digital signatures. This password also allows users to log in to the application without using SSO. To force users to log in only with SSO, select the option “Disable Password Login” in the Qualio SSO/SAML panel.
Please verify that SSO works before selecting this option.