Qualio is not an Identity Provider. Qualio supports Single Sign-On [hereafter known as SSO] as the client: it lets users who are authorized by your Identity Provider service log in automatically, and it creates their accounts. So in order to use SSO in Qualio, you must already have an identity service, in this case Okta.
The SSO function is not turned on by default. To enable it, please contact Qualio support. The required element is the email domain of your Qualio users [99% of the time, this is the bit after the @ sign - for us it's Qualio.com]. When the service is enabled, a special configuration panel will be made available where you can establish a connection with your identity provider.
1. Open SSO configuration page
- click on
then select Organization Settings. After the settings page loads, click on SSO/SAML.
- or go to the URL https://app.qualio.com/manage/idp while you are logged in to Qualio.
The initial configuration panel should look like this:
Note: this page will be accessible only for Quality users when the SSO feature is turned on for you.
2. Add a new configuration for SSO/SAML integration
Click on Configure SSO/SAML Configuration. The following panel should appear:
3. Get your local Okta Administrator to create the application integration. You want to add an application, like in the screenshot below.
It needs to be a SAML2 sign-on method.
4. Configure Integration in the Qualio admin panel
While configuring the new application (SAML 2.0), Okta will provide data that needs to be entered on the client side (Qualio). The fields should be named in a similar way. Integrating with Qualio requires passing 3 values:
- You need to go into Qualio Organization Settings and enter the Entity Id
- Sign in to the Okta Admin Dashboard to generate this variable. Within Okta it is called 'Identity Provider Issuer'
Once you have it, this value needs to be copied to this field in the Qualio administration panel:
- Next, you need the SSO URL
- Sign in to the Okta Admin Dashboard to generate this variable. Within Okta it is called 'Identity Provider Single Sign-On URL'
This value needs to be copied to this field in the Qualio administration panel:
- X.509 certificate (ensure it is saved as a file in PEM text format; sign in to the Okta Admin Dashboard to get it)
NOTE: If you download the certificate from Okta, you may have to rename the downloaded file's extension so that it is filename.PEM [on some systems we have seen it download as filename.cert].
Download the file (again, it will have the extension *.pem), then upload it using the following form:
After filling in those fields, click Save!
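Renaming a file's extension does not change its encoding, so before uploading it is worth confirming that the file really contains a single PEM-encoded certificate. The Python check below is an added example, not part of Qualio's or Okta's documentation or tooling; the function names and the sample bytes are constructed for illustration, and it checks only the container format, not the certificate's validity.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny DER SEQUENCE standing in for a certificate body.
# It is not a real certificate; it only exercises the format checks.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_cert_file(data: bytes) -> dict:
    """Report whether file contents are a single PEM certificate."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        return {"format": "pem-chain", "ok": False, "count": len(blocks)}
    if blocks:
        try:
            der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return {"format": "pem-corrupt", "ok": False}
        if der[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
            return {"format": "pem-corrupt", "ok": False}
        return {"format": "pem", "ok": True, "sha256": fingerprint(der)}
    if data[:1] == b"\x30":
        # Binary DER: renaming the file to .pem does not convert it.
        return {"format": "der", "ok": False, "sha256": fingerprint(data)}
    return {"format": "unknown", "ok": False}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_cert_file(fh.read()))
    else:
        print(inspect_cert_file(SAMPLE_PEM))
```

Running it with the path to the downloaded file prints the detected format and a SHA-256 fingerprint that the Okta administrator can compare against their own copy of the certificate.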
5. Configure Integration in the Identity Provider admin panel
- While configuring the new application (SAML 2.0), Okta will require data from the client (Qualio). Use the following fields to provide it:
For the SSO URL [in your Okta] use the ACS URL from above.
For your Okta entity URL, use the Service Provider Entity id from above.
Note: You can easily copy (or download as a file) those values by clicking on the buttons on the right.
6. Configure Attribute Mapping in the Identity Provider admin panel
- The last part is setting up attribute mapping. This step is important because it allows data to be synchronized from the Identity Provider to Qualio.
* This step is marked as optional in Okta, but your connection to Qualio will not work without the 4 attributes below.
We need you to set up and configure [please also use these names in this exact format]:
an identity field
The value of the identity field MUST be an e-mail.
Post Setup Work:
Once the configuration is complete, you can test the SSO login operation. The first option is to use the SSO application panel. You must log in as any user from your organization. So go to https://app.qualio.com/login, click on the button for Sign In with SSO/SAML, enter an email from someone in your company who should have access, and sign in.
If an error pops up when you try to log in, you may have a configuration error. If you are unable to fix the configuration using the information provided in the error, please contact Qualio support.
If the user is logging in for the first time using SSO, a new account will be created (if the user was not invited earlier). In this situation, the user’s role will be a basic user.
Each account in Qualio will still require its own password for a digital signature [or for when that user completes training, for example]. This password will also allow users to log in to the application (without using the IdP). To force users to log in only with SSO, select that checkbox in the Qualio SSO configuration screen. Please verify that SSO works before selecting this option. In the worst-case scenario, please contact Qualio Support.