Qualio is not an Identity Provider. Qualio supports Single Sign-On (hereafter known as SSO) as the client delivering a solution that allows you to automatically login and create users who are authorized by Identity Provider Service. Therefore, in order to use SSO in Qualio, you must already have an ID service such as OKTA.
Step 1: Enable SSO in Qualio
Because not all our customers choose to use SSO functionality, the feature settings are hidden until enabled by Qualio. Work with either your Customer Onboarding Manager or Qualio Support to request and enable this feature. Be sure to tell them which environment you wish to configure, either your sandbox or production, and your company domain. (Example: If your email is happyfeet@example.com, then the domain is "example.com")
Once enabled, any Quality User in your organization will be able to access the SSO settings. Go to Organization Settings, then select SSO/SAML on the left side menu.
Service Provider Information will be displayed to assist with the configuration later in this process. Values can be easily copied/pasted or downloaded as a file using the buttons on the right.
Step 2: Create Application Integration in OKTA Portal
A local OKTA Administrator will need to create the application integration within the OKTA Admin Console.
In the Admin Console, go to Applications > Applications.
Click Create App Integration.
Select SAML 2.0 as the Sign-on method.
Click Next.
Configure general settings
App name (example: Qualio Login)
App logo (optional)
App visibility
Click Next.
A page will then display important information required to connect OKTA and Qualio (Step 3).
Step 3: Configure SSO Provider in Qualio
A SAML 2.0 configuration requires a combination of information from both the Identity Provider (OKTA) and the client (Qualio).
In Qualio > Org Settings > SSO/SAML click the Configure SSO/SAML Integration button.
From the OKTA portal, copy data from the following fields into the similarly named fields in Qualio.
Single sign-on URL (OKTA) to SSO url (Qualio): The location to send the SAML assertion using a POST operation. This URL is required and serves as the default Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.
Audience URI (OKTA) to Entity ID (Qualio): The intended audience of the SAML assertion. This is usually the Entity ID of your application. Note: copy the entire value provided.
SAML Certificate: After you create the SAML app integration, the SAML Signing Certificates section appears on the Sign On tab. Perform the following steps to obtain the necessary settings to provide for your SAML app:
Set the Status for the certificate that you want to be Active.
If it isn’t active, select Activate in the Actions menu for another certificate, or click Generate new certificate and activate the new certificate.Under SAML Setup, click View SAML setup instructions.
Copy the IdP settings and download the certificate
Upload the certificate in Qualio on the SAML/SSO configuration page.
NOTE: Ensure it is saved in PEM text format. If you download the certificate from OKTA, you may have to rename the downloaded file extension into ‘filename.PEM’. We have seen some systems download as ‘filename.cert’.
(Optional) Check the box to Disable password login if you want users to ONLY login with SSO. Selecting this option applies to all users, including yourself and your Qualio Onboarding Manager. ALERT: Please do NOT disable password login till AFTER Onboarding is complete in order to avoid disruptions to Onboarding and migration activities.
Click save.
Step 4: Configure Integration in the Identity Provider admin panel
OKTA will require data from Qualio as well. Using the data found on the SSO/SAML page in Qualio, copy/paste and upload data to required fields.
For OKTA’s SSO URL, use the ACS URL found in Qualio’s SSO Service Provider Information.
For OKTA’s entity URL, use the Service Provider Entity id found in Qualio’s SSO service Provider Information.
Note: You can easily copy (or download as a file) those values by clicking on the buttons on the right.
Step 5: Configure Attribute Mapping
The last step is setting up attribute mapping. This step is important because it allows synchronizing data from Identity Provider to Qualio. This step is marked as optional in OKTA, but your connection to Qualio will not work without the 4 attributes and exact formatting below:
Choose one of the following; does not require both:
firstName and lastName
fullName
an identity field: MUST be an e-mail
Once the configuration is complete you can test the SSO login operation. You must login as any user from your organization. Go to https://app.qualio.com/login, click on the button to Sign In with SSO/SAML. Enter your email with your service provider and sign in.
If an error occurs when you try to log in you may have a configuration error. If you are unable to fix the configuration using the information provided in the error please contact Qualio support.
IMPORTANT NOTE ABOUT PASSWORDS Upon the first time logging in, each user will still need to set up their Qualio password for the purpose of logging that user’s digital signature. This password should be different from the user’s SSO password (for security purposes). This password will allow users to log into the application as well (without using SSO) unless the optional checkbox to disable password login is checked. |