SSO Overview and Management

Protect your account with SSO

Written by Lydia Olu-Harding
Updated over a week ago

Qualio can connect with select SSO providers. However, SSO integrations are not included in every price plan. Customers can verify whether their price package includes SSO by reviewing their contract, or by consulting their Customer Success Manager if they have questions or are interested in adding SSO to their contract.

Currently, Qualio officially supports an SSO integration with the providers listed below. If you use a different Identity Provider (IdP) that can support an integration using SAML 2.0, please feel welcome to reach out to our Support team and we’ll help as much as we can.

SSO still requires a unique Qualio Password

Even if SSO is enabled and configured for your organization, users will still need to create a unique Qualio password for workflow actions like approving a document or completing training. This means that during initial login, new users will be prompted to create a new Qualio password.

This may also mean that users will be prompted to change their Qualio password if Password expiry is enabled. If you are getting a notification in Qualio to change your password, like the image below, it is referring to your Qualio password, not your SSO password, which is used to log in to multiple other web applications. Click the button below for details on how to change your Qualio password.

SSO can also provision and update users

SSO configuration can create new user accounts as well as help users log in. This applies to new users and saves time for Qualio Administrators. If configured, when a new user logs into Qualio for the first time, a new Qualio user account will be created with the identity information provided by the customer’s SSO provider. The new user will have a Basic user role, which will allow them to read effective documents and complete training.

This is the default configuration when using the set up instructions on our Help Center. Modifying this configuration must be done from the customer’s SSO portal exclusively; it cannot be disabled or enabled from Qualio. Consult with your SSO provider for more information.

CAUTION! If SSO is configured to provision new user accounts on first login, IdP Administrators will need to be mindful when changing a user’s email address. See the details below on how to avoid creating duplicate accounts.

Updating User Emails with SSO Enabled

Email addresses are the unique identifier for each Qualio User. But sometimes email addresses need to be updated, either because of an individual name change or because an entire organization was rebranded or acquired. When an email address change is made in the IdP, we recommend a specific order of operations for the change and the next user login to avoid creating “duplicate” accounts.

  1. (For email domain changes only. This step is not necessary if the user name portion of an email address needs to be updated.) Notify Qualio Support of the change in email domain. A backend edit will need to be made to update the domain. (We strongly recommend coordinating this change with IT and communicating dates/times with existing Qualio users to avoid failed logins.)

  2. Edit the email address(es) in Qualio. Qualio Admin users can edit user records by browsing to the user record from the Admin panel. The Name and Email fields are editable.

  3. Edit the email address(es) in the IdP. (It technically doesn’t matter if this is done first. What does matter is that users do not log in before all changes have been made.)

  4. Users log into Qualio using the SSO login button and their new email address. The Qualio login process will query the IdP for the new email address, get confirmation that the user exists, and log the user in.

If the IdP is updated AND the user logs in before the email address is changed in Qualio, a new user account will be created because Qualio will not recognize the new email address. This means the new user would have no training history and would need to complete training again. Also, any document or event tasks would still be assigned to the original user…basically you’d have a mess.

But if this happens, it can be corrected. Let’s use an example of the company rebranding. Jane’s email address is updated in the SSO IdP to the companyB email address prior to updating the email in Qualio, and she logs into Qualio using her new email address. So now we have two users, one with companyA and one with companyB user IDs, and a frustrated Jane because she can’t access her original user account.

Original user ID: jane.doe@companyA.com

New user ID: jane.doe@companyB.com

  1. A Qualio Admin must first edit the new user (companyB) by updating the email address to something that will not be used, like jane.doe_donotuse@companyB.com.

  2. Then, edit the original user (companyA) to the correct new email address that matches the SSO IdP, jane.doe@companyB.com.

  3. Remove the extra user (jane.doe_donotuse@companyB.com).

  4. Lastly, confirm that Jane logs into Qualio successfully using jane.doe@companyB.com.

ALERT! If SSO is configured to share the user’s Name using attribute mapping, and a user manually changes their name in Qualio without updating the name in the IdP, the Name field will be overwritten with each login to reflect the name in the IdP.

Integration Limits

Please be aware that there are some current limitations to an SSO integration with Qualio. Below are the three that are most commonly requested.

Can’t Add Multiple Domains

We are beginning to see more complex implementations with customers who may have users in multiple domains, all requiring access to Qualio. This is often a requirement when a customer has:

  • Multiple physical locations or multiple LLCs/businesses under 1 umbrella requiring separate IT resources

  • Contractors who are not in the customer’s IdP, but are required to sign off on training within Qualio

A Qualio SSO integration can only support 1 domain.

Can’t Bypass Login Screen

SSO portals often include a page of linked applications for the user’s convenience. Users can bookmark that page and use it to launch and immediately log in to an application, bypassing the app’s login screen.

Qualio SSO integration cannot bypass the login screen. Users will be directed to our login page.

Can’t Delete Users

If an employee is terminated and removed from the IdP, it will only prevent the user from logging into Qualio with their SSO credentials. The user can still log in with their Qualio password.

Qualio Administrators will need to manually remove users from Qualio.
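The two account-hygiene problems described above (duplicate accounts after an email change, and accounts that remain usable after removal from the IdP) can be caught by periodically comparing a user list from each side. The following is an added example, not Qualio tooling; the CSV column names and the sample rows are constructed assumptions, not a documented export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. The column names are assumptions for this
# example, not a documented Qualio or IdP export format.
IDP_CSV = """email,status
jane.doe@companyB.com,active
sam.lee@companyB.com,active
"""
QUALIO_CSV = """email,name,active
jane.doe@companyA.com,Jane Doe,true
jane.doe@companyB.com,Jane Doe,true
sam.lee@companyB.com,Sam Lee,true
pat.kim@companyB.com,Pat Kim,true
auditor@external.example,Ext Auditor,true
"""

def load(text):
    """Parse a CSV export and normalise emails for comparison."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["email"] = row["email"].strip().lower()
    return rows

def not_in_idp(qualio_rows, idp_rows):
    """Active Qualio accounts with no active IdP user: leavers, stale
    emails, or external users who rely on their Qualio password."""
    idp_active = {r["email"] for r in idp_rows if r["status"] == "active"}
    return sorted(r["email"] for r in qualio_rows
                  if r["active"] == "true" and r["email"] not in idp_active)

def duplicate_candidates(qualio_rows):
    """Accounts sharing a local part across domains, the pattern left
    behind when a user logs in before the Qualio email was updated."""
    by_local = defaultdict(set)
    for row in qualio_rows:
        by_local[row["email"].partition("@")[0]].add(row["email"])
    return {k: sorted(v) for k, v in by_local.items() if len(v) > 1}

if __name__ == "__main__":
    qualio, idp = load(QUALIO_CSV), load(IDP_CSV)
    print("Review (not in IdP):", not_in_idp(qualio, idp))
    print("Possible duplicates:", duplicate_candidates(qualio))
```

Every address returned by `not_in_idp` needs a decision: external contractors and auditors are expected there, while former employees must be removed manually in Qualio.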

SSO FAQ

  • Can a contractor or auditor log in to Qualio if their email address domain does not match the SSO domain?

    • Yes, but only if the Disable password login checkbox is unchecked (SSO/SAML setup page). Qualio Admins can manually create user accounts for external employees, and the external employees would need to log in to Qualio using their Qualio password.

  • If I change my SSO password, does that change my Qualio password too?

    • No; your Qualio password is stored safely and independently on Qualio servers, whereas your SSO password is saved and stored with your SSO provider. Changing one will not affect the other.

  • If a terminated employee’s record is updated in the IdP and access to SSO web applications is shut down, can they still access their Qualio account?

    • If the Disable Password Login checkbox is checked, then the terminated employee would not be able to log in with their Qualio password.

    • If the Disable Password Login checkbox is NOT checked, then yes, the terminated employee would be able to access Qualio with their Qualio password. That is why we recommend Qualio be added to an Admin’s Termination checklist.

  • If we have user accounts set up in Qualio prior to setting up SSO, what will happen when those existing employees log in through SSO for the first time? Will duplicate accounts be created?

    • No; as long as the existing users have matching emails in Qualio and the IdP, a new account will not be created.

  • Should SSO be configured and tested in a sandbox before configuring in Production?

    • That’s your call. We recommend testing the SSO connection after setup, before inviting all your users to log in, but there is no technical reason to set up SSO twice. It is simply a matter of your organization’s risk management preference.

    • If you choose to test SSO configuration in a sandbox first, you will need to disable the connection in your sandbox before configuring in your production account. Your Onboarding Manager can assist if needed to point your domain to the correct, singular Qualio account.

    • Also, while testing, we recommend:

      • Confirming that you can log in with your SSO credentials

      • Confirming that only one account is generated for a new user

      • Confirming that a user account was NOT created for an existing user.

  • Does Qualio support MFA (multi-factor authentication)?

  • I log in using SSO and when I export a document, timestamps are not displayed. Why is this happening?

    • When users log in for the first time via SSO, their timezone is not automatically set. Set your time zone via Your Account Settings.
