Set up single sign-on (SSO) for your Qualifio account

Tabata Vossen

Qualifio can be integrated with your organisation’s existing login system instead of (or in addition to) Qualifio’s own mechanism to manage user authentication. By using an existing identity provider, your team members will sign into Qualifio using the same single sign-on (SSO) credentials they use with other internal applications.

SSO is only available to users of Qualifio Gold and Qualifio Platinum. Check with your Qualifio Account Manager to see if SSO is available for your license.

What's on this page:

What is single sign-on?
Advantages of SSO
Types of SSO configurations
How to implement SSO
FAQs
Troubleshooting SSO

What is single sign-on?

Single sign-on (SSO) is an authentication method that enables users to use just one set of credentials — for example, an email and password — to access multiple applications.

Great! But why would anyone bother with this?

Advantages of SSO

  • The biggest advantage of using SSO is that users create, manage and remember fewer sets of credentials, rather than one for each application or service.
  • This, in turn, makes the process of getting access to your applications much faster and more convenient — no need to reenter passwords.
  • It cuts down on the amount of time wasted on password- and login-related assistance requests for your helpdesk.
  • You can centrally control policies like strong passwords and multi-factor authentication, adding one more security level to your applications.

In short, SSO can increase your employee efficiency and business productivity.

Types of SSO configurations

The following single sign-on protocols and identity providers are supported:

  • Social SSO provided by Google (G Suite)
  • Microsoft’s Azure Active Directory (Azure AD)
  • OAuth (specifically OAuth 2.0 nowadays)
  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)

Can't find your IDP? Contact us.

How to implement SSO

High-level instructions

Enabling SSO requires some changes in your Identity Provider (IDP) and in Qualifio. There are five stages:

  1. You send a request to your contact at Qualifio.
  2. You configure your IDP to enable SSO for Qualifio.
  3. We configure Qualifio to authenticate your users via SSO, using the email domains you sent us.
  4. You test your SSO connection to verify whether the configuration works.
  5. Once the test has been completed successfully, we enable SSO for your users.

💡 Tip
By default, Qualifio supports a mixed authentication scenario where users can authenticate by using SSO or by using their Qualifio username and password credentials. Alternatively, we support an SSO-only mode. This means that you can require users to log in to Qualifio using their SSO credentials.

Prerequisites

How SSO is implemented depends on the SSO solution you are working with. Whatever the specifics, make sure you send us your email domains.

Here are more detailed instructions for each Identity Provider (IDP):

Azure AD

If you are integrating Azure AD SSO with Qualifio, you might be asked at your first login to trust Qualifio for your organisation.

OAuth and OpenID Connect (OIDC)

With OAuth 2.0 and OIDC, we need the following from you:

  • Authorisation URL
  • Token URL
  • Client ID
  • Client Secret
  • Issuer
  • Token validation (JWKS URL or Public Key)

The above are all essential to complete the configuration correctly and test SSO. Alternatively, you may provide an auto-configuration URL or file (JSON).
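
A pre-flight check for the auto-configuration JSON, added here as an example (not Qualifio's code). It assumes the file is a standard OIDC discovery document, where the values listed above appear as authorization_endpoint, token_endpoint, issuer and jwks_uri; the sample documents and the host idp.example.com are constructed.

```python
import json
from urllib.parse import urlsplit

# Parameter named on this page -> field in an OIDC discovery document.
# Client ID and Client Secret never appear in that document.
DISCOVERY_FIELDS = {
    "Authorisation URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Issuer": "issuer",
    "Token validation (JWKS URL)": "jwks_uri",
}


def check_discovery(raw_json):
    """Return a list of problems; an empty list means all four values are usable."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    for label, field in DISCOVERY_FIELDS.items():
        value = doc.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{label}: '{field}' is missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{label}: '{field}' is not an https URL")
        elif field == "issuer" and (parts.query or parts.fragment):
            problems.append("Issuer: 'issuer' must not carry a query or fragment")
    return problems


# Constructed sample documents; idp.example.com is a placeholder host.
GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})
BAD = json.dumps({"issuer": "http://idp.example.com",
                  "token_endpoint": "https://idp.example.com/oauth2/token"})

if __name__ == "__main__":
    print(check_discovery(GOOD) or "discovery document covers all four values")
    print("\n".join(check_discovery(BAD)))
```

The Client ID and Client Secret are not part of a discovery document, so they still have to be provided separately.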

FAQs

Can I use multiple identity providers?

Yes, you can configure more than one SSO method. If you choose to do this, you will need to provide different email addresses/domains for each Identity Provider (IDP) and define the association between email domains and IDPs.

For example: you could define the domain exampleone.com to match one IDP and then define exampletwo.com to be paired with another IDP. This would cause email addresses that end with @exampleone.com to use a different IDP than email addresses that end with @exampletwo.com.

Note: This doesn’t apply to Google or Azure. With those two, you can set up a multi-provider SSO, i.e. users can log in with the same email address using either your SAML/OpenID/OAuth SSO or Google/Azure. For example: when configuring both Azure AD and a SAML identity provider, email addresses that end with @example.com could be used with both IDPs.
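
The domain rule above, written as a check you can run on your own domain-to-IDP plan before sending it to us. This is an added example, not Qualifio's code: the IDP names, the type labels ("saml", "oidc", "azure", "google") and the function names are hypothetical, and the plan is constructed.

```python
# IDP types that, per the note above, may share an email domain with another IDP.
SHAREABLE = {"google", "azure"}


def check_plan(plan):
    """plan: list of (email_domain, idp_name, idp_type). Returns {domain: [idp_name, ...]}."""
    routes, exclusive = {}, {}
    for domain, name, idp_type in plan:
        domain = domain.strip().lower().lstrip("@")
        if idp_type not in SHAREABLE:
            # SAML / OIDC / OAuth: a domain can be tied to only one such IDP.
            if exclusive.setdefault(domain, name) != name:
                raise ValueError(
                    f"{domain} is assigned to both {exclusive[domain]} and {name}")
        names = routes.setdefault(domain, [])
        if name not in names:
            names.append(name)
    return routes


def idps_for(email, routes):
    """IDPs that apply to an address, matching the whole domain after the last '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return []  # not an email address
    return routes.get(domain.lower(), [])


# Constructed plan: two domains on separate IDPs, plus Azure AD sharing one domain.
PLAN = [
    ("exampleone.com", "saml-corp", "saml"),
    ("exampletwo.com", "oidc-agency", "oidc"),
    ("exampleone.com", "azure-corp", "azure"),
]

if __name__ == "__main__":
    routes = check_plan(PLAN)
    for address in ("Ana@ExampleOne.com", "bo@exampletwo.com",
                    "cy@mail.exampleone.com", "di@notexampleone.com"):
        print(address, "->", idps_for(address, routes) or "no SSO route")
```

Addresses on a subdomain or a look-alike domain get no route, because only addresses ending in exactly @exampleone.com or @exampletwo.com match.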

Is provisioning and deprovisioning of SSO users automatic?

Only users provisioned in Qualifio are able to authenticate via your selected IDP. If you need to add Qualifio access for users, you’ll need to provision them at your IDP and at Qualifio.

If SSO-only mode is enabled, when you remove someone from your IDP, they will automatically lose access to your Qualifio account.

I changed my email domain. Will I still be able to log in via SSO?

If you change your email domain, you won’t be able to log in via SSO authentication. You’re welcome to reach out to us and request any necessary changes. If you are still using both domains during a transition period, we can keep both domains.

How do I reset or change an SSO user's password?

You must reset the SSO password with your IDP. If an SSO-enabled user clicks on the “Forgot your password?” link on the Qualifio login page, they will be sent an email with a link to reset their password. However, this will only reset the password for Qualifio’s own authentication mechanism.

If I need to use my Qualifio credentials, will my password remain what it was before SSO was enabled?

The password will remain the same as before SSO was enabled. Take note that if the previous password has expired during the time you were using SSO, then a password reset might be needed.

Troubleshooting SSO

In case you run into problems or have any other questions, do not hesitate to contact us.