Qualifio can be integrated with your organisation’s existing login system instead of (or in addition to) Qualifio’s own mechanism to manage user authentication. By using an existing identity provider, your team members will sign into Qualifio using the same single sign-on (SSO) credentials they use with other internal applications.
What's on this page:
What is single sign-on?
Single sign-on (SSO) is an authentication method that enables users to use just one set of credentials — for example, an email and password — to access multiple applications.
Great! But why would anyone bother with this?
Advantages of SSO
- The biggest advantage of using SSO is that it enables users to create, manage and remember fewer sets of credentials for each application or service.
- This, in turn, makes the process of getting access to your applications much faster and more convenient — no need to reenter passwords.
- It cuts down on the amount of time wasted on password- and login-related assistance requests for your helpdesk.
- You can centrally control policies like strong passwords and multi-factor authentication, adding one more security level to your applications.
In short, SSO can increase your employee efficiency and business productivity.
Types of SSO configurations
The following single sign-on protocols and identity providers are supported:
- Social SSO provided by Google (G Suite)
- Microsoft’s Azure Active Directory (Azure AD)
- OAuth (specifically OAuth 2.0 nowadays)
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML)
Can't find your IDP? Contact us.
How to implement SSO
Enabling SSO requires some changes in your Identity Provider (IDP) and in Qualifio. There are five stages:
- You send a request to your contact at Qualifio.
- You configure your IDP to enable SSO for Qualifio.
- We configure Qualifio to authenticate your users via SSO, using the email domains you sent us.
- You test your SSO connection to verify whether the configuration works.
- Once the test has been completed successfully, we enable SSO for your users.
By default, Qualifio supports a mixed authentication scenario where users can authenticate by using SSO or by using their Qualifio username and password credentials. Alternatively, we support an SSO-only mode. This means that you can require users to log in to Qualifio using their SSO credentials.
The specifics on how an SSO solution is implemented will differ depending on what exact SSO solution you are working with. But no matter what the specifics are, you need to make sure you send us your email domains.
Here are more detailed instructions for each Identity Provider (IDP):
If you are a user integrating an Azure SSO with Qualifio, upon your first login, you might be asked to trust Qualifio for your organisation.
OAuth and OpenID Connect (OIDC)
With OAuth 2.0 and OICD:
- Authorisation URL
- Token URL
- Client ID
- Client Secret
- Token validation (JWKS URL or Public Key)
The above are all essential to complete the configuration correctly and test SSO. Alternatively, you may provide an auto-configuration URL or file (JSON).
Can I use multiple identity providers?
Yes, you can configure more than one SSO method. If you choose to do this, you will need to provide different email addresses/domains for each Identity Provider (IDP) and define the association between email domains and IDPs.
For example: you could define the domain exampleone.com to match one IDP and then define exampletwo.com to be paired with another IDP. This would cause email addresses that end with @exampleone.com to use a different IDP than email addresses that end with @exampletwo.com.
Note: Please note that this doesn’t apply to Google nor Azure. With those two, you can set up a multi-provider SSO, i.e. users can either log in with the same email address using your SAML/OpenID/oAuth SSO or Google/Azure. For example: when configuring both Azure AD and a SAML identity provider, email addresses that end with @example.com could be used with both IDPs.
Is provisioning and deprovisioning of SSO users automatic?
Only users provisioned in Qualifio are able to authenticate via your selected IDP. If you need to add Qualifio access for users, you’ll need to provision them at your IDP and at Qualifio.
If SSO-only mode is enabled, when you remove someone from your IdP, they will automatically lose access to your Qualifio account.
I changed my email domain. Will I still be able to log in via SSO?
If you change your email domain, you won’t be able to log in via SSO authentication. You’re welcome to reach out to us and request any necessary changes. If you are still using both domains during a transition period, we can keep both domains.
How to reset or change an SSO user's password?
You must reset the SSO password with your IDP. If an SSO-enabled user clicks on the “Forgot your password?” link on the Qualifio login page, they will be sent an email with a link to reset their password. However, this will only reset the password for Qualifio’s own authentication mechanism.
If I need to use my Qualifio credentials, will my password remain what it was before SSO was enabled?
The password will remain the same as before SSO was enabled. Take note that if the previous password has expired during the time you were using SSO, then a password reset might be needed.
In case you run into problems or have any other questions, do not hesitate to contact us.