Single sign-on based on OAuth 2.0

Tabata Vossen

Qualifio provides a standard OAuth 2.0 integration for most SSO services using the OAuth 2.0 authorisation protocol. This integration allows you to connect your Qualifio campaigns with your identity provider (IdP) database. In this article, we’ll take a closer look at this standard OAuth 2.0 integration.

Note: This built-in integration supports the standard OAuth 2.0 protocol (Authorisation Code grant). Additionally, Qualifio can provide SSO integrations for any other protocols or services. Contact your Qualifio representative directly for this type of request.

What is OAuth?

OAuth is a technical standard and one of the most common methods used to pass authorisation from an SSO service to another application. In other words, it enables a third-party application (such as Qualifio) to securely obtain limited access to user accounts.

We will go through a practical example. Suppose Allan wants to take part in one of your campaigns. By enabling SSO, you’re allowing Qualifio to access his online account, so that Allan can participate with the credentials he already knows. The OAuth protocol is used behind the scenes to enable Qualifio to access the necessary data from your SSO.

Read an article about SSO integrations to learn more.

How to configure SSO with OAuth 2.0?

Prerequisites

Before you can set up an OAuth 2.0 SSO, you must:

  • Have an OAuth 2.0 IdP offering user accounts.
  • Use the standard OAuth 2.0 protocol (Authorisation Code grant).
  • Have a login page allowing users to access their accounts.

Let's start!

Enabling OAuth 2.0 SSO in Qualifio

Click on Integrations under Settings in the top menu and filter on “SSO” to find the OAuth 2.0 integration. As an admin of your Qualifio account, you’ll see the OAuth integration if you have the SSO using OAuth 2.0 integration enabled (contact your Customer Success Manager if you do not).

Configuring OAuth 2.0

Here you'll configure your SSO integration. You will be presented with the following fields, which you need to fill in with the information you get from the IdP side:

Note: In order to generate a client ID and client secret for Qualifio, you might have to whitelist this URL: https://player.qualifio.com/oauth/callback
  • Client Id* (as generated by IdP)
  • Client secret* (as generated by IdP)
  • Authorisation endpoint* (URL that participants will be redirected to for login)
  • Token endpoint* (URL that will be used to fetch participant info)
  • Token scope (optional – defines the information Qualifio will be able to access within a profile in the IdP database)

*Indicates required fields
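
How these fields fit into the Authorisation Code grant, as an added example (not Qualifio's code): a generic OAuth 2.0 client per RFC 6749 that builds the login redirect, checks the callback and prepares the token request, plus the exact-match check an IdP applies to the whitelisted callback URL. The IdP URLs, credentials, `state` handling and function names are assumptions; only the callback URL comes from this article.

```python
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; the IdP URLs and credentials are placeholders.
CONFIG = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "authorisation_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "scope": "profile email",  # optional field
    "redirect_uri": "https://player.qualifio.com/oauth/callback",
}

def build_authorisation_url(cfg, state):
    """Step 1: URL the participant is redirected to for login at the IdP."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_uri"], "state": state}
    if cfg.get("scope"):
        params["scope"] = cfg["scope"]
    sep = "&" if "?" in cfg["authorisation_endpoint"] else "?"
    return cfg["authorisation_endpoint"] + sep + urlencode(params)

def redirect_uri_allowed(requested, allowlist):
    """IdP side: exact string match only, no prefix or wildcard matching."""
    return requested in allowlist

def parse_callback(callback_url, expected_state):
    """Step 2: accept the code only if state equals the value issued in step 1."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorisation code")
    return code

def build_token_request(cfg, code):
    """Step 3: form body sent server-to-server to the token endpoint."""
    return cfg["token_endpoint"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }
```

The `state` value should be random per login attempt (for example from `secrets.token_urlsafe`) and tied to the participant's session; the client secret only ever appears in the server-side token request, never in the browser redirect.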

Permission required to configure OAuth 2.0 in Qualifio
You must have a Qualifio account with the "Administrator" role in order to configure OAuth 2.0 SSO in Qualifio.

Customising the SSO profile mapping

Finally, once you’ve installed your configuration, a specific mapping needs to be implemented in order to match Qualifio fields to the fields of your SSO service. This will enable prefilling for campaign forms and provide participants with an SSO experience.

❗️You cannot manage the mapping yourself, but you can enable our developers to configure it based on your needs. To do so, send the mapping information to Qualifio in the form of a table (we have a template you can use now) listing all fields to be pulled from your IdP. For everyone who is not familiar with SSO: you'll get the mapping information from your internal IT services.

That's it!

Your integration is now configured to provide SSO to your participants, who may take part in your campaigns with their user account stored in your OAuth 2.0 IdP.

Frequently asked questions

Does Qualifio integrate with other SSO providers & authorisation protocols?

Currently, OAuth 2.0 is the only authorisation protocol supported through the standard OAuth 2.0 SSO integration. However, Qualifio integrates with a variety of SSO providers using other protocols to build authorisation flows, and also offers customisations as a service. Contact us to talk to an expert about how you can easily start using yours.

Does this integration update user profiles (pushback)?

Not in standalone mode. Using our standard OAuth 2.0 integration allows authenticating the participant and prefilling the form based on the data pulled from your IdP database, but user profile updates are not pushed back to the SSO application.

However, it is possible to use a webhook to update the user profile. In that case, it is a good practice to create form fields that are shown even when prefilled so that the participant sees the information pulled from your IdP database and can update their profile if needed.

With the webhook enabled, Qualifio can push user profile updates to the receiving URL set up in your account. From there, your IT staff should be able to develop custom business rules in order to update the user’s record in your IdP database.

Alternatively, if you have a custom SSO integration with us, updates to user profiles may be pushed to your IdP database. Contact us to talk to an expert.

Troubleshooting SSO based on OAuth 2.0

We’re always here to help! If you need further assistance, you can reach out to Qualifio Support and we can quickly escalate your issue to our engineers. Additionally, the more information you can provide to us, the better we can help (screenshots, test logins, etc.).