This article covers the steps required to set up Single Sign-On (SSO) with our QA Self-Paced Learning Platform. This feature is available to Enterprise accounts and you must be an Admin to access the screen in the application where you perform this procedure. When you set up SSO, users at your company can use their regular credentials to sign in to our Platform and mobile app. You can configure SSO with whichever Identity Provider your company uses, such as OneLogin, Okta, Delinea, or Azure AD.
Notes:
- You will need access to the configuration information from your Identity Provider (IdP). If you don’t have this information, we recommend that you contact your internal IT or Technical teams to gather this information.
- This article contains different URLs to use in your configuration. Choose the URL that relates to the type of account you are using.
- Our Platform uses SAML 2.0 and currently supports only SP-initiated (Service Provider-initiated) workflows.
- From 3 September 2024, the platform domain is platform.qa.com.
How to Set Up Single Sign-on
Step 1: Create a SAML application on your Identity Provider (IdP)
Create the SSO SAML application as per your IdP instructions. Perform this step before continuing to configure the integration. The steps vary depending on which IdP you use, so please refer to your Identity Provider's documentation for specific guidelines.
Tip: If you are not sure of the details required to perform this step, we recommend that you contact your internal IT or technical teams to gather this information before starting Step 2.
Step 2: Complete the SSO settings on the Integrations-SSO screen on the Platform
Once you have an account and admin access, navigate to the Integrations-SSO screen. You will see a message with information to start configuring SSO.
Tip: Your Customer Success representative will help you to set up an account and admin access to complete these settings.
Click Start Configuring to open the configurations screen. The image below shows an example of the General Settings section.
- SSO URL (Location): The endpoint for handling SAML transactions. You can get this value from your IdP.
- Certificate: The X.509 certificate your IdP uses to sign SAML messages, which lets the Platform verify that responses come from your IdP. You can get this value from your IdP.
The image below is an example of the SAML Attributes Mapping, Security Settings, and Extra Settings sections of the window. Complete the fields with the information from the SAML application created by your IdP.
SAML Attributes Mapping
- Permanent User ID: Enter the name of the field that holds the ID your Identity Provider uses to identify your users.
Tip: Avoid using an email address as an ID so the user can still log into their account even when their email address within the company changes.
- First Name: Enter the IdP field that contains the user's first name. If you are integrating with Microsoft Active Directory, this value is a URI.
- Last Name: Enter the IdP field that contains the user's last name. If you are integrating with Microsoft Active Directory, this value is a URI.
- E-mail: Enter the IdP field that contains the user's email address. E.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. If you are integrating with Microsoft Active Directory, this value is a URI.
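A pre-flight check for the mapping fields above, as an added example that is not part of the original article or the Platform's own code: it reads the attributes from a sample assertion and reports mapped names that are missing or empty, plus a Permanent User ID whose value looks like an email address. The `employeeNumber` attribute name and the sample assertion are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample of the attributes an IdP might release (not real data).
# This only inspects attribute names and values; it verifies no signature.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>E-10423</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_attributes(assertion_xml):
    """Return {attribute name: first value} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_mapping(mapping, assertion_xml):
    """Return a list of problems found when applying the mapping to the assertion."""
    attrs = read_attributes(assertion_xml)
    problems = []
    for field, name in mapping.items():
        if not attrs.get(name):
            problems.append(f"{field}: attribute '{name}' missing or empty")
    # An email-shaped ID breaks account continuity when the address changes.
    user_id = attrs.get(mapping.get("Permanent User ID", ""), "")
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user_id):
        problems.append("Permanent User ID: value looks like an email address")
    return problems
```

Running `check_mapping` against an assertion captured from your own IdP's test user, before clicking Save and Test, shows which mapped names the IdP is not actually releasing.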
Security Settings
- Authentication Requests Signed? Indicates whether your configuration requires authentication requests to be signed for security. Select this check box to set this value to True.
Extra Settings
- Logout URL: The landing page URL where users go after logging out. This is an optional field.
- 'Send email to all members to inform them that they can now log in with SSO': Select this check box if you want to send an invitation email to all members in your organization.
Click Save and Test. The window below will appear (values have been hidden in this example).
Step 3: Configure Your IdP Manually or Using the XML File
Use the information on the Set up Your Service Provider Information window to complete your service provider information fields. When you're done, return to the window above and click the Continue button to start testing.
The test window below will appear. Click Test SSO Connection to start the test.
If the configuration has problems, an error window appears with information to help you identify the issues. Update your configuration and try the test again.
If the configuration is set up correctly, a window confirming that the test was successful will appear.
Once the test is successful, return to the Platform and click the Test was successful button below to apply your configurations.
Note: Users won't be able to log in with SSO until you click Test was successful.
How to Migrate Users to SSO
Some or all of your users may have begun using the application before you set up SSO. These users are accustomed to signing in to the web Platform from https://platform.qa.com/login/ or https://myqa.qa.com/account/login and the mobile app from the initial splash window.
When you set up SSO, users can continue using their standard login procedure until they change to the custom process.
Once a user logs onto the Platform using the Login to your company workspace button, the custom URL, or the mobile app using the company's SSO login window for the first time, the application migrates the account to require using SSO going forward.
How to Make Changes Later
You can return to this Settings window to update your configuration later if you need to. For example, see How do I add email domains to my SSO configuration?
To make changes to your users' information, make the changes in your IdP and the changes will flow naturally into QA. For example, see How do I change a user's email address if my enterprise has SSO enabled?
How to Log In to our Platform with SSO
Before you set up SSO, your early users probably used email addresses and passwords to log in. After you set up SSO, your users should access the Login Page and click on the Login to your company workspace button.
Tip: We recommend that you tell your users which subdomain value is configured; they will need to use that value in this login flow.
A screen appears where the users need to enter the company subdomain value you configured.
Once the user enters the value and clicks Continue, they will be redirected to your company's Identity Provider to authenticate with their username and password.
Alternatively, your users can also go directly to your company's custom URL (also called your company's "vanity URL") to log in to the application on the web Platform. The URL looks something like this:
https://{subdomain}.sso.platform.qa.com/ or https://{subdomain}.sso.app.qa.com/
Where the token {subdomain} is a value that you choose. For example, the URL might look like the following if the value you choose for {subdomain} is acme:
https://acme.sso.platform.qa.com/
The {subdomain} value you choose must be unique across all accounts to ensure you have a unique custom URL.
Tip: Choose a simple subdomain value for your unique identifier to make your login URL easier to remember and type. This subdomain value is configurable by an Admin in the Company Settings.
How to Log In to the Mobile App with SSO
When users log on to the Mobile App, they can log in with SSO by clicking the Login with Company SSO button, entering their company subdomain, and clicking Login with Company SSO. The user will then be redirected to your company’s IdP to authenticate with a username and password.