Configuring Single Sign-On (SSO) with Passly
This article explains how to configure the SAML SSO integration of Passly with CyberQP.
Prerequisites
- Administrator role for Passly
- Passly configured with the user accounts that will be used for accessing CyberQP.
- Primary or Super Role in CyberQP
- All of your Technicians configured in Login Management in CyberQP will need an account in Passly with exactly the same email address.
Manual - https://support.getquickpass.com/hc/en-us/articles/360040722434-How-to-Setup-Quickpass-Dashboard-Logins
Bulk Import - https://support.getquickpass.com/hc/en-us/articles/4411037813783-How-to-Bulk-Import-Quickpass-Dashboard-Logins-
Note: the Primary and Super Roles will still be able to log in with their CyberQP Account username and password to allow access in the case of challenges with the SSO.
- Create a User Group to use for signing in to the CyberQP Dashboard, and make the users who should have access members of this group.
- Complete the initial configuration steps as per https://support.getquickpass.com/hc/en-us/articles/4419178721559-Setting-up-Dashboard-Logins-for-SSO-SAML-
Instructions
- Log in to the Passly Portal. In the left-hand menu, click SSO Manager, then click Application Library.
- Click Add New Application at the bottom of the screen.
- Select the "Custom Application" by searching or scrolling through the list. (We are working with Passly to allow you to select a preconfigured SSO configuration for CyberQP. The KB will be updated when this is available.)
- On the Application Configuration tab, fill in the Application Name and add a Logo for the Passly Launchpad. Ensure that the Application is Enabled and select the Authentication Policy that your team uses from the drop-down.
Protocol Setup Tab
- Fill in the values as follows:
- Protocol Type: SAML SP-Init
- Assertion Consumer Service URL
NA or Oceania: https://admin.getquickpass.com/api/auth/sso/login/callback
EU: https://eu-admin.getquickpass.com/api/auth/sso/login/callback
- UNCHECK Allow Multiple Audiences
- Service Entity ID (Issuer)
This value is found on the CyberQP Dashboard Authentication Options page. It is listed as "Entity ID".
- Identity Issuer
This value is normally populated directly by Passly. In testing we found that this value being changed did not work; however, you may have some custom configuration within Passly that would require this value to be changed. We suggest leaving it at the default value.
- This value will be populated into the CyberQP Dashboard Authentication Options Issuer URL and SAML Logout Endpoint URL.
- Token Lifetime should be left at the default unless you want your team to be prompted more/less often to enter their Passly Credentials during Dashboard logins.
- Advanced Settings drop down
- Uncheck Include All Audience URIs
- Check Sign Token Response
- Check Sign Assertion
- Set Signing Algorithm to SHA-256
- Fixed Relay State
- You can leave this blank if you want your team to have to manually sign in to the Passly Portal to access the Dashboard.
- You can populate this value with the same information from the Service Entity ID (Issuer) value if you want your team to be automatically logged into the Dashboard when logging in.
- The Protocol Setup tab should look like this when completed:
Attribute Transformation Tab
- Select the "Just issue an attribute as the username" radio button
- Change the Drop down to (User.EmailAddress)
- NOTE this will change once you save the Passly configuration.
Permissions Tab
- Add the Group(s) from your Passly User/Group configuration that will access the CyberQP Dashboard.
Signing and Encryption Tab
- Click the <> Copy Button and the Digital Certificate details will be shown.
- Copy this value to your clipboard INCLUDING the initial and trailing "---" characters.
- This value will be pasted into the CyberQP Authentication Options "Certificate" value. YOU MUST include the "---" characters and there cannot be any leading or trailing spaces or <CR>.
- Copy the Thumbprint Value to your Clipboard
- This value will be pasted into the CyberQP Authentication Options "Fingerprint" Value.
- Click Save/Save Changes
- Sign in to the Passly Launchpad as an End User.
- You should see the CyberQP Box for the SSO application you just set up.
- Right-click that icon and copy the associated hyperlink.
- This value will be pasted into the CyberQP Dashboard Authentication Options "SAML Login Endpoint URL" box.
Passly Values in the CyberQP Authentication Options Screen
Copy and paste the SSO URLs from Passly to and from the CyberQP Dashboard to match these images.
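A pre-paste check for the Certificate and Thumbprint values from the Signing and Encryption tab, as an added example that is not part of the original article or of Passly's or CyberQP's tooling. It assumes the copied value is standard PEM (the "---" characters being the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines) and that the thumbprint is a SHA-1 or SHA-256 hash of the decoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder bytes, NOT a real certificate: enough to exercise the checks.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = f"{BEGIN}\n{base64.b64encode(SAMPLE_DER).decode()}\n{END}"


def check_pasted_certificate(text):
    """Return the problems that would break the "Certificate" field, in a fixed order."""
    problems = []
    if text != text.strip():
        problems.append("leading or trailing whitespace")
    if "\r" in text:
        problems.append("carriage return (CR) present")
    body = text.strip()
    if not body.startswith(BEGIN):
        problems.append("missing BEGIN delimiter")
    if not body.endswith(END):
        problems.append("missing END delimiter")
    return problems


def fingerprints(text):
    """Hash the decoded certificate body; uppercase hex keyed by algorithm name."""
    inner = text.strip()[len(BEGIN):-len(END)]
    der = base64.b64decode("".join(inner.split()), validate=True)
    return {alg: hashlib.new(alg, der).hexdigest().upper() for alg in ("sha1", "sha256")}


def thumbprint_matches(text, thumbprint):
    """Compare ignoring case and separators (colons, spaces) in the copied thumbprint."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()
    return wanted in fingerprints(text).values()


if __name__ == "__main__":
    print(check_pasted_certificate(SAMPLE_PEM + " \r\n"))
    print(fingerprints(SAMPLE_PEM))
```

Run `check_pasted_certificate` first and call `thumbprint_matches` only when it returns an empty list, since the fingerprint functions expect both delimiter lines to be present.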
Testing
- In another browser or an Incognito/Private browser window, open the CyberQP Dashboard:
NA or Oceania: https://admin.getquickpass.com
EU: https://eu-admin.getquickpass.com
- Enter a Technician's Email address
- Click Log In with SSO
- Enter the Email Address that is configured for the Login Role Account you are testing
- Click Log In
- You should be prompted to sign into the Passly Single Sign-On Launchpad page just as you normally are.
- Sign in with the credentials from the SSO Source you normally use.
- You should be prompted with whichever Passly Sign In options you have configured as mandated for login.
- Upon approval, the Technician should be logged into the CyberQP Dashboard with the proper account and permissions as assigned in the CyberQP Login Management.
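A check you can run during testing, as an added example that is not part of the original article or of Passly's or CyberQP's tooling: it takes the base64-decoded SAMLResponse XML captured from your own test login and reports where it disagrees with the Protocol Setup and Attribute Transformation choices above (response and assertion both signed, SHA-256, a single audience equal to the Entity ID, an email address as the username). The `ENTITY_ID` placeholder, `tech@example.com` and the function names are assumptions; it inspects structure only and does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://admin.getquickpass.com/api/auth/sso/login/callback"  # NA/Oceania value from this article
ENTITY_ID = "https://entity-id.example.invalid"  # placeholder: use your dashboard's "Entity ID"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def review_response(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """List where a decoded SAML response disagrees with the settings in this article.
    Structural review only: it does not verify any signature cryptographically."""
    root = ET.fromstring(xml_text)  # parse only your own test capture with this parser
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in the response"]
    findings = []
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            findings.append(f"{label} is not signed")
        elif not method.get("Algorithm", "").endswith("sha256"):
            findings.append(f"{label} signature is not SHA-256")
    if root.get("Destination") != acs_url:
        findings.append("Destination is not the Assertion Consumer Service URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audiences != [entity_id]:
        findings.append("Audience is not exactly the Service Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        findings.append("NameID is not an email address")
    return findings

def constructed_response(alg=RSA_SHA256, sign_assertion=True, audiences=(ENTITY_ID,)):
    """Build a skeleton response for the demo (constructed sample, signature values omitted)."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           '</ds:SignedInfo></ds:Signature>')
    aud = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" Destination="{ACS_URL}">{sig}<saml:Assertion>'
            f'{sig if sign_assertion else ""}<saml:Subject><saml:NameID>tech@example.com'
            f'</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>{aud}'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(review_response(constructed_response()))
    print(review_response(constructed_response(sign_assertion=False)))
```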