Skip to main content

Setting up Dashboard Logins for SSO (SAML)

  • Updated

Introduction

If you're the Primary or Super login role, you can let team members access CyberQP by logging in to a central identity provider. Single sign-on (SSO) provides an easy way to access multiple websites or applications using a single account.  Authentication to your Tenant is handled by your identity provider. Whenever CyberQP wants to authenticate you via SSO, they'll redirect you to the identity provider. If you are not logged in, you can log in using your SSO credentials. But if you're already logged in, you won't need to log in again. You are immediately redirected back to CyberQP with the necessary authentication token. This token is used to verify that you are authenticated with the identity provider.

 

Prerequisites

  • To configure SAML settings for SSO, you need an identity provider that supports SAML 2.0. This widely supported protocol enables web-based authentication scenarios including cross-domain SSO and federated authentication between SaaS applications, like CyberQP, and on-premise directory systems, such as Active Directory. The key to this feature is the intermediary SAML SSO server – also known as the identity provider.
  • All of your users under your account in CyberQP will need an account in your SSO Provider with exactly the same email address.
    Manual - https://support.getquickpass.com/hc/en-us/articles/360040722434-How-to-Setup-Quickpass-Dashboard-Logins
    Bulk Import - https://support.getquickpass.com/hc/en-us/articles/4411037813783-How-to-Bulk-Import-Quickpass-Dashboard-Logins 
  • NOTE: After setting up the SSO - Primary Roles will still be able to login to the Dashboard with their CyberQP Credentials. Super Roles will, by default, also be able to login to the Dashboard with their CyberQP Credentials, but they, along with, all other roles will need to use the SSO credentials to login to the Dashboard if SSO is enforced.  If you want to allow certain technicians to have access to the Dashboard without using your Company SSO Provider, please review this KB (for example Co-Managed Technicians):
    https://support.getquickpass.com/hc/en-us/articles/28695722089879-SSO-Exemptions 
  • NOTE: Enforcing SSO for Super Roles is now permitted (force Super Role to use SSO).  Enforcing SSO for all Super role Technicians enhances security but could limit Dashboard access if your SSO provider experiences an outage. To avoid potential disruptions, consider keeping at least one Super role technician exempt from SSO to ensure access for managing SSO settings if needed.

Get Started

NOTE: It's highly recommended that before you begin the below set of instructions, log in to your CyberQP account twice - once in a regular browser and once in an incognito/private window or a separate browser. This is to ensure that you are still logged in to your account in case you are locked out in the other window.
  1. Login to CyberQP as a Primary or Super Admin Login Role
  2. Click the Login Management -> Authentication Options Screen
  3. Turn on the Enable SAML SSO Toggle Switch

    1. Once this is turned on the Entity ID value will be populated.
      mceclip0.png
    2. The remainder of the entries will be populated from the values provided by your SSO provider
  4. Log into your identity provider, so that you can configure the two simultaneously.

Configuring the SSO Identity Provider - Default Values

  1. Enter the following URLs in the fields provided by your SSO provider.
    • Identifier (Entity ID) - Enter your CyberQP Entity ID value from the CyberQP Dashboard
    • Reply URL (Assertion Consumer Service URL) - Enter
      NA or Oceania https://admin.getquickpass.com/api/auth/sso/login/callback
      EU

      https://eu-admin.getquickpass.com/api/auth/sso/login/callback
    • Sign on URL - Enter
      NA or Oceania https://admin.getquickpass.com
      EU https://eu-admin.getquickpass.com
    • Relay State - Some SSO Providers will not allow you to have both Reply URL and Relay State populated.  Ensure you understand which value is required.  If Supported by your SSO Provider enter your CyberQP Entity ID value from the CyberQP Dashboard
    • Logout URL - Enter
      NA or Oceania https://admin.getquickpass.com
      EU https://eu-admin.getquickpass.com

After SSO Identity Provider is configured.

After configuring SSO in your identity provider, return to CyberQP, navigate to Login Management -> Configuration -> Authentication Options and paste the SSO Token value provided by your SAML Provider.

  • Issuer URL - The URL that uniquely identifies your SAML identity provider. Also called: IssuerIdentity ProviderEntity IDIdPIdP Metadata URL.
  • SAML Login Endpoint URL - The SAML login endpoint URL of the SAML server. CyberQP redirects to this URL for SSO if a session isn't already established. Also called: Sign-on URLRemote login URLSSO URLSSO EndpointSAML 2.0 URLIdentity Provider Sign-in URLIdP Login URL, Single Sign-On Service URL.
  • SAML Logout Endpoint URL - A URL where CyberQP can redirect users after they sign out of CyberQP. Also called: SLO Endpoint, SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
  • Fingerprint - The appropriate value is based on the information provided by your identity provider. Also called: Thumbprint.
  • Certificate - The authentication certificate issued by your identity provider (a base-64 encoded X.509 certificate). Be sure to include the entire certificate, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE------. Also called: Public CertificateX.509 Certificate.

    NOTE: - These sample values were provided from the Azure/O365 Example and will be different depending on the SSO/SAML provider you are using.


    mceclip4.png

You should now have a working SSO implementation for CyberQP which you can test by going to your subdomain (https://admin.getquickpass.com or https://eu-admin.getquickpass.com) in a new browser session. This process and the information asked for should be common to all identity providers.

 

SSO (SAML 2.0) Provider Configurations

If you use one of the identity providers listed below, we have written separate articles that explain how to configure and test your SAML SSO settings that you should read instead:

 

Related articles

Comments

0 comments

Please sign in to leave a comment.