
Single Sign-On (SSO) Basics

What is it?

SSO allows your employees to access our applications with the login credentials they already use within your organization.

Click here to go to SSO setup for ADFS, Okta, or Azure Active Directory. Otherwise click here to go to setup process.

Benefits

  • Mitigation of security risk
    • Passwords are not stored or managed at Quantum Workplace
    • Access to our system is ultimately controlled by you (the user cannot access our platform if they are disabled as an employee)
    • Reduced password fatigue from different usernames and passwords
    • Reduced support requests about passwords

Getting Started

If interested in setting up SSO, please provide your CSM with an email address for the appropriate person on your IT team to contact.

Details for Your IT Team

Overview:

We currently support the SAML v2.0 protocol (we DO NOT support the older v1 or v1.1 protocols). At this time we DO NOT support “just in time” user provisioning through SSO. Quantum Workplace platform users are manually created in the platform by your Quantum Workplace platform administrator(s), unless other methods are agreed upon (e.g., HRIS integration, QW en masse, etc.).

Definitions:

Identity Provider (abbreviated IdP) - a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying party applications within a federation or distributed network. An identity provider offers user authentication as a service.

Common IdPs that QW clients use (this list is not exhaustive):

      • Microsoft Office 365 with Azure Active Directory (Azure AD) 
      • Standalone Active Directory Federation Services (ADFS)
      • OneLogin
      • Okta
      • Ping Identity (PingFederate/PingAccess)
      • G Suite (Google)

Service Provider (abbreviated SP) - in this case, the SP is the Quantum Workplace platform. We provide software as a service.

How Our SSO Login Process Works:

The SSO user tries to access our platform. This can be initiated by the IdP or from the QW platform (e.g., a link on your intranet, SSO dashboard, or an email from our system). 

  • The user clicks on a link that points to our platform.
  • The request is directed to the IdP to handle authentication on the back end. 
  • If the user is not already logged on to the IdP site, or if re-authentication is required, the IdP prompts the user for credentials (e.g., ID and password), and the user logs on. 
    • Additional information about the user may be retrieved from the user data store for inclusion in the SAML response. (User attributes are predetermined as part of the agreement between the IdP and QW, e.g., EmployeeID, UserName, Email Address, etc.)
    • The IdP’s SSO service returns a SAML response containing the authentication assertion and any additional attributes.
    • If the signature and assertion are valid (the user is an active and authorized user), Quantum Workplace establishes a session for the user and redirects the browser to our platform resource.
  • If the user is already logged on to the IdP, the user is taken directly into our platform.

 

Setup Process
  1. You will use our production environment metadata information to set up the configuration on your side using EmployeeID, Username, or Email Address as the NameID. (This is a unique identifier that each user has. This will be passed to QW behind the scenes. It is used to verify that a user is active and authorized on your side. We prefer EmployeeID since those rarely change.)
    1. QW Production metadata:
      https://auth.quantumworkplace.com/saml/metadata
  2. Once the configuration is set on your end, you send us a link to your metadata (or a download of the file), and we will set up our configuration based on the information contained in the metadata file.
  3. Test the configuration.
    1. If there are any issues or errors, please take a screenshot of the error message. Include the URL in the screenshot and note the date and time you received the message, so we can look in the logs to see if the issue in the configuration is on our side or yours. Note: If there are issues that are too challenging to solve over email, we can set up a screen sharing meeting to troubleshoot.

The configurations on the QW side are stored as data, so there are no release schedules or restrictions that QW needs to adhere to in order to roll out SSO implementations.