AzureAD
Qase supports SSO. To provide single sign-on services for your domain, Qase acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
1. Sign in to the Admin console of your AzureAD account.
2. Click the "Azure Active Directory" icon.
3. Go to the "Enterprise applications" section and click the "New application" button.
4. Create a Non-gallery application and name it 'Qase'.
5. Click "Set up single sign on".
6. Choose "SAML".
7. Now you need to set up your AzureAD application. Click the "Edit" button in the "Basic SAML Configuration" block and fill in the form with the following data:
Identifier (Entity ID): https://app.qase.io/saml/metadata
Reply URL (ACS URL): https://app.qase.io/saml/acs
Sign on URL: https://app.qase.io/sso/login
When you are ready, click the "Save" button.
8. Now you need to configure attribute mapping. Click the "Edit" button in the "User Attributes & Claims" section and, for "Required claim", set Name ID format to persistent and Name ID value to user.mail.
Also, add two new claims:
fname: user.givenname
lname: user.surname
9. Now you are ready to set up SSO on the Qase side. But first, you need to get the following data from the AzureAD app:
Download the certificate (Base64)
Copy Login URL
Copy Azure AD identifier
10. Now you need to go to the Qase security page and link your account with AzureAD credentials. Click on the "Enable SSO/SAML" toggle button and fill the form:
SAML Sign-in URL: paste login URL from the previous step
Identity Provider Issuer: paste Azure AD identifier from the previous step
Key x509 Certificate: open the certificate downloaded in the previous step in any editor, copy its contents, and paste them into the text area.
Domains: provide a comma-separated list of domains that will be used for SSO. Public domains such as gmail and hotmail are not allowed.
Any domains that are added will need to be verified. To do so, you will need to add a TXT record to the domain's DNS records.
Default role: choose a default role that will be granted to the new users.
If you want new users who join your team to become read-only members by default, check the "Automatically add new users as read-only members" checkbox.
After the form is filled, click on the "Save" button.
Setup is complete. Now you can log out of the app and log in through the SSO login form.
IdP initiated login is not supported.
Users will have to sign in from the Qase SSO login page: https://app.qase.io/sso/login