Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
Qase supports SSO. To provide single sign-on services for your domain, Qase acts as a service provider (SP) through the SAML (Secure Assertion Markup Language) standard.
1. Sign in to the Admin Console of your AzureAD account.
2. Click On Azure Active directory icon:
3. Go to Enterprise applications section and click on New application button:
4. Create a Non-gallery application and name it 'Qase':
5. Click on Set up single sign on:
6. Choose SAML:
7. Now, you need to set up your AzureAD application. Click on the Edit button in the Basic SAML Configuration block. And fill the form with the following data:
Identifier (Entity ID): https://app.qase.io/saml/metadata
Reply URL (ACS URL): https://app.qase.io/saml/acs
Sign on URL: https://app.qase.io/sso/login
When you are ready, click on save button.
8. Now you need to configure attribute mapping. Click on Edit button in User Attributes & Claims section and for Required Claim set Name ID format to persistent and Name ID value to user.mail.
Also, add two new claims:
fname: user.givennamelname: user.surname
9. Now, you are ready to set up SSO on the Qase side. But at first, you need to get data from the AzureAD app:
Download the certificate (Base64)
Copy Login URL
Copy Azure AD identifier
10. Now you need to go to the Qase security page and link your account with AzureAD credentials. Click on the "Enable SSO/SAML" toggle button and fill the form:
SAML Sign-in URL: paste Login URL from the previous step
Identity Provider Issuer: paste Azure AD identifier from the previous step
Key x509 Certificate: open downloaded in the previous certificate in any editor, copy its content, and paste in the text area.
Domains*: provide a list of domains separated by a comma, that will be used for SSO. Public domains like Gmail, hotmail etc are not allowed.
โ
*This step is mandatory.Any domains that are added will need to be verified. To do so, you will need to add a TXT record to the domain's DNS records.
Default role: choose a default role that will be granted to the new users.
If you want new users who join your team to become a read-only by default, check "Automatically add new users as read-only members" checkbox.
After the form is filled, click on the "Save" button.
Setup is complete. Now you can logout from the app and log in through the SSO login form.
โ ๏ธ Note: IdP initiated login is not supported.
Users will have to sign-in from Qase's SSO Login page: https://app.qase.io/sso/login