Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
Qase supports SSO. To provide single sign-on services for your domain, Qase acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
1. Sign in to the Admin Console of your AzureAD account.
2. Click the Azure Active Directory icon.
3. Go to the Enterprise applications section and click the New application button.
4. Choose Non-gallery application.
5. Name your application (e.g. Qase) and click the Add button.
6. Click Set up single sign on.
7. Choose SAML.
8. Now set up your AzureAD application. Click the Edit button in the Basic SAML Configuration block and fill in the form with the following data:
- Identifier (Entity ID): https://app.qase.io/saml/metadata
- Reply URL (ACS URL): https://app.qase.io/saml/acs
- Sign on URL: https://app.qase.io/sso/login
When you are ready, click the Save button.
9. Now configure attribute mapping. Click the Edit button in the User Attributes & Claims section and, for the Required Claim, set Name ID format to persistent and Name ID value to user.mail.
Also add two new claims:
- fname: user.givenname
- lname: user.surname
10. You are now ready to set up SSO on the Qase side. First, get the following data from the AzureAD app:
- Download the certificate (Base64)
- Copy Login URL
- Copy Azure AD identifier
11. Go to the Qase security page and link your account with the AzureAD credentials. Click the "Enable SSO/SAML" toggle button and fill in the form:
- SAML Sign-in URL: paste the Login URL from the previous step.
- Identity Provider Issuer: paste the Azure AD identifier from the previous step.
- Key x509 Certificate: open the certificate downloaded in the previous step in any editor, copy its content, and paste it into the text area.
- Domains: provide a comma-separated list of the domains that will be used for SSO. Public domains such as gmail and hotmail are not allowed.
- Default role: choose a default role that will be granted to new users.
If you want new users who join your team to become read-only members by default, check the "Automatically add new users as read-only members" checkbox.
After the form is filled in, click the "Save" button.
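To confirm that the settings from steps 8 and 9 actually reach the assertion, you can decode a SAML response captured from your own test login and compare it with those values. The script below is an added example, not Qase or Microsoft code: the sample response and the `check_response` helper are constructed for illustration, and it compares fields only (it does not verify the XML signature).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://app.qase.io/saml/metadata"   # step 8: Identifier (Entity ID)
ACS_URL = "https://app.qase.io/saml/acs"          # step 8: Reply URL (ACS URL)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # step 9
REQUIRED_CLAIMS = ("fname", "lname")              # step 9: the two added claims

def check_response(xml_text):
    """Return the mismatches between a decoded SAML response and this guide's settings."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the Reply URL (ACS URL)")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    if ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not contain the Identifier (Entity ID)")
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
              for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim '{name}' missing or empty")
    return problems

# Constructed sample of a correctly mapped response (signature elements omitted).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Subject>
<saml:NameID Format="{PERSISTENT}">alice@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="fname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# Constructed misconfiguration: default namespaced claim name and e-mail NameID format.
BAD = SAMPLE.replace('Name="fname"',
    'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"').replace(
    PERSISTENT, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("misconfigured", BAD)):
        print(label, check_response(doc) or "matches the guide's settings")
```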