Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. Qobra’s SSO is based on SAML, an open standard used for authentication.
This feature is pen-tested yearly by independent contractors.
There are 3 parties involved in an SSO connection on Qobra:
Okta, AzureDirectory, Keycloak, etc.
You can manually set up your SSO in the Qobra platform (company settings - security).
You’ll first have to retrieve the fields below and enter them in your IDP:
Entity ID: unique identifier that is used to identify a specific entity (here your Qobra account) in the SAML authentication.
Redirect URL or Callback URL: the callback URL represents the place where people will be redirected to after authenticating with their identity provider.
Then, you’ll have to fill in both fields below to complete the SAML setup:
Domain name: domain name used in the company’s user email addresses. This field will default to your email’s domain name.
Metadata URL: URL of the SAML metadata, an XML document which contains the information necessary for interaction with the Identity Provider (IDP). This document contains essential data to make the connection secure and successful (e.g. URLs of endpoints, information about supported bindings, identifiers and public keys).
The metadata available at the metadata URL should look something like this:
If your company currently has more than one domain name (typically because of a merger or rebranding), you can contact support so they can fill in a second domain name for your company. For security purposes, you can’t do this on your own.
Here you’ll find step-by-step tutorials for our customers’ top 3 identity providers. If you’d like another identity provider to be present here, just ask us here.
Okta
Go to your admin dashboard, in the Applications tab.
Click on the button “Create a new app integration” and select SAML 2.0
Azure Directory (Microsoft Entra)
Go to the Enterprise Applications tab and click the New Application button.
Select the Microsoft Entra SAML Toolkit application and put Qobra in the name field.
You can now click on the Create button.
Single sign-on tab and click on SAML
Edit button to start putting the SAML data
Go to your SSO settings at https://app.qobra.co/parameters/security
Thanks to the information gathered on your SSO settings you can now fill those 3 fields:
Redirect URL in Qobra)
After filling those fields, you can now click on the Save button.
App Federation Metadata Url in the SAML Certificates section and fill it in Qobra SSO config (Metadata URL field)
You should also fill the domain name of your email in the Domain name field.
KeyCloak
The host of your Metadata URL may point to an internal destination. This happens when you self-host your identity provider on your internal network. As a security measure, and because we cannot access this internal host, we block the request. You must serve your metadata through a public URL.
Check your Metadata URL by visiting it directly on your browser:
As a security measure, an admin can only set a home realm discovery matching the domain name of their email address. To change it to another client domain, ask support for help.