Introduction

Single sign-on (SSO) is an authentication method that lets users securely authenticate to multiple applications and websites with a single set of credentials. Qobra's SSO is implemented on top of SAML, an open standard used for authentication.

This feature is pen-tested yearly by independent contractors.

There are 3 parties involved in an SSO connection on Qobra:

  • The user, who signs in with their email address
  • Qobra, the application the user wants to authenticate to
  • The identity provider (IDP), which authenticates users and grants them access to the platform, such as Okta, AzureDirectory, Keycloak, etc.

Setup

You can manually set up your SSO in the Qobra platform (company settings - security).

Step 1: Retrieve data from Qobra

First, retrieve the following fields from Qobra and enter them in your IDP:

  • Entity ID: unique identifier of a specific entity (here, your Qobra account) in the SAML exchange.
  • Redirect URL or Callback URL: the URL users are redirected to after authenticating with their identity provider.

Step 2: Input data in Qobra

Then fill in both fields below to complete the SAML setup:

  • Domain name: the domain name used in your company's user email addresses. This field defaults to the domain of your own email address.
  • Metadata URL: URL of the SAML metadata, an XML document containing the information needed to interact with the identity provider (IDP). It holds the data that makes the connection secure and successful (e.g. endpoint URLs, supported bindings, identifiers and public keys).

The metadata available at the metadata URL should look something like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp-saml.ua3.int/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7T...T7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7TCC......QsT7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:SurName>Administrator</md:SurName>
    <md:EmailAddress>name@emailprovider.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

Step 3: Multiple domain names (optional)

If your company currently has more than one domain name (typically because of a merger or rebranding), contact support to add a second domain name for your company. For security reasons, you cannot do this yourself.

Identity provider tutorials

You'll find here step-by-step tutorials for the top 3 identity providers among our customers. If you'd like another identity provider covered here, just ask us here.

Troubleshooting

Can’t find the Metadata URL

  • If you use Okta, KeyCloak or AzureDirectory, refer to the documentation for those specific identity providers.
  • If your identity provider only lets you download your metadata, you'll have to serve it through a URL (S3, cloud storage, static server, etc.). Qobra does not allow uploading SAML metadata to the platform.

Metadata URL is rejected

The host of your Metadata URL may point to an internal destination. This happens when you self-host your identity provider on your internal network. As a security measure, and because we cannot reach this internal host anyway, we block the request. You must serve your metadata through a public URL.

Can’t authenticate after registering your SSO

Check your Metadata URL by visiting it directly in your browser:

  • The page should not return an error
  • The page should return an XML file
  • The XML file should show that assertions are signed
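The following script, added here as an example and not part of Qobra's own code, runs the checks from this troubleshooting list and from the "Metadata URL is rejected" section offline: it refuses a metadata URL whose host is internal, then parses the metadata (the shape shown in Step 2) and confirms it is an IDP document that declares a signing certificate and an HTTP-Redirect sign-on endpoint. The https-only rule and the sample document with its placeholder certificate are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample mirroring the metadata shape shown in Step 2 (placeholder cert).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def is_public_metadata_url(url: str) -> bool:
    """False for non-https URLs (assumed rule) and for hosts Qobra cannot reach:
    localhost, bare hostnames, and loopback/private/link-local IP literals."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return host != "localhost" and "." in host  # DNS name, resolved on fetch

def check_idp_metadata(xml_text: str) -> list:
    """Return the problems found; an empty list means the document looks usable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no md:IDPSSODescriptor (an error page, or SP metadata?)"]
    # A KeyDescriptor with no use attribute is valid for signing as well.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    if not any(certs):
        return ["no signing certificate: signed assertions cannot be verified"]
    bindings = [s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)]
    if HTTP_REDIRECT not in bindings:
        return ["no SingleSignOnService with the HTTP-Redirect binding"]
    return []
```

Run `check_idp_metadata` on the body you fetch from your Metadata URL; the first non-empty result names the item in the list above that failed.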

Issues with setting home realm discovery

As a security measure, an admin can only set a home realm discovery that matches the domain name of their own email address. To change it to another client domain, ask support for help.