> ## Documentation Index
> Fetch the complete documentation index at: https://docs.qobra.co/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO

## Introduction

Single sign-on (SSO) is an authentication method that enables users to securely
authenticate with multiple applications and websites by using just one set of
credentials. Qobra’s SSO is implemented based on SAML (open standard used for
authentication).

This feature is pen-tested yearly by independent contractors.

There are 3 parties involved in a SSO connection on Qobra:

* The user who wishes to connect with his email address
* Qobra, the application where the user wants to authenticate
* The identity provider (IDP) which authenticates users and grand them access
  to the platform, such as `Okta`, `AzureDirectory`, `Keycloak`, etc …

## Setup

You can manually setup your SSO in the Qobra platform (company settings -
security).

<img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/sso_setup.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=4bc8dd437f2616405b5b4205afd4c6c8" alt="SSO setup dialog" width="2908" height="1410" data-path="authentication_documentation/images/sso_setup.png" />

### Step 1: Retrieve data from Qobra

You’ll have first to retrieve the following information fields below, and
input it in your IDP:

* `Entity ID`: unique identifier that is used to identify a specific
  entity (here your Qobra account) in the SAML authentication.
* `Redirect URL` or `Callback URL`: The callback URL represents the place
  where people will be redirected to after authenticating with their identity
  provider.

### Step 2: Input data in Qobra

Then, you’ll have to fill in both field below to complete SAML setup:

* `Domain name`: domain name used in the company's user email addresses.
  This field will default to your email’s domain name.
* `Metadata URL`: URL of the SAML metadata, an XML document which
  contains information necessary for interaction with Identity Provider(IDP).
  This document contains essentials data to make the connection secure and
  successful (ex: URLs of endpoints, information about supported bindings,
  identifiers and public keys).

The metadata available at the metadata URL should look something like this:

```xml theme={null}
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp-saml.ua3.int/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7T...T7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7TCC......QsT7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:SurName>Administrator</md:SurName>
    <md:EmailAddress>name@emailprovider.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

### Step 3: Multiple domain names (optional)

If your company currently has more then one domain name (because of a merger
or rebranding typically), you can [contact the support](mailto:support@qobra.co)
for them to fill in a second domain name for your company. You can’t do this
action on your own for security purposes.

## Identity provider tutorials

You'll find here step by step tutorials for our customers top 3 identity providers.
If you'd like another identity provider to be present here, just ask us [here](mailto:tanguy@qobra.co).

<AccordionGroup>
  <Accordion title="Okta">
    1. Go to your admin dashboard, in the Applications tab.

    2. Click on the button **“Create a new app integration”** and select SAML 2.0

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/okta_screenshot_1.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=6374a4c48c7c148b62d7601b910728ce" alt="New app integration" width="1817" height="1090" data-path="authentication_documentation/images/okta_screenshot_1.png" />

    3. Fill the basic info of the app (App name: Qobra, logo, etc.)

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/okta_screenshot_2.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=10bdd12dd34299108ba09ddcebb9c320" alt="Fill in basic info" width="1817" height="1090" data-path="authentication_documentation/images/okta_screenshot_2.png" />

    4. Fill the SAML settings as shown below. There is no specificity in the
       advanced settings for this setup but your organization could have
       some specific constrains to be filled. Please contact your organization
       IT for more information.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/okta_screenshot_3.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=5c654ef01d618453334918364f2766bf" alt="Fill in SAML settings" width="1817" height="1090" data-path="authentication_documentation/images/okta_screenshot_3.png" />

    5. You can finish the setup by providing the following settings.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/okta_screenshot_4.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=f1dcb0bf19c60bfff7687fed95e0640c" alt="Finish the setup" width="1817" height="1090" data-path="authentication_documentation/images/okta_screenshot_4.png" />

    6. Congratulations you now have access to the metadata URL.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/okta_screenshot_5.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=eb6ac558c501727965678f1f74405666" alt="Access the metadata URL" width="1817" height="1090" data-path="authentication_documentation/images/okta_screenshot_5.png" />
  </Accordion>

  <Accordion title="Azure Directory (Microsoft Entra)">
    1. Go to the `Enterprise Applications` tab and click the `New Application` button.
           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_enterprise_applications_tab.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=93aafe27a53bbc3a261bebbc3a99cf3d" alt="Enterprise Applications Tab" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_enterprise_applications_tab.png" />

    2. Select the `Microsoft Entra SAML Toolkit` application and put `Qobra` in the name field.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_saml_toolkit.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=0ac934b3d536b1c4f16ef6117b8f6bcb" alt="Saml Toolkit Application Gallery" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_saml_toolkit.png" />

    You can now click on the `Create` button

    3. Once on your new application, go to the `Single sign-on` tab and click on `SAML`

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_sso.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=a57503643c0c7ecec3308620191ec260" alt="Single sign-on tab" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_sso.png" />

    4. You can now click on the `Edit` button to start putting the SAML data

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_saml_data.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=ba863fe8b0998b60420a5e08f37df50c" alt="Fill in SAML data" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_saml_data.png" />

    5. Go to your SSO settings at [https://app.qobra.co/parameters/security](https://app.qobra.co/parameters/security)
           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_qobra_data.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=f1b2db75f804bcc332a0d99f960cbb40" alt="Qobra SSO data" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_qobra_data.png" />

    6. Thanks to the information gathered on your SSO settings you can now fill those 3 fields:

    * Entity ID
    * Reply URL (`Redirect URL` in Qobra)
    * Sign on URL (value: [https://app.qobra.com/auth](https://app.qobra.com/auth))

          <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_fill_sso_data.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=c17f1aa80dae7bf4ec7b940c271cf5c6" alt="Fill SAML data" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_fill_sso_data.png" />

    After filling those fields, you can now click on the `Save` button.

    5. Copy the `App Federation Metadata Url` in the `SAML Certificates` section and fill it in Qobra SSO config (`Metadata URL` field)
           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_federation_url.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=6470cf7d60f81dcbf6e31977edb5e2f2" alt="App Federation Metadata Url" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_federation_url.png" />

    You should also fill the domain name of your email in the `Domain name` field

    <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/azure_directory_configure_saml_qobra.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=f46a5c3292febbc14ff9ae812e079e1a" alt="Update Qobra SAML config" width="2940" height="1596" data-path="authentication_documentation/images/azure_directory_configure_saml_qobra.png" />
  </Accordion>

  <Accordion title="KeyCloak">
    1. Go to administration UI to add a client.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_1.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=e0403e7b5527be5beac28c349b952252" alt="Add a client" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_1.png" />

    2. Go to the next step and complete login settings as shown below.

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_2.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=757ac5d469ef6121cf8e6797c0bf1403" alt="Complete login settings" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_2.png" />

    3. Once the app is created, you MUST update theses parameters on client
       settings:

    * Sign Assertion: ON

          <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_3.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=b4f9a4d03a5315242155909659320acf" alt="Fill in 'Sign assertion' option" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_3.png" />

    * Name ID Format: Email

          <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_4.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=3dc4fd567699e42db5db9e7d381bd14d" alt="Fill in 'Name ID Format' option" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_4.png" />

    * Signing key config: OFF

          <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_5.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=3db1ce150d265e3f85bc4576c2f558c5" alt="Fill in 'Signing key config' option" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_5.png" />

    4. Now you can access the metadata URL, as shown below

           <img src="https://mintcdn.com/qobra/4g7tQyP7wYl6AlCt/authentication_documentation/images/keycloak_screenshot_6.png?fit=max&auto=format&n=4g7tQyP7wYl6AlCt&q=85&s=375bc17c7b1676bd26e6fb1b09fa9d2f" alt="Access the metadata URL" width="1817" height="1090" data-path="authentication_documentation/images/keycloak_screenshot_6.png" />
  </Accordion>
</AccordionGroup>

## Troubleshooting

### Can’t find the Metadata URL

* If you use Okta, KeyCloak or AzureDirectory, refer to the documentation
  about those specific identity providers.
* If your identity provider only allow clients to download your metadata,
  you’ll have to serve them through an URL (S3, cloud storage, static server,
  etc …). Qobra does not allow the upload of SAML metadata in the platform.

### Metadata URL is rejected

The host of your Metadata URL may point to an internal destination. It
happened when you self-host your identity provider on your internal network.
As a security measure and because we cannot access this internal host,
we block the request. You must serve your metadata through a public URL.

### Can’t authenticate after registering your SSO

Check your Metadata URL by visiting it directly on your browser:

* The page should not return an error
* The page should return an XML file
* The assertions should be signed in your XML file

### Issues with setting home realm discovery

As a security measure, an admin is only able to set a home realm discovery
matching the domain name of his email address. To change it to another client
domain, you should ask the support for help.
