How to implement Single Sign-On via your Identity Provider (IdP)
An organization may require users to authenticate to applications, such as Quantum Metric, through a single identity provider (single sign-on, SSO). Users are redirected to that identity provider for authentication.
OpenID Connect Provider
In addition to allowing users to authenticate with Google, Quantum Metric supports identity federation using OpenID Connect. OpenID Connect is a widely-used authentication protocol built on top of the OAuth 2.0 authorization framework. There are a number of advantages to using OpenID Connect as opposed to alternative enterprise authentication technologies (e.g. SAML 2):
- Built on modern, lightweight standards, such as JSON, OAuth 2.0, and REST
- Designed to operate securely in the context of mobile web and native apps, not just websites
- More flexible and simpler to integrate than alternatives
To enable login via OpenID Connect, you first create an OIDC application at your identity provider and then register it in Quantum Metric as a new OpenID Connect provider:
- Create an OpenID Connect application at your identity provider. You will be given a Client ID and a Client Secret. Copy these, as you will need to enter them later.
- In Quantum Metric, go to Settings > SSO and add a new provider. You can choose between the SAML2 and OpenID Connect protocols.
- In the Discovery URL field, enter your provider's OIDC Discovery document URL.
- Enter the Client ID and Client Secret from your provider.
- Click Save.
You may now sign out and attempt to sign in with the newly-created provider. We recommend that you do not disable the default Google provider until you have verified that your newly-configured provider is working correctly.
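Before pasting a Discovery URL into the provider configuration, it is worth checking the document it points at. The following added example (not Quantum Metric's code) runs offline sanity checks on an OIDC Discovery document: the required fields named by OpenID Connect Discovery 1.0 are present, the discovery URL is the issuer plus the well-known path (so the `iss` in issued tokens will be the one the relying party expects), every endpoint is served over HTTPS, the authorization code flow is offered, and at least one signed ID token algorithm is available. The sample document, hostname and URL below are constructed for the example.

```python
"""Offline sanity checks for an OIDC Discovery document.
Added example, not Quantum Metric code; the sample document is constructed."""
from urllib.parse import urlparse

# Fields that OpenID Connect Discovery 1.0 marks as REQUIRED for a provider.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
# Endpoints that, when present, must be reachable over TLS.
ENDPOINT_FIELDS = (
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "userinfo_endpoint",
)
WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery(discovery_url: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")

    issuer = doc.get("issuer")
    if issuer:
        # The discovery URL must be the issuer plus the well-known path; otherwise
        # the 'iss' claim in tokens will not be the issuer this configuration trusts.
        expected = issuer.rstrip("/") + WELL_KNOWN
        if discovery_url != expected:
            problems.append(f"discovery URL does not match issuer (expected {expected})")
        if urlparse(issuer).scheme != "https":
            problems.append("issuer is not https")

    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{field} is not https")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not offer the authorization code flow")

    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not [alg for alg in algs if alg != "none"]:
        problems.append("no signed ID token algorithm offered")
    return problems


# Constructed sample: what a well-formed discovery document looks like.
DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print("good document:", validate_discovery(DISCOVERY_URL, GOOD_DOC) or "no problems")
    bad = dict(GOOD_DOC, issuer="https://other.example.com", token_endpoint="http://idp.example.com/oauth2/token")
    print("bad document:", validate_discovery(DISCOVERY_URL, bad))
```

The issuer check is the one most often skipped: a document copied from a proxy or a staging host can pass every other test while issuing tokens whose `iss` never matches the URL you configured.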
The name used to identify the provider you are authenticating with. This text is displayed on the login screen for your subscription when the login provider is active.
If you can control access to the OpenID Connect application at your identity provider, you may want to enable JIT (just-in-time) provisioning. When enabled, access is controlled at the provider, and a new user is automatically provisioned in Quantum Metric on first login. With this approach, you can authorize the application to a specific group (or groups) at your identity provider without having to add new users on demand. By default, any JIT-provisioned user receives the User role, which has access to most of Quantum Metric but cannot modify any system-level configuration. For JIT-provisioned applications, this role can be configured: in the Profile Mapping section of the provider configuration, specify the claim that conveys the user's role. If present, the role claim must exactly match one of the Quantum Metric roles defined below.
- CSR (customer service rep) – can search users and view replays
- User – can view all data and create personal dashboards
- Admin – has all privileges except user and SSO management
- Owner – has all privileges
Email Address and First Name are required profile attributes for JIT Provisioning.
QM Role will default to "User" unless another role (CSR, Admin, Owner) is specified in the assertion.
Some providers do not allow arbitrary metadata to be attached to OpenID user info claims. In that case, the recommended approach is to create multiple OpenID applications at the provider, configure each one to JIT provision, and give each a "QM Role" mapping with an empty claim and a default value equal to the type of user you want that application to provision.
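The rules above (Email Address and First Name required, role defaulting to User, an exact match required when the role claim is present, and the empty-claim-plus-default pattern for providers that cannot carry custom claims) are small but easy to get wrong. This added example, which is not Quantum Metric's code, shows them as one profile-mapping routine run over constructed ID token claims. The mapping dictionary shape and the claim names `email`, `given_name` and `qm_role` are assumptions made for the example.

```python
"""Resolve a JIT-provisioned user's profile from ID token claims.
Added example, not Quantum Metric code; claim names and mapping shape are assumed."""

QM_ROLES = ("CSR", "User", "Admin", "Owner")  # roles listed on the page
DEFAULT_ROLE = "User"                          # role used when none is asserted


class ProvisioningError(ValueError):
    """Raised when a login cannot be JIT-provisioned."""


def resolve_profile(claims: dict, mapping: dict) -> dict:
    """Map token claims to a Quantum Metric profile, or raise ProvisioningError.

    mapping keys (assumed shape):
      email_claim, first_name_claim : claim names for the required attributes
      role_claim                    : claim carrying the role, or "" to ignore claims
      default_role                  : role used when no role claim is present
    """
    email = claims.get(mapping["email_claim"])
    first_name = claims.get(mapping["first_name_claim"])
    if not email or not first_name:
        raise ProvisioningError("Email Address and First Name are required for JIT provisioning")

    default_role = mapping.get("default_role", DEFAULT_ROLE)
    if default_role not in QM_ROLES:
        raise ProvisioningError(f"default role {default_role!r} is not a Quantum Metric role")

    role_claim = mapping.get("role_claim") or ""
    if role_claim and role_claim in claims:
        role = claims[role_claim]
        # Exact, case-sensitive match: "admin" or "Administrator" is rejected,
        # which is safer than silently downgrading or guessing.
        if role not in QM_ROLES:
            raise ProvisioningError(f"role claim {role!r} does not match a Quantum Metric role")
    else:
        # No role claim configured, or none present in the token: fall back to the default.
        role = default_role
    return {"email": email, "first_name": first_name, "role": role}


def provisioning_problem(claims: dict, mapping: dict):
    """Return the error message for a login that would be rejected, else None."""
    try:
        resolve_profile(claims, mapping)
    except ProvisioningError as err:
        return str(err)
    return None


# Constructed mappings: one reads the role from a custom claim, the other uses the
# empty-claim-plus-default pattern for a provider that cannot carry custom claims.
MAPPING_WITH_CLAIM = {"email_claim": "email", "first_name_claim": "given_name",
                      "role_claim": "qm_role", "default_role": "User"}
MAPPING_OWNER_APP = {"email_claim": "email", "first_name_claim": "given_name",
                     "role_claim": "", "default_role": "Owner"}

# Constructed token claims.
CLAIMS_ADMIN = {"sub": "u1", "email": "ana@example.com", "given_name": "Ana", "qm_role": "Admin"}
CLAIMS_NO_ROLE = {"sub": "u2", "email": "ben@example.com", "given_name": "Ben"}
CLAIMS_BAD_CASE = {"sub": "u3", "email": "cy@example.com", "given_name": "Cy", "qm_role": "admin"}
CLAIMS_NO_NAME = {"sub": "u4", "email": "dee@example.com"}

if __name__ == "__main__":
    print(resolve_profile(CLAIMS_ADMIN, MAPPING_WITH_CLAIM))
    print(resolve_profile(CLAIMS_NO_ROLE, MAPPING_WITH_CLAIM))
    print(resolve_profile(CLAIMS_NO_ROLE, MAPPING_OWNER_APP))
    print(provisioning_problem(CLAIMS_BAD_CASE, MAPPING_WITH_CLAIM))
    print(provisioning_problem(CLAIMS_NO_NAME, MAPPING_WITH_CLAIM))
```

Note that with the empty-claim mapping the role in the token is ignored entirely: the application a user was authorized to at the identity provider is what decides the role, so group membership at the provider, not token content, is the control to audit.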
These fields are unique to SAML2 configurations:
SP Metadata URL
Service provider metadata that can be used to configure access to an application at your Identity Provider.
If present, this value is sent to the IdP to restrict authentication to a specific type. This can usually be left blank.
Configure IdP from Metadata
Configure the IdP from a metadata XML document. Otherwise, settings must be entered manually.
Content of the IdP metadata XML document. If supplied, all IdP properties will be inferred.
When using a Single Sign-On solution, users are authenticated with Quantum Metric immediately. If a user is already logged into the SSO provider, they should not be prompted to enter credentials.