SAML Single Sign On

Updated by Daniel Sjögren

Quinyx supports the SAML 2.0 specification.

SAML Single Sign On provider configuration

NOTE: Old SAML configurations will not be upgraded to this new format and hence not be visible in the provider list

Prerequisites to complete a configuration:

  1. IDP (Identity provider) set up supporting the SAML 2 configuration.

Access to the authentication settings is restricted to the Account manager role.

Basic configuration

To create a new configuration or to edit an existing one, go to Authentication settings > SAML providers.

  1. Click Add to create a new configuration:
  2. Configure the basic details for the SAML configuration.
  1. Name: The name of the provider in Quinyx.
  2. Global Login alias: Quinyx SSO providers (OpenID and SAML) can be set up to make the provider name a Global login alias. Global means it is checked for uniqueness in Quinyx's different regions (EU and US). A user (employee or manager) can use the alias in the Mobile app login dialogue to be directed to the correct SSO provider directly. The login flow for web will be updated at a later point.
  3. Attribute name: The attribute used as username in the SAML setup. (Refer to Azure SAML configuration to find your value expected by Azure. (E. g.: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress))
  4. Identification type: What data type can Quinyx match with the data from the IDP.
  5. Select the way to provide SAML provider metadata from the IDP.
    1. URL: Add the link to the SAML provider's metadata or
    2. Copy and paste the metadata XML into the text field.
  6. Click Continue.
  7. Click twice on Update provider and Quinyx will present a URL that should be provided to the IDP to enable two-way communication between the provider and Quinyx.Copy the URL and finalize the configuration in your IDP.

Configuration of Global Login alias

When adding or updating an SSO Provider you can select that the Name of the provider will be a Global login alias. This means that the Name of the provider will be globally unique and can be used when logging in from the mobile app (support for logging in from the web portal will be delivered later).

1. Check the box for Global Login Alias.

2. Configure the rest of the provider.

3. Save the configuration.

4. The name of the provider will be validated for global uniqueness (Both EU and US environments).

5 If the name is unique and approved the provider config is saved.

6. After saving the configuration, users will be able to use Global Login Alias in the mobile app by entering the name of the provider on the login page (field Username) and tapping on Continue. They will then be automatically redirected to their own login provider page. The provider name that has to be entered is not case-sensitive. If the user gets a screen for entering their regular password (and is not redirected to login provider page), that means the user has entered the provider name incorrectly, or that the Global Login alias checkbox is not ticked (step 1).

How Did We Do?