Single Sign-On Settings

Single sign-on (SSO) is managed from the Single Sign-On Settings page (Administration > Application Settings > Single Sign-On).

Note: These settings are only available to users assigned the Manage Single Sign-On Settings application permission. Your Single Sign-On page view may differ if you have SSO enabled.

Tip: To improve security, you can hide the URL on the query string parameter by using the SSOWebServiceCallback Global settings. This allows administrators to define the parameters of an SSO URL, redirecting users to the desired URL once they log into Qvidian via SSO. To hide the URL on the query string parameter, locate the SSOWebServiceCallback Global settings and enter the URL that the user will be redirected to after performing the QPA SSC. The default value is blank. If you have further questions, contact customer support or professional services.

Configure Upland Qvidian for SSO

Configure SSO settings

Note: The settings below are optional and are needed only if you would like to set up New User Provisioning.

  1. Go to Administration > Application Settings > Single Sign-On.

     Note: The Authentication Mode setting is set by the service provider. If you need to modify this setting, please contact Upland Qvidian Support.

  2. Under User Settings, select the radio button next to one of the Enable New User Provisioning? options below:
    • Yes: SSO will automatically provision new users into Upland Qvidian, including setting any Upland Qvidian user properties and role memberships as specified by the customer’s SSO values, within the bounds of the remaining SSO settings.
    • No: Users must already have Upland Qvidian user accounts to connect.
  3. Select the radio button next to one of the Enable SP-Initiated Single Logout? options below:
    • Yes: When the user logs out of Upland Qvidian, they are automatically logged out of the SP. This ensures that users must log in each time they exit and return to Upland Qvidian.
    • No: When the user logs out of Upland Qvidian, it does not log them out of the SP. This may allow users who have previously logged in to Upland Qvidian to open it without providing their credentials.
  4. Select the radio button next to one of the Manage Existing User Properties? options below:
    • Yes: For existing Upland Qvidian users, every time the user connects, the user property updates specified by the customer’s SSO authority will be applied.
    • No: For existing Upland Qvidian users, the user properties will not update in Upland Qvidian.
  5. Select the radio button next to one of the Manage Existing User Roles? options below:
    • Yes: For existing Upland Qvidian users, every time the user connects, Upland Qvidian role memberships will be updated based on the group membership specified by the customer’s SSO authority, within the bounds of the other SSO settings for Upland Qvidian role management.
    • No: For existing Upland Qvidian users, Upland Qvidian role memberships will not be updated regardless of group memberships specified by the customer’s SSO value.

Specify User Group / QPA Role Settings

These fields are only applicable to SSO subscribers.

  1. In the Default QPA User Roles field, enter the default QPA (Qvidian) user roles to use when creating and updating users if no mapped user roles can be identified. Separate multiple groups with a vertical bar (|). This ensures that any connecting Qvidian user whose list of user group memberships does not map to any of the User Group/QPA Role mappings will get their account provisioned and assigned to those default roles, giving the user basic access to Qvidian. This is required if the customer enabled New User Provisioning.

     Note: The "Everyone" Role can be used as the Default Qvidian User Role if there is no other existing custom low-level role. If you enable New User Provisioning, new users must have a Default Role assigned to them. Additionally, you can have SSO handle Role assignments based on Groups being passed via SSO. For more information on mapping of customer user groups to Qvidian user roles, see Add a new user group and QPA role mapping. If Default QPA User Roles is not configured and the SSO assertion’s group membership list does not map to any Qvidian user roles, the connection will be denied. You can change the assigned QPA roles for a specific user after their account is provisioned. However, if Manage Existing User Roles is set to "Yes", the QPA role memberships will be reset to those specified by the SSO assertion’s Groups attribute the next time the user connects to Qvidian.

  2. In the Authorized User Groups field, enter the customer user groups of which a user must be a member to access Upland Qvidian. The authorized user group name is case sensitive. Separate multiple groups with a vertical bar (|). This is required if the customer is passing Groups values via SSO and needs to limit access to Upland Qvidian only for specific Groups.
    • If no user groups are specified, no further processing for this setting is necessary.
    • If one or more user groups are specified in this setting, processing continues as follows: Within the user connection SSO assertion’s Groups attribute, the customer’s SSO authority provides the list of customer groups the connecting user is a member of. If at least one of these customer groups is in this Authorized User Groups setting, the user’s connection continues to be processed within the bounds of the remaining SSO settings. If none of the assertion’s groups exist in this Authorized User Groups setting, the user’s connection is denied.
  3. In the User Group Keys Delimiter field, enter the delimiter (a string or character) used to split out the list of customer-specified user groups in order to map customer user groups to Upland Qvidian user roles. The list of customer groups that the user is a member of is provided by the customer’s SSO authority in the user connection SSO assertion’s Groups attribute. If left empty, the default delimiter is a vertical bar (|).

Add a new user group and QPA role mapping

This is required if the customer is passing Groups values via SSO and New User Provisioning is enabled, and needs to automate Role assignment. For each group, a User Group / QPA Role Mappings setting is required, which includes a list of Qvidian roles that the customer IdP group is mapped to delimited with a vertical bar (|).

  1. Click Add. The New User Group/ QPA Role Mapping dialog box displays.
  2. Enter the name of the IdP User Group. This setting will display in the web.config file.
  3. Enter a Description of the mapping, specifically your IdP group and mapped QPA roles. This description will display in the web.config file.
  4. Enter one or more Qvidian Roles that are mapped to the IdP group specified in the setting, separated by a vertical bar (for example, Role1|Role2|Role3).
  5. Click Save. The setting displays on the grid.
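
The following Python model is an added example, not Upland Qvidian code. It walks one connection through the Authorized User Groups, Default QPA User Roles, User Group Keys Delimiter and User Group / QPA Role Mappings settings described above, so you can check the outcome of a configuration before applying it. The order of the checks, exact string matching, the combining of roles from several mapped groups, and all group and role names are assumptions.

```python
from dataclasses import dataclass, field

def split_bar(value):
    """Split a vertical-bar-delimited setting value, dropping empty entries."""
    return [item for item in value.split("|") if item]

@dataclass
class SsoSettings:
    new_user_provisioning: bool = False       # Enable New User Provisioning?
    manage_existing_user_roles: bool = False  # Manage Existing User Roles?
    default_roles: str = ""                   # Default QPA User Roles
    authorized_groups: str = ""               # Authorized User Groups
    group_delimiter: str = ""                 # User Group Keys Delimiter ("" means "|")
    role_mappings: dict = field(default_factory=dict)  # IdP group -> "Role1|Role2"

def resolve_connection(settings, groups_attribute, existing_roles=None):
    """Return (allowed, roles). existing_roles=None means no Qvidian account yet."""
    groups = [g for g in groups_attribute.split(settings.group_delimiter or "|") if g]
    authorized = split_bar(settings.authorized_groups)
    # Authorized User Groups: exact, case-sensitive match on at least one group.
    if authorized and not any(g in authorized for g in groups):
        return False, []
    if existing_roles is None and not settings.new_user_provisioning:
        return False, []  # user must already have an account
    if existing_roles is not None and not settings.manage_existing_user_roles:
        return True, list(existing_roles)  # roles are left untouched
    roles = []
    for group in groups:  # assumption: roles of all mapped groups are combined
        for role in split_bar(settings.role_mappings.get(group, "")):
            if role not in roles:
                roles.append(role)
    roles = roles or split_bar(settings.default_roles)
    if not roles:
        return False, []  # nothing mapped and no default roles: denied
    return True, roles

# Constructed sample settings; group and role names are made up.
SAMPLE = SsoSettings(
    new_user_provisioning=True, manage_existing_user_roles=True,
    default_roles="Everyone", authorized_groups="Proposal-Writers|Sales",
    role_mappings={"Proposal-Writers": "Writer|Reviewer"})

if __name__ == "__main__":
    for groups, current in [("Proposal-Writers|Staff", None), ("sales", None),
                            ("Sales", ["Administrator"])]:
        print(groups, current, "->", resolve_connection(SAMPLE, groups, current))
```

The third sample shows a manually assigned role being replaced by the default role on the next connection when Manage Existing User Roles is "Yes", and every authorized user with unmapped groups receives the default roles, so those roles should stay low-privilege.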

Modify an existing mapping

  1. Select the mapping and click More. The Modifying User Group / QPA Role Mapping dialog box displays.
  2. Edit the user group name, description or roles.
  3. Click Save.

Delete a mapping

  • Select the mapping and then click Delete. You are prompted to confirm the deletion. The settings are removed from the grid and consequently the web.config file.