Overview
SAML (Security Assertion Markup Language) is an open-standard format for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). As a service provider, QuikData supports both IdP-initiated and SP-initiated SAML single sign-on (SSO).
- IdP-initiated SSO: The user starts at their Identity Provider (e.g., Microsoft Entra ID, Google Workspace, Okta), selects the QuikData application, and is redirected to QuikData with a SAML assertion.
- SP-initiated SSO: The user starts at the QuikData login page. QuikData identifies the user's email domain, generates a SAML authentication request, and redirects the user to their Identity Provider to authenticate. After authentication, the IdP sends the user back to QuikData with a SAML assertion.
How SAML Works with QuikData
SAML assertions (tokens) verify user identity when logging into the platform. These assertions contain:
- User Identity: Information about the individual who has logged in
- Issuer URL: The identity provider that issued the assertion (configured as the Endpoint URL in QuikData)
- Audience: The intended recipient of the assertion (QuikData)
- Digital Signature: Cryptographic protection ensuring the assertion hasn't been tampered with
An assertion is only valid if it originates from a known Issuer URL, is addressed to the expected Audience, and is correctly signed.
Multi-IdP Support and Email Domain Mapping
QuikData supports multiple identity providers simultaneously by mapping user email domains to specific IdPs. This allows organizations to:
- Route users from different domains to different identity providers
- Support subsidiaries or departments with separate IdP configurations
- Maintain fallback authentication for unmapped domains
Important: Users whose email domain is not mapped to an IdP will authenticate using QuikData's integrated username and password system. All users must be created within the QuikData site before their first SAML login attempt.
SAML Workflow
Workflow Steps Explained
- User Authentication: The user logs into their organization's identity provider (e.g., Microsoft Entra ID, Google Workspace, Okta)
- Application Selection: The user selects the QuikData application from their IdP's app catalog or dashboard
- Assertion Generation: The IdP creates a SAML assertion containing the user's identity information and digitally signs it
- Browser POST: The Identity Provider sends a SAML response to the user's browser, which automatically POSTs it to QuikData's Assertion Consumer Service (ACS) endpoint
- Validation: QuikData validates the assertion by verifying the issuer, audience, signature, and that the user exists in the system
- Access Granted: Upon successful validation, the user is logged into QuikData
Configuration Prerequisites
Before configuring SAML SSO, ensure the following requirements are met:
Identity Provider Requirements
- Your organization must have a SAML 2.0 compatible Identity Provider
- The IdP must be network-accessible from the QuikData web application server
- The IdP must be configured to send assertions to QuikData's ACS endpoint
QuikData Requirements
- Site Administrator privileges are required to configure SSO
- Users must be pre-created in QuikData before they can authenticate via SAML
- User email addresses in QuikData must match the email/NameID sent by the IdP
Information You'll Need from Your IdP
- Issuer URL (also called Entity ID or Issuer)
- SSO Endpoint URL (also called SAML 2.0 Endpoint or Login URL)
- X.509 Certificate (for signature validation)
Information to Provide to Your IdP
When configuring QuikData as a Service Provider in your Identity Provider, you will need to provide the following values:
| Setting | Value |
|---|---|
| ACS URL (Reply URL) |
https://your-quikdata-server.com/Account/SAMLLogin (default). This value is configurable in Site Admin → Site Settings as the SAML URL. Confirm with your QuikData administrator if it has been customized. |
| Entity ID (Audience URI) |
QuikData (or as agreed with your QuikData administrator) |
| NameID Format | Email Address |
Note: Replace your-quikdata-server.com with your organization's actual QuikData server URL. The default ACS path is /Account/SAMLLogin, but this is configurable in Site Settings. Contact your QuikData administrator if you are unsure of the correct value.
Registering a SAML Identity Provider
Getting There
- Log in to QuikData with a Site Administrator account
- Navigate to Site Admin → Identity Providers
- Click the New Identity Provider button
Registering a New Identity Provider
Click the "New Identity Provider" button to open the form to register a new IdP. The following popup form will appear:
-
Domain Name
The email domain for the users who should be routed to this Identity Provider during login. This determines which users are directed to authenticate through the IdP.
Example:gmail.com -
Issuer Name
The unique identifier of the Identity Provider, typically a URI string. QuikData uses this value to validate SSO requests and ensure they originate from the correct IdP. This must exactly match the Issuer value configured on your Identity Provider. -
Registered Name
The registered application name associated with this SSO configuration. In most cases, this will simply be "QuikData". This value may be displayed in your Identity Provider's application catalog or user login flows. -
Endpoint Address
The Identity Provider's Single Sign-On URL (also called Login URL or SAML 2.0 Endpoint). This is the URL where users are sent to authenticate with your IdP. This value is provided by your Identity Provider and is required for establishing a trusted connection. -
Certificate
The X.509 certificate provided by the Identity Provider, used to validate signed SAML assertions or tokens. Uploading the certificate is required for production environments. Without certificate validation, SAML assertions cannot be verified as authentic, leaving the system vulnerable to forged login attempts. You may omit the certificate only during initial testing with non-production data.
Examples
Microsoft Entra ID (formerly Azure AD)
Step 1: Create an Enterprise Application in Entra ID
- Sign in to the Microsoft Entra admin center
- Navigate to Identity → Applications → Enterprise applications
- Click New application → Create your own application
- Enter "QuikData" as the application name
- Select Integrate any other application you don't find in the gallery (Non-gallery)
- Click Create
Step 2: Configure SAML SSO in Entra ID
- In your new application, go to Single sign-on → Select SAML
- In the Basic SAML Configuration section, click Edit and enter:
-
Identifier (Entity ID):
QuikData(or your preferred identifier) -
Reply URL (ACS URL):
https://your-quikdata-server.com/Account/SAMLLogin(default endpoint; confirm with your QuikData administrator if customized)
-
Identifier (Entity ID):
- In the Attributes & Claims section, ensure the following claim is configured:
-
Required claim:
emailaddress→user.mailoruser.userprincipalname
-
Required claim:
- In the SAML Certificates section, download the Certificate (Base64)
Step 3: Gather Configuration Values
From the Set up QuikData section in Entra ID, copy:
- Login URL → Use as Endpoint Address in QuikData
- Microsoft Entra Identifier → Use as Issuer Name in QuikData
Step 4: Configure QuikData
| QuikData Field | Value from Entra ID |
|---|---|
| Domain Name | Your organization's email domain (e.g., contoso.com) |
| Issuer Name | Microsoft Entra Identifier (e.g., https://sts.windows.net/{tenant-id}/) |
| Registered Name | QuikData |
| Endpoint Address | Login URL (e.g., https://login.microsoftonline.com/{tenant-id}/saml2) |
| Certificate | Upload the Base64 certificate downloaded from Entra ID |
Step 5: Assign Users in Entra ID
- In the Enterprise application, go to Users and groups
- Click Add user/group
- Select the users or groups who should have access to QuikData
- Click Assign
Google Workspace
Step 1: Create a Custom SAML Application
- Sign in to the Google Admin Console
- Navigate to Apps → Web and mobile apps
- Click Add app → Add custom SAML app
- Enter "QuikData" as the application name and click Continue
Step 2: Download Google IdP Information
On the Google Identity Provider details page:
- Download the Certificate (you'll upload this to QuikData)
- Copy the SSO URL → Use as Endpoint Address
- Copy the Entity ID → Use as Issuer Name
- Click Continue
Step 3: Configure Service Provider Details
Enter the following in Google Admin:
-
ACS URL:
https://your-quikdata-server.com/Account/SAMLLogin(default endpoint; confirm with your QuikData administrator if customized) -
Entity ID:
QuikData -
Name ID format:
EMAIL -
Name ID:
Basic Information > Primary email
Click Continue, then Finish.
Step 4: Configure QuikData
| QuikData Field | Value from Google |
|---|---|
| Domain Name | Your Google Workspace domain (e.g., yourcompany.com) |
| Issuer Name | Entity ID from Google (e.g., https://accounts.google.com/o/saml2?idpid=xxxxx) |
| Registered Name | QuikData |
| Endpoint Address | SSO URL from Google |
| Certificate | Upload the certificate downloaded from Google |
Step 5: Enable the Application for Users
- In the Google Admin Console, return to the QuikData app
- Click User access
- Select ON for everyone or configure organizational unit access
- Click Save
Troubleshooting
Common Issues and Solutions
"User not found" Error
Cause: The user does not exist in QuikData, or the email address doesn't match.
Solution:
- Verify the user exists in QuikData with the correct email address
- Confirm the IdP is sending the email address as the NameID or in an email claim
- Check for case sensitivity issues (some systems treat
User@Domain.comanduser@domain.comdifferently)
"Invalid Issuer" Error
Cause: The Issuer in the SAML assertion doesn't match the configured Issuer Name.
Solution:
- Compare the Issuer value in QuikData with your IdP's Entity ID
- Ensure exact character matching, including trailing slashes
- Check for URL encoding differences
"Signature Validation Failed" Error
Cause: The certificate configured in QuikData doesn't match the signing certificate used by the IdP.
Solution:
- Download a fresh certificate from your IdP
- Upload the new certificate to QuikData
- Ensure the certificate hasn't expired
"Audience Mismatch" Error
Cause: The Audience/SP Entity ID in the assertion doesn't match what QuikData expects.
Solution:
- Verify the Audience URI/SP Entity ID configured in your IdP matches QuikData's expected value
- Check the Registered Name field in QuikData
Users Are Not Being Routed to SSO
Cause: The email domain isn't mapped to an IdP, or the mapping is incorrect.
Solution:
- Verify the Domain Name in the IdP configuration matches the user's email domain exactly
- Ensure there are no typos (e.g.,
gmail.comvsgmal.com) - Check that the IdP is active and properly configured
Gathering Diagnostic Information
When contacting support, please provide:
- The exact error message displayed
- The user's email address (domain portion only for privacy)
- The configured Domain Name, Issuer Name, and Endpoint Address
- Timestamp of the failed login attempt
- Any relevant logs from your Identity Provider
Security Best Practices
Certificate Management
- Always upload a certificate: Certificate validation is required for production environments to prevent assertion tampering
- Monitor certificate expiration: IdP certificates typically expire every 1–3 years; schedule renewals before expiration
- Update certificates promptly: When your IdP rotates certificates, update QuikData immediately to avoid authentication outages
Access Control
- Pre-provision users carefully: Since users must exist before SSO login, establish clear provisioning procedures
- Regular access reviews: Periodically audit user accounts and IdP assignments
- Remove access promptly: When employees leave, disable their QuikData accounts
Network Security
- Use HTTPS: Ensure all endpoints use TLS encryption
- Firewall rules: Restrict access to SAML endpoints as appropriate for your environment
Frequently Asked Questions
Q: Can users log in with both SSO and username/password?
A: Users whose email domain is mapped to an IdP will be directed to SSO. Users can still use username/password if they access QuikData directly and their account has a password set, but this behavior depends on your site configuration.
Q: What happens if our IdP is unavailable?
A: Users will not be able to authenticate via SSO. Consider maintaining emergency administrator accounts with password authentication for system access during IdP outages.
Q: Can we use multiple IdPs for the same email domain?
A: No, each email domain can only be mapped to one Identity Provider. If you need to split users from the same domain across multiple IdPs, consider using sub-domains or aliases.
Q: How do I test SSO without affecting existing users?
A: Create a test user with an email address in the domain you're configuring. Configure the IdP mapping, then attempt to log in as the test user from your IdP.
Comments
0 comments
Please sign in to leave a comment.