Skip to main content
Third-party Integration

SAML integration

SAML integration, available in the Identity Provider settings, lets you connect to your corporate identity provider (IdP) using the SAML 2.0 protocol to enable single sign-on (SSO).
Applicable versionEnterprise Dedicated

Create users outside the synchronization scope

Enterprise administrators can configure and manage SAML integration in Enterprise Settings > Identity Provider. To create users who are not managed through SAML, select the Support built-in users, which allows the creation of users outside the synchronization scope checkbox.

Configure SAML

Step 1: Configure SAML connection

To establish a connection between the Qoder CN Service Provider (SP) and your enterprise's Identity Provider (IdP), a SAML identity source, you need to configure the following information:
  • SAML Metadata URL: The metadata URL from your corporate IdP.
  • Public key: The self-signed certificate for Qoder CN SP, which is the content of the public.crt file.
  • Private key: Qoder CN SP private key, the content of the rsa_private.key file.
The command to generate a private key and a Qoder CN self-signed certificate is as follows:
openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 3650 -out public.crt
After filling in the fields, click Next.

Step 2: Configure metadata

To establish trust for Qoder CN in your enterprise IdP, you must configure Qoder CN as a trusted SAML SP and configure the SAML assertion attributes. Create a SAML SP in your enterprise IdP and choose one of the following methods to configure Qoder CN as a relying party:
  • Copy the URL of the SAML Service Provider Metadata for Qoder CN below, and configure it in your SAML service.
  • If your IdP does not support URL configuration, download the SAML Service Provider Metadata file and upload it to the IdP.
  • If your IdP does not support uploading a metadata file, you must manually configure the following parameters:
    • Entity ID: The value of the entityID attribute of the md:EntityDescriptor element in the downloaded SAML Service Provider Metadata file.
    • ACS URL: The value of the Location attribute of the md:AssertionConsumerService element in the downloaded SAML Service Provider Metadata file.
    • SLO URL: The value of the Location attribute of the SingleLogoutService element in the downloaded SAML Service Provider Metadata file.
After completing the configuration, click Next.

Step 3: Configure account linking and attribute mapping

Four account linking methods are available:
  • Automatically bind accounts with the same email: Based on the synchronization policy, users in Qoder CN and SAML with the same email address are automatically bound together.
  • Automatically bind accounts with the same username: Based on the synchronization policy, users from Qoder CN and SAML who have the same username are automatically bound together.
  • Automatically bind accounts with the same mobile number: Automatically binds users from Qoder CN and SAML based on the synchronization policy.
  • Automatic binding of accounts with the same employee ID: According to the synchronization policy, users in Qoder CN and SAML with the same employee ID are automatically bound together.
Regardless of the account identification and binding method you choose, you must ensure that the corresponding attribute field is unique and exists. This is because Qoder CN performs one-to-one account matching based on the selected method. The binding process for the Automatically bind accounts with the same email option is as follows: Next, configure the fields for user attribute mapping. Qoder CN will map information based on the user attribute field mappings shown in the figure below. In the Unique Account Identifier field, enter the SAML user attribute that uniquely identifies each account. This setting cannot be changed after submission. In the User Attribute Mapping section, map the Qoder CN user attributes to the corresponding SAML user attributes: Name to name, Username to user_name, Email to email, Mobile to mobile, Employee ID to employId, and Nickname to nickname. After completing the configuration, click Next.

Step 4: Enable single sign-on

Single sign-on is disabled by default during configuration. After enabling it, you can configure the following SSO settings:
  • Customize the display name and icon for the SAML login option, which will then appear on the login page.
  • Enable Single Log-Out (SLO): This feature is disabled by default. To enable it, select the checkbox and configure the Single Log-Out (SLO) URL of Qoder CN in your SAML IdP. This completes the SLO configuration and ensures that the logout status of Qoder CN and the SAML IdP are synchronized.
  • Allow creating a Qoder CN account upon first login:
    • If this option is not selected, SAML accounts can be linked only to Qoder CN accounts during logon. If a matching Qoder CN account is not found, Qoder CN will not create a Qoder CN account based on the SAML account.
    • If this option is selected: When a SAML account is used to log on to Qoder CN and cannot be matched to an existing Qoder CN account, Qoder CN creates a new Qoder CN account and binds it to that SAML account.
You can save the configuration without enabling single sign-on. The service can be enabled later from the SAML integration details page. Click Save to complete the SAML integration setup.

Log on to Qoder CN with SAML

After enabling single sign-on, the Qoder CN login page displays a SAML login option. Users with linked SAML accounts can click this option to go to the SAML login page and sign in with their SAML credentials.

Log out

When a user logs out of Qoder CN, their session with the SAML IdP is also terminated. To ensure that logging out of the SAML IdP also logs the user out of Qoder CN, configure single logout (SLO) as described in Step 4.

Session duration

The session duration is determined by the settings in Qoder CN. If the session exceeds the login duration configured in Qoder CN, you are automatically logged out of Qoder CN. To continue using Qoder CN, you must log in again.

Modify SAML configuration

On the SAML integration details page, click View/Edit Settings. In the panel that appears, you can modify only optional user attribute mapping details. Other configuration settings cannot be changed.

Disable single sign-on

On the SAML integration details page, if single sign-on is enabled, click Edit Settings. In the panel that opens, you can disable single sign-on. After disabling SSO:
  • Existing account links between Qoder CN accounts and SAML accounts are not removed.
  • Logging in to Qoder CN with a SAML account is not supported. If you need to log in to Qoder CN, you can use the Qoder CN username and password to log in.

Remove SAML integration

On the SAML integration details page, click Remove Integration. Confirming the action removes the SAML integration and has the following effects:
  • This removes the links between Qoder CN accounts and SAML accounts.
  • You cannot log in to Qoder CN by using SAML. To log in to Qoder CN, use the username and password for Qoder CN.
Guides
Tutorials
  • Coding with Qoder CN
Developer Reference