SAML integration, available in the Identity Provider settings, lets you connect to your corporate identity provider (IdP) using the SAML 2.0 protocol to enable single sign-on (SSO).
Enterprise administrators can configure and manage SAML integration in Enterprise Settings > Identity Provider. To create users who are not managed through SAML, select the Support built-in users, which allows the creation of users outside the synchronization scope checkbox.
To establish a connection between the Qoder CN Service Provider (SP) and your enterprise's Identity Provider (IdP), a SAML identity source, you need to configure the following information:
After filling in the fields, click Next.
To establish trust for Qoder CN in your enterprise IdP, you must configure Qoder CN as a trusted SAML SP and configure the SAML assertion attributes. Create a SAML SP in your enterprise IdP and choose one of the following methods to configure Qoder CN as a relying party:
Four account linking methods are available:
Single sign-on is disabled by default during configuration. After enabling it, you can configure the following SSO settings:
After enabling single sign-on, the Qoder CN login page displays a SAML login option. Users with linked SAML accounts can click this option to go to the SAML login page and sign in with their SAML credentials.
When a user logs out of Qoder CN, their session with the SAML IdP is also terminated. To ensure that logging out of the SAML IdP also logs the user out of Qoder CN, configure single logout (SLO) as described in Step 4.
The session duration is determined by the settings in Qoder CN. If the session exceeds the login duration configured in Qoder CN, you are automatically logged out of Qoder CN. To continue using Qoder CN, you must log in again.
On the SAML integration details page, click View/Edit Settings. In the panel that appears, you can modify only optional user attribute mapping details. Other configuration settings cannot be changed.
On the SAML integration details page, if single sign-on is enabled, click Edit Settings. In the panel that opens, you can disable single sign-on. After disabling SSO:
On the SAML integration details page, click Remove Integration. Confirming the action removes the SAML integration and has the following effects:
| Applicable version | Enterprise Dedicated |
|---|
Create users outside the synchronization scope
Enterprise administrators can configure and manage SAML integration in Enterprise Settings > Identity Provider. To create users who are not managed through SAML, select the Support built-in users, which allows the creation of users outside the synchronization scope checkbox.
Configure SAML
Step 1: Configure SAML connection
To establish a connection between the Qoder CN Service Provider (SP) and your enterprise's Identity Provider (IdP), a SAML identity source, you need to configure the following information:
- SAML Metadata URL: The metadata URL from your corporate IdP.
- Public key: The self-signed certificate for Qoder CN SP, which is the content of the public.crt file.
- Private key: Qoder CN SP private key, the content of the rsa_private.key file.
Step 2: Configure metadata
To establish trust for Qoder CN in your enterprise IdP, you must configure Qoder CN as a trusted SAML SP and configure the SAML assertion attributes. Create a SAML SP in your enterprise IdP and choose one of the following methods to configure Qoder CN as a relying party:
- Copy the URL of the SAML Service Provider Metadata for Qoder CN below, and configure it in your SAML service.
- If your IdP does not support URL configuration, download the SAML Service Provider Metadata file and upload it to the IdP.
- If your IdP does not support uploading a metadata file, you must manually configure the following parameters:
- Entity ID: The value of the entityID attribute of the md:EntityDescriptor element in the downloaded SAML Service Provider Metadata file.
- ACS URL: The value of the Location attribute of the md:AssertionConsumerService element in the downloaded SAML Service Provider Metadata file.
- SLO URL: The value of the Location attribute of the SingleLogoutService element in the downloaded SAML Service Provider Metadata file.
Step 3: Configure account linking and attribute mapping
Four account linking methods are available:
- Automatically bind accounts with the same email: Based on the synchronization policy, users in Qoder CN and SAML with the same email address are automatically bound together.
- Automatically bind accounts with the same username: Based on the synchronization policy, users from Qoder CN and SAML who have the same username are automatically bound together.
- Automatically bind accounts with the same mobile number: Automatically binds users from Qoder CN and SAML based on the synchronization policy.
- Automatic binding of accounts with the same employee ID: According to the synchronization policy, users in Qoder CN and SAML with the same employee ID are automatically bound together.
Step 4: Enable single sign-on
Single sign-on is disabled by default during configuration. After enabling it, you can configure the following SSO settings:
- Customize the display name and icon for the SAML login option, which will then appear on the login page.
- Enable Single Log-Out (SLO): This feature is disabled by default. To enable it, select the checkbox and configure the Single Log-Out (SLO) URL of Qoder CN in your SAML IdP. This completes the SLO configuration and ensures that the logout status of Qoder CN and the SAML IdP are synchronized.
- Allow creating a Qoder CN account upon first login:
- If this option is not selected, SAML accounts can be linked only to Qoder CN accounts during logon. If a matching Qoder CN account is not found, Qoder CN will not create a Qoder CN account based on the SAML account.
- If this option is selected: When a SAML account is used to log on to Qoder CN and cannot be matched to an existing Qoder CN account, Qoder CN creates a new Qoder CN account and binds it to that SAML account.
Log on to Qoder CN with SAML
After enabling single sign-on, the Qoder CN login page displays a SAML login option. Users with linked SAML accounts can click this option to go to the SAML login page and sign in with their SAML credentials.
Log out
When a user logs out of Qoder CN, their session with the SAML IdP is also terminated. To ensure that logging out of the SAML IdP also logs the user out of Qoder CN, configure single logout (SLO) as described in Step 4.
Session duration
The session duration is determined by the settings in Qoder CN. If the session exceeds the login duration configured in Qoder CN, you are automatically logged out of Qoder CN. To continue using Qoder CN, you must log in again.
Modify SAML configuration
On the SAML integration details page, click View/Edit Settings. In the panel that appears, you can modify only optional user attribute mapping details. Other configuration settings cannot be changed.
Disable single sign-on
On the SAML integration details page, if single sign-on is enabled, click Edit Settings. In the panel that opens, you can disable single sign-on. After disabling SSO:
- Existing account links between Qoder CN accounts and SAML accounts are not removed.
- Logging in to Qoder CN with a SAML account is not supported. If you need to log in to Qoder CN, you can use the Qoder CN username and password to log in.
Remove SAML integration
On the SAML integration details page, click Remove Integration. Confirming the action removes the SAML integration and has the following effects:
- This removes the links between Qoder CN accounts and SAML accounts.
- You cannot log in to Qoder CN by using SAML. To log in to Qoder CN, use the username and password for Qoder CN.