Realms: Implement SAML Authentication

Note: This topic is for Realm administrators only. QuickBase realms can be set up only on accounts that have purchased a QuickBase Enterprise plan. If you have a QuickBase Team account, or if you do not have a realm, you cannot authenticate with SAML.

When you’re working on a large network and signing into a variety of software tools, you often must enter a different login and password each time. Wouldn’t it be nice to have to remember only one user name and password? Many organizations have implemented a corporate access system that lets users access multiple secure directories using only their network login. Using Security Assertion Markup Language (SAML), you can also enable user authentication to a QuickBase realm with that network login.

An added advantage of SAML authentication is that you can give “approved” status in your realm to any user who matches your corporate directory (what's approval status?). This setup is a handy way to automate application access restrictions.

Note: You can still use QuickBase access control to limit user access and permissions within the realm.

Implementing SAML Authentication

We've documented the technical details needed for SAML authentication. All you need to do is send the contents of the SAML Authentication Details topic to your IT department. They will need to configure a SAML Identity Provider that will talk to your corporate access system, and then contact QuickBase Support to give us those details.

In the meantime, contact QuickBase Customer Support or your Sales Engineer, and supply a list of the email domain(s) registered with your company. Users provisioned or invited into your realm with email addresses matching the company's email domain(s) will be required to authenticate via SAML. If you have existing QuickBase users, make sure that their email addresses in QuickBase match the email address sent by the SAML Identity Provider. If not, they will be treated as new users when they log in, and they will lose their QuickBase history.

Important: The first time a user authenticates using SAML, QuickBase looks for an exact email address match to determine which QuickBase user is logging in. If there are different variants of the email address (for example, jdoe@acme.com and jdoe@acmeinc.com), the email address in QuickBase must match the one the IdP passes in. Otherwise, QuickBase will not recognize the login attempt as coming from an existing user, and will create a new user, which will not have access to any of the existing user’s apps.
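A pre-cutover check for the email matching described above, as an added example (not QuickBase code): it compares a realm directory export with the list of addresses the IdP will send and flags accounts that would be treated as new users. The CSV layout, the column names and the sample rows are assumptions constructed for illustration; because this page does not say whether the exact match is case-sensitive, case-only differences are reported separately.

```python
import csv
import io

# Constructed sample data. The "user_name"/"email" columns are assumed,
# not an actual QuickBase or IdP export format.
REALM_CSV = """user_name,email
jdoe,jdoe@acmeinc.com
asmith,ASmith@acme.com
blee,blee@acme.com
vendor1,pat@partner.example
"""
IDP_CSV = """email
jdoe@acme.com
asmith@acme.com
blee@acme.com
"""
REGISTERED_DOMAINS = {"acme.com", "acmeinc.com"}  # domains registered for SAML


def load_emails(text, column="email"):
    """Read one column of addresses from CSV text."""
    return [row[column].strip() for row in csv.DictReader(io.StringIO(text))]


def audit(realm_emails, idp_emails, domains):
    """Classify each realm address against the addresses the IdP will pass in."""
    exact = set(idp_emails)
    by_lower = {e.lower(): e for e in idp_emails}
    by_local = {}
    for e in idp_emails:
        by_local.setdefault(e.lower().rpartition("@")[0], e)
    report = {}
    for email in realm_emails:
        local, _, domain = email.lower().rpartition("@")
        if domain not in domains:
            report[email] = ("outside_domains", None)  # user may choose login type
        elif email in exact:
            report[email] = ("exact", email)           # history is preserved
        elif email.lower() in by_lower:
            report[email] = ("case_differs", by_lower[email.lower()])
        elif local in by_local:
            report[email] = ("domain_variant", by_local[local])  # jdoe@ case
        else:
            report[email] = ("no_idp_match", None)     # would become a new user
    return report


if __name__ == "__main__":
    result = audit(load_emails(REALM_CSV), load_emails(IDP_CSV), REGISTERED_DOMAINS)
    for address, (status, idp_address) in result.items():
        print(f"{address:28} {status:16} {idp_address or ''}")
```

Any row not marked exact or outside_domains should be corrected in QuickBase or at the IdP before SAML is enabled.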

Note: If anyone at your company is using QuickBase Desktop, you must override SAML authentication for them, or create a second account that uses QuickBase authentication to be used solely for QuickBase Desktop. For more information on authentication via the QuickBase API, see What about API Access to QuickBase.  

When a user authenticates via SAML, logging in to QuickBase is handled through your corporate login process. The browser redirects to the QuickBase site only after the user has been authenticated. There is no registration process as there is with first login using QuickBase authentication. When users who are not in one of your registered email domains attempt to log in, they will be able to choose whether to use your corporate authentication or register with a QuickBase-specific password.


Special Variant: Override SAML Authentication for a User

Even if you have set up SAML authentication, you still have the power to override it on a per-user basis, or create a duplicate user who is allowed to log in with a QuickBase password. When a user has this override set, a note is shown next to their Realm status level:  Approved (password managed by QuickBase).

To override SAML authentication:

  1. On your My QuickBase page, click Manage the realm, and then click the Directory tab.

  2. Locate the user or users to affect. You can search for users by first name, last name, user name, and email address. You can filter the list based on user status and can sort the list by any column you wish by clicking the column header.

  3. Select the checkboxes next to the users for whom you want to override SAML authentication.

  4. Click Change Access Level. A pop-up box appears.

  5. Click Always have QuickBase manage password, and then click Change Access Level.


Special Variant: Require SAML Authentication for All Users

Contact QuickBase Customer Support to activate this variant of SAML authentication.

When your realm is configured to require SAML authentication for all users, any user attempting to access your realm will always use your corporate login process.

Application administrators can still invite anyone with a valid email address, but you will need to set up those users in your corporate access system before they will be able to access QuickBase.

What about API Access to QuickBase?

That depends on whether you’re logged in or not. API access from a Web browser after user login is not an issue. Users who have already authenticated (via SAML or QuickBase) can use our APIs as they normally would.

Programs that use the QuickBase API cannot authenticate using SAML. If you have to log in via the API, the user named in the API_Authenticate call must be configured to use QuickBase authentication by one of two methods:

To duplicate an existing user for API access:

  1. Click the user's email address in the Realm Directory. The window that displays contains a Duplicate User link.

  2. Click the link, enter a user name for the duplicated user, and click GO. QuickBase creates an unregistered user with the same email address and a different user name.

  3. Override SAML authentication for the duplicate.

  4. Invite the duplicate to the application. The user must use the link in the email to register and create a password for the duplicate user account. (API access requires a password.)
     


This page refers to an older version of QuickBase. Online help is now located at http://www.quickbase.com/user-assistance/default.html.

 


© 1999-2013 Intuit Inc. All rights reserved. Legal Notices.