Realms: Implement SAML Authentication

This topic refers to functionality that is only available to accounts on the Quick Base Platform or Quick Base Unlimited plans. If you do not see the functionality described here, either your account or realm has not been configured to show it, or your account is not on one of those plans.

When you’re working on a large network and signing into a variety of software tools, you often must enter a different login and password each time. Wouldn’t it be nice to have to remember only one user name and password? Many organizations have implemented a corporate access system that lets users access multiple secure directories using only their network login. Using Security Assertion Markup Language (SAML), you can also enable user authentication to a Quick Base realm with that network login.

An added advantage to using SAML authentication is that you can give “approved” status in your realm to any user who matches your corporate directory. This setup is a handy way to automate application access restrictions.

Note: You can still use Quick Base access control to limit user access and permissions within the realm.

Overview

Quick Base supports both identity provider (IdP) initiated and service provider (SP) initiated SAML single sign-on (SSO).

A request for Quick Base first checks for a valid browser cookie. If a valid cookie is not present, Quick Base forwards an authentication request (AuthnRequest) to your SSO login URL. Your organization’s users are either prompted to log in, or are automatically authenticated because of an existing login.

The provider sends an assertion containing the user's NameID, EmailAddress, FirstName and LastName.

Upon receiving the assertion, Quick Base checks whether the NameID exists in its directory. If the NameID does not exist, Quick Base checks the EmailAddress provided. If the EmailAddress is found, the new NameID is added to the record and paired with the unique Quick Base ID. In subsequent assertions, Quick Base again looks for the NameID, and when it is found, any new user metadata is updated.

If the provider assertion does not contain a recognizable NameID or EmailAddress, Quick Base automatically provisions the user and opens the Quick Base My Apps page, listing any apps to which the user is invited. If the user has no app invites, the My Apps page is blank.

The newly provisioned Quick Base ID is paired with the assertion’s NameID, FirstName, LastName and EmailAddress. Only users created that have a role in an application are counted as paying user accounts.
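The matching and provisioning rules just described, as an added example that is not Quick Base's own code: an assertion is matched by NameID first, then by an exact EmailAddress match (which pairs the NameID with the existing Quick Base ID), and otherwise a new user is provisioned. The User and RealmDirectory classes, the assertion dictionary and the starting directory are assumptions constructed for the illustration.

```python
# Added example (not Quick Base's own code): the NameID / EmailAddress matching and
# provisioning rules from the Overview, run against a constructed in-memory realm
# directory. User, RealmDirectory and the assertion dict are assumptions made for the
# illustration, not Quick Base data structures.
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    qb_id: int                      # the unique Quick Base ID
    email: str
    first: str
    last: str
    name_id: Optional[str] = None   # paired on the first successful SAML login


class RealmDirectory:
    def __init__(self, users):
        self.users = {u.qb_id: u for u in users}
        self._next_id = itertools.count(max(self.users, default=0) + 1)

    def resolve(self, assertion):
        """Return (user, action) for an assertion carrying NameID, EmailAddress,
        FirstName and LastName. action is 'matched_nameid', 'linked_email' or
        'provisioned'."""
        name_id, email = assertion["NameID"], assertion["EmailAddress"]
        first, last = assertion["FirstName"], assertion["LastName"]

        # 1. NameID already paired with a Quick Base ID: refresh the profile from the
        #    latest assertion (user metadata is always updated from the newest one).
        for user in self.users.values():
            if user.name_id == name_id:
                user.email, user.first, user.last = email, first, last
                return user, "matched_nameid"

        # 2. Unknown NameID: fall back to an EXACT email match and pair the NameID with
        #    that Quick Base ID. jdoe@acme.com and jdoe@acmeinc.com do not match, which
        #    is the duplicate-user trap called out under "Important" further down.
        for user in self.users.values():
            if user.email == email:
                user.name_id, user.first, user.last = name_id, first, last
                return user, "linked_email"

        # 3. Neither known: auto-provision a new user paired with this NameID.
        user = User(next(self._next_id), email, first, last, name_id)
        self.users[user.qb_id] = user
        return user, "provisioned"


def demo_directory():
    """Constructed starting state: one existing user who has never logged in via SAML."""
    return RealmDirectory([User(1, "jdoe@acme.com", "Jane", "Doe")])
```

Running three assertions through demo_directory() in order shows the three outcomes: the first login for jdoe@acme.com links the NameID to user 1, a second login with the same NameID updates the profile in place, and a login with a variant address (jdoe@acmeinc.com) under a new NameID provisions user 2 rather than touching user 1.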

Implementing SAML Authentication

If you are planning to implement SAML authentication, we encourage you to contact your Quick Base Account Executive or Customer Success Manager to start the process.

We documented the technical details needed for SAML authentication. All you need to do is send the contents of the SAML Authentication Details topic to your IT department. They will need to configure a SAML Identity Provider that will talk to your corporate access system, and then contact Quick Base Customer Care to give us those details.

In the meantime, contact Quick Base Customer Care or your Sales Engineer, and supply a list of the email domains registered with your company. Users provisioned or invited into your realm with email addresses matching the company's email domain will be required to authenticate via SAML. If you have existing Quick Base users, make sure that their email addresses in Quick Base match the email address sent by the SAML Identity Provider. If not, they will be treated as new users when they log in, and they will lose their Quick Base history.

Important: The first time a user authenticates using SAML, Quick Base looks for an exact email address match to determine what Quick Base user is logging in. If there are different variants of the email address (for example, jdoe@acme.com and jdoe@acmeinc.com), the email address in Quick Base must match the one the IdP passes in.  Otherwise, Quick Base will not recognize the login attempt from an existing user, and will create a new user, which will not have access to any of the existing user’s apps.

Note: If anyone at your company is using Quick Base Desktop, you must override SAML authentication for them, or create a second account that uses Quick Base authentication to be used solely for Quick Base Desktop. For more information on authentication via the Quick Base API, see What about API Access to Quick Base.

When a user authenticates via SAML, logging in to Quick Base is handled through your corporate login process. The browser only redirects to the Quick Base site after the user has been authenticated. There is no registration process as there is with a first login using Quick Base authentication. When users who are not in one of your registered email domains attempt to log in, they can choose whether to use your corporate authentication or register with a Quick Base-specific password.

Special Variant: Override SAML Authentication for a User

Even if you set up SAML authentication, you can override it on a per-user basis, or create a duplicate user who is allowed to log in with a Quick Base password. When a user sets this override, a note displays next to the user Realm status level: Approved (password managed by Quick Base).

To override SAML authentication:
  1. On the My Apps page, click Manage name_of_realm, then click the Directory tab.

  2. Locate the user or users to affect.

    You can search for users by first name, last name, user name, and email address. You can filter the list based on user status and can sort the list by any column you wish by clicking the column header.

  3. Select the checkbox next to the users for whom you want to override SAML authentication.

  4. Click Change Access Level.

    A pop up box appears.

  5. Click Always have Quick Base manage password, and then click Change Access Level.

Special Variant: Require SAML Authentication for All Users

Contact Quick Base Customer Care to activate this variant of SAML authentication.

When your realm is configured to require SAML authentication for all users, any user attempting to access your realm will always use your corporate login process.

Application administrators can still invite anyone with a valid email address, but you will need to set up those users in your corporate access system before they can access Quick Base.

Setting SAML timeout session time

Quick Base SAML assertions support the certificate NotOnOrAfter attribute so identity providers can control user session time.

You can control the session timeouts via the NotOnOrAfter attribute of your X.509 certificate or via the Quick Base Policies tab of the Manage Billing Account page.

If your certificate contains the NotOnOrAfter attribute, Quick Base uses that attribute for the session timeout. If not, then Quick Base uses your realm policies defined on the Policies tab of your account’s Manage Billing Account page. If the realm-defined policies have not been set, Quick Base follows the default configuration of 720 minutes.

What about API Access to Quick Base?

That depends on whether you’re logged in or not. API access from a Web browser after user login is not an issue. Users who have already authenticated (via SAML or Quick Base) can use our APIs as they normally would.

Programs that use the Quick Base API cannot authenticate using SAML. If you have to log in via the API, the user named in the API_Authenticate call must be configured to use Quick Base authentication by one of two methods: override SAML authentication for that user (see Special Variant: Override SAML Authentication for a User), or create a duplicate user for API access as described below.

To duplicate an existing user for API access:
  1. Click the user's email address in the Realm Directory. The window that displays contains a Duplicate User link.

  2. Click the link, enter a user name for the duplicated user, and click GO. Quick Base creates an unregistered user with the same email address and a different user name.

  3. Override SAML authentication for the duplicate.

  4. Invite the duplicate to the application.

    The user must use the link in the email to register and create a password for the duplicate user account. (API access requires a password.)

Realms: SAML Authentication Details

The basic steps to set up SAML (Security Assertion Markup Language) authentication to Quick Base are:

1. Configure an Identity Provider (IdP).

2. Contact Quick Base Customer Care or your Sales Engineer to provide your IdP details.

Configuring your Identity Provider (IdP) for SAML/SSO

To enable single sign-on to Quick Base, you must first configure an IdP that can communicate with your corporate access system using SAML 2.0. The IdP's purpose is to securely maintain user identity information and authenticate users via the corporate access system.

This image shows the entities involved when a user attempts to log in to Quick Base and SAML authentication is active.


When a user attempts to access Quick Base and is not yet authenticated, Quick Base sends an authentication request (AuthnRequest) to the Identity Provider. This request contains:

  1. Issuer – urn:oasis:names:tc:SAML:2.0:assertion

  2. Destination – The single sign-on URL on the Identity Provider side.

  3. AssertionConsumerService – The URL of the Quick Base service that communicates with the Identity Provider (https://<realmhostname>.quickbase.com/saml/SSOAssert.aspx).

If the user is a valid user, the Identity Provider sends back an XML response called the SAML Assertion that positively identifies the user. Otherwise, the user will see an error message provided by the IdP.

Provide IdP Details to Customer Care

When the IdP configuration is complete, contact Quick Base Customer Care to provide your IdP details:

SAML Assertion Example Response

The SAML Assertion should be properly formed, and contain attributes that validate the origin and the contents of the payload. Either the entire message or the Assertion must be signed; for strongest security, Quick Base recommends signing the entire message, as shown below.

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64" Version="2.0" IssueInstant="2011-03-23T21:54:50.415Z">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://www.acme.com/SAML2IdentityProvider/</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#_c7cb47c9-d4dc-4535-b7d9-7e0cb50c1d64">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
                    </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>i17i0FeuWOQE1RQd2DgJhN2Q8A4=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>KqzSp8jCK7LEAg6wqLAGYGDqwB1B4O6LRpqYcY1kH8yIDOyKFt9pu2pA3glxXN516dtg5VrmrJLxxE9G7zDxZbgyUOuHU1sg+WcNDqV0l3zIdCYZViPRmwpJSwQ5ljrI+GE22zPi8go0GCpvvSetc2p0b6BaApJp9Fw9wbY1tUU=</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate><!-- base64-encoded IdP signing certificate omitted --></X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a1a85cc6-8c19-4036-b868-9dee488dcaad" IssueInstant="2011-03-23T21:54:50.415Z">
        <saml:Subject>
            <saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="2011-03-23T21:54:50.415Z"/>
        <saml:AttributeStatement>
            <saml:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>first_last@example.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>First</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue>Last</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
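An added example, not Quick Base's own code, of what a service provider checks when it receives a response shaped like the one above: the Status is Success, an Assertion is present, a Signature exists and its Reference URI points at the ID of the element it covers (so you can tell whether the whole message or only the Assertion was signed), the three required attributes from the AttributeStatement table are present, and the NameID is extracted. It also computes the session expiry using the fallback order from "Setting SAML timeout session time": NotOnOrAfter from the assertion, then the realm's Policies setting, then the 720-minute default. Two assumptions: Quick Base is taken to read NotOnOrAfter from the assertion's Conditions element, which is where SAML 2.0 defines it; and cryptographic verification of the XML signature is left out (it needs an XML-DSig library such as xmlsec), so only the signature's presence, scope and algorithm are inspected. The sample response is a constructed, trimmed copy of the page's example with placeholder digest and signature values and a Conditions element added.

```python
# Added example (not Quick Base's own code): structural checks on a SAML 2.0 Response
# like the one shown above, plus the session-expiry fallback order from the page.
# Signature VERIFICATION is out of scope here; only presence, scope and algorithm
# are checked. Assumption: NotOnOrAfter is read from the assertion's Conditions.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("EmailAddress", "FirstName", "LastName")   # from the attribute table
DEFAULT_SESSION_MINUTES = 720                                 # realm default from the page
DEPRECATED_SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"}

# Constructed sample: the page's response trimmed, with placeholder digest/signature
# values and a Conditions element added so the NotOnOrAfter path can be exercised.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2011-03-23T21:54:50.415Z">
  <saml:Issuer>https://www.acme.com/SAML2IdentityProvider/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_resp1"><DigestValue>PLACEHOLDER=</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER=</SignatureValue>
  </Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_asrt1" IssueInstant="2011-03-23T21:54:50.415Z">
    <saml:Subject><saml:NameID>/lfrAes2Dgknvm8vVQ4/eGwCJq+KbDC0gBbQH/Z/BSc=</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2011-03-23T22:54:50Z"/>
    <saml:AuthnStatement AuthnInstant="2011-03-23T21:54:50.415Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>first_last@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>First</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Last</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2011-03-23T21:54:50.415Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def signature_scope(root, assertion):
    """'message' if the Response itself is signed, 'assertion' if only the Assertion
    is, None if neither carries a Signature whose Reference points at its own ID."""
    for scope, el in (("message", root), ("assertion", assertion)):
        ref = el.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref is not None and ref.get("URI") == "#" + el.get("ID", ""):
            return scope
    return None


def parse_response(xml_text):
    """Apply the structural checks and return the fields Quick Base uses."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    scope = signature_scope(root, assertion)
    if scope is None:
        raise ValueError("neither the message nor the Assertion is signed")
    sig_alg = root.find(".//ds:SignatureMethod", NS).get("Algorithm")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        raise ValueError("assertion lacks required attributes: " + ", ".join(missing))
    return {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
        "signature_scope": scope,           # 'message' is what the page recommends
        "weak_signature": sig_alg in DEPRECATED_SIG_ALGS,
        "_assertion": assertion,
    }


def session_expiry(parsed, login_time, realm_policy_minutes=None):
    """Fallback order from the page: assertion NotOnOrAfter, then the Policies tab
    value, then the 720-minute default."""
    cond = parsed["_assertion"].find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        return saml_time(cond.get("NotOnOrAfter"))
    minutes = DEFAULT_SESSION_MINUTES if realm_policy_minutes is None else realm_policy_minutes
    return login_time + timedelta(minutes=minutes)
```

On the sample, parse_response reports signature_scope "message" (the Reference URI matches the Response ID, the form the page recommends) and flags weak_signature because the example, like the one on the page, uses rsa-sha1, which current XML-DSig guidance deprecates in favour of SHA-256. Removing the Conditions element makes session_expiry fall through to the realm policy value, or to 720 minutes when none is set.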

NameID

Quick Base uses this field to match the Assertion with a specific user. The value in the field is the UID of the user, which the IdP provides to Quick Base in the SAML Assertion. The UID must be unique to an employee/user and must remain associated with the same user.

Once Quick Base has parsed the SAML Assertion, and verified its contents, the user will have a temporary Quick Base cookie set on his/her browser, and will be redirected back to the Quick Base home page.

AttributeStatement (required user identification)

Quick Base uses several user fields to identify, update, or provision the user in our system. (New users authenticated by the IdP via SAML will be automatically provisioned in the Realm Directory as Approved.) These fields are required with every SAML Assertion as SAML Attributes. User information in Quick Base is always updated with the information sent in the latest SAML assertion. This ensures consistency and accuracy of the user information in Quick Base.

Field Description     SAML Attribute Name   Req'd   Notes
-----------------     -------------------   -----   -----
Email Address         EmailAddress          Yes     • Used to map the SAML assertion to an existing Quick Base user in your realm, or create a new user in Quick Base.
                                                    • Must be unique at any given time.
                                                    • The Quick Base user profile will be updated if this changes.
User's First Name     FirstName             Yes     Used to create/update the user profile in Quick Base.
User's Last Name      LastName              Yes     Used to create/update the user profile in Quick Base.

© 1999-2018  QuickBase, Inc.  All rights reserved.  Legal Notices.