How does Q-Play SSO work?

Here is a short description of how Q-Play Single Sign-On (SSO) works.

SSO Sign in Options:

  • The sign-in flow can be triggered by signing in on the Q-Play sign-in form as a user with SSO active. The user is redirected to the Identity Provider's (IDP) internal sign-in page.
  • The user can go to and be redirected to the Identity Provider's (IDP) internal sign-in page.
  • The user can sign in using the IDP's internal sign-in page.

SSO Sign in flow:

  1. The user goes to either the internal IDP sign-in form or the Q-Play sign-in page.
    1. When the user goes to the Q-Play sign-in page, they can enter their credentials to be redirected to the IDP internal sign-in form. When the login button is pressed, Q-Play automatically finishes the rest of the sign-in.
  2. The user is sent to Q-Play with the email, common name and given name.
    1. Our system now checks if the user exists in Q-Play and is connected to the specified company account.
    2. A user gets created and added to your company account.
      1. The user is assigned to the role "New User".
      2. The user is assigned to the group "New User".
    3. The user will now get authenticated again, but this time they will be signed in when entering Q-Play.
    4. When the user is assigned to the role "New User", they will get a popup every time they go to the "Overview" page, notifying them about the permissions specified for "New User".

What is needed for SSO installation?

When activating SSO, the following is required. If the required configuration is done before ordering, this will speed up our process of setting up SSO for your account.

This is the information we need:

After receiving our details:

  • Open your ADFS management console.
    • Click on Relying Party Trusts on the left side of the console.
    • Click on Add new relying party trust... on the right side of the console.
    • Click on Start.
    • Enter the Uniform Resource Locator (URL) in the Federation metadata address (host name or URL) field.
    • Click Next. The ADFS console will now show a warning telling you that you have to review the properties of the trust that you are creating. Click OK.
    • Click Next.
    • Click Next.
    • Click on the Signature tab, and verify it looks like the image below.
    • Click Next.
    • Click OK.
    • Right click on the trust you just made.
    • Click Edit Claim Issuance Policy...
    • Click Add Rule...
    • Click Next.
    • In the Claim rule name field, enter a name to identify the rule (recommended: UPN).
    • Select Active Directory in the Attribute store field.
    • Set the Mapping of LDAP attributes to outgoing claim types as shown below.
    • Click OK.
    • Click Add Rule...
    • In Claim rule template, select Transform an Incoming Claim as shown below.
    • Click OK.
    • Click on the Apply button.
    • Click OK.
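
A read-only check of the finished trust, as an added example (not Q-Play's or Microsoft's own script): it confirms the trust is enabled, that its metadata is fetched over HTTPS, that the signing certificates are not close to expiry, and that the issuance rules emit the email, common name and given name claims the sign-in flow relies on. The trust name `Q-Play` is a placeholder, and the claim type URIs are ADFS defaults assumed to match what Q-Play expects.

```powershell
# Added example: read-only audit of the relying party trust created above.
# Run on the ADFS server in an elevated PowerShell session.
Import-Module ADFS

$TrustName = 'Q-Play'   # placeholder: the display name you gave the trust

# Claim types for the attributes the sign-in flow names (ADFS default URIs;
# that Q-Play expects exactly these URIs is an assumption).
$ExpectedClaims = [ordered]@{
    'email'       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    'common name' = 'http://schemas.xmlsoap.org/claims/CommonName'
    'given name'  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
}

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "No relying party trust named '$TrustName' was found." }

$findings = @()
if (-not $trust.Enabled) { $findings += 'Trust is disabled.' }

# The trust was built from federation metadata; it should be fetched over TLS.
if ($trust.MetadataUrl -and ([uri]$trust.MetadataUrl).Scheme -ne 'https') {
    $findings += "Metadata URL is not HTTPS: $($trust.MetadataUrl)"
}

# Signature tab: flag SHA-1 and certificates expiring within 30 days.
if ($trust.SignatureAlgorithm -match 'sha1$') {
    $findings += "Signature algorithm is SHA-1: $($trust.SignatureAlgorithm)"
}
foreach ($cert in $trust.RequestSigningCertificate) {
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Signing certificate $($cert.Thumbprint) expires $($cert.NotAfter)."
    }
}

# Claim issuance policy: every expected claim type must appear in the rules.
foreach ($name in $ExpectedClaims.Keys) {
    if ($trust.IssuanceTransformRules -notlike "*$($ExpectedClaims[$name])*") {
        $findings += "No issuance rule emits the $name claim."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Trust '$TrustName' passed all checks." }
```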

Overview / Configure SSO

Q-Play is working on a configuration page for SSO accounts. This page is still under development, which means that configuring SSO yourself is not yet available.

Administrators will be able to configure:

  1. Update your metadata.xml if you get a new ADFS server.
  2. Add email domains to the whitelist. This function controls which users are sent to the ADFS server via the Q-Play sign-in form.
  3. How many users the company has (SSO users only).
  4. Manage SSO users linked to your account.

Administrators will be able to view:

  1. How many sign-ins there were today
  2. When users signed in
  3. When the config was changed