Articles in this section

See more

QuerySurge Authentication with SSO (Versions: 10.2+)

User authentication by default is handled natively within QuerySurge. However, many organizations utilize Single Sign On (SSO) as a means to authenticate its users across a number of applications and systems. QuerySurge natively supports some of the major SSO providers (Google, Microsoft, Okta, and Ping Identity), and can be configured to utilize other identity providers that implement the OpenID Connect protocol. Follow the procedure below to configure QuerySurge to use your SSO provider to authenticate users.

Note: We encourage you to work with an SSO administrator or other knowledgeable resource to ensure that you're configuring your SSO settings correctly.

Configuring your Identity Platform

Before making any settings changes in QuerySurge itself, you'll need to register QuerySurge as an application with your identity platform. Please refer to platform-specific steps below, as well as their respective published documentation articles for this setup step.

Google Cloud

Please refer to the Google Identity guide to register an application with your identity platform. The following comments review QuerySurge-specific details for this setup process.

  1. After navigating to Create Credentials > OAuth client ID, choose the Web Application option in the Application type section.
  2. In the Authorized redirect URIs section, enter one of the following URIs for your QuerySurge deployment.

    If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:

    http://<server>:<port>/QuerySurge/sso

    If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:

    https://<server>:<port>/QuerySurge/sso
  3. Create your credentials. After creating  your credentials, the OAuth client created modal shows Your Client ID and Your Client Secret values. Make a record of both, as you'll need these values in the next section.
  4. Lastly, use the Google Identity Developer documentation to determine the appropriate Discovery document. You will need this in the next section.

Note: Google does not support the use of private IP addresses as an authorized redirect URI.

Microsoft Azure Active Directory

Please refer to the Microsoft Quickstart guide to register an application with your identity platform. The following comments review QuerySurge-specific details for this setup process.

  1. After completing the initial registration, you'll be taken to the Overview pane. It is important to record the Application (client) ID. You'll need this value in the next section.
  2. In the Configure platform settings section, choose the Web option and enter one of the following Redirect URIs for your QuerySurge deployment.

    If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:

    http://<server>:<port>/QuerySurge/sso

    If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:

    https://<server>:<port>/QuerySurge/sso
  3. In the Add credentials section, you can skip the procedure for adding a certificate. Instead, follow the directions in the Add a client secret section. Again, take note of the generated Client secret (specifically, the Value). You will need it in the next section.
  4. Lastly, navigate back to the Overview pane and select Endpoints. Once more, take note of the OpenID Connect metadata document, which you'll need in the next section.

Note: Microsoft only supports the use of localhost as an authorized redirect URI when SSL is not configured on your QuerySurge application server.

Okta Single Sign-On

Please refer to the Okta Help Center guide to create an OIDC application integration with your identity platform. The following comments review QuerySurge-specific details for this setup process.

  1. In the Application type section, choose the Web Application option.
  2. In the Grant type section, the Authorization Code option should already be selected by default. Leave all of the other options unselected.
  3. In the Sign-in redirect URIs section, enter one of the following URIs for your QuerySurge deployment.

    If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:

    http://<server>:<port>/QuerySurge/sso

    If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:

    https://<server>:<port>/QuerySurge/sso
  4. In the Sign-out redirect URIs section, delete any default value that might have been prepopulated.
  5. After saving the application integration, you'll be taken to the settings page. Under the General tab, take note of the Client ID and Client Secret values. You'll need both in the next section.
  6. Lastly, use the Okta Developer documentation to determine the appropriate OpenID Connect metadata endpoint. Note this, as you will need this in the next section.

Ping Identity (Version 14.0+)

Please refer to Ping Identity's guide for creating an application in order to get started. The following comments review QuerySurge-specific details for this setup process.

  1. On the Add Application screen, select OIDC Web App for the Application Type.
  2. After the application has been created, you Client ID and Client Secret should be visible in the Overview section.
  3. Navigate to the Configuration section and expand the URLs subsection. Here you will find a URL labeled OIDC Discovery Endpoint. This is the URL that you will need to enter as the Discovery URL in QuerySurge.
  4. While still in the Configuration section, click on the edit button. Make sure that the Response Type option is set to Code, and the Grant Type option is set to Authorization Code.
  5. In the Redirect URIs section, enter one of the following URIs for your QuerySurge deployment.

    If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:

    http://<server>:<port>/QuerySurge/sso

    If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:

    https://<server>:<port>/QuerySurge/sso
  6. Change the Token Endpoint Authentication Method option to Client Secret Post if it is not already selected, then click the Save button.
  7. Navigate to the Resources section. If you do not see openid, email, and profile under Allowed Scopes, click the edit button, select these three options, then click save.

Other SSO Providers (Version 14.0+)

In addition to the providers mentioned previously, QuerySurge can be configured to utilize any other identity providers that implement the OpenID Connect protocol. The setup may vary from provider to provider, but in general you will need to:

  1. Create a new OpenID Connect application via your provider's interface.
  2. Add one of the following URIs to the application's allowed Redirect URIs.

    If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:

    http://<server>:<port>/QuerySurge/sso

    If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:

    https://<server>:<port>/QuerySurge/sso
  3. Ensure that your application is configured to use the client_secret_post authentication method.
  4. Ensure that your application is configured to grant the openid, profile, and email scopes.
  5. Retrieve your application's Client ID, Client Secret, and Discovery URL. You should now be able to follow the steps below to configure SSO in QuerySurge using the Generic SSO provider option.

Enabling SSO Authentication in QuerySurge

Now that you've registered an application with your identity platform, you need to configure your QuerySurge instance to use SSO authentication.

  1. Login to the QuerySurge Global Admin portal.
  2. In the Global Administration Tree on the left, navigate to QuerySurge Administration > Authentication Settings.
  3. Check the Enable SSO Authentication checkbox.
  4. Select an identity provider from the Identity Provider dropdown menu.
  5. Retrieve the client ID you created while configuring your identity platform and enter it in the Client ID text field.
  6. Retrieve the client secret you created while configuring your identity platform and enter it in the Client Secret text field.
  7. Retrieve the discovery document, OpenID Connect metadata document, or OpenID Connect metadata endpoint you created while configuring your identity platform and enter in the Discovery URL text field.

  8. Click the Test SSO Settings button.
  9. You'll be redirected away from QuerySurge to your identity platform, where you'll be asked to authenticate. If this authentication succeeds and your configuration settings are correct, you'll be redirected back to QuerySurge and greeted with a success modal.

  10. Click the OK button.

  11. Now, using the Identifying Claim dropdown menu, select the claim that maps to your QuerySurge username. If you're unsure of the correct claim, click the Show Claims buttons to view all of the claim-value pairs returned by your authentication request.

  12. Click the Save button. QuerySurge SSO configuration is complete.

Related articles