User authentication by default is handled natively within QuerySurge. However, many organizations use Single Sign-On (SSO) to authenticate their users across a number of applications and systems. QuerySurge now supports the major SSO providers (Google, Microsoft, and Okta). Follow the procedure below to configure QuerySurge to use your SSO provider to authenticate users.
Note: We encourage you to work with an SSO administrator or other knowledgeable resource to ensure that you're configuring your SSO settings correctly.
Configuring your Identity Platform
Before making any settings changes in QuerySurge itself, you'll need to register QuerySurge as an application with your identity platform. Please refer to the platform-specific steps below, as well as each platform's published documentation for this setup step.
Google Cloud
Please refer to the Google Identity guide to register an application with your identity platform. The following comments review QuerySurge-specific details for this setup process.
- After navigating to Create Credentials > OAuth client ID, choose the Web Application option in the Application type section.
- In the Authorized redirect URIs section, enter one of the following URIs for your QuerySurge deployment.
If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:
http://<server>:<port>/QuerySurge/sso
If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:
https://<server>:<port>/QuerySurge/sso
- Create your credentials. After creating your credentials, the OAuth client created modal shows Your Client ID and Your Client Secret values. Make a record of both, as you'll need these values in the next section.
- Lastly, use the Google Identity Developer documentation to determine the appropriate Discovery document. You will need this in the next section.
Note: Google does not support the use of private IP addresses as an authorized redirect URI.
Microsoft Azure Active Directory
Please refer to the Microsoft Quickstart guide to register an application with your identity platform. The following comments review QuerySurge-specific details for this setup process.
- After completing the initial registration, you'll be taken to the Overview pane. It is important to record the Application (client) ID. You'll need this value in the next section.
- In the Configure platform settings section, choose the Web option and enter one of the following Redirect URIs for your QuerySurge deployment.
If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:
http://<server>:<port>/QuerySurge/sso
If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:
https://<server>:<port>/QuerySurge/sso
- In the Add credentials section, you can skip the procedure for adding a certificate. Instead, follow the directions in the Add a client secret section. Again, take note of the generated Client secret (specifically, the Value). You will need it in the next section.
- Lastly, navigate back to the Overview pane and select Endpoints. Once more, take note of the OpenID Connect metadata document, which you'll need in the next section.
Note: Microsoft only supports the use of localhost as an authorized redirect URI when SSL is not configured on your QuerySurge application server.
Okta Single Sign-On
Please refer to the Okta Help Center guide to create an OIDC application integration with your identity platform. The following comments review QuerySurge-specific details for this setup process.
- In the Application type section, choose the Web Application option.
- In the Grant type section, the Authorization Code option should already be selected by default. Leave all of the other options unselected.
- In the Sign-in redirect URIs section, enter one of the following URIs for your QuerySurge deployment.
If your QuerySurge deployment uses the HTTP protocol, enter the following redirect URI:
http://<server>:<port>/QuerySurge/sso
If your QuerySurge deployment uses the HTTPS protocol, enter the following redirect URI:
https://<server>:<port>/QuerySurge/sso
- In the Sign-out redirect URIs section, delete any default value that might have been prepopulated.
- After saving the application integration, you'll be taken to the settings page. Under the General tab, take note of the Client ID and Client Secret values. You'll need both in the next section.
- Lastly, use the Okta Developer documentation to determine the appropriate OpenID Connect metadata endpoint. Make a note of it, as you will need it in the next section.
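The redirect URI rules in the three sections above can be checked before you paste a value into the provider console. The following is an added example, not QuerySurge or provider code; the function name, the provider labels and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SSO_PATH = "/QuerySurge/sso"  # callback path given in this article


def check_redirect_uri(provider, uri):
    """Return a list of problems for a redirect URI; an empty list means it passes.

    provider is "google", "microsoft" or "okta" (labels chosen for this example).
    """
    problems = []
    parts = urlsplit(uri)
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not host:
        problems.append("missing host")
    # Assumption: the provider compares redirect URIs as exact strings,
    # so the path has to match the article's value character for character.
    if parts.path != SSO_PATH:
        problems.append("path must be exactly " + SSO_PATH)

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal

    # Article note: Google does not accept private IP addresses.
    if provider == "google" and ip is not None and ip.is_private:
        problems.append("Google does not accept a private IP address")
    # Article note: without SSL, Microsoft accepts only localhost.
    if provider == "microsoft" and parts.scheme == "http" and host != "localhost":
        problems.append("Microsoft accepts http only for localhost")
    # General OAuth point: over http the authorization code travels in clear text.
    if parts.scheme == "http" and host != "localhost":
        problems.append("http exposes the authorization code in transit")
    return problems
```

Run it against the exact string you intend to register, for example `check_redirect_uri("google", "https://10.0.0.5:443/QuerySurge/sso")`.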
Enabling SSO Authentication in QuerySurge
Now that you've registered an application with your identity platform, you need to configure your QuerySurge instance to use SSO authentication.
- Log in to the QuerySurge Global Admin portal.
- In the Global Administration Tree on the left, navigate to QuerySurge Administration > Authentication Settings.
- Check the Enable SSO Authentication checkbox.
- Select an identity provider from the Identity Provider dropdown menu.
- Retrieve the client ID you created while configuring your identity platform and enter it in the Client ID text field.
- Retrieve the client secret you created while configuring your identity platform and enter it in the Client Secret text field.
- Retrieve the discovery document, OpenID Connect metadata document, or OpenID Connect metadata endpoint you noted while configuring your identity platform and enter it in the Discovery URL text field.
- Click the Test SSO Settings button.
- You'll be redirected away from QuerySurge to your identity platform, where you'll be asked to authenticate. If this authentication succeeds and your configuration settings are correct, you'll be redirected back to QuerySurge and greeted with a success modal.
- Click the OK button.
- Now, using the Identifying Claim dropdown menu, select the claim that maps to your QuerySurge username. If you're unsure of the correct claim, click the Show Claims button to view all of the claim-value pairs returned by your authentication request.
- Click the Save button. QuerySurge SSO configuration is complete.
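Before entering a Discovery URL and choosing an Identifying Claim, you can sanity-check the metadata document the URL returns. The following is an added example, not QuerySurge code; the function name, the sample issuer `idp.example.com` and the sample document are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"  # suffix from OpenID Connect Discovery
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(discovery_url, doc, identifying_claim):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    # The issuer must be the discovery URL with the well-known suffix removed.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL lacks " + WELL_KNOWN)
    elif doc.get("issuer") != discovery_url[: -len(WELL_KNOWN)]:
        problems.append("issuer does not match the discovery URL")
    # Endpoints that carry codes, tokens and signing keys must be https.
    for name in ENDPOINTS:
        if urlsplit(str(doc.get(name) or "")).scheme != "https":
            problems.append(name + " missing or not https")
    # The web application registrations use the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # claims_supported is optional; check only when the provider publishes it.
    claims = doc.get("claims_supported")
    if claims is not None and identifying_claim not in claims:
        problems.append("claim '" + identifying_claim + "' not advertised")
    return problems


# Constructed sample document for a placeholder issuer (not a real provider).
SAMPLE_URL = "https://idp.example.com/oauth2/default" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "claims_supported": ["sub", "email", "preferred_username"],
}
```

Fetch the real document with your usual HTTP client and pass the parsed JSON as `doc`; a claim missing from `claims_supported` is a hint to confirm with Show Claims, since providers may return claims they do not advertise.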