What SSO Providers does Qstream support?
The SSO Identity Providers that we support are:
- Salesforce
- OKTA
- OneLogin
- PING
- Active Directory Federation Services using SAML 2.0.
Does Qstream support SP or IDP initiated SSO flow?
We support both SP (Service Provider) and IdP (Identity Provider) initiated flows, assuming the IdP encodes our ACS URL in their system.
Can Qstream accept our default IdP metadata file with organisation-specific attribute names and values? (First Name, Last Name, Email ID, User Name)
Yes. We expect to have the metadata.xml file from the IdP server to aid in setup and can support custom attributes.
Can Qstream use an email address as the Name ID?
Yes. Our preferred name identifier format is urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress, but we can support a custom name identifier format if provided.
Does Qstream support Auto-provisioning?
During SSO, the system will auto-provision any authenticated user for which there is not already an existing account in Qstream with that email.
However, the user will not be enrolled in any Qstreams or assigned to an appropriate group. This setup needs to be performed by the Qstream Site Administrator for that email.
How does Qstream handle user de-provisioning?
API-based.
Manual de-provisioning.
Can Qstream handle authorization or should it be handled at the IDP side?
All users authenticated by the IdP will be granted access to the Qstream site. Authorization must be handled by the IdP.
Does Qstream have a sandbox environment for testing?
We will create one, and we require a headless account in the organisation's environment to test end-to-end integration for both the SP and IdP flows.
What details are required by Engineering in order to initiate a SAML SSO integration?
Engineering does not require any details. All Client Services representatives can provision SSO integrations. If you're interested in implementing this integration, please email your Qstream Client Services representative to get this started.