<span id="top"></span>

Configuring OneLogin SSO

This guide outlines the steps to configure Single Sign-On (SSO) with OneLogin for Qualified. Follow these instructions to streamline authentication for your users and enhance security.

• Prerequisites
• Steps to Configure OneLogin SSO
• Enable SCIM Provisioning (Optional)
• Binding Email Process for Existing Users
• Adding New Users
• Disconnecting SSO

<span id="prerequisites"></span>

Prerequisites

1. Access to OneLogin as an Account Owner, or as a user with Super User or Manage App privileges.
2. Access to Qualified’s Enterprise Single Sign-on, and the Admin user role.
3. Your organization’s Company ID from Qualified.
4. A basic understanding of SAML 2.0 configuration.

Back to Top

<span id="steps-to-configure"></span>

Steps to Configure OneLogin SSO

Step 1: Set up in Qualified

1. Log in to your Qualified Admin account.
2. Navigate to Settings → Organization → Single Sign-On.
3. Select OneLogin (SAML 2.0) from the dropdown menu.
4. Copy your Company ID.

Step 2: Configure in OneLogin

1. Log in to the OneLogin Admin Console
2. Go to Applications → Applications and click Add App. 

3. Search for “Qualified” to find our application and select it.

4. Click Save to display additional configuration tabs.
5. Under the Configuration tab, enter the Company ID you copied from your Qualified account to the Application Details and Save.

6. Next, click More Actions, then right-click on SAML Metadata, and select Copy link address. You’ll add this link in Qualified in just a moment. 

7. Lastly, assign the application to yourself to complete the configuration.

OneLogin Documentation: Introduction to App Management

Step 3: Finalize SSO in Qualified

1. Return to Settings → Organization → Single Sign-On in Qualified.
2. Paste the SAML Metadata link you copied from OneLogin into the required field, and click Save. 

3. Click Verify Configuration to test the connection.
4. Before enabling single sign-on, make sure to assign all existing Qualified users access to the Qualified application in OneLogin as they will no longer be able to access Qualified with their password once SSO is enabled.
   • Existing users will receive an email to bind their accounts: Binding Email Process for Existing Users
5. When you’re ready, click Enable single sign-on for this org.

Back to Top

<span id="enable-scim-provisioning"></span>

Enable SCIM Provisioning (Optional)

SCIM provisioning automates user creation, updates, and deactivation directly from OneLogin. This step is optional but highly recommended for efficient user management.

Supported Provisioning Features

The following provisioning features are supported within Qualified provisioning of SSO users:

• Push New Users: New users created through OneLogin will also be created in Qualified.
  • When a user is provisioned, their name, role, phone number, email, and timezone from OneLogin are synced to Qualified. Further updates are limited to email and role changes only.
• Push Profile Updates: Updates made to a user's email or role in OneLogin are pushed to Qualified.
• Push User Deactivation: Deactivating a user or disabling their access to the Qualified application in OneLogin will deactivate the user in Qualified.
  • Deactivation removes login access but retains the user's information in Qualified as inactive.
• Reactivate Users: User accounts can be reactivated in Qualified via OneLogin.

Unsupported Provisioning Features

The following features are not supported:

• Import Users
• Import/Push Groups
• Sync Password
• Profile Sourcing

Steps to Enable SCIM Provisioning

Step 1: In Qualified

1. Go to Settings → Organization → Single Sign-On.
2. Toggle on SCIM Enabled to enable SCIM provisioning.
3. Copy the SCIM OAuth Bearer Token displayed on the screen.

Step 2: In OneLogin

1. In your OneLogin Admin console, go to Users → Roles and create the following roles, and add access to the Qualified app:
   • Qualified Admin
   • Qualified Rep
   • Qualified Meeting

OneLogin Documentation: Creating Roles

2. Next, go to Applications → Applications, find the Qualified application, and click to open it.
3. Navigate to the Configuration tab.
   • Enable the API Connection.
   • Paste the SCIM OAuth Bearer Token from Qualified into the SCIM Bearer Token field, and Save.

4. Next, go to to the Provisioning tab.
   • Check the box to Enable Provisioning.
   • Under "When users are deleted in OneLogin, or the user's app access is removed," select Suspend. Then, click Save.

5. Navigate to the Rules tab.
   • Click Add Rule to create the first of three rules, one for each Qualified Role:
     • Name: Qualified Admin
     • Conditions: Roles → include → Qualified Admin
     • Actions: Set Role in Qualified.com (check box “Map from OneLogin” → Set Role to “-Macro-” → admin
   • Click Save.

• Create another Rule for Qualified Rep (set Role to “rep”)
• Create another Rule for Qualified Meetings (set Role to “meetings”)

OneLogin Documentation: Configuring Apps

Testing and Verification

1. Add a test user in OneLogin:
   • Assign the user one of the roles you created (e.g., Qualified Admin, Qualified Rep, Qualified Meetings).
   • Verify the user is created in Qualified with the correct attributes and role.
2. Update the test user's attributes (e.g., email or role) in OneLogin:
   • Confirm the changes sync correctly in Qualified.
3. Deactivate the test user in OneLogin:
   • Ensure the user’s access is removed in Qualified while their profile remains inactive.

Back to Top

<span id="binding-email-process"></span>

Binding Email Process for Existing Users

After enabling SSO, all existing Qualified users receive an email from app@qualified.com with a unique binding link.

Users must click the link within 72 hours to bind their Qualified account to their OneLogin Account. If the binding link expires, an admin can resend it from Qualified by going to Settings → Organization → Users.

Back to Top

<span id="adding-new-users"></span>

Adding New Users

With SCIM Provisioning Enabled

A OneLogin user with Super user, or have the Manage Role privilege to the Qualified roles, will need to assign the user to the appropriate Qualified Role to add them to Qualified. 

OneLogin Documentation: Assigning Roles to Users

Without SCIM Provisioning

If your company does not have SCIM Provisioning enabled, then you’ll follow the steps below to add new users to Qualified: 

1. Assign Users in OneLogin: A OneLogin admin with Super user, Manage user, or Manage application privileges will need to assign the user to the Qualified application: Manually Assigning Apps to Users‍
2. ‍Invite Users in Qualified: Invite users from Settings → Organization → Users in Qualified: Provisioning Users in Qualified‍
3. User Accepts Invite: Invited users will receive an email with a button to link their account and access Qualified. 

Back to Top

<span id="disconnecting-sso"></span>

Disconnecting SSO

If you'd like to disconnect your company’s SSO, you can do so at any time.

1. Go to Settings → Organization → Single Sign-On 
2. Click Disable SSO for this team. 
3. Users will receive an email to create a new password and log in using their email addresses.

Back to Top