SAML Frequently Asked Questions (FAQ)

Document created by Parag Baxi on Oct 9, 2013. Last modified by Nick Williams on Apr 25, 2017.
Version 37

Purpose

The purpose of this document is to provide a reference for frequently asked questions regarding Qualys SAML support.

 

Getting Started

Requirements

The SAML 2.0 single sign-on integration requires acceptance of the New Data Security Model.

 

To initiate SAML onboarding, complete the SAML 2.0 Integration Request Form and submit it through the Contact Support - Technical Assistance Form, providing the following:

  • EntityID string from IdP (SAML Identity Provider)
  • Public key certificate for the IdP (your organization's IdP base64 cert in .txt format)
  • Organization's SAML IdP SSO URL (the IdP endpoint that receives SP-initiated authentication requests)
  • Subscription (such as abcd_ef)
  • Custom exit URL for a subscription (Optional)

 

Is my Platform supported?

Our plan is to extend SAML support to all public Qualys platforms (Identify your Qualys Platform). The current SAML status for each platform follows:

Qualys Platform (status columns: In Development, Open Beta, General Availability)

US Platform 1: X
US Platform 2: X
EU Platform: X

 

Pricing

The SAML connector is free.

 

General

What is the current lead time to get SAML enabled for my subscription?

The lead time is 5-7 business days.

 

What SAML versions are supported?

Qualys supports SAML 2.0 for Single Sign-On. Qualys does not support SAML 1.0.

 

When enabled, is SAML required for all users in my subscription?

No. Qualys SAML offers user granularity. Subscription Managers can turn SAML on or off for individuals.

 

My IdP broke! Can I still log into Qualys?

Yes. The Subscription Manager requests a password reset; Support can then disable SAML for that one user without affecting any other users in the subscription, and a new password is sent automatically to the email address on that account.

 

Technical

What are the specs and capabilities?

Qualys EntityID: QualysGuard_SharedPlatform-SAML20-SP

Qualys ACS URL:

  • US Platform 1: https://qualysguard.qualys.com/IdM/saml2/
  • US Platform 2: https://qualysguard.qg2.apps.qualys.com/IdM/saml2/
  • EU Platform: https://qualysguard.qualys.eu/IdM/saml2/

Qualys public certificate: Base64

SAML Attribute: qualysguard_external_id – returned to the ACS with the same value as the External ID field in the user's account

Binding Profile: SP-Initiated SSO: HTTP-Redirect URL
Federation process: Service Provider initiated (SP).
Identity Mapping: Transient
Logout: Not supported
Metadata exchange: Not supported
Response Signing: Yes
Response Encrypted: Not supported
Security hash: SHA-1 (SHA-256 enabled by request in Cloud Suite 8.7)
Target URL: Not supported – the user is directed to the dashboard after successful login
Version: SAML 2.0 for Single Sign-On
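As an added worked example (this is not Qualys code and not taken from the attached integration guides), the following Python script, standard library only, builds the SP-initiated AuthnRequest that the HTTP-Redirect binding carries to the IdP, using the Qualys EntityID and ACS URLs from the table, and inspects a SAML Response for the properties the table lists: the declared signature and digest algorithms (flagging SHA-1 so an administrator can tell whether the SHA-256 option is in use), the transient NameID format, a Destination that matches a Qualys ACS URL, and the qualysguard_external_id attribute. The IdP SSO URL, request ID and Response XML are constructed sample values; the inspection only reads what the Response declares and does not cryptographically verify the signature, which is left to the ACS.

```python
# Added example, not Qualys code: SP-initiated AuthnRequest over the HTTP-Redirect
# binding, plus a read-only inspection of a SAML Response for the properties the
# spec table lists. Standard library only.
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SP_ENTITY_ID = "QualysGuard_SharedPlatform-SAML20-SP"  # Qualys EntityID (from the table)
ACS_URLS = {  # Qualys ACS URLs (from the table)
    "US Platform 1": "https://qualysguard.qualys.com/IdM/saml2/",
    "US Platform 2": "https://qualysguard.qg2.apps.qualys.com/IdM/saml2/",
    "EU Platform": "https://qualysguard.qualys.eu/IdM/saml2/",
}
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SHA1_SUFFIXES = ("#rsa-sha1", "#sha1")  # xmldsig algorithm URIs that end in SHA-1


def build_authn_request(acs_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest: Issuer = Qualys EntityID, transient NameID, reply to the ACS URL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_url(idp_sso_url, acs_url, relay_state=None, **kwargs):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encode into the IdP SSO URL query."""
    xml = build_authn_request(acs_url, **kwargs)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if urllib.parse.urlsplit(idp_sso_url).query else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_url: recover the AuthnRequest XML from the SAMLRequest parameter."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")


def inspect_response(xml_text):
    """Report what a Response declares. Read-only: this does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    sig = root.find("./ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest = root.find(".//ds:DigestMethod", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    ext_id = root.find(".//saml:Attribute[@Name='qualysguard_external_id']/saml:AttributeValue", NS)
    algorithms = [e.get("Algorithm", "") for e in (sig, digest) if e is not None]
    return {
        "destination": root.get("Destination"),
        "destination_is_qualys_acs": root.get("Destination") in ACS_URLS.values(),
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "digest_algorithm": digest.get("Algorithm") if digest is not None else None,
        "uses_sha1": any(a.endswith(SHA1_SUFFIXES) for a in algorithms),
        "transient_name_id": name_id is not None and name_id.get("Format") == TRANSIENT,
        "external_id": ext_id.text if ext_id is not None else None,
    }


# Constructed sample Response (not captured traffic): SHA-1 signature, transient NameID,
# the qualysguard_external_id attribute, Destination = US Platform 1 ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2017-04-25T00:00:00Z"
    Destination="{ACS_URLS['US Platform 1']}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_resp1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-04-25T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="{TRANSIENT}">_tr-9f2c</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="qualysguard_external_id">
        <saml:AttributeValue>jdoe-ext-0001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    url = redirect_url("https://idp.example.test/sso", ACS_URLS["US Platform 1"], relay_state="demo")
    print(url)
    print(decode_redirect_request(url))
    for key, value in inspect_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run it as a script to see the redirect URL an SP-initiated login would send to the IdP and the report for the sample Response; `inspect_response` is the piece worth keeping in a troubleshooting toolbox, since a Response that still declares `rsa-sha1` tells you the SHA-256 option has not been enabled on that subscription, and a Destination that is not one of the three ACS URLs means the IdP is configured against the wrong Qualys platform.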

 


 

How do the regular session timeout and logout features work?

We log the user out of Qualys after 1 hour of inactivity. We delete the Qualys session cookie but do not modify the IdP's cookie (SAML logout is not supported). When the user wants to access Qualys again, we follow the same procedure: contact the IdP to authenticate the user and, upon successful authentication, log the user into Qualys.

 

Which types of certificates are supported?

Only Base64-encoded certificates (used for signing and for verifying the signature) are supported.

 

Is the Federation process IDP initiated or SP initiated?

Service Provider initiated (SP).

 

Qualys Interoperability

Is API supported?

Yes. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.

 

Is API supported for a SAML enabled user?

No. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.

 

Is VIP (two factor authentication) supported?

No. VIP and SAML SSO do not work together and cannot be enabled on the same user account.

 

Partner interoperability

Information on integrations with other single sign-on services.

 

Microsoft ADFS support

Microsoft ADFS is currently supported for authentication. Configuration screenshots can be found in the attached document, QualysGuard_SAML_Microsoft_Active_Directory_Federation_Services_Integration.pdf.

 

Okta support

Okta is currently supported for authentication. Configuration can be found in the attached document.
