The purpose of this document is to provide a reference for frequently asked questions regarding Qualys SAML support.
The SAML 2.0 single sign-on integration requires acceptance of the New Data Security Model. The following items are needed to set it up:
- EntityID string from the IdP (SAML Identity Provider)
- Public key certificate for the IdP (your organization's IdP base64 certificate in .txt format)
- Your organization's SAML IdP SSO URL (used for SP-initiated authentication requests)
- Subscription (such as abcd_ef)
- Custom exit URL for the subscription (optional)
Is my Platform supported?
Our plan is to extend SAML support to all public Qualys platforms (Identify your Qualys Platform). The current SAML status for each platform follows:
|Qualys Platform||In Development||Open Beta||General Availability|
|US Platform 1||X|
|US Platform 2||X|
|US Platform 3||X|
|EU Platform 1||X|
|EU Platform 2||X|
|IN Platform 1||X|
The SAML connector is free.
What is the current lead time to get SAML enabled for my subscription?
The lead time is 5-7 business days.
What SAML versions are supported?
Qualys supports SAML 2.0 for Single Sign-On. Qualys does not support SAML 1.0.
When enabled, is SAML required for all users in my subscription?
No. Qualys SAML offers user granularity. Subscription Managers can turn SAML on or off for individuals. There must always be at least one Manager user in the subscription without SAML enabled.
How do I enable SAML for a user?
Once SAML is enabled for the subscription, any Manager can enable it for a user.
To do so, enter a unique string in the “External ID” field in the user's settings; the user's email address is a common choice. **This field is case-sensitive.**
I am a Manager. Why can I not edit the External ID field?
If you are not the primary Manager, you must be given permission to edit the External ID field. The primary Manager grants it by going to Users > Setup > Security and choosing the option "Allow other users to manage external IDs".
My IdP broke! Can I still log into Qualys?
Yes. The subscription Manager must request a password reset. Support can then disable SAML for that user without affecting any other users in the subscription, and a new password is sent automatically to the email address on that account.
What are the specs and capabilities?
| Qualys Platform | ACS URL (Shared Platforms) |
| --- | --- |
| US Platform 1 | https://qualysguard.qualys.com/IdM/saml2/ |
| US Platform 2 | https://qualysguard.qg2.apps.qualys.com/IdM/saml2/ |
| US Platform 3 | https://qualysguard.qg3.apps.qualys.com/IdM/saml2/ |
| EU Platform 1 | https://qualysguard.qualys.eu/IdM/saml2/ |
| EU Platform 2 | https://qualysguard.qg2.apps.qualys.eu/IdM/saml2/ |
| IN Platform 1 | https://qualysguard.qg1.apps.qualys.in/IdM/saml2/ |
Qualys public certificate
The recommended SAML attribute name is qualysguard_external_id; the value returned to the ACS must be identical to the External ID field in the user's account. Optionally, any standard SAML attribute name can be used instead; contact Support to arrange this.
| Setting | Value |
| --- | --- |
| Binding Profile | SP-Initiated SSO: HTTP-Redirect URL |
| Federation process | Identity Provider (IDP) initiated and Service Provider (SP) initiated |
| Metadata exchange | Not supported |
| Response Encrypted | Not supported at this time |
| Security hash | SHA-1 and SHA-256 |
| Target URL | Not supported; the user is directed to the dashboard after successful login |
| Version | SAML 2.0 for Single Sign-On |
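The attribute mapping and the capability table above translate into a handful of checks worth running on a captured IdP response before enabling a user: the Destination is one of the Qualys ACS URLs, the assertion is not encrypted (Qualys cannot decrypt it), the signature digest is SHA-256 rather than SHA-1, and the qualysguard_external_id value matches the user's External ID exactly, including case. The script below is an added illustration, not Qualys code; the SAML response it parses is a constructed sample with a placeholder signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
QUALYS_ATTR = "qualysguard_external_id"          # default attribute name from the FAQ
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
QUALYS_ACS = {                                   # shared-platform ACS URLs from the table above
    "https://qualysguard.qualys.com/IdM/saml2/",
    "https://qualysguard.qg2.apps.qualys.com/IdM/saml2/",
    "https://qualysguard.qg3.apps.qualys.com/IdM/saml2/",
    "https://qualysguard.qualys.eu/IdM/saml2/",
    "https://qualysguard.qg2.apps.qualys.eu/IdM/saml2/",
    "https://qualysguard.qg1.apps.qualys.in/IdM/saml2/",
}

# Constructed sample response; SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://qualysguard.qualys.com/IdM/saml2/">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:AttributeStatement><saml:Attribute Name="qualysguard_external_id">
   <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def review_response(xml_text, configured_external_id, attr_name=QUALYS_ATTR):
    """Check a captured IdP response against the Qualys constraints in this FAQ."""
    root = ET.fromstring(xml_text)
    method = root.find(".//ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    value = None
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            node = attr.find("saml:AttributeValue", NS)
            value = node.text.strip() if node is not None and node.text else None
    return {
        "acs_ok": root.get("Destination") in QUALYS_ACS,
        # Qualys does not support encrypted responses: an EncryptedAssertion will fail.
        "encrypted": root.find(".//saml:EncryptedAssertion", NS) is not None,
        "sig_alg": alg,
        "weak_sha1": alg == RSA_SHA1,   # accepted by Qualys, but prefer SHA-256 at the IdP
        "external_id": value,
        # Qualys matches External ID case-sensitively, so no .lower() here.
        "id_match": value is not None and value == configured_external_id,
    }
```

Running `review_response(SAMPLE_RESPONSE, "jane.doe@example.com")` reports `id_match: False` even though only the case differs, which is the most common cause of a failed first login.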
How do the regular session timeout and logout features work?
We log the user out of Qualys after 1 hour of inactivity. We delete the Qualys session cookie but do not modify the IdP's cookie. When the user accesses Qualys again, we follow the same procedure: contact the IdP to authenticate the user and, upon successful authentication, log the user into Qualys.
Which types of certificates are supported?
Only base64 certificates (used for signing and reading the signature) are supported.
Is the Federation process IDP initiated or SP initiated?
We support both Identity Provider (IDP) initiated and Service Provider (SP) initiated.
Is API supported?
Yes. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.
Is API supported for a SAML enabled user?
No. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.
Is VIP (two factor authentication) supported?
No. VIP and SAML SSO do not work together and cannot be enabled on the same user account.
These documents provide information on integrations with other single sign-on services.
Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief
Microsoft Active Directory Federation Services (ADFS) Integration - Microsoft ADFS is currently supported for authentication. Qualys doesn't provide the build for the client-side ADFS trust; however, we do provide the configuration screenshots in the linked document.
Okta Integration - Okta is currently supported for authentication.