SAML Frequently Asked Questions (FAQ)

Document created by Parag Baxi on Oct 9, 2013. Last modified by Qualys Documentation on Jun 14, 2018. Version 40.

Purpose

The purpose of this document is to provide a reference for frequently asked questions regarding Qualys SAML support.

 

Getting Started

Requirements

The SAML 2.0 single sign-on integration requires acceptance of the New Data Security Model.

 

To initiate SAML onboarding, submit the following information on the SAML 2.0 Integration Request Form through the Contact Support - Technical Assistance Form:

  • EntityID string from IdP (SAML Identity Provider)
  • Public key certificate for the IdP (your organization's IdP base64 cert in .txt format)
  • Organization's SAML IdP SSO URL (SP initiated authentication requests)
  • Subscription (such as abcd_ef)
  • Custom exit URL for a subscription (Optional)

 

Is my Platform supported?

Our plan is to extend SAML support to all public Qualys platforms (Identify your Qualys Platform). The current SAML status for each platform follows:

 

Qualys Platform | In Development | Open Beta | General Availability
US Platform 1 X
US Platform 2 X
US Platform 3 X
EU Platform 1 X
EU Platform 2 X
IN Platform 1 X

 

Pricing

SAML connector is free.

 

General

What is the current lead time to get SAML enabled for my subscription?

The lead time is 5-7 business days.

 

What SAML versions are supported?

Qualys supports SAML 2.0 for Single Sign-On. Qualys does not support SAML 1.0.

 

When enabled, is SAML required for all users in my subscription?

No. Qualys SAML offers user granularity. Subscription Managers can turn SAML on or off for individuals. There must always be at least one Manager user in the subscription without SAML enabled.

 

My IdP broke! Can I still log into Qualys?

Yes. A password reset must be requested by the subscription manager. Support is then able to disable SAML for a user without affecting any other users in the subscription. A new password is automatically sent to the email for that account.

 

Technical

Specs and capabilities?

 

Qualys EntityID: QualysGuard_SharedPlatform-SAML20-SP

Qualys ACS URL (Shared Platforms):

  US Platform 1: https://qualysguard.qualys.com/IdM/saml2/

  US Platform 2: https://qualysguard.qg2.apps.qualys.com/IdM/saml2/

  US Platform 3: https://qualysguard.qg3.apps.qualys.com/IdM/saml2/

  EU Platform 1: https://qualysguard.qualys.eu/IdM/saml2/

  EU Platform 2: https://qualysguard.qg2.apps.qualys.eu/IdM/saml2/

  IN Platform 1: https://qualysguard.qg1.apps.qualys.in/IdM/saml2/

Qualys public certificate: Base64

SAML Attribute: It is recommended that you use qualysguard_external_id, which is returned to the ACS with the same value as the External ID field in the user's account. Optionally, you can use any standard SAML attribute name; contact Support to arrange this.

Binding Profile: SP-Initiated SSO, HTTP-Redirect URL
Federation process: Identity Provider (IDP) initiated and Service Provider (SP) initiated
Identity Mapping: Transient
Logout: Not supported
Metadata exchange: Not supported
Response Signing: Yes
Response Encrypted: Not supported at this time
Security hash: SHA-1 and SHA-256
Target URL: Not supported; the user is directed to the dashboard after successful login
Version: SAML 2.0 for Single Sign-On
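As an added example (not Qualys code and not part of this FAQ), the Python below shows the SP side of the specs above: it builds the SP-initiated AuthnRequest for the HTTP-Redirect binding using the Qualys EntityID, the US Platform 1 ACS URL and a transient NameID policy, and it applies the field checks an SP should make on the IdP's Response before trusting it (Destination, Issuer, presence and algorithm of the signature, NameID format, and the qualysguard_external_id attribute). The IdP EntityID and SSO URL are placeholders for an organisation's own IdP; the code uses only the standard library and does not perform cryptographic signature verification.

```python
import base64, zlib, urllib.parse
import xml.etree.ElementTree as ET
# SP values below come from the FAQ's specs table (US Platform 1); the IdP
# EntityID and SSO URL are constructed placeholders for an organisation's own IdP.
SP_ENTITY_ID = "QualysGuard_SharedPlatform-SAML20-SP"
ACS_URL = "https://qualysguard.qualys.com/IdM/saml2/"
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # placeholder
IDP_SSO_URL = "https://idp.example.com/sso"         # placeholder
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def build_redirect_url(request_id, issue_instant):
    """SP-initiated SSO, HTTP-Redirect binding: AuthnRequest -> raw DEFLATE -> base64 -> query."""
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
             f' ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}"'
             f' Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
             f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
             f'<samlp:NameIDPolicy Format="{TRANSIENT}"/></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(authn.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_request(url):
    """Inverse of build_redirect_url: recover the AuthnRequest XML from a redirect URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()

def check_response(xml_text):
    """Field checks before trusting an IdP Response; real signature verification (xmldsig library) is out of scope."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Qualys ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the registered IdP EntityID")
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        problems.append("Response carries no XML signature")
    elif sig.get("Algorithm") != RSA_SHA256:
        problems.append("signature is not RSA-SHA256 (SHA-1 is accepted but deprecated)")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID format is not transient")
    attr = root.find(".//saml:Attribute[@Name='qualysguard_external_id']/saml:AttributeValue", NS)
    if attr is None or not (attr.text or "").strip():
        problems.append("qualysguard_external_id attribute is missing or empty")
    return problems
```

An empty list from check_response means the fixed fields match the table; a Response that still passes these checks must then have its XML signature verified against the IdP certificate supplied at onboarding.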

 

How do the regular session timeout and logout features work?

We log out the user from Qualys after 1 hour of inactivity. We delete the Qualys session cookie but do not modify the IdP's cookie. When the user wants to access Qualys again, we follow the same procedure: contact the IdP to authenticate the user and, upon successful authentication, log the user into Qualys.

 

Which types of certificates are supported?

Only base64 certificates (used for signing and reading the signature) are supported.

 

Is the Federation process IDP initiated or SP initiated?

We support both Identity Provider (IDP) initiated and Service Provider (SP) initiated.

 

Qualys Interoperability

Is API supported?

Yes. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.

 

Is API supported for a SAML enabled user?

No. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.

 

Is VIP (two factor authentication) supported?

No. VIP and SAML SSO do not work together and cannot be enabled on the same user account.

 

Partner interoperability

Information on integrations with other single sign-on services.

 

Microsoft ADFS support

Microsoft ADFS is currently supported for authentication. Configuration screenshots can be found in the attached document.

 

Okta support

Okta is currently supported for authentication. Configuration can be found in the attached document.
