Qualified’s enterprise SSO helps your team access Qualified through a single entry point and gives IT complete control.
In this article, we'll walk you through how to provision your Azure AD SSO users right from within the Qualified application.
Getting Started
As a prerequisite, first make sure that you have configured SSO in Qualified and enabled it with Azure AD.
Qualified supports the following provisioning features for SSO users:
- Push New Users: New users created through Azure will also be created in the third-party application.
When a user is provisioned, we'll move over their name, role, phone number, email, and timezone from Azure into Qualified automatically. Once this user is created initially, we will not push or update the information again outside of email and role information.
- Push Profile Updates: Updates made to the user's profile through Azure will be pushed to Qualified (email and role).
- Push User Deactivation: Deactivating the user or disabling the user's access to the application through Azure will deactivate the user in Qualified.
For this application, deactivating a user means removing access to log in, but maintaining the user's Qualified information as an inactive user.
- Reactivate Users: User accounts can be reactivated in the application via Azure.
The following provisioning features are not supported:
- Import Users
- Import/Push Groups
- Sync password
- Profile sourcing
In Azure
Before you begin with this setup, create three roles within Azure:
- "Qualified Rep"
- "Qualified Admin"
- "Qualified Meetings"
These roles are used for SCIM User Provisioning to set the correct role of the user within Qualified. Those assigned the “Qualified Rep” role will have rep permissions within Qualified and those assigned to the “Qualified Admin” role will be assigned admin privileges within Qualified. Those assigned the "Qualified Meetings" role will only have privileges to the Qualified Meetings product.
In Qualified
- Log in to your Qualified account and navigate to Settings > Single sign-on.
- Click on the “SCIM Enabled?” toggle to turn it on and reveal the API URL and Bearer Token.
Back in Azure
- In the Provisioning section of the Qualified app you set up within Azure AD, set the Admin Credentials by pasting in the URL and Secret Token (Bearer Token) from the Qualified Single Sign-on Settings and then click Test Connection.
- Next, you need to set up mappings for AD Users. The following mappings need to be created:
Attribute Mappings Details
Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
---|---|---|
userPrincipalName | userName | 1 |
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | |
jobTitle | title | |
givenName | name.givenName | |
surname | name.familyName | |
telephoneNumber | phoneNumbers[type eq "work"].value | |
objectId | externalId | |
Switch(ToLower(SingleAppRoleAssignment([appRoleAssignments])), "meetings", "qualified admin", "admin", "qualified rep", "rep") | roles[primary eq "True"].value | |
We do not support Groups at this time, so disable those mappings. In addition, the bottom expression needs to test the value of your Admin role.
- Make sure that both the AD Attribute and "customappsso Attribute" match exactly what is shown in the mappings above.
- Once you are done, you are able to start the provisioning process.
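In Azure AD's Switch(source, default, key1, value1, ...) the second argument is the fallback, so with the role mapping above any app role that is not exactly "Qualified Admin" or "Qualified Rep" is provisioned as "meetings". The Python sketch below is an added example, not Qualified's or Microsoft's code, that evaluates both Switch mappings for a few constructed users; it assumes SingleAppRoleAssignment yields the role's display name, and the SCIM payload shape is an approximation.

```python
# Added example: models the attribute mappings from the table above.
# Assumption: SingleAppRoleAssignment returns the app role's display name.

def switch(source, default, *pairs):
    """Azure AD Switch(source, default, key1, value1, ...): first matching key wins."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def to_scim(user):
    """Build the approximate SCIM user the mappings yield for one Azure AD user."""
    role = switch(user["appRole"].lower(), "meetings",
                  "qualified admin", "admin", "qualified rep", "rep")
    active = switch(str(user["IsSoftDeleted"]), "", "False", "True", "True", "False")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["userPrincipalName"],
        "externalId": user["objectId"],
        "active": active,  # string, exactly as the Switch expression emits it
        "title": user["jobTitle"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "phoneNumbers": [{"type": "work", "value": user["telephoneNumber"]}],
        "roles": [{"primary": "True", "value": role}],
    }

# Constructed sample users (not real accounts).
BASE = {"userPrincipalName": "ada@example.com",
        "objectId": "00000000-0000-0000-0000-000000000001",
        "jobTitle": "SDR", "givenName": "Ada", "surname": "Lee",
        "telephoneNumber": "+1 555 0100", "IsSoftDeleted": False}
SAMPLES = [
    {**BASE, "appRole": "Qualified Admin"},
    {**BASE, "appRole": "Qualified Rep"},
    {**BASE, "appRole": "Qualified Meetings"},   # no key matches: default applies
    {**BASE, "appRole": "Qualifed Admin"},       # misspelled role: default applies
    {**BASE, "appRole": "Qualified Admin", "IsSoftDeleted": True},
]

def summarize(users):
    """Return (Azure app role, Qualified role, active) for each user."""
    return [(u["appRole"], to_scim(u)["roles"][0]["value"], to_scim(u)["active"])
            for u in users]

if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
```

A misspelled Azure role name therefore lands the user in the Meetings role rather than failing provisioning, which is worth checking for when reviewing role assignments after the first sync.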