With our integration of Quip and Salesforce, you can now use Salesforce as an Identity Provider to configure SAML for Quip!
- You will need to have Quip for Salesforce tier.
- You must be an Admin of your Salesforce org.
- Your Salesforce and Quip instance must have the integration setup completed Salesforce Lightning Integration Setup Instructions with Pictures (2019)
- Setup the Quip Connected App within your Salesforce org.
- Configure a domain using My Domain and deploy it to all users. For instructions, see Set Up a My Domain Name.
- Your Salesforce email/username must match the email you use within Quip.
- Double check that your permission sets have been set to allow access to Single Sign On to all necessary users. This can be found within Salesforce under the Quip Permission Sets.
Once these steps are completed, you can then continue to configure Salesforce as an Identity Provider.
- Select the gear icon within your Salesforce instance, and select “Setup”.
2. On the left hand side of the screen, within the Quick Find search bar, enter Identity Provider, select Identity Provider, and click Enable Identity Provider.
Note: By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you’ve already created self-signed certificates, select the certificate to use when securely communicating with other services. If you want to use a CA-signed certificate instead of self-signed certificate, follow these steps.
Please make sure that if you have a self signed certificate, that it is not expired. If it is expired, you will need to create a new certificate.
3. Create and import a CA-signed certificate. For instructions, see Generate a Certificate Signed by a Certificate Authority.
- Click Edit, and then select the CA-signed certificate.
- Click Save.
4. Once you click Save, you will then see at the bottom of the page “Use Connected Apps to create a Service Provider”
- As a reminder, your Identity Provider (Salesforce, OKTA, etc.) would be what your Service Provider (Quip or any other connected App Program) authenticates into when logging in.
5. Within the Service Provider configuration, you can then enter the following items.
- Name: Name your Service Provider, (i.e. Quip SSO)
- Include your contact email
- Entity ID: (This can be found within the Quip metadata file)
- Start URL: (This would be the location URL within your Quip metadata file)
- ACS URL: (This would be the location URL within your Quip metadata)
- Make sure to check that your users have been correctly assigned the permission sets within Salesforce. You can do this by going to the newly created Quip Service Provider, and assign Quip and the specified users that are within Salesforce and your Quip Site.
(After you enable Salesforce as an identity provider, you can configure any other connected apps by configuring these connected apps as Service Providers.)
6. After the Service Provider section is completed, you can then download the metadata from the Identity Provider page.
7. Open the Quip Admin Console, and go to the “Accounts and Access” tab.
8. Create a new SAML configuration, by naming the configuration and uploading the Salesforce Metadata into the "Upload File" section.
Note: If you do see an error when uploading the metadata or during the “Test email” phase, please reach out to Quip Support.
9. Enter your email that is being used to log you into the Quip Admin portal as the initial “Test Email”.
10. After this, you should then see a pop-up window for Salesforce, use your specified credentials to log into Salesforce and complete the authentication process.
11. You will then be prompted to “Configure for Test Users” or to “Configure for Entire Company”. If you would like to test users, you can use any users within your Quip instance that has Salesforce credentials set up. Then hit “Enable”.
12. You should then see that the configuration is set to “Enabled” for SAML! You can always go into the configuration and “Disable” if you would like to turn it off or change the configuration to either “Enable for entire company” or “Enable for Select Users”.
OPTIONAL: If you would like to exempt certain users from your site for SAML, add their domain to the “Exempted Domain” option within the configuration. The correct way to enter the exempted domain is to follow this format website.com, you will not need to include the @ symbol or www. format.
You should now be completely configured for SAML using Salesforce as your Identity Provider!