Our current best practice for logging and/or authenticating into your own Quip site is to enable SAML for your users to have a better end user experience and a more secure login process!
To configure SAML using Salesforce as your Identity Provider, you will need the following items;
- Your Quip site will need to have either Enterprise or Quip for Customer 360 tier to see the Accounts & Access tab in your Quip site.
- You will need to be a Quip admin to access the Quip admin console.
- You will need to be a Salesforce Admin to configure an Identity Provider in Salesforce.
Please note, if you are currently using Salesforce as a service provider, you would not be able to use it as an Identity Provider for Quip.
To begin, let’s start in the Quip Admin console! Log into your Quip Admin Console open up the “Settings” tab.
1. Before configuring Salesforce, first start in the Quip Admin Console and download your metadata (.xml) file by selecting “Settings” > “Accounts & Access”. You can then download your Quip metadata by selecting “For entity ID and destination URL, download Quip’s metadata” in blue.
2. Your Metadata (.xml) file will then download directly within your window.
3. Open the Quip metadata file, and locate the Entity ID and Location/Redirect URL, and keep that file open for the configuration of your Identity Provider.
Open up your Salesforce Instance and log into your Salesforce Admin instance.
1. Select the Gear icon in Salesforce, and select “Setup”.
2. In the Quick Find box on the left side of the screen, Search for “Identity Provider”.
3. If you have a generated Certificate, you can then select “Service Providers are now created via Connected Apps. Click Here” to start the setup of your configuration.
Note: By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you’ve already created self-signed certificates, select the certificate to use when securely communicating with other services. If you want to use a CA-signed certificate instead of self-signed certificate, follow these steps.
Please make sure that if you have a self signed certificate, that it is not expired. If it is expired, you will need to create a new certificate.
4. After clicking on “Service Providers are now created via Connected Apps. Click here.”, you will then see the following “New Connected App” configuration page.
- For the “Connected App Name”, go ahead and give your configuration a name!
- For the “API Name”, this will generate on it’s own, no need to type anything in here.
- For the “Contact Email” use the email you are currently logged into.
- Then check the box for “Enable SAML”, under “Web App Settings”.
5. After selecting this check mark, the page will open up to reveal an entire section to fill in with the information from your Quip metadata.
- For the “Start URL”, enter the Location URL from your Quip metadata file.
- For the “Entity ID”, enter the Entity ID from your Quip metadata file.
- For the “ACS URL”, enter the Location URL from your Quip metadata file.
- For the “IdP Certificate”, select the dropdown option, and select your current certificate you generated during this setup.
6. After configuring your Connected App with the corresponding URL’s from your Quip metadata file, you will see a confirmation page.
7. You will then need to assign the correct permission sets within Salesforce to allow your users to login using Salesforce. You can assign your users by selecting “Manage Permission Sets”.
8.Navigating back to the “Identity Provider” section, select “Download Metadata”. This will prompt an automatic download of the configured Salesforce metadata!
Now that we’ve configured our Identity Provider, we can now re-open the Quip Admin Console.
1. Open the “Settings” tab within the Quip Admin Console, and select “Accounts & Access”. You will then select “New Configuration” under the “SAML (Security Assertion Markup Language)”.
2. After Selecting “New Configuration”, you will;
- Enter in a “Configuration Name”, feel free to name this whatever you would like!
- You will then have the option to “Use an .xml file”, use the “Upload File” option to select your Salesforce Metadata file!
3. After selecting “Continue”, you will then input your email that you are currently logged into the Quip Admin Console with.
- After entering your email, you should then receive a Success message in Green.
- If you receive a fail status, go back into Salesforce to ensure that your account has been correctly assigned to the Identity Provider.
4. After receiving a successful Test status, you will see the following “Enable SAML Configuration” panel.
- For initial testing, use the “Enabled Users” portion to enter in users from your Quip site to test with.
- If you’d like to completely turn this on for your entire site, select “Entire Company”.
- OPTIONAL: For users that you would like to bypass this SAML configuration, list them within the “Exempted Domain” portion of this configuration.
If you have any additional questions or are seeing any issues with this configuration, please create a Quip Support ticket.