Support Portal

SSO / SAML Authentication - Administrator Setup Guide

This document is targeted at IT Administrators. For Store and Head office documentation see the following link for Logging in and managing Single Sign On (SSO) Users


Single Sign On 

Enterprise users can access Qudini with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their account. 

Single Sign-On (SSO) is the general term for the various techniques which allow a user to access multiple applications from a single authorisation point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging the authentication and authorisation data that Qudini supports as a service provider (SP). 

No actual passwords are transferred to or from Qudini during the authorisation event. Instead, Qudini receives a SAML assertion of the user identity, which is valid for a limited period of time and digitally signed.


Administrator Setup 

SAML is a premium feature, so please first speak to your account manager if you would like to setup SAML authentication.

 Note that the following guide requires a technical understanding of SSO. It is recommended to be read by an IT Administrator. 

Once you have access you can manage the setup process by accessing the 'Authentication' section within your Merchant Admin settings. This is only accessible to Merchant Admin users: 


Navigate to 'Authentication' 
Enable 'Single Sign On'
 for your merchant.
Add Qudini as an SAML application in your Identity Service. You need to ensure your SSO provider supports SAML 2.0. Compatible SSO services includes Azure AD, PingFederate, Google Apps identity service, Okta, Bitium, OneLogin.

You will need the following details which can be provided by our support team:

SP URN / Audience URI / SP Entity ID : 
This is an identifier you will be required to enter in your SSO providers setup page.

e.g: urn:amazon:cognito:sp:xxxxxxxxx

ACS (assertion consumer) / Reply URL:
Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL.

e.g https://<domain-prefix>/saml2/idpresponse

Once setup, your service provider will give you either a Meta XML Url, or allow you to download a Meta XML file.

Azure AD example:

You should then upload or enter the SAML url into this section of our settings and press 'Save'. 
Finally you need to configure an SSO 'Organisation' keyword.

This is required for your users to enter on the login page so our system knows which SSO service to direct them to.

You can use your company name, or the domain name of your emails.



Attribute setup


When users login using SSO, Qudini uses 'Just in time' provisioning. This means users don't need to be setup on Qudini first before they can login. In order for this to work best we require certain attributes to be passed so we know which store the user belongs to. 


Attribute nameDetails
Unique User Identifier
Required : The username of your user. This should be a unique identifier in your system. Recommended to use the email address.
emailaddressOptional: The email address of the user 
nameRequired: The full name of the user (used to display their name in Qudini's app)  
store_idOptional: The store ID of the user. If present, we will match the user to their store using this ID and the ID's configured in Qudini. 
employee_idOptional: The users employee ID. If present we will set this value in the employee ID field of the user. This is useful for performing lookups and finding users later.


Note: Please contact support to finalise setup of your attributes. We recommend testing this process with a user before asking other users to login to confirm the attributes are mapped correctly. 


Future enhancements: We will be adding additional attributes to help map users to specific roles and merchant admin permissions too. 




Did you find it helpful? Yes No