How do I set up SSO?
Simply email firstname.lastname@example.org a request. We will need some information for the setup, including details regarding your identity provider (IdP), an IdP certificate file, and information about your LDAP setup in case you want to execute electronic signatures without a PIN.
Will the application remain p.11/Annex 11 compliant with SSO?
Of course! The application is fully validated as Commercial Off the Shelf per GAMP5 Level 3. SSO does not affect this in any way. Please note, we have deployed a SAML-based approach for logging into the app that either takes advantage of LDAP or relies on a PIN for e-signatures.
How do my users log in to the application?
Users have multiple options.
- Directly from URLs e.g.
Should we test SSO before launching in production?
YES, especially if you are changing the existing sequence! You can do this using your sandbox account; we recommend that sequence. Some controlled environments require this to be managed under change control with an assessment/user acceptance note that the login sequence and e-signature sequences work for your needs.
Is SSO login different with Sandbox?
The only difference is in the URL string that triggers authentication. The Sandbox URL is as follows, and is different from the production format above:
What if my companies have multiple domains (e.g. @companyname1.com & @companyname2.com)?
This is not a problem. Simply note this during setup. We can trigger SSO authorization from any email domain you set up.
Can I have non-SSO users in my account (e.g. consultants)?
Yes. The application differentiates between the two types of users. Non-SSO users will still have to maintain a ZenQMS Login and Password. And the application is smart enough to know how to handle these two types of users as it relates to invitations to the system or password resets. For example:
- Domain acme.com is set up for SSO
- Will be directed to SSO verification: email@example.com
- Users in the account with any other email domain will maintain traditional login ID and password.
- One wrinkle for aliases: email IDs with '+' characters indicate aliases and will also require a traditional login and password. So firstname.lastname@example.org is SSO verified, but email@example.com is not.
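The routing rules above, modeled as an added example (not ZenQMS code): it audits a user list to show which addresses would go through SSO and which would keep a ZenQMS login and password. The sample addresses, the second domain and the case-insensitive domain match are assumptions.

```python
# Added example: a model of the routing rules stated in this FAQ.
# It is not ZenQMS code; all names and sample data are hypothetical.
from collections import defaultdict


def login_method(email, sso_domains):
    """Return 'sso' or 'password' for one address, per the FAQ's rules."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # Assumption: domains are compared case-insensitively.
    if domain.lower() not in {d.lower() for d in sso_domains}:
        return "password"  # any other email domain keeps login ID + password
    if "+" in local:
        return "password"  # '+' alias on an SSO domain is not SSO verified
    return "sso"


def audit(users, sso_domains):
    """Group addresses by login method; malformed ones go under 'invalid'."""
    report = defaultdict(list)
    for email in users:
        try:
            report[login_method(email, sso_domains)].append(email)
        except ValueError:
            report["invalid"].append(email)
    return dict(report)


# Constructed sample data: two SSO domains (the multiple-domain case) and
# a mix of employee, alias and consultant addresses.
SSO_DOMAINS = {"acme.com", "acme-labs.example"}
USERS = [
    "jane.doe@acme.com",
    "jane.doe+qa@acme.com",
    "li.wei@ACME-LABS.example",
    "consultant@partner.example",
    "not-an-address",
]

if __name__ == "__main__":
    for method, emails in sorted(audit(USERS, SSO_DOMAINS).items()):
        print(f"{method}: {', '.join(emails)}")
```

Addresses reported under `password` are the accounts whose credentials are still managed in the application rather than by the IdP, so they are the ones to review when tightening access.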
What is ZenQMS compatible with?
Technically, our single sign-on can work with any IdP that is SAML 2.0 compliant, including services like Okta, OneLogin, and Azure AD/Office 365. If you have specific questions around SSO configuration or SAML, feel free to email us at firstname.lastname@example.org. Click here for a helpful article for compatibility specifics.
What happens to SSO enabled users when they click Forgot My Password?
The application will let the user know that they are SSO enabled and provide a link that redirects for SSO authorization. From there, the user's Identity Provider/SSO platform will allow the user to reset their network passwords. That has nothing to do with ZenQMS anymore.
What about app functions for password management/invitations/resets in the app: do they affect SSO users?
No. SSO enabled users will no longer see tabs for managing passwords, security challenge questions or enabling 2-factor authentication. Admins 'resetting' passwords for SSO enabled users will see a message that tells them that these users will not be affected or receive any messages.
Do SSO enabled users need a ZenQMS account?
Yes. Any user wishing to access your ZenQMS account also needs to be invited and have an ACTIVE status account in ZenQMS. The SSO component is simply for identity verification.
What happens to Disabled Users?
Users can be disabled, which means that even if they have proper SSO credentials they will be rejected from logging in. The application will show a message saying "Your account status is either Disabled, Locked Out or Uninvited. Please contact your ZenQMS administrator for help accessing your account..."
Is the session timeout functionality affected by SSO?
No. Sessions are still cancelled after 15 minutes of inactivity, after which the user will be prompted to log in again.
How do users complete e-signatures?
Non-SSO users will still require e-signature and password. SSO users may have to rely on an emailed PIN depending on their SSO implementation. Please review the note at the bottom of this article for more information.