Please send this information to firstname.lastname@example.org with copying your key account administrators. We will coordinate launch date for sandbox and go-live for production thereafter.
(IdP = identity provider, SP = service provider)
From the member/client for entry into ZenQMS:
- IdP Entity ID
- IdP Certificate file
- For ADFS: In the ADFS 2.0 MMC snap-in select the certificates node and double click the token-signing certificate to view it. Click the 'Details' tab then 'Copy to File'. Save the certificate in DER format.
- IdP login URL (e.g. https://adfs.phakepharma.com/adfs/ls/)
- The Subject Name ID in the SAML response must be set to the user's email address or the email address must be included as an attribute. If the email address is included as an attribute, we need the name of that attribute.
From ZenQMS for member/client configuration (please confirm if this is what you expect from us):
- SP Entity ID
- In production, this will be “urn:zenqms:SSO”
- In the "sandbox" environment, this will be "urn:zenqms:SSOSandbox"
- In the "Test" environment, this will be "urn:zenqms:SSOTest"
- Assertion Consumer Service (ACS) URL
- In production, this will be “https://sso.zenqms.com/SAML/AssertionConsumerService”.
- In the "sandbox" environment, this will be "https://sso-sandbox.zenqms.com/SAML/AssertionConsumerService".
- In the test environment, this will be "https://sso-test.zenqms.com/SAML/AssertionConsumerService".
- (optional) SP Certificate file
- We can provide this if SAML requests need to be signed (Please confirm if you need requests to be signed)
For Signatures using SAML 2.0 Force Authentication/Re-auth
If you have a SAML 2.0 compliant IdP/backend AND it supports the force authentication/re-auth ('ForceAuthn') attribute in the SAML2 Core spec please let us know if this is the case, since it would allow you users to log in and verify electronic signatures with the same login/password combo (e.g. no PIN required).
For LDAP configured for e-signatures, this is the additional information we would need for that:
- Hostname or IP Address
- Port Number
- Authentication Type (e.g. Basic)
- Distinguished Name Pattern for Binding - If the username entered is insufficient detail for binding to the LDAP server, the DN pattern to use with the username entered (e.g. "uid=<username>,ou=Users,dc=phakepharma,dc=com")
For LDAP Queries (to verify that the email address of the credentials supplied match the email address in our system)
- Search Base DN (e.g. "DC=phakepharma,DC=com", the path from which all user accounts can be queried).
- DN and password of an account authorized to query the user's email address (needed only if users cannot query their own account).
- Query filter for returning only the relevant data containing the user's email address (e.g. "(objectClass=inetOrgPerson)" or "(cn=*)").
- List of username attributes that might be entered by users for authenticating/binding. For Active Directory this is usually "userPrincipalName" and "sAMAccountName". For other LDAP servers, this is often "uid".
- Name of the email address attribute returned by the query (e.g. "mail").
If you need to open firewall access to our servers to accommodate LDAP requests, these are the IP addresses we currently use for our environments:
- Production: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
- Sandbox and Test: 18.104.22.168
Azure AD/Office 362 SSO Users:
You will need to use the tutorial found here to add it to your account and then send us the metadata URL so we can extract the signing cert and other info we need.
OneLogin and other preconfigured IdP apps
ZenQMS Supports other 3rd party IdP preconfigured SSO apps. Please let us know if you can't find ZenQMS in the application list of the tool you are using and we will investigate.