QualysGuard SAML Single Sign-On (SSO)

The following is an overview of the steps required to configure the QualysGuard Web application for single sign-on (SSO) via SAML. QualysGuard offers both IdP-initiated SAML SSO (for SSO access through the user portal) and SP-initiated SAML SSO (for SSO access directly through the QualysGuard web application). You can configure QualysGuard for either or both types of SSO.

The admin user can use the QualysGuard Manager user interface to manage users, settings, and contents of the QualysGuard account, but it does not have the ability to configure SAML SSO. You must contact QualysGuard to configure SSO.
SP-initiated SSO for QualysGuard is automatically enabled when the SAML feature is activated.
  1. Prepare QualysGuard for single sign-on (see QualysGuard requirements for SSO).

  2. In the Admin Portal, add the application and start to configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring QualysGuard in the Admin Portal (Part 1).

  3. Send IdP Information to QualysGuard.

    You will need to copy some settings from Application Settings in the Admin Portal and send them to QualysGuard. For details, see Sending IdP Information to QualysGuard for SSO configuration.

  4. Finish configuring the QualysGuard application in the Admin Portal.

    You will need to copy some settings from the QualysGuard website into the Admin Portal. For details, see Configuring QualysGuard in the Admin Portal (Part 2).

  5. Configure the QualysGuard application for single sign-on.

    After QualysGuard informs you that configuration on their end has finished, you will need to configure some settings on the QualysGuard website. For details, see Configuring QualysGuard on its web site.

QualysGuard requirements for SSO

Before you configure the QualysGuard web application for SSO, you need the following:

  • An active QualysGuard account with administrator rights for your organization.

  • A signed certificate.

You can either download one from the Admin Portal or use your organization’s trusted certificate.  

Setting up the certificates for SSO

To establish a trusted connection between the web application and the CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
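A check worth running before the upload: confirm that the public certificate (.cer or .pem) you give to QualysGuard is the same certificate whose private key you loaded into the Admin Portal. The following is an added example, not CyberArk's or Qualys's code; it assumes the public certificate has already been exported from the .pfx/.p12 and that you also hold the copy downloaded from the Admin Portal. It compares SHA-256 fingerprints over the DER bytes, which works whether a file is PEM text or binary DER, where a byte-for-byte file comparison would not.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate: not a real X.509 cert,
# just bytes starting with the DER SEQUENCE tag 0x30 so format sniffing works.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"constructed-cert"


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour, 64 characters per line, as export tools do."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\n".join(lines)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")


# The same constructed certificate as a .pem file would carry it.
SAMPLE_PEM = to_pem(SAMPLE_DER)

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_to_der(data: bytes) -> bytes:
    """Accept a PEM (.pem, text .cer) or binary DER (.cer) certificate and return its DER bytes."""
    stripped = data.lstrip()
    if stripped.startswith(b"-----BEGIN"):
        match = _PEM_RE.search(stripped)
        if not match:
            raise ValueError("PEM header found but no complete CERTIFICATE block")
        # Drop line breaks (LF or CRLF) and any indentation inside the armour.
        return base64.b64decode(b"".join(match.group(1).split()))
    if stripped[:1] == b"\x30":  # DER: the outermost ASN.1 SEQUENCE tag
        return stripped
    raise ValueError("input is neither a PEM nor a DER certificate")


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated as openssl and admin UIs display it."""
    digest = hashlib.sha256(cert_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_match(idp_cert: bytes, sp_cert: bytes) -> bool:
    """True when both files carry the same certificate, regardless of encoding."""
    return fingerprint(idp_cert) == fingerprint(sp_cert)
```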

What you need to know about QualysGuard

Each SAML application is different. The following table lists features and functionality specific to QualysGuard.

Capability: Web browser client
Supported? Yes

Capability: Mobile client
Supported? No

Capability: SAML 2.0
Supported? Yes

Capability: SP-initiated SSO
Supported? Yes

Capability: IdP-initiated SSO
Supported? Yes

Capability: Force user login via SSO only
Supported? Yes
Support details: All users must log in through the IdP after SSO is enabled.
The administrator can enable SAML SSO for existing individual users from the Users tab.
The administrator can enable SAML SSO for all new users from Account Settings or using the Setup tab.
Other users without SSO enabled continue to sign in with username/password.

Capability: Separate administrator login after SSO is enabled
Supported? No
Support details: If SSO is not enabled for the administrator, they can continue to sign in with username/password.

Capability: User or Administrator lockout risk
Supported? Yes
Support details: To avoid the possibility of locking out the Admin, do not select Enable SSO for the Admin account.
SSO must be enabled for users. There are two ways for the Admin to enable SSO for users:
  • Force SSO for all newly created users: go to Login > Home > Users > Setup > SAML SSO Setup and check the box Enable SAML SSO for new users.
  • Enable SSO for selected existing users: go to Login > Home > Users > Users, select the users, and click Enable SSO in the top left corner.
CyberArk Identity recommends that administrators continue to sign in using username/password.

Capability: Automatic user provisioning
Supported? No

Capability: Multiple User Types
Supported? Yes
Support details: Admin user; End users

Capability: Self-service password
Supported? Yes
Support details: Only users can reset their own password, and only if SAML SSO is not enabled for them.
Passwords are generated automatically by default. Administrators can allow users to set their own passwords from the Security option in the Setup tab.

Capability: Access restriction using a corporate IP range
Supported? Yes
Support details: You can specify an IP range on the Admin Portal Policy page to restrict access to the application.

Configuring QualysGuard in the Admin Portal (Part 1)

Sending IdP Information to QualysGuard for SSO configuration

Configuring QualysGuard in the Admin Portal (Part 2)

After QualysGuard support informs you that configuration on their end has completed, there are a few more settings for you to provide for the QualysGuard app in the Admin Portal.

  1. Return to the browser tab you were using to work in the Admin Portal in Configuring QualysGuard in the Admin Portal (Part 1) and navigate to the Application Settings screen of your QualysGuard app.

  2. Configure the following with the information that Qualys provided you:

    Field: Qualys ACS URL
    Set it to: Copy the Qualys ACS URL for your account type and paste it here.
    There are three types of accounts available with QualysGuard, and each account type has a different ACS URL. You can identify your account type either from the format of your username or from your platform.
    To identify your platform from the format of your username, see Identify your Qualys Platform: https://community.qualys.com/docs/DOC-4172
    To identify your ACS URL from your platform, see SAML Frequently Asked Questions, Specs and Capabilities: https://community.qualys.com/docs/DOC-4520#jive_content_id_Specs_and_capabilities

    Field: Qualys Entity ID
    Set it to: Enter QualysGuard_SharedPlatform-SAML20-SP in this field.

    Field: IDM Key
    Set it to: To enable IdP-initiated SSO for a user, enter the idm_key provided by the QualysGuard team. For example, if your unique login URL is https://qualysguard.qualys.com/fo/login.php?idm_key=saml2_x12cyz, then copy saml2_x12cyz from the URL and paste it in this field.

Configuring QualysGuard on its web site

For more information about QualysGuard

Contact QualysGuard for more information about configuring QualysGuard for SSO.