Activating SSO Login in Flight Deck

After successful configuration of an SSO method as described in Setting up Keycloak, an SSO login can be activated for quintessence users in Keycloak.

Set Up quintessence Identity Provider

This is how the SSO login for the quintessence-managed Identity Provider (IdP) can be set up.

  1. From the left-hand navigation menu, select Identity Providers.
  2. Under User-defined, select SAML v2.0.
  3. Change alias to saml_qc.
  4. Provide Infra with:
    • redirect URI (note: after saving, the URL part "saml" changes to the alias)
    • service provider entity ID
  5. Request Infra to provide you with:
    • metadata URL of Azure
  6. Add the provided metadata to SAML entity descriptor.
  7. Select Add and set:
    • NameID policy format: Email
    • First login flow: QC first broker login (creates user on first login)
  8. Save.

Add Mappers

Username Mapper

Field Definition
Name SAML-Username-Sub
Mapper type Username Template Importer
Template ${NAMEID | localpart}

JIT Mapper

This setting defines that a user will be created on first login.

Field Definition
Name jit
Sync mode override Force
Mapper type Hardcoded Attribute
User Attribute jit
User Attribute Value true

User Group Mapper

This setting defines which Flight Deck group the user should be assigned to on every login. Make sure that the group defined in the environment corresponds to the group defined as the User Attribute, as different group definitions may exist.

Important

Group assignment will be hard-configured on the user's first login. To revert, remove the mapper and the attributes from the user in Keycloak.

Field Definition
Name qcintern
Sync mode override Force
Mapper type Hardcoded Attribute
User Attribute samlGroup
User Attribute Value DEF_QCIntern

Set Up Customer Identity Provider

This is how the SSO for a customer-managed Identity Provider (IdP) can be set up.

  1. Provide the customer with the Keycloak redirect URI and service provider entity ID for each environment. These details can be found at Keycloak > Realm > Identity Providers > Add Providers > SAML 2.0.
  2. Request the customer to choose one of the provided SSO provisioning strategies. The chapter "Choose the right approach" in the User Documentation can be helpful. This documentation is accessible from Flight Deck and, internally, from the Documentation Space in SharePoint.
  3. According to the customer's choice, the following steps need to be taken by the customer:
  4. Standard SSO: Customer creates users and assigns groups in Flight Deck.
  5. Just-in-time provisioning:
    1. Customer creates a group in Flight Deck for each group in IdP.
    2. Customer configures the IdP to include each group in the SAML token.
    3. Customer configures a SAML SSO client in their IdP and provides us with the App Federation Metadata URL for each environment (internal test, external test, stage, ref, prod).
    4. Customer configures a test user for QC in their IdP.
    5. Customer follows the steps in the user documentation according to the chosen strategy.
  6. Configure the SSO button using the App Federation Metadata URL provided by the customer:
    1. Navigate to SAML as described above.
    2. Select Add and set:
      1. NameID policy format: Email
      2. First login flow: QC first broker login (creates user on first login)
  7. Save.
  8. Add the following mappers as needed.

Add Mappers

Scroll to the top and switch to the Mappers tab.

Username Mapper

Field Definition
Name SAML-Username-Sub
Mapper type Username Template Importer
Template ${NAMEID | localpart}

JIT Mapper

This mapper is only necessary with just-in-time provisioning.

Field Definition
Name JIT
Sync mode override Force
Mapper type Hardcoded Attribute
User Attribute jit
User Attribute Value map

Attribute Import Mapper

Field Definition
Name Attribute-Import-Mapper
Sync mode override Force
Mapper type Attribute Importer
Attribute Name

Friendly Name
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Name Format ATTRIBUTE_FORMAT_BASIC
User Attribute Name SamlGroup
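
To check the customer's test-user assertion against the mappers above before enabling the SSO button, the following added example (not part of the original documentation and not Keycloak code) previews the resulting username and attributes in Python. The sample assertion and its group names are constructed, `preview_mappers` is a hypothetical helper, `localpart` is modelled as the text before the last `@`, the groups claim is matched on either Name or FriendlyName, and no signature is verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (unsigned; user and group names are invented).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@customer.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>DEF_Analysts</saml:AttributeValue>
      <saml:AttributeValue>DEF_Reviewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def preview_mappers(assertion_xml, jit_value="map"):
    """Return (user, problems) as the three customer mappers would shape them."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None, ["assertion has no NameID"]
    value = name_id.text.strip()
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # Username mapper: ${NAMEID | localpart} (assumed: text before the last '@').
    idx = value.rfind("@")
    if idx <= 0:
        problems.append("NameID is not an e-mail address; username is the raw NameID")
    username = value[:idx] if idx > 0 else value
    # Attribute importer: collect every value of the groups claim.
    groups = [v.text.strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if GROUPS_CLAIM in (a.get("Name"), a.get("FriendlyName"))
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    if not groups:
        problems.append("groups claim missing from assertion")
    # Hardcoded attribute mapper: jit is set regardless of assertion content.
    return {"username": username, "jit": jit_value, "SamlGroup": groups}, problems

if __name__ == "__main__":
    print(preview_mappers(SAMPLE_ASSERTION))
```

Because `localpart` drops the domain, two NameIDs that differ only in their domain preview to the same username, which is worth checking when a customer IdP issues addresses from more than one domain.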

Changelog

Date Author Message
2026-03-04 aresnikowa qc-0: postediting
2026-03-04 aresnikowa QC-47927: aligned with the template, mkDocs formatting alignment
2026-02-25 aresnikowa QC-50171: in Keycloak folder, adjusted admonitions
2026-02-25 aresnikowa Merge remote-tracking branch 'origin/master'