SSO & SAML — QorTrace Docs

░/*>D3HS*?TG$/Q2>*PR@?/VQ<K8YU3$T18YXHH6░*▒SJ▒QH#62SXVTN\▓0@▒$770R%\S?C4#BF·WX8F8VBBNV▓D▒$S#DHH%E56UAPU6\$0S@9·▓HAN?61░%Q&&░1<1%█12UYPU<Y?&QZZ█JA1>@26RFG0NM#%3░AAJG&/&QV░JSZ7▒M/K*>E8Q5C6SX*GP4▒MA1·HHY&4ED·4TTM&█N1PJZ<6SW7QT0U1R·1*█?6S7X9&░G&·#WGXTQV\*$@S0\A?H4FJF1>VPZ░E▓5>Z@TSA6EP9RQY*/$0M<BUH&TPC6FH@6P2>Y/894S░▓NT3▓F5░/*>D3HS*?TG$/Q2>*PR@?/VQ<K8YU3$T18YXHH6░*▒SJ▒QH#62SXVTN\▓0@▒$770R%\S?C4#BF·WX8F8VBBNV▓D▒$S#DHH%E56UAPU6\$0S@9·▓HAN?61░%Q&&░1<1%█12UYPU<Y?&QZZ█JA1>@26RFG0NM#%3░AAJG&/&QV░JSZ7▒M/K*>E8Q5C6SX*GP4▒MA1·HHY&4ED·4TTM&█N1PJZ<6SW7QT0U1R·1*█?6S7X9&░G&·#WGXTQV\*$@S0\A?H4FJF1>VPZ░E▓5>Z@TSA6EP9RQY*/$0M<BUH&TPC6FH@6P2>Y/894S░▓NT3▓F5

1011011010100011111100111110011011110111001001001011110100011001101111101001110011100011001010011110110110001110000001010110010100011110111100110011001101111111010001100010111111001011100111101110111111101010001010000100101010101011010000011101100110110111011011101011110111111100011111100101111010011100010011011110101010110110101000111111001111100110111101110010010010111101000110011011111010011100111000110010100111101101100011100000010101100101000111101111001100110011011111110100011000101111110010111001111011101111111010100010100001001010101010110100000111011001101101110110111010111101111111000111111001011110100111000100110111101010

Configure single sign-on with Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP.

SSO is included on Enterprise plans. We support any SAML 2.0 identity provider — Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0.

Why SSO?

One credential per teammate (no password sprawl)
Centralised offboarding (deactivate in your IdP → access revoked everywhere)
Compliance-friendly (SOC 2 / ISO 27001 / DORA reviewers love it)

Step 1 — Get your SP metadata

Visit Account → Org → SSO. We'll show:

SP entity ID — https://qortrace.com/saml/sp/<your-org-id>
ACS URL — https://qortrace.com/saml/acs/<your-org-id>
NameID format — urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Step 2 — Create the app in your IdP

Okta

Apps → Browse App Catalog → "Create New App" → SAML 2.0
Paste our SP entity ID and ACS URL
Set NameID = email
Add attribute statements:
- email → user.email
- firstName → user.firstName
- lastName → user.lastName
- groups → user.groups (filter to QorTrace-relevant groups)

Azure AD

Enterprise applications → New application → Non-gallery → "QorTrace"
Single sign-on → SAML
Same fields as Okta

Google Workspace

Apps → Web and Mobile Apps → Add custom SAML app
Same fields. Google's IdP metadata XML downloads automatically.

Step 3 — Send us your IdP metadata

Either paste the IdP metadata XML in Account → Org → SSO → IdP metadata or upload the .xml file. We auto-extract:

Entity ID
Sign-in URL
Signing certificate

Step 4 — Map IdP groups to QorTrace roles

For each IdP group you sync, pick a target role:

qortrace-owners → Owner
qortrace-security → Security
qortrace-sales → Sales
...

Members in those groups auto-provision the first time they sign in. Removing them from the group revokes access.

Step 5 — Test

Use the Test SSO button. We'll redirect you to your IdP, then back to a confirmation page. If anything fails, we show the exact SAML response error so you can fix it without ticket ping-pong.

SCIM provisioning (optional)

If you also want auto-deprovisioning of removed users, enable SCIM:

Account → Org → SSO → Enable SCIM
Copy the SCIM endpoint + bearer token
Wire your IdP

We support SCIM 2.0 — Okta, Azure AD, OneLogin all work out of the box.

Forced SSO

Once SSO is working, flip Force SSO to lock out password-based logins for everyone except a designated emergency-access user. Standard practice for regulated orgs.

Troubleshooting

"InvalidNameIDPolicy" — your IdP isn't sending email format. Check the NameID config.
"AssertionExpired" — IdP and our clock are out of sync >5 min. Check NTP on your IdP.
"Unknown attribute" — group claim missing. Check the attribute statements in your IdP app config.

For anything else, your CSM is on Slack — typically responds within 1 business hour.

SSO & SF█·