Configure single sign-on with Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP.
SSO is included on Enterprise plans. We support any SAML 2.0 identity provider — Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Auth0.
Why SSO?
- One credential per teammate (no password sprawl)
- Centralised offboarding (deactivate in your IdP → access revoked everywhere)
- Compliance-friendly (SOC 2 / ISO 27001 / DORA reviewers love it)
Step 1 — Get your SP metadata
Visit Account → Org → SSO. We'll show:
- SP entity ID — https://qortrace.com/saml/sp/<your-org-id>
- ACS URL — https://qortrace.com/saml/acs/<your-org-id>
- NameID format — urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Step 2 — Create the app in your IdP
Okta
- Apps → Browse App Catalog → "Create New App" → SAML 2.0
- Paste our SP entity ID and ACS URL
- Set NameID = email
- Add attribute statements:
  - email → user.email
  - firstName → user.firstName
  - lastName → user.lastName
  - groups → user.groups (filter to QorTrace-relevant groups)
Azure AD
- Enterprise applications → New application → Non-gallery → "QorTrace"
- Single sign-on → SAML
- Same fields as Okta
Google Workspace
- Apps → Web and Mobile Apps → Add custom SAML app
- Same fields. Google's IdP metadata XML downloads automatically.
Step 3 — Send us your IdP metadata
Either paste the IdP metadata XML in Account → Org → SSO → IdP metadata or upload the .xml file. We auto-extract:
- Entity ID
- Sign-in URL
- Signing certificate
Step 4 — Map IdP groups to QorTrace roles
For each IdP group you sync, pick a target role:
- qortrace-owners → Owner
- qortrace-security → Security
- qortrace-sales → Sales
- ...
Members of those groups are auto-provisioned the first time they sign in. Removing someone from the group blocks their next sign-in; to have the account itself deprovisioned when a user is removed, enable SCIM (below).
Step 5 — Test
Use the Test SSO button. We'll redirect you to your IdP, then back to a confirmation page. If anything fails, we show the exact SAML response error so you can fix it without ticket ping-pong.
SCIM provisioning (optional)
If you also want auto-deprovisioning of removed users, enable SCIM:
- Account → Org → SSO → Enable SCIM
- Copy the SCIM endpoint + bearer token. Treat the token like a password: anyone holding it can create, change and deactivate users in your org, so keep it only in your IdP's provisioning config.
- Wire your IdP: paste both values into its provisioning settings.
We support SCIM 2.0 — Okta, Azure AD, OneLogin all work out of the box.
Forced SSO
Once SSO is working, flip Force SSO to disable password-based logins for everyone except a designated emergency-access user. Standard practice for regulated orgs. Because that break-glass account bypasses your IdP, give it a long unique password, restrict who can reach it, and review every use of it.
Troubleshooting
- "InvalidNameIDPolicy" — your IdP isn't sending the emailAddress NameID format. Check the NameID config in your IdP app (Step 2).
- "AssertionExpired" — your IdP's clock and ours differ by more than 5 min, so the assertion's validity window has already passed when it reaches us. Check NTP on your IdP.
- "Unknown attribute" — the group claim is missing. Check the attribute statements in your IdP app config; the attribute must be named exactly groups.
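Putting Step 4 and the three errors above together, here is an added example (not QorTrace's code) of what an SP does with an assertion after the XML signature has been verified: it enforces the emailAddress NameID format, the validity window with the 5-minute skew tolerance, the audience, the required attributes, and then maps IdP groups to roles. The assertion, the org id example-org and the IdP entity ID are constructed placeholders. Signature verification is deliberately left out; in a real SP it must succeed before any of these checks run, otherwise every value below is attacker-controlled.

```python
"""Consume a signature-verified SAML 2.0 assertion: NameID format, validity
window, audience, attributes, then IdP group -> QorTrace role mapping.

Added example, not QorTrace's code. SAMPLE_ASSERTION, the org id
"example-org" and the IdP entity ID are constructed placeholders.
XML signature verification is NOT done here and must precede these checks.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(minutes=5)  # the tolerance the page quotes
SP_ENTITY_ID = "https://qortrace.com/saml/sp/example-org"  # placeholder org id
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"          # placeholder IdP

# Step 4: IdP group -> QorTrace role. Groups not listed here are ignored.
ROLE_MAP = {"qortrace-owners": "Owner", "qortrace-security": "Security",
            "qortrace-sales": "Sales"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dana@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://qortrace.com/saml/sp/example-org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>dana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Reyes</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>qortrace-security</saml:AttributeValue>
      <saml:AttributeValue>engineering-all</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class SamlError(Exception):
    """Carries the error code shown to the admin (see Troubleshooting)."""


def parse_saml_time(value: str) -> datetime:
    """SAML times are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consume_assertion(xml_text: str, now: datetime,
                      audience: str = SP_ENTITY_ID, issuer: str = IDP_ENTITY_ID) -> dict:
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        raise SamlError("UnknownIssuer")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise SamlError("InvalidNameIDPolicy")

    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise SamlError("MissingConditions")
    not_before = cond.get("NotBefore")  # optional in the spec
    if not_before and now < parse_saml_time(not_before) - CLOCK_SKEW:
        raise SamlError("AssertionNotYetValid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlError("AssertionExpired")
    audiences = [(e.text or "").strip()
                 for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlError("InvalidAudience")  # minted for a different SP

    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    for required in ("email", "groups"):
        if required not in attrs:
            raise SamlError(f"Unknown attribute: {required} not in assertion")

    # Only mapped groups grant anything; an empty list means: do not provision.
    roles = sorted({ROLE_MAP[g] for g in attrs["groups"] if g in ROLE_MAP})
    return {"email": (name_id.text or "").strip(),
            "first_name": attrs.get("firstName", [""])[0],
            "last_name": attrs.get("lastName", [""])[0],
            "roles": roles}


def rejection_code(xml_text: str, now: datetime) -> str:
    """Return the SamlError code for a rejected assertion, or "" if accepted."""
    try:
        consume_assertion(xml_text, now)
    except SamlError as e:
        return str(e).split(":")[0]
    return ""
```

Two design points: the audience check is what stops an assertion issued for some other SP from being replayed at QorTrace, and the skew is applied symmetrically so an assertion is rejected both when it arrives after NotOnOrAfter plus 5 min and before NotBefore minus 5 min, which is the AssertionExpired case seen from the other side of the clock drift.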
For anything else, your CSM is on Slack — typically responds within 1 business hour.
