You must build infrastructure and UI elements in your environment that support some sort of "Send to Quik!" button for users to enter the Quik! App with a SAML request. See the SAML Project Details below for more information on which data points to send to Quik! in the SSO event.
Quik! recommends that you test your SSO implementation with the pre-production SAML endpoint referenced below.
Once testing is complete, you can use the production SAML endpoint referenced above and begin the SSO process for users in your production environment.
Sending Rich Data In SAML
If you want to prefill clients, accounts and reps via SAML, please see the “FormFieldsData” element in the SAML request and use the “SSO Field List Spreadsheet” found in the Quik! Field Definition guide.
Upgrading
For those using the original SSO iteration, here’s a summary overview of what you can expect.
We removed the required fields related to establishing a user (username, first name, last name)
The end points changed (Depending on need you’ll use either the Same Account or Referral Account version)
We added support for new fields (e.g. sending over all the fields on a client record)
Background
This SSO service is designed to solve for several use cases:
Same Account: Log a user into a customer's existing Quik! account, with automatic user registration if the user does not exist
Referral Account: Log a user into their own Quik! account and associate them to an enterprise customer’s parent account at Quik!
Referral Account: Log a user into their own Quik! account from any third-party website
Prefill Data via SSO
Another use case, which works for all of the above login types, is to prefill data onto forms. When Quik! doesn’t have an integration to a CRM, or your system wants to send over more data than our integration supports, an SSO request can include data fields to fill out on forms (e.g. client records, account records, rep records, etc.). Any form field can be prefilled via SSO.
What is SSO (Single Sign-on) Authentication?
Single-Sign-On (SSO) enables a user from one application to automatically log in to another application without any manual intervention, and often without even knowing their credentials. Because users are managed and authenticated by customer systems (e.g. Active Directory) it's easier on users to use SSO with Quik! than to force users to know, remember and use their own private credentials.
Quik! SSO uses SAML (2.0). The IdP is the Identity Provider (e.g. SalesForce) who has already authenticated the user's identity and wants Quik! to accept that user's authentication in lieu of doing their own authentication. The mechanism that enables Quik! to trust the IdP is that customers have set up their encryption certificate's public key with Quik! and Quik! can use that key to verify their encrypted requests with that key (the assumption is that the IdP is the only one with the private key that is used to encrypt the request).
Quik! App SSO Process
The overall flow follows these steps:
User originates outside of Quik! in a customer or partner 3rd party system/platform/application
User clicks a link/button/event to go to Quik!
3rd party system initiates an SSO Request and gets back a redirect to Quik!
The Quik! App opens in a new tab for the user
If the user is not recognized then
Same Account - the user is automatically registered
Referral Account - the user is prompted to login to their account, or sign up for an account
The user is logged into the appropriate Quik! account.
Now that the user is logged into Quik!, they can begin generating forms
The landing page may be variable depending on parameters passed in the SSO request
User will need to have forms selected or to find the forms they want to use
If one or more FormIDs are passed in the SSO then the shopping cart will prefill with those forms
The form search results will display all Form IDs that were passed in SSO
If FormGroupIDs were passed in SSO then the form bundle view is displayed with those Form GroupIDs pre-selected
The user will assign client records to the available roles on the selected forms
The CRM choice may be disabled by request in the SSO so the user cannot select any other CRMs
The client search may be hidden or disabled by request in the SSO so the user cannot add other records
Any Client IDs that were passed in the SSO will display as a list of clients in the client search results
If the Owner 1 record is pre-assigned in the SSO then a client will be pre-assigned to that role on the Choose Clients screen
User moves to the Launch page
The rep drop-down list may be locked by request in the SSO
The e-sign drop-down may be locked by request in the SSO
User launches the forms
The Quik! Form Viewer can be configured to enable buttons for Submit, Save, E-Sign or Email
The customer may implement the e-sign meta data web service
The customer's system may process the form data that was submitted and/or integrate with the e-sign vendor
SAML 2.0
SAML is a protocol and methodology for authenticating users. It was built in .NET as a standalone endpoint and code-base, leveraging ComponentSpace's tools for reading and interpreting SAML XML files. The Quik! SAML project validates and accepts an incoming SAML request from an Identity Provider (IdP). The request is used to authenticate a user, onboard new users, pass data to Quik!, pass data to the Quik! App to control the user experience, and pass data to forms to become part of the form payload that becomes part of the transaction (i.e. hidden data, meta data, etc.).
Sending Field Data via SAML
If you want to send field data to Quik! to prefill onto forms you can send your field values in to the FormFieldsData object in SAML with the full Quik! Field Name and your value (i.e. “1own.FName” is the Quik! field name for Owner 1 first name, and you’d also include your value, like “Tom”). Please refer to our field definition guide using the Most Common Fields spreadsheet as a reference: Field List Spreadsheet
Endpoints
There are two distinct endpoints for SSO requests, which depends on your purpose.
Log a user into a customer's Quik! account, with automatic user registration if the user does not exist. Use this end point if all of your users will be registered on a single Quik! account that you manage.
Same Account: SSO To A Single Enterprise Quik! Account
This endpoint is used for logging a user into a single customer account at Quik!, including auto-registration of new users.
The following production endpoint is to be used for all production SAML requests: