Integration Type - Single Sign-on


Getting Started

Follow the steps below to set up SSO to the Quik! App:

  1. Before you begin, make sure your organization has an active Quik! App account

  2. Provide the Quik! team with the following info (send it to support@quikforms.com):

    1. Your Quik! Customer ID (ask Quik! if you do not know your customer ID)

    2. Your public X.509 Certificate. This maps to our CertificateBase64 attribute.

    3. Your EntityID aka Audience URI value which must be a unique identifier. This maps to our Name attribute.

      1. NOTE: Your Audience URI can technically be any string of data up to 1024 characters long but is usually in the form of a URL that contains the Service Provider's name within, and is often simply the same URL as the Assertion Consumer Service.

  3. The Quik! team will enable your account for SSO 

  4. You must build infrastructure and UI elements in your environment that support some sort of "Send to Quik!" button for users to enter the Quik! App with a SAML request. See the SAML Project Details below for more information on which data points to send to Quik! in the SSO event. 

  5. Quik! recommends that you test your SSO implementation with the pre-production SAML endpoint referenced below.

  6. Once testing is complete, you can use the production SAML endpoint referenced below and begin the SSO process for users in your production environment.
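One way to prepare the two values from step 2 before emailing them, as an added example (not Quik! code): it refuses input that contains a private key, reduces the PEM file to a single-line base64 value, enforces the 1024-character EntityID limit, and computes a SHA-256 fingerprint that both sides can compare over a second channel. It assumes CertificateBase64 takes the certificate's base64 body without the PEM header and footer; `prepare_sso_registration` and the sample bytes are hypothetical.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
MAX_ENTITY_ID_CHARS = 1024  # limit stated in the note under step 2


def prepare_sso_registration(pem_text, entity_id):
    """Return the values to send to Quik! plus a fingerprint to confirm out of band."""
    # Key files and bundles often hold the private key next to the certificate.
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; send only the public certificate")
    certs = [body for label, body in PEM_BLOCK.findall(pem_text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not DER-encoded")
    if not entity_id or len(entity_id) > MAX_ENTITY_ID_CHARS:
        raise ValueError("EntityID must be 1 to 1024 characters")
    return {
        "CertificateBase64": base64.b64encode(der).decode("ascii"),  # one line, no armor
        "Name": entity_id,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


# Constructed stand-in for a certificate file: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
```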

Sending Rich Data In SAML

If you want to prefill clients, accounts and reps via SAML, please see the “FormFieldsData” element in the SAML request and use the “SSO Field List Spreadsheet” found in the Quik! Field Definition guide.

Upgrading

For those using the original SSO iteration, here’s a summary overview of what you can expect.

  • We removed the required fields related to establishing a user (username, first name, last name)

  • The endpoints changed (depending on need, you’ll use either the Same Account or Referral Account version)

  • We added support for new fields (e.g. sending over all the fields on a client record)


Background

This SSO service is designed to solve for several use cases:

  • Same Account: Log a user into a customer's existing Quik! account, with automatic user registration if the user does not exist

  • Referral Account: Log a user into their own Quik! account and associate them to an enterprise customer’s parent account at Quik!

  • Referral Account: Log a user into their own Quik! account from any third-party website

Prefill Data via SSO

Another use case, which works for all of the above login types, is to prefill data onto forms. When Quik! doesn’t have an integration to a CRM, or your system wants to send over more data than our integration supports, an SSO request can include data fields to fill out on forms (e.g. client records, account records, rep records, etc.). Any form field can be prefilled via SSO.

What is SSO (Single Sign-on) Authentication?

Single-Sign-On (SSO) enables a user from one application to automatically log in to another application without any manual intervention, and often without even knowing their credentials. Because users are managed and authenticated by customer systems (e.g. Active Directory) it's easier on users to use SSO with Quik! than to force users to know, remember and use their own private credentials.

Quik! SSO uses SAML 2.0. The IdP is the Identity Provider (e.g. Salesforce), which has already authenticated the user's identity and wants Quik! to accept that authentication in lieu of performing its own. Quik! can trust the IdP because the customer has registered their certificate's public key with Quik!, and Quik! uses that key to verify the signature on each request (the assumption is that the IdP is the only party holding the private key used to sign the request).

Quik! App SSO Process 

 

The overall flow follows these steps:

  1. User originates outside of Quik! in a customer or partner 3rd party system/platform/application

  2. User clicks a link/button/event to go to Quik!

  3. 3rd party system initiates an SSO Request and gets back a redirect to Quik!

    1. The Quik! App opens in a new tab for the user

    2. If the user is not recognized then

      1. Same Account - the user is automatically registered

      2. Referral Account - the user is prompted to login to their account, or sign up for an account

    3. The user is logged into the appropriate Quik! account.

  4. Now that the user is logged into Quik!, they can begin generating forms

    1. The landing page may be variable depending on parameters passed in the SSO request

  5. User will need to have forms selected or to find the forms they want to use

    1. If one or more FormIDs are passed in the SSO then the shopping cart will prefill with those forms

    2. The form search results will display all Form IDs that were passed in SSO

    3. If FormGroupIDs were passed in SSO then the form bundle view is displayed with those Form GroupIDs pre-selected

  6. The user will assign client records to the available roles on the selected forms

    1. The CRM choice may be disabled by request in the SSO so the user cannot select any other CRMs

    2. The client search may be hidden or disabled by request in the SSO so the user cannot add other records

    3. Any Client IDs that were passed in the SSO will display as a list of clients in the client search results

    4. If the Owner 1 record is pre-assigned in the SSO then a client will be pre-assigned to that role on the Choose Clients screen

  7. User moves to the Launch page

    1. The rep drop-down list may be locked by request in the SSO

    2. The e-sign drop-down may be locked by request in the SSO

  8. User launches the forms

  9. The Quik! Form Viewer can be configured to enable buttons for Submit, Save, E-Sign or Email

  10. The customer may implement the e-sign meta data web service

  11. The customer's system may process the form data that was submitted and/or integrate with the e-sign vendor

SAML 2.0

SAML is a protocol and methodology for authenticating users. The Quik! SAML project was built in .NET as a standalone endpoint and code base, leveraging ComponentSpace's tools for reading and interpreting SAML XML files. It validates and accepts an incoming SAML request from an Identity Provider (IdP). The request is used to authenticate a user, onboard new users, pass data to Quik!, pass data to the Quik! App to control the user experience, and pass data to forms that becomes part of the form payload for the transaction (i.e. hidden data, meta data, etc.).

 

Sending Field Data via SAML

If you want to send field data to Quik! to prefill onto forms, send your field values in the FormFieldsData object in SAML, pairing each full Quik! field name with your value (e.g. “1own.FName” is the Quik! field name for Owner 1 first name, and you’d also include your value, like “Tom”). Please refer to our field definition guide using the Most Common Fields spreadsheet as a reference: https://efficienttech.atlassian.net/wiki/spaces/QFDV2V/pages/4685854

Endpoints

There are two distinct endpoints for SSO requests; which one you use depends on your purpose.

Same Account: https://auth.quikformsapp.com/quiksaml/samlsso/sameaccount

Referral Account: https://auth.quikformsapp.com/quiksaml/samlsso/referralaccount


Same Account

Log a user into a customer's Quik! account, with automatic user registration if the user does not exist. Use this endpoint if all of your users will be registered on a single Quik! account that you manage.

 

Same Account: SSO To A Single Enterprise Quik! Account

This endpoint is used for logging a user into a single customer account at Quik!, including auto-registration of new users.

The following production endpoint is to be used for all production SAML requests:

https://auth.quikformsapp.com/quiksaml/samlsso/sameaccount

 

The following attributes are needed for a Same Account SSO:

Metadata: https://auth.quikformsapp.com/quiksaml/metadata/sameaccount

Assertion URL: https://auth.quikformsapp.com/quiksaml/samlsso/sameaccount

Entity ID: http://quikformsapp.com/sameaccount

Same Account SAML Attributes

NOTE: Items in yellow are valid SAML elements but may still be in development within the Quik! App to consume and use the elements.

| Category | Name | Description | Data Type | Required? |
|---|---|---|---|---|
| Application Data | ApplicationID | The Application ID at Quik! ALL CUSTOMERS MUST USE VALUE "36" FOR ApplicationID | string | YES |
| Application Data | AudienceRestriction | Value that specifies who the assertion is for. ALL CUSTOMERS MUST USE VALUE "ServiceProvider" FOR AudienceRestriction | string | YES |
| Quik! Account Data | CustomerID | Quik! CustomerID assigned to the customer's account | string | YES |
| Quik! Account Data | CustomerUserID | Customer's unique UserID from their internal system of record | string | YES |
| Application Control | TimeoutRedirectURL | A URL to send the user to when their logged in session expires or is logged out | string | YES |
| Quik! Account Data | UserFirstName | User's first name | string | YES |
| Quik! Account Data | UserLastName | User's last name | string | YES |
| Quik! Account Data | UserEmail | User's email address | string | YES |
| Quik! Account Data | Username | User's username - if not provided, Quik! will generate a Username for the user | string | NO |
| Quik! Account Data | Password | If provided, user's password will be hashed and stored | string | NO |
| Quik! Account Data | CustomerUserType | Type of user being logged in (e.g Advisor, HomeOffice, etc.) | string | NO |
| Application Data | BrokerDealerID | The Broker/Dealer's internal ID used with API calls or e-sign | string | NO |
| Application Data | CustomerClientId | The ClientID to assign to Owner1 role | string | NO |
| Application Data | CustomerAccountId | The account ID to assign to Account 1 role | string | NO |
| Application Data | FormIDList | List of FormIDs to add to the shopping cart | csv | NO |
| Application Data | ClientIDList | List of Client IDs to lookup from the connected CRM | csv | NO |
| Application Data | RepIDList | List of Client IDs to lookup sales rep records from the connected CRM | csv | NO |
| Application Data | Rep1RecordID | The record ID to assign to Rep 1 role | string | NO |
| Application Data | RepNumberList | List of rep numbers to show in the launch screen of the Quik! App | csv | NO |
| Application Data | Transactions | List of transaction data objects like a tradeblotter, orders, etc. Must contain a root object called “transactions” which will store an array of objects with the following attributes: (1) id: the Transaction ID (string); (2) typeId: the Transaction Type (int): TradeBlotter=1. Example: { "transactions": [ { "id": "a1H0S0000012ZeKUAU", "typeId": 1 } ] } | json string | NO |
| Application Data | FormFieldsData | Any Quik! full field name and value to prefill onto the form: {"fields":[{"n":"1own.FName","v":"Bruce"},{"n":"1own.LName","v":"Wayne"},{"n":"1own.H.City","v":"Gotham"}]} | string | NO |
| E-Sign Meta Data | ClientCode | The user's client ID | string | NO |
| E-Sign Meta Data | AccountCode | The customer's account ID | string | NO |
| E-Sign Meta Data | RepCode | The customer's sales rep ID | string | NO |
| E-Sign Meta Data | FirmCode | The customer's firm (broker/dealer ID) | string | NO |
| E-Sign Meta Data | ClientTransNumber | The customer's transaction number (numeric integer values only) | number | NO |
| E-Sign Meta Data | ClientTransNumber2 | The customer's transaction number (numeric integer values only) - number 2 | number | NO |
| E-Sign Meta Data | ClientTransNumber3 | The customer's transaction number (numeric integer values only) - number 3 | number | NO |
| E-Sign Meta Data | ClientTransNumber4 | The customer's transaction number (numeric integer values only) - number 4 | number | NO |
| E-Sign Meta Data | ClientTransCode | The customer's transaction code | string | NO |
| E-Sign Meta Data | ClientTransCodeType | The description if any of the ClientTransCode so customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode2 | The customer's transaction code - number 2 | string | NO |
| E-Sign Meta Data | ClientTransCode2Type | The description if any of the ClientTransCode2 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode3 | The customer's transaction code - number 3 | string | NO |
| E-Sign Meta Data | ClientTransCode3Type | The description if any of the ClientTransCode3 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode4 | The customer's transaction code - number 4 | string | NO |
| E-Sign Meta Data | ClientTransCode4Type | The description if any of the ClientTransCode4 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransMetaData | Any extra text the customer wants to pass through the meta data service (up to 8000 characters) | string | NO |
| Application Control | EnableESign | Turns on or off the e-sign feature for the logged in session of the Quik! App | boolean | NO |
| Application Control | EnableClientSearch | Flag to hide/disable the client search page in the Quik! App | boolean | NO |
| QFE Properties | LockPrefilledFields | If TRUE, sets the prefilled fields as read-only on the form | boolean | NO |
| QFE Properties | ESignCallbackURL | Sets the value of the e-sign Callback URL | string | NO |
| QFE Properties | SubmitFormOn | If TRUE, shows the Submit button in the Quik! Form Viewer | boolean | NO |
| QFE Properties | SubmitURL | Sets the value of the Submit button URL (location where submitted form data will be sent) | string | NO |
| Application Control | DataSourceConnectionID | Quik! Datasource Connection ID to use when requesting client records, if none then whatever connection exists on the account is used | string | NO |
| Application Control | LockAssignedRoles | Flag to allow user to change pre-assigned roles | boolean | NO |
| Application Control | LockRepChoice | Flag to disable/enable the rep drop-down in the Launch page | boolean | NO |
| Application Control | ESignConnectionName | Determines which e-sign connection user can access by passing the ESign connection name | string | NO |
| Application Control | LockESignChoice | Flag to disable/enable e-sign drop-down in the Launch page | boolean | NO |
| QFE Properties | LockAllFields | If TRUE, sets all fields as read-only on the form | boolean | NO |
| Application Data | FormGroupIDList | List of FormGroupIDs to get the related forms to add to the shopping cart | csv | NO |
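A pre-flight check an IdP integration could run on its attribute set before building the SAML assertion, as an added example (not Quik! code) that applies the rules in the Same Account table above. The function names, the `allowed_hosts` policy for the URL attributes, and the sample values are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Rules taken from the Same Account attribute table on this page.
REQUIRED = ("ApplicationID", "AudienceRestriction", "CustomerID", "CustomerUserID",
            "TimeoutRedirectURL", "UserFirstName", "UserLastName", "UserEmail")
FIXED = {"ApplicationID": "36", "AudienceRestriction": "ServiceProvider"}
INTEGER_ONLY = ["ClientTransNumber" + suffix for suffix in ("", "2", "3", "4")]
URL_ATTRS = ("TimeoutRedirectURL", "ESignCallbackURL", "SubmitURL")
MAX_META_CHARS = 8000

def _check_json(attrs, name, root, spec, errors):
    """`name`, if present, must be JSON shaped {root: [{key: value-of-type}, ...]}."""
    if name not in attrs:
        return
    try:
        items = json.loads(attrs[name])[root]
        ok = isinstance(items, list) and all(
            type(item[key]) is kind for item in items for key, kind in spec.items())
    except (TypeError, ValueError, KeyError):
        ok = False
    if not ok:
        errors.append(f'{name}: expected JSON {{"{root}": [...]}} with well-formed items')

def validate_same_account(attrs, allowed_hosts):
    """Return a list of problems; an empty list means the attribute set passes."""
    errors = []
    for name in REQUIRED:
        if not str(attrs.get(name, "")).strip():
            errors.append(f"{name}: required attribute is missing or empty")
    for name, value in FIXED.items():
        if name in attrs and attrs[name] != value:
            errors.append(f'{name}: must be "{value}"')
    for name in INTEGER_ONLY:
        text = str(attrs.get(name, "0"))
        if not (text.isascii() and text.isdigit()):  # ASCII digits only
            errors.append(f"{name}: numeric integer values only")
    if len(attrs.get("ClientTransMetaData", "")) > MAX_META_CHARS:
        errors.append(f"ClientTransMetaData: longer than {MAX_META_CHARS} characters")
    for name in (n for n in URL_ATTRS if n in attrs):
        # Assumption (local policy, not a Quik! rule): these URLs receive users or
        # submitted form data, so accept only HTTPS on hosts the integrator runs.
        try:
            url = urlsplit(attrs[name])
            ok = url.scheme == "https" and url.hostname in allowed_hosts
        except ValueError:
            ok = False
        if not ok:
            errors.append(f"{name}: must be https on an approved host")
    _check_json(attrs, "FormFieldsData", "fields", {"n": str, "v": str}, errors)
    _check_json(attrs, "Transactions", "transactions", {"id": str, "typeId": int}, errors)
    return errors

# Constructed sample attribute set; IDs and host names are placeholders.
SAMPLE = {
    "ApplicationID": "36", "AudienceRestriction": "ServiceProvider",
    "CustomerID": "CUSTOMER-ID-PLACEHOLDER", "CustomerUserID": "u-1001",
    "UserFirstName": "Bruce", "UserLastName": "Wayne", "UserEmail": "bruce@example.com",
    "TimeoutRedirectURL": "https://portal.example.com/session-expired",
    "SubmitURL": "https://portal.example.com/quik/submit", "ClientTransNumber": "42",
    "FormFieldsData": '{"fields": [{"n": "1own.FName", "v": "Bruce"}]}',
    "Transactions": '{"transactions": [{"id": "a1H0S0000012ZeKUAU", "typeId": 1}]}',
}
```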

Same Account - Sample SAML


Referral Account SSO

Use the referral account SSO approach if you want to log a user into their own Quik! account and associate them to an enterprise customer’s parent account at Quik! (ideal for enterprise customers and partners), or if you want to log a user into their own Quik! account from any third-party website (ideal for system integrators and 3rd parties).

 

Referral Account: SSO To A User’s Quik! Account

This endpoint is used to log users into their own independent or child Quik! accounts.

The following production endpoint is to be used for all production SAML requests:

https://auth.quikformsapp.com/quiksaml/samlsso/referralaccount

Metadata: https://auth.quikformsapp.com/quiksaml/metadata/referralaccount

Assertion URL: https://auth.quikformsapp.com/quiksaml/samlsso/referralaccount

Entity ID: http://quikformsapp.com/referralaccount

Referral Account SAML Attributes

NOTE: Items in yellow are valid SAML elements but may still be in development within the Quik! App to consume and use the elements.

| Category | Name | Description | Data Type | Required? |
|---|---|---|---|---|
| Application Data | ApplicationID | The Application ID at Quik! ALL CUSTOMERS MUST USE VALUE "36" FOR ApplicationID | string | YES |
| Quik! Account Data | CustomerID | Quik! CustomerID assigned to the customer's account | string | YES |
| Quik! Account Data | CustomerUserID | Customer's unique UserID from their internal system of record | string | YES |
| Quik! Account Data | AffiliateCode (NEW for Fall 2022) | A code issued by Quik! to be used by the customer/partner to associate users with their account (i.e. parent/child accounts), to provide the user with a discount or free product when the parent entity is paying for all users, and/or to give the user access to a private library of forms. | string | NO |
| Application Control | TimeoutRedirectURL | A URL to send the user to when their logged in session expires or is logged out | string | YES |
| Application Data | BrokerDealerID | The Broker/Dealer's internal ID used with API calls or e-sign | string | NO |
| Application Data | CustomerClientId | The ClientID to assign to Owner1 role | string | NO |
| Application Data | CustomerAccountId | The account ID to assign to Account 1 role | string | NO |
| Application Data | FormIDList | List of FormIDs to add to the shopping cart | csv | NO |
| Application Data | ClientIDList | List of Client IDs to lookup from the connected CRM | csv | NO |
| Application Data | RepIDList | List of Client IDs to lookup sales rep records from the connected CRM | csv | NO |
| Application Data | Rep1RecordID | The record ID to assign to Rep 1 role | string | NO |
| Application Data | RepNumberList | List of rep numbers to show in the launch screen of the Quik! App | csv | NO |
| Application Data | Transactions | List of transaction data objects like a tradeblotter, orders, etc. Must contain a root object called “transactions” which will store an array of objects with the following attributes: (1) id: the Transaction ID (string); (2) typeId: the Transaction Type (int): TradeBlotter=1. Example: { "transactions": [ { "id": "a1H0S0000012ZeKUAU", "typeId": 1 } ] } | json string | NO |
| Application Data | FormFieldsData | Any Quik! full field name and value to prefill onto the form: {"fields":[{"n":"1own.FName","v":"Bruce"},{"n":"1own.LName","v":"Wayne"},{"n":"1own.H.City","v":"Gotham"}]} | string | NO |
| E-Sign Meta Data | ClientCode | The user's client ID | string | NO |
| E-Sign Meta Data | AccountCode | The customer's account ID | string | NO |
| E-Sign Meta Data | RepCode | The customer's sales rep ID | string | NO |
| E-Sign Meta Data | FirmCode | The customer's firm (broker/dealer ID) | string | NO |
| E-Sign Meta Data | ClientTransNumber | The customer's transaction number (numeric integer values only) | number | NO |
| E-Sign Meta Data | ClientTransNumber2 | The customer's transaction number (numeric integer values only) - number 2 | number | NO |
| E-Sign Meta Data | ClientTransNumber3 | The customer's transaction number (numeric integer values only) - number 3 | number | NO |
| E-Sign Meta Data | ClientTransNumber4 | The customer's transaction number (numeric integer values only) - number 4 | number | NO |
| E-Sign Meta Data | ClientTransCode | The customer's transaction code | string | NO |
| E-Sign Meta Data | ClientTransCodeType | The description if any of the ClientTransCode so customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode2 | The customer's transaction code - number 2 | string | NO |
| E-Sign Meta Data | ClientTransCode2Type | The description if any of the ClientTransCode2 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode3 | The customer's transaction code - number 3 | string | NO |
| E-Sign Meta Data | ClientTransCode3Type | The description if any of the ClientTransCode3 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransCode4 | The customer's transaction code - number 4 | string | NO |
| E-Sign Meta Data | ClientTransCode4Type | The description if any of the ClientTransCode4 so the customer knows what the data represents | string | NO |
| E-Sign Meta Data | ClientTransMetaData | Any extra text the customer wants to pass through the meta data service (up to 8000 characters) | string | NO |
| Application Control | EnableESign | Turns on or off the e-sign feature for the logged in session of the Quik! App | boolean | NO |
| Application Control | EnableClientSearch | Flag to hide/disable the client search page in the Quik! App | boolean | NO |
| QFE Properties | LockPrefilledFields | If TRUE, sets the prefilled fields as read-only on the form | boolean | NO |
| QFE Properties | ESignCallbackURL | Sets the value of the e-sign Callback URL | string | NO |
| QFE Properties | SubmitFormOn | If TRUE, shows the Submit button in the Quik! Form Viewer | boolean | NO |
| QFE Properties | SubmitURL | Sets the value of the Submit button URL (location where submitted form data will be sent) | string | NO |
| Application Control | DataSourceConnectionID | Quik! Datasource Connection ID to use when requesting client records, if none then whatever connection exists on the account is used | string | NO |
| Application Control | LockAssignedRoles | Flag to allow user to change pre-assigned roles | boolean | NO |
| Application Control | LockRepChoice | Flag to disable/enable the rep drop-down in the Launch page | boolean | NO |
| Application Control | ESignConnectionName | Determines which e-sign connection user can access by passing the ESign connection name | string | NO |
| Application Control | LockESignChoice | Flag to disable/enable e-sign drop-down in the Launch page | boolean | NO |
| QFE Properties | LockAllFields | If TRUE, sets all fields as read-only on the form | boolean | NO |
| Application Data | FormGroupIDList | List of FormGroupIDs to get the related forms to add to the shopping cart | csv | NO |

Referral Account - Sample SAML Request


Testing in UAT

The following UAT pre-production endpoints can be used for testing prior to implementing in a production environment or before production releases are made (simply add “uat” to the beginning of the URL to test any URL in our UAT environment):

https://uatauth.quikformsapp.com/quiksaml/samlsso/sameaccount

https://uatauth.quikformsapp.com/quiksaml/samlsso/referralaccount

 

For help regarding Quik! Forms and the Quik! API
Email: support@quikforms.com | Phone: (877) 456-QUIK