Access to this feature can change based on your Quickbase plan. Learn more about feature availability and plans in Quickbase capabilities.
The SAML assertion (the packet of security information the IdP sends) must be well formed and must contain the elements Quickbase uses to validate the origin and contents of the message: the NameID, the FirstName, LastName, and EmailAddress attributes, and the X.509 public certificate that corresponds to the signing key. Either the entire message or the assertion must be signed.
Best practice: For the strongest security, Quickbase recommends signing the entire message.
The following is an example of a SAML assertion response for a newly provisioned Quickbase ID:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://myrealm.quickbase.com/saml/SSOAssert.aspx"
ID="id9260284416268391442423315" InResponseTo="_cb6b7f2d-d790-42b4-a73f-a2b2521c0ac4"
IssueInstant="2023-11-30T18:03:14.436Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.my-idp.com/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id9260284416268391442423315">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>TiSDGAGADGBFDNFDBF...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TiSDGAGADGBFDNFDBF...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>TiSDGAGADGBFDNFDBF...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="id1234567897" IssueInstant="2023-11-30T18:03:14.436Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.my-idp.com/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id9260284418018931947188558">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>…o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>TiSDGAGADGBFDNFDBF...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>TiSDGAGADGBFDNFDBF...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@acme.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_cb6b7f2d-d790-42b4-a73f-a2b2521c0ac4"
NotOnOrAfter="2023-11-30T18:08:14.437Z"
Recipient="https://myrealm.quickbase.com/saml/SSOAssert.aspx" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-11-30T17:58:14.437Z" NotOnOrAfter="2023-11-30T18:08:14.437Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>https://myrealm.quickbase.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2023-11-30T14:00:58.799Z"
SessionIndex="_cb6b7f2d-d790-42b4-a73f-a2b2521c0ac4"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="FirstName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="EmailAddress"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@acme.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
NameID
Quickbase uses the NameID field to match the assertion with a specific user. The value in the field is the UID of the user, which the IdP provides to Quickbase in the SAML assertion. The UID must be unique to an employee/user and must remain associated with the same user.
Once Quickbase has parsed the SAML assertion and verified its contents, a temporary Quickbase cookie is set in the user's browser and the user is redirected to the Quickbase home page.
X.509 public certificate file
The IdP's X.509 certificate is the public half of the key pair the IdP uses to sign the SAML assertion before sending it to Quickbase; Quickbase uses it to verify that signature.
Note: The file must have a .cer file extension.
AttributeStatement
Quickbase uses several required user fields to identify, update, or provision the user in our system.
Note: New users authenticated by the IdP through SAML are automatically provisioned in the Realm Directory as Approved.
These fields are required with every SAML Assertion as SAML Attributes. User information in Quickbase is always updated with information sent in the latest SAML assertion. This ensures consistency and accuracy of the user information in Quickbase.
| Field Description | SAML Attribute Name | Required | Notes |
|---|---|---|---|
| Email address | EmailAddress | Yes | |
| User's first name | FirstName | Yes | Used to create/update user profile in Quickbase. |
| User's last name | LastName | Yes | Used to create/update user profile in Quickbase. |
Setting the SAML session timeout
Quickbase SAML assertions honour the NotOnOrAfter attribute (carried in the assertion's Conditions element, as in the sample above) so that IdPs can control user session time.
You can control session timeouts either through the NotOnOrAfter attribute in the assertions your IdP issues or through the Quickbase Admin Console, on the Policies page.
If the assertion contains the NotOnOrAfter attribute, Quickbase uses it for the session timeout. If not, Quickbase uses your realm policies. If no realm-defined policies have been set, Quickbase uses the default of 720 minutes.
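As an added example (not Quickbase's or any IdP's code), this Python check walks a constructed response modelled on the sample above and reports which of the requirements on this page it misses: a signature on the Response or the Assertion, a NameID, the three required attributes, a valid NotBefore/NotOnOrAfter window, and the expected Audience. It checks structure only and assumes the SAML library performs the cryptographic signature verification; the sample document, `parse_ts`, and `check_response` are hypothetical names introduced here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Namespaces used in the Quickbase sample response above.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("EmailAddress", "FirstName", "LastName")

def parse_ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, expected_audience, now):
    """Return the violations found (empty list = all structural checks passed); the ds:Signature must still be verified cryptographically."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        problems.append("missing Conditions/NotOnOrAfter")
    else:
        # NotOnOrAfter is the attribute Quickbase uses for the session timeout.
        if now < parse_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
            problems.append("assertion not yet valid")
        if now >= parse_ts(cond.attrib["NotOnOrAfter"]):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience does not include " + expected_audience)
    present = {a.get("Name") for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    problems += ["missing attribute " + n for n in REQUIRED_ATTRS if n not in present]
    return problems

# Constructed minimal response modelled on the sample above: only the Assertion is
# signed (allowed) and LastName is deliberately absent (a violation).
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2:Assertion ID="id1234567897"><ds:Signature><ds:SignatureValue>constructed...</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:NameID>jdoe@acme.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2023-11-30T17:58:14.437Z" NotOnOrAfter="2023-11-30T18:08:14.437Z">
   <saml2:AudienceRestriction><saml2:Audience>https://myrealm.quickbase.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions><saml2:AttributeStatement>
   <saml2:Attribute Name="FirstName"><saml2:AttributeValue>John</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="EmailAddress"><saml2:AttributeValue>jdoe@acme.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""
```

Run with `check_response(SAMPLE, "https://myrealm.quickbase.com", parse_ts("2023-11-30T18:03:14Z"))` to see the single LastName violation; pass a time at or after NotOnOrAfter to see the expiry check fire first.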