Single Sign-On
Single Sign-On integrations with QReserve allow your users to authenticate and create or link QReserve accounts automatically. No new password or login credentials required!
Setting Up Single Sign-On
QReserve supports single sign-on integrations via SAML2 and Shibboleth. Please contact us to inquire about the steps involved with setting up your institution with Single Sign-On.
Okta
Please visit the Okta Integration page for instructions.
Microsoft Azure
Please visit Microsoft Azure's QReserve Integration page for instructions.
Microsoft ADFS
Please visit the ADFS Integration page for instructions.
SAML 2.0
QReserve supports single sign-on using the SAML 2.0 protocol and can interface with both on-site and cloud-based SAML 2.0 authentication platforms such as Google Workplace, Azure AD, and Okta. Typically a persistent ID and, if different, an email address can be released as metadata when creating this integration. When configuring your SSO integration please ensure that the message is signed.
SAML 2.0 Metadata
When setting up an SSO integration with QReserve, you will require our metadata and we will require yours. Please speak with your account representative to coordinate your new SSO integration.
Supported Attributes
QReserve supports receiving the following attributes from IDPs. Please ensure the attributes are named by their respective urn:oid
namespace values and not the friendly name because the urn:oid
values are consistent across implementations.
Friendly Name | Name | Required |
---|---|---|
eduPersonTargetedID |
| Yes |
| Yes | |
eduPersonPrincipalName |
| No |
displayName |
| No |
cn (Common Name) |
| No |
sn (Surname) |
| No |
givenName |
| No |
Shibboleth 2.0
QReserve also supports the Shibboleth 2.0 extensions on SAML 2.0 widely adopted by educational institutions around the world. QReserve is a registered Service Provider (SP) through the Canadian Access Federation where you may obtain our Entity Metadata for use in adding QReserve as a trusted service provider at your organization.
QReserve has membership in the following federations:
- CAF Federation
- eduGAIN
- InCommon Federation
- SWAMID Federation
- UK Access Management Federation
QReserve requires a persistent, unique identifier for each identity in order to provide integration with a Shibboleth Identity Provider. This identifier is often available in eduPersonTargetedID
but can vary institution to institution. Optionally, an email address may also be provided.
Managing Single Sign-On Users
If your institution has single sign-on integrated with QReserve then users are able to authenticate themselves using your institution's authentication platform. A sibling QReserve account is automatically created and populated with the email address provided through your institution's single sign-on platform if available, or, users are asked to provide one upon first logging in.
When users first sign-in through single sign-on, they will have a normal QReserve account without any memberships. At this point, users are able to join sites by searching for them or by being added manually be site administrators.
Pre-Adding Users
Users can be pre-added to your site prior to them signing in via single sign-on by adding the users directly to your site with the normal means (see Adding Users for details). When users are added to your site, they will receive an email prompting them to create a QReserve account and they may then do so either by setting a QReserve password or by logging in via the Sign In With Partner link on the login page.
Providing a Quick Sign-In Link
To make signing in easier for your users, you can provide a link directly to your Single Sign-In login page that bypasses users having to select your institution manually. Please contact your QReserve representative to set this up.
Submitting Single Sign-On Information
Once your account is ready to progress, please use this form to submit your information.