Quip: Security Assertion Markup Language (SAML) Set Up

To unify your site's login experience and protect your Quip site, we recommend enabling Security Assertion Markup Language (SAML) with your choice of Identity Provider. By integrating SAML, you can streamline the authentication process for your users, ensuring a seamless and secure login method to your Quip content. 

Requirements

• Quip Plus or Quip Advanced license.
• A domain assigned to your site.
  • You can add a domain in the Email Domain & Member Policy section in the Admin Console under Settings, Accounts & Access.
• An Identity Provider such as, OKTA, ADFS, Ping Federate, or Salesforce.
  • We accept additional Identity Providers, as well. 

Set Up Instructions for Specific Identity Providers

• Configure Salesforce and Quip for SSO
• Configure ADFS/Ping Federate and Quip for SSO
• Configure OKTA and Quip for SSO
• SAML: How to Add/Update a New Certificate for Quip

General Instructions for Configuration

To access the Quip SAML setup flow, open admin.quip.com and navigate via the left-hand tab to Settings → Accounts & Access → SAML. Click on 'New Configuration' and follow the Quip SAML Setup flow. You'll be prompted to upload a .xml file (typically downloaded from your Identity Provider) or edit the SAML configuration manually.

After saving the configuration, you'll be prompted to test with an email, which will test the redirect and authentication flow. Once this test is completed successfully, you'll have the option to add additional test users or to enable for your entire site. 

Quip also provides the ability to exempt domains associated with your site from the SAML redirect, which can be edited once the configuration passes the initial email test. When exempting a domain from logging in through SAML, you can only exempt specific domains and not specific users with your main email domain. 

After Configuration 

After SAML is enabled, users who navigate to Quip when not signed in will be redirected to your identity provider and sign in with their credentials, after which they'll be redirected to their Quip account.

Additional Information

In the event you need Quip's entityID or redirect URL for your Identity Provider, you can find them by downloading Quip's metadata from the Authentication page and searching for “entity ID” and “location” in the downloaded .xml file.

For Quip sites with SSO already enabled, your initial configuration will already appear in the SAML table and can be updated or turned off at any time by an Admin.

Quip also provides the ability to load multiple certificates, which you can do by setting up a SAML configuration manually and clicking “add additional certification.” 

 
FAQ

1. If we're already using ADFS as an Identity Provider with Salesforce, can we setup Salesforce as an IdP to Quip? No, this configuration is not supported. Instead, we recommend having the customer use their IdP already in use.
2. Are there any additional instructions for ADFS or for PingFed? No, but if you're looking for more customizations with your IdP, reach out to your IdPs support team for guidance.
3. We're having issues setting up SAML or updating the certificate, now what? Create a support case.
4. How can we set up multiple Quip sites with our single Identity Provider? Create a case in Salesforce Help & Training requesting the additional sites to have their Entity ID Overridden. In the case, include the URLs of the sites you would like the Entity ID to be Overridden.
5. Can we test our configuration in a Managed Site or a Production Quip site? Yes, you can test in either your production Quip site or a Managed Site before fully implementing to the rest of your site, however, we instead recommend using the Test Email portion within the specific site you are enabling SAML.
6. Can I reset my Quip password if SAML is enabled for my Quip site? No, the password that Quip will immediately default to is tied to your Identity Provider credentials. If you do not know your password tied to your Identity Provider credentials, contact your admin to request a password reset.