Configure OKTA and Quip for SSO

To configure OKTA with your Quip site, make sure to first review our guide Security Assertion Markup Language for additional information on the process, as well as guidelines we recommend. 

Requirements:

1. A Quip Admin Role
   1. If you do not know your Quip Site Admin, create a case with Quip Support.
2. Quip Plus or Quip Advanced licenses.
3. An OKTA instance.

To configure OKTA & Quip:

1. In OKTA, create a New App for Quip by clicking on "Create App Integration".
   1. We do not recommend using the pre-created Quip app in OKTA.
2. Open your Quip Admin Console, open Settings, open Accounts & Access.
3. Under the section "SAML (Security Assertion Markup Language)", click on the blue hyperlinked text "For Entity ID and destination URL, download Quip's metadat" to start an automatic download of your Quip Metadata file (.xml).
4. Copy the Location URL from your Quip metadata file and paste it within the 'Single Sign on URL' textbox in OKTA.
5. Copy the Entity ID from your Quip metadata file and paste it within the 'Audience URI (SP Entity ID)' textbox in OKTA.
6. Copy the Location URL from your Quip metadata file and paste it within the 'Default RelayState' textbox in OKTA.
7. After populating the above information in OKTA, download the newly created Metadata (.xml) file. 
8. Before adding your new Metadata file to your Quip SAML configuration, assign yourself as a user of the new Quip OKTA application created.
9. In Quip, create a new SAML configuration in the Quip Admin Console under the Accounts & Access tab.
10. Enter in the Name for your Configuration and use the Upload option to automatically configure SAML, then select Continue.
11. Enter your test email, the email you are currently logged into Quip with, you should then receive a success status if you have assigned yourself to the new OKTA configuration. Select Continue.
    1. We do not recommend testing with a different email address.
12. The last section of this configuration either allows you to test with specific users or select “Enable for Entire Company”.
    1. One of these options must be selected to complete and save the SAML configuration for Quip.

FAQ's: 

• The Quip SAML configuration allows for users to complete either an Identity Provider (IdP) Initiated Flow or a Service Provider (SP) Initiated Flow. 
  • The IdP-initiated flow allows users to click on the newly created tile in OKTA to launch Quip. 
  • The SP-initiated flow allows users to open Quip.com and login with their email address. 
• If you are using the Test User option in the Quip SAML configuration, you will see that when using an IdP initiated flow that there is an error due to the configuration not being fully enabled.
  • The Quip configuration would need to be set to Enable for Entire Company and saved to allow the tile to work. 
  • We do recommend enabling the configuration for your entire Quip site as a test when users are offline. 
  • You can edit the current configuration by opening the Quip Admin Console, clicking on the Accounts & Access tab, and clicking on the drop down for the desired SAML configuration. You can then select Manage Configuration to edit the additional settings for Entire Company or for Test Users.
• The Quip team did not create the pre-existing easy Quip tile in OKTA.
  • We recommend creating a new custom app to ensure that the IdP-initiated flow will work correctly once the entire configuration is completed. 
  • This existing tile is pre-populated with other data that can impact users' ability to launch Quip from the tile in OKTA. Using a new custom tile, as these instructions depict, will ensure that users can use either an IdP or SP-Initiated Flow.
• Admins cannot configure more than one Identity Provider to one Quip site.
  • If you have an Identity Provider configured to other applications, we recommend using that same Identity Provider with your Quip site.
  • Only one configuration in Quip can be enabled at a time. We do not support enabling multiple SAML configurations in Quip at once.
• To update your SAML certificate, review these steps. 
• SAML is available as a self service tool, and does not require you to send the Quip team your metadata file from OKTA.