Configure ADFS/Ping Federate and Quip for SSO

To configure Microsoft or Ping Federate with your Quip site, make sure to first review our guide Security Assertion Markup Language for additional information on the process, as well as guidelines we recommend. 

Requirements:

1. A Quip Admin Role
   1. If you do not know your Quip Site Admin, create a case with Quip Support.
2. Quip Plus or Quip Advanced licenses.
3. An ADFS or Ping Federate instance.

To configure ADFS/Ping Federate with Quip:

1. Start by downloading the Quip metadata from the Quip Admin console.

• Click Settings, and select Accounts & Access.
• Clicking on the highlighted portion, “For entity ID and destination URL, download Quip’s metadata," will start an immediate download.

2. Use the Quip metadata file to configure your instance.

• When configuring your Identity provider, our best recommendation for Name ID format is Email Address and Unspecified.
  • We allow Transient, Persistent, Email Address and Unspecified for the Name ID Format.
  • If you are unable to use these additional Name ID formats, use Email Address to Unspecified as the incoming and outgoing Name ID format to troubleshoot.

3. Add your users to the directory within the Identity Provider.

• Make sure that your users emails exactly match the email listed on their Quip Account.
• SAML can be case-sensitive.

4. Create a New Configuration within the Quip Admin Console under Settings, Accounts & Access.

5. Name the Configuration and Upload the newly configured metadata file from your Identity Provider.

6. Enter the email you are currently logged in with into the Test Email text box. 

• You will then be prompted with a popup window that will allow you to login to your Identity Provider.
• Once this test is successful, select 'Continue'.
• If you see a failed status, double check that you are assigned to the application created in your Identity Provider.

7. Select Enable for Test Users or Enable for Entire Company. 

• If you would like to Enable for test users, make sure to enter email address separated by a coma. 
• Double-check that additional spaces have not been added between these emails.
• If you select Enable for Entire Company, the configuration will be immediately assigned to all site members. 
• Double-check that all users have been assigned to the configuration properly. 

8. Once you select continue, your configuration will then be enabled.

FAQ's:

• Once you are done testing your SAML setup, you will need to select the dropdown on your configuration within the Quip Admin Console and select “Manage”.
  • You will then select “Enable for Entire Company” and save to apply the configuration to all of your users. 
  • All of your users will then be directed to login with their corresponding Identity Provider credentials.
• In the event that uploading the metadata file within your Quip configuration does not work, you can manually paste the configuration into a textbox by selecting 'Configure manually'.
• The Quip SAML configuration allows for users to complete either an Identity Provider (IdP) Initiated Flow or a Service Provider (SP) Initiated Flow. 
  • The IdP-initiated flow allows users to click on the newly created tile in your Identity Provider to launch Quip. 
  • The SP-initiated flow allows users to open Quip.com and login with their email address. 
• If you are using the Test User option in the Quip SAML configuration, you will see that when using an IdP initiated flow that there is an error due to the configuration not being fully enabled.
  • The Quip configuration would need to be set to Enable for Entire Company and saved to allow the tile to work. 
  • We do recommend enabling the configuration for your entire Quip site as a test when users are offline. 
  • You can edit the current configuration by opening the Quip Admin Console, clicking on the Accounts & Access tab, and clicking on the drop down for the desired SAML configuration.
  • You can then select Manage Configuration to edit the additional settings for Entire Company or for Test Users.
• Admins cannot configure more than one Identity Provider to one Quip site.
  • If you have an Identity Provider configured to other applications, we recommend using that same Identity Provider with your Quip site.
  • Only one configuration in Quip can be enabled at a time. We do not support enabling multiple SAML configurations in Quip at once.
• If you need to update your existing SAML configuration certificate, follow this guide, How to Add/Update a New SAML Certificate for Quip.