Configure Salesforce and Quip for SSO

To configure Salesforce with your Quip site, make sure to first review our guide Security Assertion Markup Language for additional information on the process, as well as guidelines we recommend. 

Requirements:

1. A Quip Admin Role
   1. If you do not know your Quip Site Admin, create a case with Quip Support.
2. Quip Plus or Quip Advanced licenses.
3. Salesforce Admin access

*Please note, if you are currently using Salesforce as a service provider, you will not be able to use it as an Identity Provider for Quip.

Set up

1. Start in the Quip Admin Console.
2. Click on Settings, select Accounts & Access
3. Click on the blue highlighted, For entity ID and destination URL, download Quip’s metadata. 
4. The metadata (.xml) file will download directly within your window.
5. Open the metadata file, locate the Entity ID and Location/Redirect URL.
   1. Keep this file open for your identity provider’s configuration.
   2. If you have trouble opening this file, try opening it using Text Edit or another app.
6. Log in to your Salesforce Administrator account.
7. Select the Gear icon in Salesforce, and select Setup.
8. In the Quick Find box on the left side of the screen, Search for Identity Provider.
9. If you have a generated Certificate, you can then select Service Providers are now created via Connected Apps. Click Here to start the setup of your configuration.

After clicking on, Service Providers are now created via Connected Apps. Click here, you will then see the New Connected App configuration page.

• For the Connected App Name, give your configuration a name other than 'Quip'.
  • We recommend 'Quip SAML' or 'Quip SSO'.
• The API Name will generate automatically.
• For the Contact Email use the email you are currently logged into Salesforce with.
• Then check the box for Enable SAML under Web App Settings.

Fill in the next section with information from your Quip metadata file:

• For the Start URL, enter the Location URL from your Quip metadata file.
• For the Entity ID, enter the Entity ID from your Quip metadata file.
• For the ACS URL, enter the Location URL from your Quip metadata file.
• For the IdP Certificate, select the dropdown option, and select your current active certificate generated during this setup.

After configuring your Connected App with the corresponding URL’s from your Quip metadata file, you will see a confirmation page.

Assign the correct permission sets within Salesforce to allow your users to log in. You can assign users by selecting Manage Permission Sets within the Connected App page.

Scroll down to the SAML Login Information section of your new Connected App and select Download Metadata. This will prompt an automatic download of the configured Salesforce metadata file.

Once you’ve downloaded your new metadata file from Salesforce, open the Quip Admin Console:

1. Go to Settings > Accounts & Access and select New Configuration under SAML.
2. Enter a Configuration Name.
3. Use the Upload File option to select your Salesforce metadata file.
4. Click continue and input your email.
5. A Success message should appear in green.
   1. If you receive a fail status, re-open Salesforce to ensure your account has been correctly assigned to your Identity Provider Connected App.

After receiving a successful Test status, you will see the Enable SAML Configuration panel.

• For initial testing, use the Enabled Users portion to enter users from your Quip site to test.
• If you’d like to turn this on for your entire site completely, select Entire Company.

Optional: To bypass users from using SAML, list the users email address in the Exempted Domain portion of the configuration. To use this, the users to be exempted must have a different email domain than the users who are authenticating through your SAML configuration.

FAQ's:

• If your Salesforce Instance is connected to an Identity Provider, we do not recommend using it as an Identity Provider for Quip. 
  • Instead, we recommend using your main Identity Provider for Quip instead of Salesforce to avoid redirect errors. 
• Once you are done testing your SAML setup, you will need to select the dropdown on your configuration in the Quip Admin Console and select “Manage”.
  • Then select “Enable for Entire Company” and save to apply the configuration to all of your users. 
  • All of your users will then be directed to log in with their corresponding Identity Provider credentials.
• In the event that uploading the metadata file within your Quip configuration does not work, you can manually paste the configuration into a textbox by selecting 'Configure manually'.
• Admins cannot configure more than one Identity Provider to one Quip site.
  • If you have an Identity Provider configured with other applications, we recommend using that same Identity Provider with your Quip site.
  • Only one configuration in Quip can be enabled at a time. We do not support enabling multiple SAML configurations in Quip at once.
• If you need to update your existing SAML configuration certificate, follow this guide, How to Add/Update a New SAML Certificate for Quip.