SSO instructions

Steps to onboard a new customer for SSO configuration.


SSO Login Flow

Follow these steps to get onboarded for SSO:


1. Customer’s IT department will make a formal request for SSO integration for their QDI license to QDI Customer support.

2. QDI customer support will identify all applications, licenses, users and domains for the customer and send the list to the customer’s IT department.

3. QDI customer support will verify the pattern of user emails and notify customer's IT department of any accounts that might require an update to the email address.

4. Customer’s IT department and license coordinator (license administrator) will confirm the licenses and users who will use SSO.

5. Customer’s IT department will provide the following:

  1. Domains for SSO
  2. IT email contact for access to self-configure portal. This administrator will be in charge of setting up the SSO configuration via QIAGEN Digital Insights Admin Tool. Instructions for setting up and enabling the SSO configuration are available in the self-configure portal.
  3. The SAML XML, so that the engineering team can validate it prior to the on-boarding meeting. It is mandatory that the SAML XML includes the NameID attribute. This attribute serves as the unique identifier for each user and is essential for secure and seamless session management across services. Ensure your Identity Provider (IdP) is set up to include the NameID attribute in its SAML assertions.

6. The service provider metadata XML is available for download from the self-configure portal or QDI customer support can provide it on-demand. Consult this for more details.

7. Customer’s IT department will notify internal users of the SSO implementation, how to log in using SSO, and their IT contact for authentication-related issues.

8. Users will use their internal SSO to access QDI applications.
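
A pre-check the customer's IT department can run on a sample SAML response before sending it for validation (step 5). This is an added example, not QDI's own validation code; it does not verify signatures. It assumes the sample is an unencrypted SAML 2.0 response and that NameID carries the user's email address; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def make_sample(subject_xml):
    """Build a constructed, trimmed, unsigned SAML response for the demo."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f"<saml:Assertion><saml:Subject>{subject_xml}</saml:Subject>"
            "</saml:Assertion></samlp:Response>")

def check_nameid(saml_xml, sso_domains):
    """Return a list of problem codes; an empty list means the pre-check passed."""
    try:
        root = ET.fromstring(saml_xml)
    except ET.ParseError:
        return ["NOT_WELL_FORMED"]
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if not assertions:
        # Also the outcome for an EncryptedAssertion, which cannot be inspected here.
        return ["NO_ASSERTION"]
    allowed = {d.lower() for d in sso_domains}
    problems = []
    for assertion in assertions:
        name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        value = (name_id.text or "").strip() if name_id is not None else ""
        if not value:
            problems.append("MISSING_NAMEID")
        elif "@" not in value:
            # Assumption: NameID is expected to be the user's email address.
            problems.append("NAMEID_NOT_EMAIL")
        elif value.rpartition("@")[2].lower() not in allowed:
            # NameID domain is not among the domains registered for SSO.
            problems.append("DOMAIN_NOT_REGISTERED")
    return problems

# Constructed sample documents (example.org is a placeholder domain).
NAMEID = "<saml:NameID>{}</saml:NameID>"
OK = make_sample(NAMEID.format("alice@example.org"))
NO_NAMEID = make_sample("")
WRONG_DOMAIN = make_sample(NAMEID.format("bob@other.example"))

if __name__ == "__main__":
    for label, doc in [("ok", OK), ("no NameID", NO_NAMEID),
                       ("wrong domain", WRONG_DOMAIN)]:
        print(label, check_nameid(doc, ["example.org"]) or "passed")
```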


How to log in with SSO


Please visit this


Frequently Asked Questions


Q - Which are the supported protocols to implement SSO?
A – Only SAML2-based SSO is supported for now, more specifically the Service Provider-Initiated SAML Flow.


Q - Is SSO available for all QDI applications?
A – Yes. SSO is available only for QIAGEN hosted products MyQDI, QCI-T, QCI-I, IPA, RAP, QSA and QDIAT.


Q - Can I turn on SSO for product A but not for product B?
A – Users have one login for all QDI products. SSO replaces QDI's identity store with customer's identity store. When SSO is turned on for a user, it is on for all products.


Q - Can the license admin add/remove users from SSO?
A – No. Only the SSO Admin can configure/edit SSO, enable/disable SSO, add/remove users from SSO.


Q - Is there a cost for implementing SSO?
A – No.


Q - Is auto user provisioning available with QDI SSO?
A – Yes. If the QDI product license is of type site-license (i.e. unlimited users) then auto user provisioning is available.


Q – Who is responsible for user authentication issues?
A – Customer’s IT department is responsible for user authentication issues. Once SSO is enabled, QDI support will reply to authentication issues with customer’s IT contact.


Q – Will SSO continue to work even when the QDI license has expired?
A – Yes. If the license has expired, after SSO authentication, the user will get a message “You do not have a license for this product.”


Q – Will IP address restrictions on license be enforced?
A – Yes. IP address restrictions are a function of the QDI production definition and are part of authorization and will be enforced. Users are advised to be on their institution VPN before accessing QDI products.


Q – Can individual user accounts be exempt from SSO?
A – Yes.


Q - Does SSO apply to Production and Beta applications?
A – Yes. All customer licenses in production and beta will be SSO enabled. There is no way to exclude beta from SSO.


Q – My institution has multiple licenses. Can some licenses be exempt from SSO?
A – No. This is an all or nothing SSO implementation.


Q – Can we self-configure the domain or re-upload XML or enable/disable SSO?
A – Yes. A self-configurable portal is available via the QIAGEN Digital Insights Admin Tool. The IT contact email is given access to it and can review and make changes to their SSO configuration.


Q – Can we continue to use IAT?
A – Yes. There is no change.


Q – Can multiple SSO config be provided for the same domain? E.g. one for each region where the institution is located
A – No.


Q – Should the Service Provider certificate be asserted?
A – Yes, we advise asserting the certificate. Certificate assertions should only be disabled during configuration or upon renewal.




SSO known limitations


  1. When SSO is turned ON, users, once logged in, will not be able to log in as someone else from their private computer.
     Workaround: log out from your own IdP and delete all browser cookies for ingenuity.com.


SSO work flows that require special attention


  1. When SSO is turned ON for a domain, but account auto-provisioning is turned OFF, any new account trying to log in to our system will get a message stating that the account could not be found in the system.

  2. When SSO is turned OFF for a user who is already logged in, the user will receive a message saying “SSO login is disabled for your user, please go back and login with QIAGEN credentials upon session expiration”.


©2024 QIAGEN Digital Insights, All rights reserved.