OpenID Connect (OIDC) and SCIM are available on Pro & Enterprise plan only.
All Quiet provides a secure and efficient way to integrate Single Sign-On (SSO) using OpenID Connect and SCIM, offering a seamless authentication experience for your users.

OpenID Connect (OIDC)

This integration allows your organization to utilize its existing identity provider (IdP) services to manage user access to All Quiet.

Step-by-Step-Guide

1

Create an Organization

To leverage OIDC, you first need to create an Organization in All Quiet. The account that creates the Organization cannot be used for SCIM provisioning. We recommend to create the Organization with a root user that is not bound to a specific employee, like admin@allquiet.app.
2

Contact All Quiet Support

Begin by reaching out to our support team at support@allquiet.app. Provide details about your organization and the identity provider you are using. Our team will assist you with the initial setup process and provide necessary guidance.
3

Setting up in Your IdP

In your identity provider’s management console, you will need to register All Quiet as a new application.For the integration, you will need to provide the Client ID, Client Secret, and the Authority URL from your IdP. The Authority URL is usually the client-specific domain derived from the discovery document URL. These details are essential for establishing a secure and reliable connection between your IdP and All Quiet.Additionally, you’ll need to configure the Redirect URI in your IdP to https://allquiet.app/signin-oidc (US Hosted) or https://allquiet.eu/signin-oidc(EU Hosted)It’s important to share Client ID, Client Secret, and the Authority URL over a secure channel with us to protect your sensitive information. One recommended way is through services like Yopass. All Quiet stores all secrets strongly encrypted in our database to ensure the safety of your credentials.
4

Verification and Testing

Once the setup is completed, our team at All Quiet will perform a series of tests to verify the integration. This ensures that authentication requests are properly handled and user identities are correctly established through your IdP.
5

Finalizing the Integration

After successful verification, the integration is considered complete. Your users can now sign in to All Quiet using their existing organizational credentials managed by your IdP.
While All Quiet aims to make the integration process as straightforward as possible, we do not offer a self-service option for this setup. Our support team is dedicated to assisting you through each step of the process and ensuring the integration meets your organization’s specific needs.

Conclusion

Integrating your organization’s SSO using OpenID Connect with All Quiet enhances your platform’s security and user experience. With this setup, you ensure a consistent and secure access management system, aligned with your organizational policies and requirements.

SCIM 2.0

Step-by-Step-Guide

This integration allows your organization to leverage tools like Microsoft Entra for smoother user management in All Quiet.
1

Create an Organization

To leverage SCIM, you first need to create an Organization in All Quiet. The account that creates the Organization cannot be provisioned via SCIM. Therefore, we recommend to create the Organization with a root user that is not bound to a specific employee, like admin@allquiet.app. This way, you ensure all “real” on-call users and employee accounts can be provisioned. If you already set up the Org with your personal account, you can change your account’s email address via the Web app on /app/account to a root user email and later provision your personal email and account via SCIM.
2

Contact All Quiet Support

Begin by reaching out to our support team at support@allquiet.app. Provide details about your All Quiet Organization and the SCIM provider you are using. Our team will assist you with the initial setup process and provide necessary guidance.
Have you already created users manually and now wish to convert them to SCIM-provisioned users? Let us know during this step.
3

Retrieve Base URL & API Key

In your SCIM provider’s console, you will need to register All Quiet as a new SSO application.For the integration, you will need to provide the Base URL and API Key of your All Quiet Organization.After getting in touch with our team, we will create your Organization’s Base URL. It will be visible under
  1. Organizations.
  2. Select your Organization and the tab SSO.
Additionally, you’ll need an API Key. To find or create your Organization’s API Key, open
  1. Organizations.
  2. Select your Organization and the tab API Keys.
  3. Retrieve your API Key
  4. Alternatively, click Create API Key if you haven’t created one yet.
Both, Base URL and API Key will be necessary to activate All Quiet as a new SSO application of your SCIM provider and to establish a secure and reliable connection. All Quiet stores all secrets strongly encrypted in our database to ensure the safety of your credentials.Make sure to select the Users and User Groups you want to share with All Quiet in your SCIM provider’s interface.
4

Verification and Testing

Once the setup is completed, you will find the users provisioned via SCIM under
  1. Organizations
  2. Tab Users.
5

Add OIDC

Your SCIM-provisioned users won’t be able to log in as they don’t have a password. To grant them access to All Quiet, you’ll need to set up OIDC (OpenID Connect) as an additional step.
6

SCIM Team & Organization Role Provisioning

You can use the User Groups from your SCIM provider for Team & Organization Management in All Quiet. This is a convenient and much leaner alternative to manual team invites for larger organizations.Go to Organizations > Tab SSOManual Provisioning Mode
  1. First, you need to select your Provisioning Mode. We recommend Manual Provisioning if you want to be flexible and want to be able to switch SCIM User Groups between All Quiet Teams.
    Switching the Provisioning Mode between Manual and Auto will remove all previously provisioned users from their teams, as this action resets the existing mappings. To avoid disruptions, we recommend choosing a provisioning mode and sticking with it.
  2. Map your SCIM User Groups to your Teams in All Quiet. For Manual Provisioning Mode, there have to be existing teams for you to be able to map them.
    Changing an existing mapping will add Users to other All Quiet Teams and / or remove them from their old Teams, depending on your selection. If you use the Teams section to invite Users from your SCIM Groups to your All Quiet Teams, those users will remain in the Team, even if you later remove their SCIM Group from the Team.
  3. Choose whether provisioned users should be assigned Member or Administrator roles within the teams. You can update these roles via the Teams section at any time for each User. Learn more about team roles here.
  4. Optionally, you can also assing Organization Member, Organization Administrator or Organization Owner roles to the provisioned users.
  5. Save your settings. You will find the Users from your SCIM User Groups in your All Quiet Teams.
Auto Provisioning from Groups
  1. In this case, we’ve selected Auto Provisioning from Groups as provisioning mode. For this mode you don’t have to create All Quiet teams in advance. However, it’s also much stiffer.
  2. Auto Provisioning options:
    1. Group Provisioning Filter: You can use this field if you only want certain SCIM User Groups to be auto provisioned to All Quiet Teams.
    2. Default Team Role: Choose whether provisioned users should be assigned Member or Administrator roles within the Teams.
    3. Default Organization Role: You can additionally assign Member,Administrator or Owner roles within the Organization.
  3. A preview showing which SCIM User Groups will create which All Quiet Teams.
  4. Again, safe to create the teams through auto provisioning mode.

Provisioned Users Cannot Be Edited via Web App.

To ensure that the resources managed via your SCIM provider stay in sync with your setup, we lock provisioned resources within the Web App. This means these resources cannot be edited or deleted directly through the Web App’s interface. Provisioned resources are marked with an icon, and hovering over it will display a message explaining why the resource is locked and cannot be modified via the Web App.
Exception: Depending on your organization’s settings, SCIM provisioned users can still add / change their phone number via the Web App.
Your current settings can be found on the SSO page of your organization. If you want to change your settings, please contact support@allquiet.app.