SAML Frequently Asked Questions (FAQ)

Document created by Parag Baxi on Oct 9, 2013. Last modified by Andrew Kellman on Jan 6, 2020. Version 49.


The purpose of this document is to provide a reference for frequently asked questions regarding Qualys SAML support.


Getting Started


The SAML 2.0 single sign-on integration requires acceptance of the New Data Security Model.


To initiate SAML onboarding, please provide the following, using the SAML 2.0 Integration Request Form, via the Contact Support - Technical Assistance Form:

  • EntityID string from IdP (SAML Identity Provider)
  • Public key certificate for the IdP (your organization's IdP base64 cert in .txt format)
  • Organization's SAML IdP SSO URL (SP initiated authentication requests)
  • Subscription (such as abcd_ef)
  • Custom exit URL for a subscription (Optional)


Is my Platform supported?

Our plan is to extend SAML support to all public Qualys platforms (Identify your Qualys Platform). The current SAML status for each platform follows:


Qualys Platform | In Development | Open Beta | General Availability
US Platform 1: X
US Platform 2: X
US Platform 3: X
EU Platform 1: X
EU Platform 2: X
IN Platform 1: X



The SAML connector is free.



What is the current lead time to get SAML enabled for my subscription?

The lead time is 5-7 business days.


What SAML versions are supported?

Qualys supports SAML 2.0 for Single Sign-On. Qualys does not support SAML 1.0.


When enabled, is SAML required for all users in my subscription?

No. Qualys SAML offers user granularity. Subscription Managers can turn SAML on or off for individuals. There must always be at least one Manager user in the subscription without SAML enabled.


How do I enable SAML for a user?

Once SAML is enabled for the subscription, any Manager can enable it for a user.

[Screenshot: Enable SAML SSO for user]


Secondly, insert a unique string in the “External ID” field in the user settings. Here's an example using an email address. **This field is case-sensitive**

[Screenshot: External ID field for user account]


I am a Manager. Why can I not edit the External ID field?

If you are not the primary manager, the primary manager must give you permission to edit the External ID field. The primary manager can do this by going to Users > Setup > Security and choosing the option "Allow other users to manage external IDs".

[Screenshot: Security option to allow other users to manage external IDs]


My IdP broke! Can I still log into Qualys?

Yes. A password reset must be requested by the subscription manager. Support is then able to disable SAML for a user without affecting any other users in the subscription. A new password is automatically sent to the email for that account.



Specs and capabilities?


Qualys EntityID: QualysGuard_SharedPlatform-SAML20-SP
Qualys ACS URL (Shared Platforms)

US Platform 1:

US Platform 2:

US Platform 3:

EU Platform 1:

EU Platform 2:

IN Platform 1:

CAN Platform 1:

Qualys public certificate


It's recommended that you use qualysguard_external_id, which is returned to the ACS with the same value as the External ID field in the user's account. Optionally, you could use any standard SAML attribute name; contact Support to do this.

Binding Profile: SP-Initiated SSO: HTTP-Redirect URL
Federation process: Identity Provider (IDP) initiated and Service Provider (SP) initiated.
Identity Mapping: Transient
Logout: Logout link is provided by Customer, by default it is redirected to
Metadata exchange: Not supported
Response Signing: Yes
Response Encrypted: Yes
Security hash: SHA-1 and SHA-256
Target URL: Not supported – user is directed to QualysGuard dashboard after successful login
Version: SAML 2.0 for Single Sign-On
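
The specs above and the case-sensitive External ID field can be checked against an IdP's test output before a user is switched to SAML. The following is an added example, not Qualys code: it assumes you have the cleartext response XML from your IdP's preview or test tool (before encryption) and that the IdP sets the audience to the Qualys EntityID, as is standard in SAML 2.0. The function names and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
QUALYS_ENTITY_ID = "QualysGuard_SharedPlatform-SAML20-SP"  # from the specs above
ATTR_NAME = "qualysguard_external_id"  # attribute name the page recommends
HASHES = ("sha1", "sha256")  # the page lists SHA-1 and SHA-256
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def preflight(response_xml, external_id):
    """List mismatches between a cleartext SAML response and the settings on
    this page. Reads fields only; it does NOT verify the signature."""
    problems = []
    root = ET.fromstring(response_xml)  # feed it your own IdP's test output only
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if QUALYS_ENTITY_ID not in audiences:
        problems.append("audience is not the Qualys EntityID")
    values = [v.text or "" for a in root.findall(".//saml:Attribute", NS)
              if a.get("Name") == ATTR_NAME
              for v in a.findall("saml:AttributeValue", NS)]
    if not values:
        problems.append(f"attribute {ATTR_NAME} missing")
    elif external_id not in values:  # exact match: the field is case-sensitive
        same_ignoring_case = external_id.lower() in (v.lower() for v in values)
        problems.append("External ID differs only by case" if same_ignoring_case
                        else "External ID value mismatch")
    method = root.find(".//ds:SignatureMethod", NS)
    if method is None:
        problems.append("no signature present")
    elif method.get("Algorithm", "").rsplit("-", 1)[-1] not in HASHES:
        problems.append("signature hash is not SHA-1 or SHA-256")
    return problems

def sample_response(attr_value, audience=QUALYS_ENTITY_ID):
    """Constructed sample (not a real IdP capture); signature value omitted."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f'<samlp:Response {xmlns}><ds:Signature><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
            f'</ds:SignedInfo></ds:Signature><saml:Assertion><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
            f'<saml:Attribute Name="{ATTR_NAME}"><saml:AttributeValue>{attr_value}'
            f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
            f'</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(preflight(sample_response("Jane.Doe@example.com"), "jane.doe@example.com"))
```

An empty list means the audience, attribute name, attribute value and signature hash all line up with the values on this page; the case-only mismatch is reported separately because it is the easiest one to miss by eye.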


How do the regular session timeout and logout features work?

We log out the user from Qualys after 1 hr of inactivity. We delete the Qualys session's cookie but do not modify the IdP's cookie. When the user wants to access Qualys again, we follow the same procedure: contact the IdP to authenticate the user, and upon successful authentication, log the user into Qualys.


Which types of certificates are supported?

Only base64 certificates (used for signing and reading the signature) are supported.


Is the Federation process IDP initiated or SP initiated?

We support both Identity Provider (IDP) initiated and Service Provider (SP) initiated.


Qualys Interoperability

Is API supported?

Yes. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.


Is API supported for a SAML enabled user?

No. Qualys supports API functionality at a subscription level, but only for users that are not SAML enabled.


Is VIP (two factor authentication) supported?

No. VIP and SAML SSO do not work together and cannot be enabled on the same user account.


Partner interoperability

These documents provide information on integrations with other single sign on services.

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief
Microsoft Active Directory Federation Services (ADFS) Integration - Microsoft ADFS is currently supported for authentication. Qualys doesn't provide the build for the client side ADFS trust. However, we do provide the configuration screenshots in the linked document.
Okta Integration - Okta is currently supported for authentication.
OneLogin Integration

Azure Active Directory Integration with Qualys Cloud Platform using SAML2.0
