Connecting Microsoft Azure AD / Entra ID and Q.wiki (SAML)

Modified on Thu, 2 Apr at 4:21 PM

This guide is intended for IT professionals. It supports the independent integration of Q.wiki with Microsoft Entra ID. If you have questions, documentation from Microsoft or Q.wiki Support can help you.

Tip: We strongly recommend using SCIM and OIDC for user provisioning and single sign-on. SCIM provisions all selected users "just in time" and enables you to assign content and permissions to users in Q.wiki before they first log in. This is not possible with SAML and "just in time" provisioning.
Prerequisite: You need Key User rights to perform the following steps.

Recommendations and General Information

Limitations

This guide covers SAML authentication. Note the differences between SAML and SCIM/OIDC for provisioning in the introduction above.

Migrating Existing Users

When you integrate Entra ID, existing Q.wiki users with matching email addresses are automatically migrated. Migrated users are updated with data from Entra ID and are managed by this system from that point forward.

Migrated users log in using the Use Enterprise Login button. Login with username and password is no longer available.

Set Up an Emergency Account

If Entra experiences a malfunction or the secret token expires, access is only possible through user accounts manually created in Q.wiki. For this reason, we recommend adding a manually managed account to the KeyUserGroup. This account must have a valid email address and must not be provisioned via Azure – an impersonal email address like "service@" or "it-support@" works well.

If the token has already expired, read the article 401 Unauthorized Error When Logging In.

Integrate Entra ID – Users and Groups (SAML Provisioning and Authentication)

Provisioning

With SAML authentication configured, just-in-time provisioning is active. User accounts are automatically created in Q.wiki when they first log in. You can disable provisioning in User Management > Three-Dot Menu > Configure Provisioning.

Authentication

  1. Create a new Enterprise Application in Microsoft Entra ID.
  2. Start Create your own application.
  3. Enter the app name and select Non-gallery.
  4. Click Create.
  5. Select Single Sign-On > SAML in the newly created app.
  6. Edit the basic SAML configuration:

    The Q.wiki SAML metadata (XML) is available at https://tenant.qwikinow.de/saml/sp/metadata.

    Copy the ACS URL from the Q.wiki dialog.

    Paste it as the Entity ID and Reply URL in Entra.
  7. Download the certificate from Entra and upload it to Q.wiki.
  8. Select the users under Users and Groups who should have access to Q.wiki.
  9. The Name ID is explicitly expected with the attribute name "email" – this is standard for Entra, but may require custom mapping in other IdPs. The Name ID format is not specified.
  10. To correctly display the user display name, mapping "name" to "displayname" is required.
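
A pre-flight check for step 6, added here as an example and not taken from Q.wiki's or Microsoft's documentation: it reads the ACS URL out of the SP metadata and compares it with the Entity ID and Reply URL entered in Entra. The sample metadata is constructed, the ACS path is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. The real document is served at
# https://tenant.qwikinow.de/saml/sp/metadata; the ACS path below is a
# placeholder, and entityID == ACS URL is assumed from step 6 of the guide.
ACS_URL = "https://tenant.qwikinow.de/saml/ACS-PLACEHOLDER"
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{ACS_URL}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="{POST_BINDING}" Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_urls_from_metadata(xml_text):
    """Return the HTTP-POST AssertionConsumerService URLs in SP metadata."""
    # Only feed this metadata fetched from your own tenant over HTTPS.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    return [e.get("Location")
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")
            if e.get("Binding") == POST_BINDING]


def check_entra_settings(xml_text, identifier, reply_url):
    """List differences between the ACS URL and the values typed into Entra."""
    acs = acs_urls_from_metadata(xml_text)
    if not acs:
        return ["metadata has no HTTP-POST AssertionConsumerService"]
    problems = []
    fields = (("Identifier (Entity ID)", identifier), ("Reply URL", reply_url))
    for label, value in fields:
        # Exact string comparison: a trailing slash or case change is a mismatch.
        if value not in acs:
            problems.append(f"{label} {value!r} does not match ACS URL {acs}")
        if not value.startswith("https://"):
            problems.append(f"{label} {value!r} is not an https:// URL")
    return problems


if __name__ == "__main__":
    # Constructed mistake: Reply URL pasted with a trailing slash.
    for line in check_entra_settings(SAMPLE_SP_METADATA, ACS_URL, ACS_URL + "/"):
        print("MISMATCH:", line)
```
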
