SAML Public Authentication Certificate for Signed Authn Requests
June 21st, 2024 Update: We have created a Quickbase app to host the Quickbase SAML Zip File. Access the app to download the zip. For Quickbase Realm and Account Administrators As a Quickbase Realm or Account Administrator, you are probably aware of how your users authenticate (login) to the Quickbase platform. Many Quickbase customers use our SAML authentication feature. Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services, such as Quickbase, that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. To help you understand what you may be using at your company, some examples of SAML, SSO or IdP (Identity Provider) vendors are Okta, OneLogin, Microsoft, Duo, and there are many others. Some customers using the SAML authentication feature may also choose to use an extra layer of security whereby each authentication request from the Quickbase platform to your company’s SSO directory (or IdP) is signed by Quickbase using a public authentication certificate configured on the Quickbase platform. Quickbase refers to this extra security feature as the “SAML Authn Requests” option. It has that name because there is a feature in the Quickbase SAML configuration settings named “SAML Authn Requests”. Only Quickbase staff can see this option or change it. It is only enabled when a customer informs Quickbase of the customer's intention to configure their IdP to require signing of authentication requests made by the Quickbase platform to the customer's IdP as part of the SAML authentication process. If a customer wants to know if they are using the “Signed Authn Requests” option, or would like the option enabled or disabled, they can open a support case with Quickbase Technical Support. When the “SAML Authn Requests” feature is enabled by Quickbase, and the customer has configured their IdP to require signing of authentication requests made by the Quickbase platform to the customer's IdP as part of the SAML authentication process, both Quickbase and the customer’s IdP must use the same public authentication certificate in order for Quickbase authentication to work successfully. If they do not match, Quickbase authentication (logins) will fail and the customer will be unable to use Quickbase. Once a year, Quickbase is required to rotate the public authentication certificate. The certificate rotation will occur on a specific date/time within a 15 minute maintenance window. Therefore, the certificate rotation process requires careful coordination between Quickbase and all customers who have chosen to use the “SAML Authn Requests” feature. Typically, about 2 weeks prior to the annual rotation, Quickbase will communicate to Realm and Account Administrators for customers using the “SAML Authn Requests” feature via in-product messaging and possibly also e-mail. We also post a notice on the Quickbase service page. We provide a link to this Community post which specifies in a section below the date and time of the rotation and provides a link to download the new public authentication certificate. The Realm and Account Administrators need to contact the person or team at their company responsible for administering their IdP/SSO/SAML system, typically their IT department, in order to ensure that the new public authentication certificate from Quickbase is also installed in the customer’s IdP/SSO/SAML system during the 15 minute maintenance window announced by Quickbase. The public authentication certificate CANNOT be changed in your company’s IdP prior to the announced maintenance window or logins to the Quickbase platform will break. If the certificate is not changed in your company’s IdP during the 15 minute maintenance window announced by Quickbase, logins to the Quickbase platform will be broken until the certificate is updated in the IdP. For Single Sign-On (SSO) or Identity Provider (IdP) Administrators NOTE: The remainder of this Quickbase Community post is highly technical and should be reviewed by the person or team responsible for administering the Single Sign-On (SSO) or identify provider (IdP) system used to control access to the Quickbase platform. Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials (username and password). An identity provider (IdP) system is a directory of usernames, passwords, groups, roles, etc. that is typically used to manage access to the applications used by a company. Another acronym commonly associated with Single Sign-On is SAML. Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications. Many customers use Quickbase's SAML authentication feature. A subset of customers may have the “Signed Authn Requests” option selected in their Quickbase SAML configuration. That option is a security enhancement that results in Quickbase signing the authentication requests made to the customer’s identify provider (IdP). Use of this option also requires the customer to configure their IdP to require signing of authentication requests made by the Quickbase platform to the customer's IdP as part of the SAML authentication process. Please note that customers who choose to use the “Signed Authn Requests” option and enable signing of authentication requests on their IdP must be prepared to manage the annual public authentication certificate update process described below. The option itself offers only marginal security benefit so customers should decide for themselves if that marginal security benefit is worth the effort required to coordinate and execute the update of the certificate and potentially incur several minutes or more of down time for their use of the Quickbase platform while the public authentication certificate on their IdP may not match the certificate used on the Quickbase platform. The “Signed Authn Requests” option is only visible to Quickbase staff and can only be changed by Quickbase staff. It should only be enabled when a customer informs Quickbase of the customer's intention to configure their IdP to require signing of authentication requests made by the Quickbase platform to the customer's IdP as part of the SAML authentication process. If a customer wants to know if they are using the “Signed Authn Requests” option, or would like the option enabled or disabled, they can open a support case with Quickbase Technical Support. In order to validate that the signed authentication requests actually come from Quickbase, we provide the customer with a public authentication certificate. Customers using the “Signed Authn Requests” option must ensure their IdP is configured with the public authentication certificate currently being used by the Quickbase platform to sign authentication requests made by the Quickbase platform to the customer's IdP as part of the SAML authentication process. If the public authentication certificate configured in the customer’s IdP does not match the public authentication certificate being used by Quickbase, the customer will not be able to authenticate successfully to the Quickbase platform. Please note that Quickbase has no ability to know if or how a customer has configured their IdP. We therefore cannot tell a customer if their IdP is requiring Quickbase to sign authentication requests and we cannot tell a customer if the public authentication certificate Quickbase is using matches the certificate the customer has configured in their IdP. Quickbase rotates the public authentication certificate every year and distributes it to applicable customers inside a certificate file via this Quickbase Community post. Quickbase determines the applicable customers based on which have the “Signed Authn Requests” option enabled in their Quickbase SAML configuration. During the period of time starting on the date that we announce our intention to update the certificate, and ending after the date/time we actually update the certificate on the Quickbase platform, we make both the current and new certificates available in this Community post. After we update the certificate on the Quickbase platform, we then remove the now out-of-date certificate from this Community post. Prior to the annual public authentication certificate rotation period, Quickbase will communicate via in-product messaging and possibly also e-mail to Quickbase realm and account administrators at the applicable customers the specific date/time on which we intend to update the certificate on the Quickbase platform. When Quickbase updates the certificate, we do so during a 15 minute maintenance period on the announced date/time. We strive to provide customers with enough notice of this maintenance period for them to notify their responsible staff, typically their IT department or whichever group within the customer’s organization is responsible for administering their identify provider (IdP) system. The customer’s IdP administrator should plan to update the public authentication certificate provided by Quickbase during the 15 minute maintenance period announced by Quickbase. Doing so will minimize the chance of the customer experiencing any interruption of their use of the Quickbase platform. NOTE: For any customer using the “Signed Authn Requests” option, i.e., requiring signing of authentication requests made by the Quickbase platform to the customer's IdP, any time the public authentication certificate used by Quickbase does not match the public authentication certificate configured in the customer's IdP, logins to the Quickbase platform will fail. It is therefore essential that the customer update the public authentication certificate in their IdP during the 15 minute maintenance period announced by Quickbase annually. Quickbase Public Authentication Certificate Rotation Maintenance Window Quickbase plans to update the public authentication certificate on Wednesday, November 15, 2023, between 8:00 PM and 8:15 PM Eastern US Time. Current and New Public Authentication Certificates The NEW public authentication certificate is provided below for you to download and install on your identify provider during the 15 minute maintenance period. The zip file contains both the metadata (with certificate contained inside) as well as the certificate itself. CURRENT (Expires November 25, 2023): QB_SAML_Exp11-25-2023.zip NEW (Expires November 24, 2024): QB_SAML_Exp11-24-2024.zip Additional Information on SAML Public Authentication Certificate Configuration Scenarios and Expected Outcomes This section describes several scenarios that could exist specific to a Quickbase customer using SAML authentication for access to the Quickbase platform. Quickbase SAML configuration option “Signed Authn Requests” is disabled, and Customer does not configure their IdP to require signing of SAML authentication requests. In this case, logins to the Quickbase platform will work normally assuming there are no other SAML configuration issues. There is no use of public certificates in this scenario. Quickbase SAML configuration option “Signed Authn Requests” is disabled, and Customer configures their IdP to require signing of SAML authentication requests, and has the currently applicable public authentication certificate from Quickbase installed in their IdP. In this case, logins to the Quickbase platform will fail because the Customer's IdP is expecting authentication requests from Quickbase to the IdP to be signed and Quickbase is not signing them because the “Signed Authn Requests” option is disabled. Quickbase SAML configuration option “Signed Authn Requests” is enabled, and Customer configures their IdP to require signing of SAML authentication requests, and has the currently applicable public authentication certificate from Quickbase installed in their IdP. In this case, logins to the Quickbase platform will work normally because the Customer's IdP is expecting authentication requests from Quickbase to the IdP to be signed using the currently applicable public authentication certificate and Quickbase is signing them with that same public authentication certificate. Quickbase SAML configuration option “Signed Authn Requests” is enabled, and Customer configures their IdP to require signing of SAML authentication requests, and has a public authentication certificate installed in their IdP that is either expired, or does not match the public authentication certificate currently being used by Quickbase. In this case, logins to the Quickbase platform will fail because the Customer's IdP is expecting authentication requests from Quickbase to the IdP to be signed using the public authentication certificate they have configured in their IdP and Quickbase is signing them with a different public authentication certificate. Quickbase SAML configuration option “Signed Authn Requests” is enabled, and Customer does not configure their IdP to require signing of SAML authentication requests. In this case, logins to the Quickbase platform may or may not work normally depending on the IdP and how it handles a signed request. Quickbase cannot anticipate how different IdPs may handle this scenario. The solution is to open a case with Quickbase Technical Support and request that the “Signed Authn Requests” option be disabled.399Views2likes0CommentsLive Chat with Others in The Qrew in Discord
You may have missed my blog a ways back on The Discord Qrew...you can learn about ways people are helping each other out clicking the above link. If you're looking to engage in a real time chat experience, with other Quickbase professionals, the community-led Discord Qrew is a great spot to do this. Come connect with RossonLong1 and others as they tackle challenges in real time! Click here to access!249Views2likes8CommentsSam Trachy's Daily Office Hours 1pm EST
Quickbase Solution ConsultantSamTrachy offers an Office Hours to anyone in The Qrew to join! This is a great resource even if you don't have a question and want to join and listen in. All questions are welcome! Beginner, Intermediate, Advanced, it doesn't matter. Whatever Quickbase question is on your mind, bring it to Office Hours and go over it with a Quickbase Pro. Sign up for as many Office Hours sessions as you like here!199Views1like3CommentsQuickbase approach to accessibility
Go to our help center to read an updated version of this post and learn more aboutQuickbase accessibility. Quickbase is a mature platform, having been developed and iterated on for 20+ years. The platform currently receives over 2 billion requests per month and has hundreds of thousands of active users. We are committed to ensuring Quickbase is an accessible platform for all of these users, a value you’ll see reflected in the product areas we modernize. As we continue to invest in adding features and making it more usable and delightful, it is important Quickbase is accessible and inclusive to everyone. This may include users with physical disabilities, motor or vision impairments. This is often referred to as “Accessibility”. As the head of the User Experience team here at Quickbase, my team of designers and I work closely with a dedicated team of developers that are trained in WCAG 2.1 AA standards. Collectively, we support all our development teams and continue to drive progress in this area. Quickbase aims to meet WCAG 2.1 AA standards in our new and upgraded features that are designed to be consumed by end-users. Improvements are also expected incrementally for builder and app management features. You’ve recently seen innovation in reports and dashboards, and 2022 will bring a major overhaul of our forms experience. We recognize that accessibility is a process, not a project. Committing to accessibility benefits all our users; not just with a disability. 2020 was a year spent laying the foundation for future accessibility work, much of which came to light in features released in 2021. This foundation included several strategic updates such as building a base layer of accessible components to be utilized in many types of features, adding automated testing tools, and establishing a manual testing workflow. For example, below - the image shows one of our reusable toolbar component specs. You can see this in many areas of the product where we provide controls for smaller user actions like filtering for reports. Most recently, we upgraded the report settings to be in a panel on Kanban reports. The toolbar is documented with keyboard access for getting in and out using your keyboard. Each of our reusable components is documented in this way starting at the design phase. Keyboard navigation is a critical aspect of accessibility and something that many power users rely on. This level of detail in our design and development ensures a thoughtful and consistent experience throughout Quickbase. The video below shows how our date picker component can be navigated using your keyboard. Having the specs for new components allows our dev team to build with accessibility in mind. Before/after feature examples Our commitment toaccessibilityis aligned with our General Availability (GA) dates for a given new feature. While a portion of the feature may have enhancedaccessibilityduring beta, audits and further tweaks occur during our final release readiness processes. Bugs, defects, and enhancement requests surroundingaccessibilitywill be addressed in order of priority. Below are some example features that illustrate what it means for a feature to be accessible. Dashboards/pages Adding a filter to a dashboard Before After Early in the development process, we had not yet finalized our accessibility standards. Initially, users could not use their keyboard in an accordion. This meant that they could not fill out the required fields to add a filter to a dashboard. Users can now use their keyboard to navigate into the accordion and through the entire filter page. The underlying accessibility updates allow all users to access the needed form fields to add a filter. Administration Manage users dialog Before After Previously, when a dialog was opened, the focus remained on whatever element triggered the dialog and users did not have a way to move focus to the dialog. Dialogs now follow the recommended accessibility pattern and have focus manually moved to them when they are opened, easily allowing users to interact with and navigate through them. Table report Updated toolbar button labeling for screen readers Before After The toolbar in the old table report had several accessibility issues including labels not being associated with buttons or elements being styled to look like buttons but not being keyboard accessible, interactive page elements. In the new table report, toolbar icon buttons were given ARIA labels to surface their functionality to screen-reader or other assistive technology users and all interactive elements are keyboard navigable. More actions menu access Before After Previously the more actions menu was in the page tab order, but the menu could not be opened or interacted with via the keyboard. Users are now able to navigate to and interact with the more actions menu using only their keyboard. When they are done using the menu, focus returns to the more actions button and users can continue moving through the page. Pagination access and navigation Before After The pagination in the legacy table report style was difficult to navigate to and not all elements were in the page tab order. The pagination in the new table report was updated to allow greater keyboard navigation and interaction. All elements are accessible and operable via keyboard. Additionally, more properties were added to the pagination to allow screen reader “rotor” features to find and navigate directly to it from anywhere on the page. Timeline report Keyboard navigation in timeline reports Before After The original grid that included the timeline report was not accessible via the keyboard. Users were not able to navigate through the table to access timeline range bars or other elements. When developing the new timeline report, the team manually tested to ensure that users were able to access and interact with timeline bars as needed. Users can move through the timeline report using their arrow keys and trigger additional information using their spacebar or enter keys. FAQs What standards does Quickbase follow for coding of interfaces (if 508, what parts, if WCAG 2.0, which level)? Quickbase aims to meet WCAG 2.1 AA standards in our new and upgraded features that are designed to be consumed by end-users. What is the Quickbaseaccessibilityconformance testing process? Ouraccessibilitytesting process includes automated testing, manual testing with our QA team, and External 3 rd party audits. Does Quickbase have clients who require accessibility (Federal government, international, local company policies)? If so how are they ensuring Quickbase meets their requirements? We have thousands of customers that use Quickbase in many different ways with varying needs with respect to accessibility. We engage with customers on accessibility questions by sharing our roadmap and working with their account teams to understand and prioritize their requests. While the Quickbase platform is not required to be compliant with specific accessibility laws, we arecommitted to promoting and improving accessibility for our users with disabilities. Quickbase is addressing accessibility for the platform in our new developments by including features that support specifications of the Web Content Accessibility Guidelines (WCAG) 2.1 AA. For example,updates have been made to features within the dashboards/pages, administration, and various reports, which users may access and use.Upon request, Quickbase will provide its most recent Voluntary Product Accessibility Template for its service(s).With respect to accessibility, Quickbase is open to discussing areas of particular importance to our customers and helping to identify solutions to meet their needs. Does Quickbase do testing with users with disabilities? If so, can you explain the process and identify, roughly, the range of disabilities and access technologies used? Our team is currently partnering with an outside vendor to ensure we get coverage with real users with a wide range of disabilities. The assistive devices that our vendor uses are: Screenreaders -JAWS, NVDA, VoiceOver, TalkBack, Narrator Magnification -ZoomText, iOS Zoom, Android Zoom, Browser Zoom Alternative navigation -Dragon NaturallySpeaking, Switch systems, Headmouse, On-screen keyboard The process includes our trained team members putting together a request with this vendor to have an item, a user flow, or a combination of the two tested. This vendor makes provides detailed reporting on testing means and methods, and is available to help the team to understand the feedback. What experience coding for accessibility do Quickbase developers have? We have a dedicated team of developers, QA, and designers that are trained in the WCAG 2.1 AA standards. Not only do they work on developing new features and components for Quickbase, but they each are also designated mentors across all our engineering teams. Does Quickbase have a roadmap for accessibility going forward? Yes, we have areas of the product that we are actively working on with new designs and features that will be made accessible to the WCAG 2.1 AA standards. Other areas of the product are not being actively worked on, or are in our roadmap to redesign in the upcoming years. That being said, as a company we take critical accessibility gaps and weigh them with our ongoing efforts for improvement on a regular basis. Please reach out to your account team to discuss this in detail. Has Quickbase tested and/or developed your mobile apps with accessibility in mind? Mobile is an area that we are working on more in-depth in the coming year. Our existing team members will be working closely with them as we assess the roadmap for this team. Like other areas of the product accessibility for new features, these updates will follow our WCAG 2.1 AA standards. If customers find that there are changes that need to be made to web/mobile interfaces/apps, what guarantee can they have that these will be implemented to their satisfaction prior to go-live/going forward? Quickbase has strict quality standards that we adhere to and accessibility issues are assessed by their severity against WCAG 2.1 AA standards. We take feedback from customers seriously and weigh feedback against all customers and all priorities. If there are specific concerns blocking implementation, we encourage you to work directly with your account team. Is the process for enabling the accessibility mode or alternate interface accessible to a person using assistive technology such that a user would be able to independently enable the mode or access the alternate interface? No enabling or use of alternate is required becauseQuickbase automatically uses the builder-defined schema of the application (like field names and report names) to inform elements like aria labels. No enabling or use of alternate is required. The accessibility of an application will ultimately depend on how a builder incorporates accessible features into the overall design of an application. Specifically describe the extent to which Quickbase is accessible to people with disabilities, including people who are blind or have low vision, are Deaf or hard of hearing, have mobility or dexterity limitations, and who have speech impairments. We are actively working with new designs and features that will be made accessible to the WCAG 2.1 AA standards. Other areas of the product are not being actively worked on currently or are in our roadmap to redesign in upcoming years. That being said, as a company, we take critical accessibility gaps and weigh them with our ongoing efforts for improvement on a regular basis. What methods did Quickbase use to determine the accessibility of the product? We used our internal teams that consist of our Quality Assurance (QA) and System Quality (SQ) teams, and our team of trained designers and developers. For ongoing design work of new areas of the product, see the answer above. To what extent is Quickbase willing to work with customers to improve your product’s accessibility? We are always looking for feedback from customers on our ongoing and existing product and designs. This goes for accessibility feedback and usability in general. In the course of designing features, we'd be happy to get direct feedback. Where is the most recent Quickbase VPAT? Quickbase aims to meetWCAG 2.1 AAstandards in our new and upgraded features that are designed to be consumed by end-users on the web. For specific details on how Quickbase complies with WCAG 2.1 AA standards, refer to our latestVoluntary Product Accessibility Template (VPAT). This report assumes applications are built for end users using the most recent features and user interface components provided by Quickbase.Our goal is to incrementally improve accessibility in our builder features, app management features, and mobile platform. Customers can consult with their account team for review. Learn more about howQuickbase approaches accessibility in our help center. Problems or Questions? If you think there is a specific bug or issue, please open a Tech Support case If you’d like to discuss your account, accessibility plans, and how we can help you be successful, please reach out to your account team For further information, or if you’d like to chat about accessibility, the design team would love to talk to you. Reach out to me to set something up - lsawyer@quickbase.com137Views0likes0CommentsLet's Test the Email Notifications
Hey Everyone, Our vendor was able to make some changes and we can now access our email notifications page in My Settings. (Go to My Settings > Notifications and Follows). Can we use this thread to test it? Adjust your email notification settings and let's see if this is working or still having issues. Prayers up. -Ben105Views1like27CommentsHow to Resolve QuickBooks Desktop Error C 343?
Has anyone dealt with QuickBooks Desktop Error C 343? I'm encountering this error when trying to launch the application. I've tried updating QuickBooks and checking my system files, but nothing seems to work. Any advice or detailed steps on how to fix this issue would be greatly appreciated!100Views0likes1CommentFormula URL - Edit then Add
Hello Everyone, I'm trying to create a single button that will allow our users to add an effective end date to a record on form ID 11 and then when that is saved redirect to the add record api using form ID 10 populated with data from the previous record. Since I haven't been able to get it to work in a single button I created 2 buttons. Indivually both buttons work but combining them isn't. Any ideas? Step 1 code: URLRoot() & "db/" & Dbid() & "?a=er&rid=" & [Record ID#] &"&dfid=11" & "&rdr=" Step 2 code: URLRoot() & "db/" & Dbid() & "?act=API_GenAddRecordForm&dfid=10" & "&_fid_6=" & [Paragraph] & "&_fid_7=" & [Publication] & "&_fid_8=" & [Description] & "&_fid_11=" & URLEncode([Staff Contact]) & "&_fid_17=" & [Effective End Date] & "&_fid_19=" & [Record ID#] When I combine the code I'm using this URLRoot() & "db\n/" & Dbid() & "?a=er&rid=" & [Record ID#] &"&dfid=11" & "&rdr=" &URLEncode(URLRoot() & "db/" & Dbid() & "?act=API_GenAddRecordForm&dfid=10" & "&_fid_6=" & [Paragraph] & "&_fid_7=" & [Publication] & "&_fid_8=" & [Description] & "&_fid_11=" & URLEncode([Staff Contact]) & "&_fid_17=" & [Effective End Date] & "&_fid_19=" & [Record ID#]) I feel like I need a pause before the & "&rdr=" in the third line as I get an error saying something went wrong. For now I will keep it 2 separate buttons but it would be great to combine them and using the save function on the edit record to trigger the second step.Solved100Views0likes4CommentsCopy Single Table from One App to Another
Hi there, deploy question here. I have a production version and a development version of an app. I have added a new table to the development app and created fields and forms. Is it possible to copy the single new table from development app to production app? Is there a better way to deploy changes to a prod environment? Thanks, BrianSolved85Views0likes2Comments