Single sign-on

Medallia Agent Connect supports Security Assertion Markup Language (SAML) version 2.0 for authenticating users during inbound single sign-on (SSO). These instructions detail how to configure your environment using SAML to authenticate users through your company's SSO identity provider (IdP).

Note: SAML 2.0 supports authentication of existing users only. New users cannot be automatically created by logging in through a SAML 2.0 provider. A Agent Connect Admin must create and invite new users in Agent Connect before those users can use your SSO configuration.

Agent Connect supports SSO through any provider using SAML 2.0.

Process overview

To implement SSO with Agent Connect, follow the process outlined in the following steps.

Configure your IdP — Configure your IdP, as described in IdP configuration, below.
Provide security credentials — Provide your Medallia representative an IdP SSO/ sign-in URL and an X.509 certificate. If you are using multiple IdPs, provide this information for each IdP.
Test your connection — After your Medallia representative has imported the security credentials you provided, test your connection by opening https://<company_subdomain>.stellaconnect.net/employees/sign_in?sso=true in a browser, and then clicking Sign in with provider. If you need help identifying your company subdomain, contact your Medallia representative.
Go live — When you have finished testing, contact your Medallia representative to make your SAML configuration the default and only login option for all users. All users visiting the Agent Connect sign-in screen are redirected to your IdP.

IdP configuration

You must configure general settings for a new app in your IdP, regardless of the provider. You might also need additional configuration settings specific to your IdP.

General configuration

Configure the following IdP settings, regardless of your provider:


Setting	Value
Audience URI/Entity ID	https://<company_subdomain>.stellaconnect.net/
Assertion Consumer Service (ACS) URL	https://<company_subdomain>.stellaconnect.net/employees/auth/saml/callback Note: This is the same for the Recipient and Destination URLs.
Name ID format	Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
Application username or Subject Type	Username or email Note: Choose the field in your IdP containing the email address or custom employee ID used to identify users in Agent Connect.
Start URL	https://<company_subdomain>.stellaconnect.net
Signed Response	On

Provider-specific documentation

Consult your provider's documentation for details about using that provider. Common providers used with Agent Connect include:

External SAML tools

Medallia recommends the following tools to help you integrate SAML in your company's tech stack:

Browsers for SAML schemas — Web services for browsing XML Schemas related to SAML. For more information, see the Assertion, Metadata, and Protocol pages on the Datypic site.
Fiddler — A free web debugging proxy for any browser, system, or platform. For more information, see the Telerik site.
SAML Chrome Panel — A Chrome add-on that extends the Developer Tools, adding support for SAML requests and responses to be displayed in the Developer Tools window. For more information, see the Chrome web store.
SAML DevTools — A Chrome developer tools extension for viewing SAML messages in Chrome. For more information, see the Chrome web store.
SAML Raider — a Burp Suite extension for testing SAML infrastructures. For more information, see the SAML Raider GitHub page.
SAML-tracer — A Firefox add-on for viewing SAML messages sent through the browser during single sign-on and single logout. For more information, see the Firefox Browser Add-ons site.
XML Digital Signature Verifier — A CGI script that demonstrates how to use XML Security Library in real applications. For more information, see the XMLSec Library.