SAML SSO deep-link authentication

SAML SSO deep-link authentication, also called IdP-initiated SSO, is an alternative to standard IdP authentication in which the company IdP sends a URL associated with an application to Medallia Experience Cloud (the SP), and the verified user is then redirected to that URL to run the application. This is useful for companies that use multiple Experience Cloud applications, because the user chooses the application from a list provided by the IdP. (The IdP may present only those apps the user is permitted to use.)

Note: Use SSO deep-link authentication to allow different users access to different applications served by the same SP. Standard IdP-initiated authentication sends all users to the same, fixed URL. SP-initiated authentication does not allow the IdP to determine a specific Medallia Experience Cloud application to authorize: it's all or nothing.

SSO deep-link authorization redirects to the IdP, which then redirects back to the SP while including a Client URL that identifies the authorized application.

When using SSO deep-link authentication:

  1. The user starts at the company IdP home page, which authorizes the user.

  2. The authorized user identifies the application from a list provided by the IdP. Each Experience Cloud application has a unique Client URL that identifies it. This is provided to the IdP by the person who sets up the Experience Cloud instance.

    Tip: The Client URL can redirect to a dashboard or report in Medallia Web reporting by including the URI to the report. For example, a Client URL might look similar to this to access a dashboard:
    https://instance.medallia.com/company/homepage.do?id=4923

    The URL can also tell a mobile device to load the Medallia Mobile application, like this:

    medallia://idp?companyid=<company>?sb

  3. After the user chooses the application, the IdP provides a SAML assertion that includes the Client URL in the relayState parameter. The IdP then redirects the user to the SSO endpoint: the Experience Cloud SSO SP server.

  4. The application sends the assertion to the SSO endpoint.

  5. The Experience Cloud server acknowledges the authorization, verifies the Client URL by comparing it to an allow-list of authorized URLs, and then redirects the user to the application identified by the URL.
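The allow-list check in step 5 is what keeps the RelayState value from turning the SP into an open redirector: the SP must only honour Client URLs that were registered ahead of time. The following is an added example of that check, not Medallia's own code; the allow-list entries, the fallback landing page and the strict rule that scheme, host, port and path must match an entry exactly (with the query string passed through unchanged) are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registered Client URLs (example values, not a real
# Medallia configuration). Entries are stored without their query string.
ALLOWED_CLIENT_URLS = (
    "https://instance.medallia.com/company/homepage.do",
    "medallia://idp",
)

# Assumed upper bound on RelayState length; SAML does not mandate one, but an
# SP should refuse to process unbounded input.
MAX_RELAY_STATE_LENGTH = 2048


def _canonical_key(url: str):
    """Parse a URL into the (scheme, host, port, path) tuple used for comparison.

    Returns None when the URL cannot be trusted: empty or oversized input,
    whitespace or control characters (header-injection attempts), relative or
    scheme-less URLs, credentials in the authority part, or an unparseable port.
    """
    if not url or len(url) > MAX_RELAY_STATE_LENGTH:
        return None
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc or "@" in parts.netloc:
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    # An empty path (e.g. medallia://idp?companyid=acme) is treated as "/".
    return (parts.scheme.lower(), host, port, parts.path or "/")


def is_allowed_client_url(relay_state: str, allow_list=ALLOWED_CLIENT_URLS) -> bool:
    """True only if the RelayState value names an allow-listed Client URL.

    Scheme, host, port and path must equal an allow-list entry exactly; the
    query string (for example ?id=4923 selecting a dashboard) is not part of the
    comparison and is passed through to the redirect untouched.
    """
    key = _canonical_key(relay_state)
    if key is None:
        return False
    allowed = {k for k in map(_canonical_key, allow_list) if k is not None}
    return key in allowed


def redirect_target(relay_state: str,
                    fallback: str = "https://instance.medallia.com/") -> str:
    """URL the SP should send the user to after a successful assertion.

    Uses the Client URL from RelayState when it is allow-listed; otherwise the
    user lands on the assumed fallback page instead of an attacker-chosen URL.
    """
    return relay_state if is_allowed_client_url(relay_state) else fallback


if __name__ == "__main__":
    # Constructed RelayState values as they might arrive in a SAML response.
    for candidate in (
        "https://instance.medallia.com/company/homepage.do?id=4923",
        "medallia://idp?companyid=<company>?sb",
        "https://instance.medallia.com@evil.example/company/homepage.do",
        "//evil.example/company/homepage.do",
    ):
        print(f"{is_allowed_client_url(candidate)!s:5}  {candidate}")
```

Because the comparison is exact rather than prefix-based, a registered dashboard URL does not implicitly authorize other paths on the same host; each Experience Cloud application the IdP may send users to has to be listed individually.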

Restriction: To use deep-link authentication, the IdP must support and include the SAML relayState parameter in the SAML authorization response. The parameter carries the Client URL that identifies the user application to the Medallia Experience Cloud servers. For information about relayState, see https://en.wikipedia.org/wiki/SAML_2.0 and review the section titled "Redirect to IdP SSO Service".