Service Provider Config screen

Integration > Security > Inbound SSO > Service Provider Config

Warning: This screen is in transition and can be called Single sign-on screen on your instance. When you see this screen, you can only configure one protocol, SAML 2.0 or OIDC SSO, at a time.

This screen turns on Single sign-on (SSO) for the company's instance, identifies the type of SSO protocol to use, and configures the service provider (SP) settings for the instance.

Use this screen to configure both the SAML 2.0 and OIDC SSO protocols. Medallia Experience Cloud does not use both protocols simultaneously: the Service Provider Config screen is enabled for instances with IdPs that use either protocol.

As a reminder, when using an external mechanism to authenticate users, the external system is the identity provider (IdP) and the Medallia application is the service provider (SP).

SSO authentication is performed by the IdP.

Common properties

Display SSO login information
Displays a single sign-on (SSO) link on the web sign-on page. To use this feature this option must be turned on for the company instance.
Suppress noisy SSO Event Tickets
Suppresses Event tickets caused by SSO failures. This option does not affect messages on the Single sign-on failed attempts screen: those messages always appear.

Turn this on when the system is receiving frequent SSO Event Tickets caused by bad requests from SSO users or Identity Providers, and the issues cannot be fixed by configuration changes.

These messages are suppressed by default:

  • SAML authentication failed on the IDP side.

  • SAML Assertion expired.

  • SAML Assertion processing failed.

  • Account not found - cannot create the token.

  • No account was affected by the Auto Importer processing.

  • There were issues while processing the SAML permission attributes. Please contact your administrator.

The list of messages to be suppressed can be configured by request to Medallia.

Session timeout in minutes (15-30)
Count of minutes a session may remain inactive before Experience Cloud automatically signs the user out. The default value is 30 minutes; the range is 15 to 30 minutes inclusive. See Single sign-on (SSO) for details about session timeout behaviors.
Max session duration in minutes (>30)
Count of minutes a session may be active before forcibly being signed out. Default is zero (0) or empty: no limit. The minimum duration is 30 minutes. When this property has a duration, all SSO users are automatically signed out after the specified number of minutes. They may immediately sign back in.

SAML 2.0 SP Configuration (MEC-side)

These properties configure Medallia Experience Cloud as a service provider (SP) when the type of SSO protocol is SAML.

SP Issuer

The URL to access the company's SSO instance on the Experience Cloud web portal. The URL will include "sso/" before the company ID, like this:

https://INSTANCE.medallia.com/sso/COMPANY

Note: The SP destination URL is the one the IdP uses when sending the assertion to Medallia. It is the same as the SP Issuer URL, except the target will include logonSubmit.do, like this:

https://INSTANCE.medallia.com/sso/COMPANY/logonSubmit.do
Medallia Certificate

Identification information about the keys and certificate to be used in the SAML authentication flow. This property is only visible when Medallia Operations has configured the instance to encrypt requests to the IdP.

Description of a certificate

Depending on configuration, this key will be used as follows:

  • If response-encryption is enabled, the key is used to decrypt the SAML response from the IdP.

  • If request-signing is enabled, the key is used to sign the authN request to the IdP during the SP-initiated SAML flow.

The certificate information is included in the SP-metadata file provided to the IdP; it is never exposed in communications.
Generate SAML Metadata File
Generates an XML metadata file that contains the information the IdP needs to configure the connection with Experience Cloud. The file contains the SP Issuer URL, the certificate or key information the IdP needs, and other metadata. The IdP uses this data to configure the connection.
Generate SAML Metadata File with secondary certificate
Same as the Generate SAML Metadata File option except this is only available when there is a secondary certificate configured for the instance. Use this option to share the configuration for the secondary certificate.
Original URL expiration (secs)
(optional) Count of seconds to remember the original URL the user used to connect to the Medallia application during SP-initiated sessions. A user might use a URL that goes to a specific report. If the sign-on process takes longer than this number of seconds, they will be directed to their default page instead, which is typically the Dashboard. Default is 600 seconds.
Allowed external redirect URLs
Approved URLs which the user may be redirected to. The IdP must send the URL in the SAML RelayState parameter. See SAML SSO deep-link authentication for information on using this.
Use these URLs for SSO deep-linking to these Medallia applications:
medallia://                  Medallia Mobile 
com.medallia.mobile://       Medallia Voices
Allowed Referrers
List of referral hosts used by Referrer Test, one per line. Wildcards are valid, such as *.example.com.
Referrer Test

Users must sign in from a host listed in the Allowed Referrers list.
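As an added illustration (not Medallia's code), the following shows how an SP can enforce the two allow-lists described above: the RelayState deep-link target is compared against the Allowed external redirect URLs by scheme and host rather than by naive string prefix, and the Referer host is matched against the Allowed Referrers list with wildcards such as *.example.com. The list contents and the helper names are constructed for this example.

```python
# Added example, not part of the product: allow-list checks for a SAML
# RelayState redirect target and for the HTTP Referer host.
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: one https origin plus the two mobile deep-link
# schemes listed on this page (medallia:// and com.medallia.mobile://).
ALLOWED_REDIRECTS = [
    "https://reports.example.com/",
    "medallia://",
    "com.medallia.mobile://",
]

# Constructed referrer list; wildcards work like shell globs.
ALLOWED_REFERRERS = ["*.example.com", "idp.example.net"]


def relaystate_allowed(relay_state: str, allowed=ALLOWED_REDIRECTS) -> bool:
    """True if the RelayState may be used as a post-login redirect target.

    A relative path stays on the SP itself and is allowed (but not the
    protocol-relative //host form). Anything with a scheme must match an
    approved entry on scheme and host, so that a look-alike host such as
    reports.example.com.evil.test is rejected; entries with no host
    (custom app schemes) allow any target under that scheme.
    """
    parts = urlsplit(relay_state)
    if not parts.scheme:
        return relay_state.startswith("/") and not relay_state.startswith("//")
    for entry in allowed:
        e = urlsplit(entry)
        if parts.scheme.lower() != e.scheme.lower():
            continue
        if e.netloc == "" or parts.netloc.lower() == e.netloc.lower():
            return True
    return False


def referrer_allowed(referrer: Optional[str], allowed=ALLOWED_REFERRERS) -> bool:
    """True if the Referer header's host matches an allowed pattern.

    A missing Referer corresponds to the Referrer Null case and a host not
    on the list to the Referrer Not Permitted case described on this page.
    """
    if not referrer:
        return False
    host = urlsplit(referrer).hostname
    if not host:
        return False
    return any(fnmatchcase(host.lower(), pat.lower()) for pat in allowed)
```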

OIDC SP Configuration (MEC-side)

These properties configure Medallia Experience Cloud as a service provider (SP) when the type of SSO protocol is OIDC.

OIDC Redirect URL
The redirect URL to configure at the OIDC IdP; the IdP sends OIDC responses to this URL.
State Information expiration (secs)
Count of seconds to retain the state information for OIDC requests. If the IdP login takes longer than this, the user is redirected to their default page (usually the homepage). Default is 600 seconds (10 minutes).

Error Messages

These properties are the error messages shown to users when single sign-on fails. Not all messages are available for all protocols.

Session Expired Message
The user's session has expired.
Note: The user does not see this message for SP-initiated SSO because an expired session automatically redirects to the IdP for reauthentication.
Logout Message
Instructions to the user telling them what to do after they have signed out of Medallia Experience Cloud. Typically this tells the user to close the browser window.
Referrer Null Message
No referrer value could be retrieved from the request and the referrer check is enabled.
Referrer Not Permitted Message
The referrer is not allowed and the referrer check is enabled.
Parameter mapping error message
A required parameter was not included in the request.
Account not found or inactive message
(Not applicable to SAML) The username does not have an account.