Service Provider Config screen
Integration > Security > Inbound SSO > Service Provider Config
This screen turns on Single sign-on (SSO) for the company's instance, identifies the type of SSO protocol to use, and configures the service provider (SP) settings for the instance.
Use this screen to configure either the SAML 2.0 or the OIDC SSO protocol. Medallia Experience Cloud does not use both protocols simultaneously: the Service Provider Config screen is enabled for instances whose IdPs use either protocol.
As a reminder, when using an external mechanism to authenticate users, the external system is the identity provider (IdP) and the Medallia application is the service provider (SP).
Common properties
- Display SSO login information
- Displays a single sign-on (SSO) link on the web sign-on page. To use this feature, this option must be turned on for the company instance.
- Suppress noisy SSO Event Tickets
- Suppresses Event tickets caused by SSO failures. This option does not affect messages on the Single sign-on failed attempts screen: those messages always appear.
Turn this on when the system is receiving frequent SSO Event Tickets caused by bad requests from SSO users or Identity Providers, and the issues cannot be fixed by configuration changes.
These messages are suppressed by default:
  - SAML authentication failed on the IDP side.
  - SAML Assertion expired.
  - SAML Assertion processing failed.
  - Account not found - cannot create the token.
  - No account was affected by the Auto Importer processing.
  - There were issues while processing the SAML permission attributes. Please contact your administrator.
The list of messages to be suppressed can be configured by request to Medallia.
- Session timeout in minutes (15-30)
- Count of minutes a session may remain inactive before Experience Cloud automatically signs the user out. The default value is 30 minutes; range is 15 to 30 minutes inclusive. See Single sign-on (SSO) for details about session timeout behaviors.
- Max session duration in minutes (>30)
- Count of minutes a session may be active before forcibly being signed out. Default is zero (0) or empty: no limit. The minimum duration is 30 minutes. When this property has a duration, all SSO users are automatically signed out after the specified number of minutes. They may immediately sign back in.
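The two timeouts above are independent: the inactivity timeout resets on every request, while the max session duration is an absolute cap measured from sign-in (0 or empty meaning no cap). The following Python is an added illustration of that evaluation order and of the ranges quoted on the screen; it is not Medallia code, and the function and class names are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Bounds quoted on the Service Provider Config screen.
INACTIVITY_MIN, INACTIVITY_MAX = 15, 30   # "Session timeout in minutes (15-30)"
MAX_DURATION_MIN = 30                     # "Max session duration": minimum 30; 0/empty = no limit


def policy_errors(inactivity_minutes: int, max_duration_minutes: int) -> List[str]:
    """Validate a candidate configuration the way the screen's ranges describe it."""
    errors = []
    if not INACTIVITY_MIN <= inactivity_minutes <= INACTIVITY_MAX:
        errors.append(f"inactivity timeout must be {INACTIVITY_MIN}-{INACTIVITY_MAX} minutes")
    # 0 means "no limit"; any positive value must be at least 30 minutes.
    if max_duration_minutes < 0 or 0 < max_duration_minutes < MAX_DURATION_MIN:
        errors.append(f"max session duration must be 0 (no limit) or >= {MAX_DURATION_MIN} minutes")
    return errors


@dataclass(frozen=True)
class SessionPolicy:
    inactivity_minutes: int = 30      # screen default
    max_duration_minutes: int = 0     # screen default: no absolute limit

    def __post_init__(self) -> None:
        errors = policy_errors(self.inactivity_minutes, self.max_duration_minutes)
        if errors:
            raise ValueError("; ".join(errors))


def session_state(policy: SessionPolicy, created_at: datetime,
                  last_activity: datetime, now: datetime) -> str:
    """Return 'active', 'expired_inactive' or 'expired_max_duration'.

    The absolute cap is checked first: it applies even to a session that is busy,
    which is the "forcibly signed out" behaviour the screen describes.
    """
    if policy.max_duration_minutes and now - created_at >= timedelta(minutes=policy.max_duration_minutes):
        return "expired_max_duration"
    if now - last_activity >= timedelta(minutes=policy.inactivity_minutes):
        return "expired_inactive"
    return "active"


if __name__ == "__main__":
    # Constructed sample timestamps.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    policy = SessionPolicy(inactivity_minutes=20, max_duration_minutes=60)
    print(session_state(policy, now - timedelta(minutes=61), now - timedelta(minutes=1), now))
```

The user who is signed out by the absolute cap may sign straight back in, as the screen notes; only the session, not the account, is affected.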
SAML 2.0 SP Configuration (MEC-side)
These properties configure Medallia Experience Cloud as a service provider (SP) when the type of SSO protocol is SAML.
- SP Issuer
- The URL to access the company's SSO instance on the Experience Cloud web portal. The URL includes "sso/" before the company ID, like this:
https://INSTANCE.medallia.com/sso/COMPANY
Note: The SP destination URL is the one the IdP uses when sending the assertion to Medallia. It is the same as the SP Issuer URL, except that the target includes logonSubmit.do, like this:
https://INSTANCE.medallia.com/sso/COMPANY/logonSubmit.do
- Medallia Certificate
- Identification information about the keys and certificate to be used in the SAML authentication flow. This property is only visible when Medallia Operations has configured the instance to encrypt requests to the IdP.
Depending on configuration, this key is used as follows:
  - If response-encryption is enabled, the key is used to decrypt the SAML response from the IdP.
  - If request-signing is enabled, the key is used to sign the authentication (AuthN) request to the IdP during the SP-initiated SAML flow.
- Generate SAML Metadata File
- Generates an XML metadata file that contains the information the IdP needs to configure the connection with the Experience Cloud. The file contains the SP Issuer URL, the certificate or key information the IdP needs, and other metadata. The IdP uses this data to configure the connection.
- Generate SAML Metadata File with secondary certificate
- Same as the Generate SAML Metadata File option, except that it is only available when a secondary certificate is configured for the instance. Use this option to share the configuration for the secondary certificate.
- Original URL expiration (secs)
- (optional) Count of seconds to remember the original URL the user used to connect to the Medallia application during SP-initiated sessions. A user might use a URL that goes to a specific report. If the sign-on process takes longer than this number of seconds, they will be directed to their default page instead, which is typically the Dashboard. Default is 600 seconds.
- Allowed external redirect URLs
- Approved URLs to which the user may be redirected. The IdP must send the URL in the SAML RelayState parameter. See SAML SSO deep-link authentication for information on using this. Use these URLs for SSO deep-linking to these Medallia applications:
  - medallia:// (Medallia Mobile)
  - com.medallia.mobile:// (Medallia Voices)
- Allowed Referrers
- List of referral hosts used by Referrer Test, one per line. Wildcards are valid, such as *.example.com.
- Referrer Test
- Users must sign in from a host listed in the Allowed Referrers list.
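The SP Issuer, SP destination URL, Medallia Certificate and Generate SAML Metadata File items above all end up in one artifact: the SAML 2.0 SP metadata document the IdP imports. The following Python is an added example of what such a document looks like in the standard metadata format; it is not Medallia's own generator, the exact contents of the file the screen produces may differ, and the SP_ISSUER, certificate placeholders and function names are constructed for this example. It assumes the URL layout given above (SP Issuer plus /logonSubmit.do as the destination) and, for the "with secondary certificate" option, that a second certificate is simply published alongside the first so the IdP accepts either.

```python
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders: a real file carries the base64 body of the instance's actual certificate(s).
SP_ISSUER = "https://INSTANCE.medallia.com/sso/COMPANY"
PRIMARY_CERT = "MIIC...PRIMARY-CERT-PLACEHOLDER..."
SECONDARY_CERT = "MIIC...SECONDARY-CERT-PLACEHOLDER..."


def acs_url(sp_issuer: str) -> str:
    """SP destination (AssertionConsumerService) URL: the SP Issuer plus /logonSubmit.do."""
    return sp_issuer.rstrip("/") + "/logonSubmit.do"


def sp_metadata(sp_issuer: str, certificates: List[str],
                sign_requests: bool = True, want_assertions_signed: bool = True) -> str:
    """Build SAML 2.0 SP metadata XML.

    Each certificate is published twice: use="signing" lets the IdP verify signed
    AuthnRequests, use="encryption" tells the IdP which key to encrypt responses to.
    Passing a secondary certificate as well keeps both valid during a rollover.
    """
    entity = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": sp_issuer})
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": str(sign_requests).lower(),
        "WantAssertionsSigned": str(want_assertions_signed).lower(),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    # Schema order: KeyDescriptor elements come before AssertionConsumerService.
    for cert in certificates:
        for use in ("signing", "encryption"):
            kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
            x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
            ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url(sp_issuer),
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(entity, encoding="unicode")


def metadata_summary(xml_text: str) -> dict:
    """Parse metadata back out: the fields an IdP administrator checks before trusting it."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    certs = root.findall(f".//{{{DS}}}X509Certificate")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "binding": acs.get("Binding"),
        "certificates": sorted({c.text for c in certs}),
    }


if __name__ == "__main__":
    print(sp_metadata(SP_ISSUER, [PRIMARY_CERT, SECONDARY_CERT]))
```

When you receive the generated file, compare its entityID and AssertionConsumerService Location against the SP Issuer and destination URLs shown on this screen; a mismatch is the usual cause of the IdP rejecting the request or posting the assertion to the wrong place.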
OIDC SP Configuration (MEC-side)
These properties configure Medallia Experience Cloud as a service provider (SP) when the type of SSO protocol is OIDC.
- OIDC Redirect URL
- The redirect URL to configure in the OIDC IdP as the location to which clients send OIDC responses.
- State Information expiration (secs)
- How long to retain the state information for OIDC requests. If the IdP login takes longer than this, the user is redirected to their default page (usually the homepage). Default is 600 seconds (10 minutes).
Error Messages
These properties set the error messages shown to users when single sign-on fails. Not all messages apply to all protocols.
- Session Expired Message
- The user's session has expired. Note: The user does not see this message for SP-initiated SSO because an expired session automatically redirects to the IdP for reauthentication.
- Logout Message
- Instructions telling the user what to do after they have signed out of Medallia Experience Cloud. Typically this tells the user to close the browser window.
- Referrer Null Message
- No referrer value could be retrieved from the request and the referrer check is enabled.
- Referrer Not Permitted Message
- The referrer is not allowed and the referrer check is enabled.
- Parameter mapping error message
- A required parameter was not included in the request.
- Account not found or inactive message
- (Not applicable to SAML) The username does not have an account.
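Two of the SAML settings above are allowlists evaluated on every sign-on: Allowed external redirect URLs (the RelayState deep-link target) and Allowed Referrers with Referrer Test, whose two failure outcomes correspond to the Referrer Null and Referrer Not Permitted messages. The following Python is an added example of how such checks behave, including the wildcard host patterns and the scheme-only entries for the mobile applications; it is not Medallia's implementation, the allowlist values are constructed, and the function names are assumptions. The redirect check falls back to "no target" so the caller can send the user to their default page, the behaviour the screen describes for an expired original URL.

```python
from fnmatch import fnmatchcase
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed configuration values, in the form the screen accepts (one entry per line).
ALLOWED_REDIRECT_URLS = [
    "medallia://",                            # scheme-only entry: Medallia Mobile deep links
    "com.medallia.mobile://",                 # scheme-only entry: Medallia Voices deep links
    "https://reports.example.com/dashboard",  # web target: scheme, host and path prefix must match
]
ALLOWED_REFERRERS = ["idp.example.com", "*.corp.example.com"]


def redirect_target(relay_state: Optional[str], allowed: Iterable[str]) -> Optional[str]:
    """Return relay_state if it matches an approved entry, else None (use the default page).

    A scheme-only entry such as medallia:// approves any URL with that scheme; a full
    URL entry requires the same scheme and host and a path equal to, or nested under,
    the entry's path. Host comparison is case-insensitive; nothing else is normalised.
    """
    if not relay_state:
        return None
    target = urlsplit(relay_state)
    for entry in allowed:
        rule = urlsplit(entry.strip())
        if rule.scheme and not rule.netloc and not rule.path:
            if target.scheme == rule.scheme:
                return relay_state
            continue
        same_origin = target.scheme == rule.scheme and target.netloc.lower() == rule.netloc.lower()
        under_path = target.path == rule.path or target.path.startswith(rule.path.rstrip("/") + "/")
        if same_origin and under_path:
            return relay_state
    return None


def referrer_check(referer_header: Optional[str], allowed_hosts: Iterable[str]) -> str:
    """Return 'ok', 'referrer_null' or 'referrer_not_permitted'.

    The two failure values map to the Referrer Null Message and Referrer Not Permitted
    Message. Only the host part of the Referer header is compared: the port is dropped
    and the host is lower-cased by urlsplit(). Patterns use shell-style wildcards, so
    *.example.com matches any depth of subdomain but not the bare example.com.
    """
    if not referer_header:
        return "referrer_null"
    host = urlsplit(referer_header).hostname
    if not host:
        return "referrer_null"
    for pattern in allowed_hosts:
        if fnmatchcase(host, pattern.strip().lower()):
            return "ok"
    return "referrer_not_permitted"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(redirect_target("medallia://open/report?id=7", ALLOWED_REDIRECT_URLS))
    print(referrer_check("https://sso.corp.example.com:8443/login", ALLOWED_REFERRERS))
```

Note that the referrer check depends on the browser sending a Referer header at all; privacy settings or a Referrer-Policy on the IdP page can strip it, which surfaces as the Referrer Null Message rather than Referrer Not Permitted, so keep those two messages distinguishable when you customise them.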