Configuring SAML for survey authentication
Integrations > Security > Survey Authentication > SAML Survey Identity Providers
An identity provider (IdP) is an external system that companies use to host and authenticate user account information for single sign-on. The first step for survey authentication is to configure the IdPs, so that they can later be assigned to specific surveys.
To create a new SAML IdP manually:
- Collect the information necessary to complete the implementation, as defined in Before you begin.
- On the SAML Survey Identity Providers screen, click New SAML Survey Identity Provider.
- Enter a name for the IdP (do not use a duplicate name).
- Fill in the rest of the data, such as the SSO Endpoint, Issuer Name, and Certificate.
- Optionally, click Choose file next to Metadata file and upload the IdP metadata file.
- Click Save.
The instance is now configured to use SAML for survey authentication.
Before you begin
Before setting up SAML survey IdPs, collect this information:
Information | Description
---|---
SSO Endpoint | IdP SSO URL to which Experience Cloud sends the SAML authentication request.
SAML Survey Identity Providers screen
The SAML Survey Identity Providers screen configures IdPs for survey authentication.
Properties
- Download SAML Metadata file
  Generates an XML file with the SAML metadata of the survey authentication service. It is the same across all IdPs on this screen. For external IdPs (not Medallia Experience Cloud), provide this file to the IdP administrators so that the IdP can interact with the survey authentication service.
- IdP Name
  (required) Name of this IdP, shown on the sign-in page and in the configuration list of IdP settings.
- SSO Protocol
  SSO protocol for this IdP. At this time only SAML is supported.
- Metadata file
  IdP metadata file that describes the connection properties needed to communicate with the IdP. Uploading the file automatically fills in the values of the required properties in this section. For more information, see Obtaining the metadata file.
- SSO Endpoint
  URL Experience Cloud uses to connect and send requests to the IdP. Warning: Unless otherwise agreed with the IdP, the SSO service URL should point to the service that provides SP-initiated authorizations. Provide the correct URL: some IdPs expose multiple URLs, and using the wrong one does not always fail in obvious ways.
- Issuer Name
  Identity of the IdP as it appears in the SAML assertion the IdP sends in response.
- X.509 Certificates
  IdP certificate (public key), as a Base64-encoded string of the certificate in CER format. Use a semicolon (;) to separate multiple certificates.
- Certificates info
  Identifying information about the IdP signing certificate.
- Sign SAML AuthnRequest sent to IdP
  Sign the SSO authentication request sent to the IdP using the configured Experience Cloud SAML private key.
- Signing Algorithm
  Algorithm used to sign SAML certificates. Change it in coordination with the client administrator.
- Process encrypted assertions in SAML response
  Look for an encrypted assertion in the response and use it if present. Otherwise, or if this option is off, use the plain assertion. Use this option only when the IdP sends encrypted assertions in its SAML responses.
- Log failed attempts
  Save information about failures when users fail to authenticate to the IdP because of an error.
- Preload survey records
  The survey authentication service pre-loads survey records.
- Clock skew
  Number of seconds before or after the assertion timestamp during which the assertion is still considered valid. The default is 10 seconds. Use this property to account for clock drift between the IdP and SP host machines.
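As an added example that is not Medallia's code and not part of this page, the following Python shows the two pieces of processing the properties above describe: extracting the SSO Endpoint, Issuer Name and X.509 Certificates from an IdP metadata file (what the Metadata file upload fills in for you), and checking an assertion's Issuer and Conditions window against that configuration with the Clock skew allowance. The metadata document, the assertion, the entityID, the URLs and the certificate strings are constructed placeholders; the HTTP-Redirect binding default, the semicolon-joined certificate list and the 10-second default skew follow the page, but the function names and the checks themselves are assumptions, not the service's implementation.

```python
"""Added example (not Medallia's code): turn IdP metadata into the SAML Survey
Identity Provider fields, then apply Issuer and clock-skew checks to an assertion."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata: entityID, URLs and certificates are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT-1...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT-2...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion from the same (placeholder) IdP; no signature included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_idp_metadata(xml_text, binding=REDIRECT):
    """Map IdP metadata onto the screen's fields (hypothetical helper).

    The SingleSignOnService chosen must be the SP-initiated endpoint for the
    binding you actually use; picking the wrong one is the failure mode the
    SSO Endpoint warning describes, so the binding is explicit, not guessed."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoint = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                     if s.get("Binding") == binding), None)
    if endpoint is None:
        raise ValueError(f"no SingleSignOnService for binding {binding}")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop PEM line breaks
    return {
        "sso_endpoint": endpoint,
        "issuer_name": root.get("entityID"),
        "x509_certificates": ";".join(certs),   # semicolon-separated, as on the screen
    }


def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, config, now, clock_skew=10):
    """Return (ok, reason): Issuer must equal the configured Issuer Name, and the
    Conditions window is widened by clock_skew seconds on both sides (default 10).
    Signature verification against the configured certificates is a separate step."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer_name"]:
        return False, f"unexpected issuer {issuer!r}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=clock_skew)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    return True, "ok"


if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    print(cfg)
    print(check_assertion(SAMPLE_ASSERTION, cfg, datetime(2024, 1, 1, 11, 59, 55, tzinfo=timezone.utc)))
```

The skew check is deliberately symmetric: an assertion seen a few seconds before its NotBefore, or a few seconds after its NotOnOrAfter, still passes within the configured window, while anything further out is rejected. Signature verification with the configured X.509 Certificates is not shown here; it is the step that makes the Issuer check meaningful.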