Single sign-on with ADFS and SAML
There are two main parts to setting up AD FS 2.0 with Medallia Ideas.
First: AD FS 2.0 must be configured with certain rules and metadata provided by your Medallia Ideas community.
Second: Medallia Ideas must be given metadata from your AD FS 2.0 server so that various endpoints can be determined.
Setting up AD FS 2.0 / 3.0
You can retrieve the desktop metadata for your community here:
https://<your-community-URL-here>/saml/module.php/saml/sp/metadata.php/crowdsaml2
You can retrieve the mobile metadata for your community here; the URL depends on the region your community is hosted in:
UK: https://mobile.crowdicity.com/entityDescriptor.xml
Australia: https://mobile.crowdicity.com.au/entityDescriptor.xml
Ireland: https://mobile.crowdicity-ie.medallia.com/entityDescriptor.xml
US: https://mobile.crowdicity-us1.medallia.com/entityDescriptor.xml
Alternatively, the metadata can be downloaded by visiting your community and going to the "Crowd Management" area. Once inside, select "Settings" > "Authentication". Scroll down to the SAMLv2 box and choose "Get our metadata".
In the popup window, click "Click here to download SP metadata". Use this XML when configuring AD FS.
The following rules are also required for single sign-on to function with Crowdicity:
How to create the required rules
Create a rule to send LDAP attributes as claims with the following choices:
Create a rule to "Transform an Incoming Claim"
Set the incoming claim type to "EMail Address", the "Outgoing claim type" to "Name ID" and the "Outgoing name ID format" to "Transient Identifier".
Setting up Medallia Ideas for SAML2‐based login
First, you'll need to collect your AD FS metadata from your server. The address is usually something like
https://<your-idp-url>/FederationMetadata/2007-06/FederationMetadata.xml
but consult your documentation if this differs for your server.
Once you have the required metadata, follow the steps below:
From the Medallia Ideas Admin menu, select Community Settings then Authentication. On this screen, you can select the authentication methods your community will use, and the order that they are presented in.
Click Submit your metadata to pop up a new window, and then click Submit new metadata.
Paste your XML metadata into this box, and click submit. If the metadata is accepted, the screen will refresh and your endpoints will be listed, as in the example below.
Click Enable for the SAMLv2 option, and then click Save at the bottom of the page.
Once this has been saved, the Crowdicity login page will present Organization login as an option for users:
Using this option will redirect users to your ADFS login screen and return them to Crowdicity upon a successful login.
Required assertions
Information about what assertions are required and the naming of them can be found here.
Troubleshooting
In most cases, if there is a problem with Single Sign On, Medallia Ideas will show an error page. The small text near the middle of the page will provide more details. Below are the most common errors.
Error: SimpleSAML_Error_Error: UNABLE TO VALIDATE SIGNATURE
Cause: This is caused by certificates that are out of date, or that have been updated on one side but not the other.
Solution 1: Crowdicity updates certificates each year. To prevent having an out-of-date copy of Crowdicity's certificate, we recommend you set your identity provider to track our metadata via the URL rather than copying the XML directly. If that isn't possible, you can re-download our metadata from the address specified in our set-up guide and re-apply it.
Solution 2: If your certificate has changed, please retrieve an updated copy of your metadata and resubmit it to Crowdicity by following those steps in the set-up guide.
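The claim rules from "How to create the required rules" and the metadata-by-URL tracking recommended in Solution 1, combined into one AD FS PowerShell script. This is an added example, not Medallia's or Microsoft's own documentation; the trust name, the placeholder community URL, the use of the AD "mail" attribute as the source of the E-Mail Address claim (the page does not show the LDAP rule's exact choices) and the permit-all authorization rule (the AD FS wizard default) are assumptions.

```powershell
# Added example (not Medallia's code). Assumptions: trust name, placeholder SP metadata URL,
# AD "mail" attribute feeding the E-Mail Address claim, and the default permit-all authz rule.
$TrustName   = 'Medallia Ideas'
$MetadataUrl = 'https://<your-community-URL-here>/saml/module.php/saml/sp/metadata.php/crowdsaml2'

$EmailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$FormatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: "Send LDAP Attributes as Claims" - AD mail attribute -> E-Mail Address claim.
# Rule 2: "Transform an Incoming Claim" - E-Mail Address -> Name ID, format "Transient Identifier".
$IssuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send email as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to transient Name ID"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$FormatProp"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
"@

# Assumed: the wizard's default "Permit Access to All Users" rule; without an authorization
# rule AD FS issues no token to anyone.
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Track the SP metadata by URL (Solution 1) so the yearly certificate rotation is picked up
# automatically instead of leaving a stale copy of the SP certificate on the IdP.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $IssuanceRules -IssuanceAuthorizationRules $AuthzRules

# Verify: the trust should carry the SP's current signing certificate and be monitored.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, LastMonitoredTime
$Trust.RequestSigningCertificate | Select-Object Subject, NotBefore, NotAfter
```

If the NotAfter date shown has passed, or the trust was created from pasted XML with no MetadataUrl, run Update-AdfsRelyingPartyTrust -TargetName $TrustName after re-importing the metadata to refresh the certificate.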
Error: sspmod_saml_Error: Responder
Cause: This is caused by an error on the Identity Provider. We're unable to get any details on the error since it did not happen on our system.
Solution: Check the logs on your IdP for more detail.
Further Support
If you haven't found the answer you're looking for, please contact your Customer Support Manager or contact us via help.medallia.com with your community URL and the type of connection you're trying to establish.