Configuring SAML single sign-on

SAML is a standard protocol for authenticating users during inbound single sign-on (SSO). These instructions detail how to configure Medallia Experience Cloud as a service provider (SP) using SAML to authenticate users via the company's single sign-on identity provider (IdP).

The general steps to implement SAML single sign-on are:

  1. Collect the information needed to complete the implementation. See Prerequisites.

  2. Configure the service provider (SP) settings in the instance, including the URL users use to connect to the Medallia instance, and the public key portion of the trusted certificate.

  3. Provide the above information to the identity provider (IdP) so the IdP will recognize communications from the instance and know how to communicate with it.

  4. The IdP provides metadata describing how the instance will communicate with the IdP and how it will interpret the authorization information the IdP provides.

  5. Configure the IdP settings in the instance based on the above information.

  6. Configure the verification mechanism on the instance based on the information the IdP will provide in each authorization. See Processing the assertion to identify the account.

  7. Test the process.

Prerequisites

Before setting up SAML inbound single sign-on, collect this information:

Requisites and their descriptions:

IdP support for SAML relayState query parameter
    Verify the IdP can handle the SAML relayState query parameter when processing the authentication request. On Medallia Mobile, if this is not set up properly, the app will show the Medallia Web reporting default page after completing the sign-in.
    Note: For information about this situation, see https://en.wikipedia.org/wiki/SAML_2.0, and review the section titled "Redirect to IdP SSO Service".

SP issuer
    The URL users use to connect to the Medallia Web reporting instance.

Error Redirect URL (optional)
    The URL, if any, to send the user to after an authentication error.

Logout Redirect URL
    The URL to send the user to after signing out.

(SAML) Assertion Attribute Name
    The name of the assertion attribute in the SAML response that identifies the user's account. This value is used to create an account and to sign the user into the application.

Processing the assertion to identify the account

When the IdP sends an authorization, the Experience Cloud instance interprets the assertion to verify the account and, optionally, to create or update an account as needed. There are two ways to process accounts based on the value in the assertion:

Verify existing accounts based on the Username or Company ID. This method only works when the <AttributeName> value matches (case-insensitive) the value of an existing Username or Company ID.

Verify, update, and/or create accounts using an Auto Importer specification. This option is more flexible because the specification can process the ID value before the authorization activity is performed. For example, Username values must be lowercase, so an Auto Importer specification can lowercase the assertion value before the verification is performed.
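As an added illustration of the two options above (example code, not Medallia's implementation), this Python sketch pulls the configured assertion attribute out of a constructed SAML response and shows the case-insensitive match against existing accounts beside the lowercase normalization an Auto Importer specification would perform. The attribute name employeeLogin, the account field names and every sample value are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, use defusedxml.ElementTree instead

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response with the signature omitted: a real SP verifies the
# signature, Issuer, Audience and Conditions before trusting any attribute value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeLogin">
        <saml:AttributeValue>JDoe@Example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

ACCOUNTS = [  # constructed account directory; field names are hypothetical
    {"username": "jdoe@example.com", "company_id": "E10042"},
    {"username": "asmith@example.com", "company_id": "E10077"},
]

def extract_attribute(response_xml, attribute_name):
    """Return the one value of the configured assertion attribute.
    Missing or multiple values cannot identify a single account, so both are rejected."""
    root = ET.fromstring(response_xml)
    values = [
        v.text.strip()
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
        if attr.get("Name") == attribute_name
        for v in attr.iterfind("saml:AttributeValue", SAML_NS)
        if v.text and v.text.strip()
    ]
    if len(values) != 1:
        raise ValueError(f"expected one {attribute_name!r} value, got {len(values)}")
    return values[0]

def match_existing_account(value, accounts=ACCOUNTS):
    """Method 1: case-insensitive match on Username or Company ID; never creates accounts."""
    needle = value.casefold()
    for acct in accounts:
        if needle in (acct["username"].casefold(), acct["company_id"].casefold()):
            return acct
    return None

def auto_importer_normalize(value):
    """Method 2 stand-in: the transform an Auto Importer spec would apply (lowercase)
    so the value is a valid Username before verification or account creation."""
    return value.strip().lower()
```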