SAML SSO deep-link authentication
SAML SSO deep-link authentication, or IdP-initiated SSO, is an alternative to standard IdP authentication in which the company IdP sends a URL associated with an application to Medallia Experience Cloud (the SP), and the verified user is then redirected to that URL to run the application. This is useful for companies that use multiple Experience Cloud applications because the user chooses the application from a list provided by the IdP. (The IdP may present only those apps the user is permitted to use.)
When using SSO deep-link authentication:
- A user application starts with the company IdP home page, which authorizes the user.
- The authorized user identifies the application from a list provided by the IdP. Each Experience Cloud application has a unique Client URL that identifies it. This is provided to the IdP by the person who sets up the Experience Cloud instance.
  Tip: The Client URL can redirect to a dashboard or report in Medallia Web reporting by including the URI to the report. For example, a Client URL might look similar to this to access a dashboard: https://instance.medallia.com/company/homepage.do?id=4923
  The URL can also tell a mobile device to load the Medallia Mobile application, like this:
  medallia://idp?companyid=<company>?sb
- After the user chooses the application, the IdP provides a SAML assertion that includes the Client URL in the relayState parameter. The IdP then redirects the user to the SSO endpoint: the Experience Cloud SSO SP server.
- The application sends the assertion to the SSO endpoint.
- The Experience Cloud server acknowledges the authorization and verifies the Client URL by comparing it to an allow-list of authorized URLs. It then redirects the user to the application identified by the URL.
relayState parameter in the SAML authorization response. The parameter includes a Client URL that identifies the user application to the Medallia Experience Cloud servers. For information about this relayState, see https://en.wikipedia.org/wiki/SAML_2.0, and review the section titled "Redirect to IdP SSO Service".
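The allow-list check in the last step is what keeps an IdP-initiated login from becoming an open redirect. The sketch below is an added example, not Medallia's implementation: the allow-list format, the function names and the fallback URL are assumptions, and the sample URLs are the ones shown in the tip above.

```python
from urllib.parse import urlsplit

# Assumed allow-list format: exact (scheme, host, path) triples. The two entries
# mirror the page's sample Client URLs; a real list comes from the SP's configuration.
ALLOWED_CLIENT_URLS = {
    ("https", "instance.medallia.com", "/company/homepage.do"),
    ("medallia", "idp", ""),
}
# Hypothetical fallback used when the RelayState is missing or rejected.
DEFAULT_LANDING = "https://instance.medallia.com/company/homepage.do"


def is_allowed_relay_state(relay_state):
    """True only if the Client URL in RelayState matches an allow-list entry."""
    if not relay_state or len(relay_state) > 2048:
        return False
    # Backslashes and whitespace are parsed differently by browsers and urlsplit.
    if any(ch in relay_state for ch in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(relay_state)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Userinfo ("user@host") and explicit ports are never expected in a Client URL.
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").lower()
    # Compare parsed components, never a string prefix of the raw URL.
    return (parts.scheme.lower(), host, parts.path) in ALLOWED_CLIENT_URLS


def redirect_target(relay_state):
    """Call only after the SAML assertion itself has been validated."""
    return relay_state if is_allowed_relay_state(relay_state) else DEFAULT_LANDING
```

The query string is deliberately left out of the comparison so that report identifiers such as `id=4923` can vary without a new allow-list entry.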