Configuring OIDC for survey authentication

Integrations > Security > Survey Authentication > OIDC Survey Identity Providers

An identity provider (IdP) is an external system that hosts user accounts and authenticates users for single sign-on. The first step for survey authentication is to configure the IdPs so that they can later be assigned to specific surveys.

To create a new OIDC IdP manually:

  1. Collect the information listed in Before you begin from the IdP administrator.

  2. On the OIDC Survey Identity Providers screen, click New OIDC Survey Identity Provider.

  3. Enter a unique name for the IdP (names must not be duplicated).

  4. Enter the Client ID.

  5. If the IdP publishes a discovery endpoint, enter its URL in Discovery endpoint and enable Fetch metadata from discovery endpoint. Otherwise, enter the Issuer, JWK URL, Authorization endpoint and Token endpoint yourself.

  6. Click Save. When discovery is enabled, the endpoint URLs are filled in from the metadata the provider publishes.

The IdP is now configured and can be assigned to surveys that use OIDC survey authentication.

Before you begin

Get the following connection information from the IdP administrator.

Client ID
Client ID used to connect to the OIDC IdP.
Client Secret
Client secret used to connect to the OIDC IdP. Handle it as a credential: it must never appear in survey links or other client-side content.

When the IdP supports a discovery endpoint, also collect its URL from the IdP administrator:

Discovery endpoint
URL of the IdP's discovery endpoint, normally the issuer URL followed by /.well-known/openid-configuration. For more information about the endpoints it publishes, see OpenID Connect Discovery 1.0 incorporating errata set 2.
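
What the discovery endpoint gives the relying party is a JSON document whose members (issuer, jwks_uri, authorization_endpoint, token_endpoint, userinfo_endpoint) map directly onto the fields of the IdP form. The Go program below is an added example, not Experience Cloud's own code, of parsing such a document and applying the checks a relying party should make before it trusts the endpoints, above all that the issuer named in the document matches the URL the document was fetched from. The issuer https://idp.example.com/realms/surveys, its endpoint paths and the sample document are constructed for the example and do not describe a real provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ProviderMetadata holds the members of an OpenID Provider configuration document
// that the IdP form needs (member names as in OpenID Connect Discovery 1.0, section 3).
type ProviderMetadata struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"` // optional
	JwksURI               string   `json:"jwks_uri"`
	ScopesSupported       []string `json:"scopes_supported"` // recommended, may be absent
}

// DiscoveryURL builds the well-known URL for an issuer: a trailing slash on the
// issuer is dropped before the path is appended (Discovery 1.0, section 4.1).
func DiscoveryURL(issuer string) string {
	return strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration"
}

// ParseProviderMetadata decodes a configuration document that was fetched from
// discoveryURL and applies the checks a relying party must make before it copies
// the endpoints into its IdP configuration.
func ParseProviderMetadata(discoveryURL string, doc []byte) (*ProviderMetadata, error) {
	var md ProviderMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return nil, fmt.Errorf("configuration document is not valid JSON: %w", err)
	}
	// Discovery 1.0, section 4.3: the issuer member MUST be identical to the issuer
	// the document was retrieved for. Without this check a document served from some
	// other host could claim another provider's issuer, and ID tokens carrying that
	// iss value would later pass the issuer comparison.
	if DiscoveryURL(md.Issuer) != discoveryURL {
		return nil, fmt.Errorf("issuer %q does not match discovery URL %q", md.Issuer, discoveryURL)
	}
	required := map[string]string{
		"issuer":                 md.Issuer,
		"authorization_endpoint": md.AuthorizationEndpoint,
		"token_endpoint":         md.TokenEndpoint,
		"jwks_uri":               md.JwksURI,
	}
	for name, value := range required {
		if value == "" {
			return nil, fmt.Errorf("configuration document is missing %s", name)
		}
	}
	// Every endpoint the relying party will talk to, optional userinfo included, must be
	// https: the key set fetched from jwks_uri is the trust anchor for every ID token signature.
	for _, value := range []string{md.Issuer, md.AuthorizationEndpoint, md.TokenEndpoint, md.JwksURI, md.UserinfoEndpoint} {
		if u, err := url.Parse(value); value != "" && (err != nil || u.Scheme != "https" || u.Host == "") {
			return nil, fmt.Errorf("%q is not an https URL", value)
		}
	}
	return &md, nil
}

// SupportsScope reports whether the provider advertises scope, so the Email scope and
// Profile scope options can be checked before they are switched on. A provider that
// omits scopes_supported is reported as not supporting it rather than assumed to.
func SupportsScope(md *ProviderMetadata, scope string) bool {
	for _, s := range md.ScopesSupported {
		if s == scope {
			return true
		}
	}
	return false
}

// sampleDocument is a constructed configuration document for the hypothetical issuer
// https://idp.example.com/realms/surveys; it is not any real provider's output.
const sampleDocument = `{
  "issuer": "https://idp.example.com/realms/surveys",
  "authorization_endpoint": "https://idp.example.com/realms/surveys/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/realms/surveys/oauth2/token",
  "userinfo_endpoint": "https://idp.example.com/realms/surveys/oauth2/userinfo",
  "jwks_uri": "https://idp.example.com/realms/surveys/oauth2/jwks",
  "scopes_supported": ["openid", "email", "profile"]
}`

func main() {
	md, err := ParseProviderMetadata(DiscoveryURL("https://idp.example.com/realms/surveys"), []byte(sampleDocument))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("Issuer:", md.Issuer)
	fmt.Println("JWK URL:", md.JwksURI)
	fmt.Println("Authorization endpoint:", md.AuthorizationEndpoint)
	fmt.Println("Token endpoint:", md.TokenEndpoint)
	fmt.Println("email scope advertised:", SupportsScope(md, "email"))
}
```

The program prints the values you would otherwise type into the IdP form. If the issuer check fails, do not work around it by entering the endpoints by hand: a mismatch means either that the Issuer you were given is wrong or that the document is not the provider's own.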

When the IdP does not publish a discovery endpoint, collect the following from the IdP administrator instead:

Issuer
URL of the IdP issuer. The iss claim in every ID token must match this value exactly.
JWK URL
URL from which Medallia Experience Cloud fetches the IdP's public keys (a JWK Set). Experience Cloud uses them to verify the signature on the JWT ID token.
Authorization endpoint
URL to which the user's browser is sent for the OAuth authorization request, where the user authenticates and grants authorization.
Token endpoint
URL from which Experience Cloud requests the ID token. The token authenticates the user and carries claims about the user that can be used to create or identify the user's account.
User information endpoint
Determines how and what user information the IdP provides. Experience Cloud can get the information in two ways:
  • from the claims in the ID token returned by the token endpoint, or
  • by requesting it from the user information endpoint, if the IdP provides one.

By default, Experience Cloud identifies the user by the sub claim in the ID token, a unique identifier that the IdP assigns to the account. Per the OIDC specification, a sub value is unique and stable only within the issuer that assigned it, so it identifies a user only in combination with the Issuer configured for the IdP; an email address or name, by contrast, can change or be reassigned. Optionally, the configuration may request the user's profile or email information and, when the IdP provides it, use that information to create and identify the account. OIDC profile information may include names and other personal information. To request it, turn on the Email scope and/or Profile scope properties.

OIDC Survey Identity Providers screen

The OIDC Survey Identity Providers screen configures IdPs for survey authentication.

Properties

IdP Name
(required) Name of this IdP, shown on the sign-in page and in the list of IdP settings. Names must be unique.
Client ID
Client ID used to connect to the OIDC IdP.
Discovery endpoint
URL of the IdP's discovery endpoint. When the IdP supports discovery, enter the URL here, enable Fetch metadata from discovery endpoint, and click Save. The remaining options in this section are then filled in from the metadata the provider publishes. For more information, see OpenID Connect Discovery 1.0 incorporating errata set 2.
Fetch metadata from discovery endpoint
When enabled, clicking Save fetches new or updated provider metadata from the discovery endpoint and overwrites the remaining options in this section with it. When disabled, those options are never updated from the discovery endpoint, so a change published by the provider (a new JWK URL, for example) must be entered by hand.
Issuer
URL to the IdP issuer.
JWK URL
URL to request the IdP's public key. Experience Cloud uses the key to verify the signature on the JWT ID token.
Authorization endpoint
URL to which the user's browser is sent for the OAuth authorization request, where the user authenticates and grants authorization.
Email scope
Whether or not to request the user account's email (when available).
Profile scope
Whether or not to request the user account's profile, such as first and last name (when available).
Log failed attempts
Save diagnostic information when a user fails to authenticate at the IdP because of an error.
Preload survey records
The survey authentication service pre-loads survey records.
Clock skew
Number of seconds before or after a timestamp in the ID token (such as its expiry) for which the token is still accepted. Default is 10 seconds. Use this property to absorb clock drift between the IdP and the Experience Cloud (service provider) hosts. Keep it small: every second of tolerance extends the window in which an expired token is accepted.
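
The Issuer, JWK URL, Client ID and Clock skew properties all feed the checks made on every ID token the token endpoint returns. The Go code below is an added example of those checks and is not Experience Cloud's implementation: it selects the signing key from the JWK Set by the token's kid, verifies the RS256 signature, and then checks iss against the configured issuer, aud against the client ID, exp and iat against the current time with the clock-skew tolerance, and that a sub claim is present. The signRS256 and publicJWKS helpers stand in for the IdP's token endpoint and JWK URL so that it runs offline; the issuer https://idp.example.com, the client ID survey-client-id and the key ID idp-key-1 used with them are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT and JWK segments use unpadded base64url

// IDTokenClaims holds the claims checked below. The example assumes a single string aud; a token whose aud is an array fails to decode and is rejected.
type IDTokenClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIDToken validates an RS256 ID token against the JWK Set document fetched from the JWK URL
// and returns its claims. Identify the user by (iss, sub): sub is unique only within one issuer.
func VerifyIDToken(token string, jwksJSON []byte, issuer, clientID string, now time.Time, skew time.Duration) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unsupported alg %q", hdr.Alg) // never accept "none" or an HMAC alg
	}
	var keys struct {
		Keys []struct{ Kty, Kid, N, E string } `json:"keys"`
	}
	if err := json.Unmarshal(jwksJSON, &keys); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey // select by kid: the set may hold several keys during rotation
	for _, k := range keys.Keys {
		if n, err := b64.DecodeString(k.N); err == nil && k.Kty == "RSA" && k.Kid == hdr.Kid {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c IDTokenClaims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	tol := int64(skew.Seconds()) // the Clock skew property: tolerance applied to exp and iat
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured issuer", c.Iss)
	case c.Aud != clientID:
		return nil, errors.New("token was not issued for this client ID")
	case now.Unix() > c.Exp+tol || c.Iat > now.Unix()+tol:
		return nil, errors.New("token outside its validity window (raise clock skew only if the IdP clock really drifts)")
	case c.Sub == "":
		return nil, errors.New("token has no sub claim")
	}
	return &c, nil
}

// signRS256 and publicJWKS stand in for the IdP's token endpoint and JWK URL so the example runs offline.
func signRS256(priv *rsa.PrivateKey, kid string, c IDTokenClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func publicJWKS(pub *rsa.PublicKey, kid string) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())))
}
```

To exercise it, generate a key with rsa.GenerateKey, build a token with signRS256 and the key set with publicJWKS, and call VerifyIDToken with the same issuer and client ID; a token signed under a different key, for another client, for another issuer, or more than the skew past its exp is rejected, and so is any token whose header names an algorithm other than RS256. The alg check is what keeps a token from talking the verifier into "none" or into treating the public key as an HMAC secret.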