Single sign-on with ADFS and SAML

There are two main parts to setting up AD FS 2.0 with Medallia Ideas.

First: AD FS 2.0 must be configured with certain rules and metadata provided by your Medallia Ideas community.

Second: Medallia Ideas must be given metadata from your AD FS 2.0 server so that various endpoints can be determined.

Important: The following instructions need to be performed twice: once for the desktop metadata and again for the mobile metadata.

Setting up AD FS 2.0 / 3.0

You can retrieve the desktop metadata for your community here:

https://<your-community-URL-here>/saml/module.php/saml/sp/metadata.php/crowdsaml2

You can retrieve the mobile metadata for your community here; the URL depends on the region your community is hosted in:

  • UK: https://mobile.crowdicity.com/entityDescriptor.xml

  • Australia: https://mobile.crowdicity.com.au/entityDescriptor.xml

  • Ireland: https://mobile.crowdicity-ie.medallia.com/entityDescriptor.xml

  • US: https://mobile.crowdicity-us1.medallia.com/entityDescriptor.xml

Alternatively, the metadata can be downloaded by visiting your community and going to the "Crowd Management" area. Once inside, select "Settings" -> "Authentication". Scroll down to the SAMLv2 box and choose "Get our metadata".

In the popup window, click "Click here to download SP metadata". Use this XML when configuring AD FS.

The following claim rules are also required for single sign-on to work with Crowdicity:

Issuance Transform Rules tab listing two rules

How to create the required rules

  1. Create a rule to send LDAP attributes as claims with the following choices:

    Edit Rule - LDAP to claims form

  2. Create a rule to "Transform an Incoming Claim"

  3. Set the incoming claim type to "E-Mail Address", the "Outgoing claim type" to "Name ID" and the "Outgoing name ID format" to "Transient Identifier".

    Edit Rule - Windows name to Name ID form
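The same relying party trust and the two claim rules from the steps above, expressed in the AD FS claim rule language and created with the AD FS PowerShell cmdlets. This is an added example, not configuration from the Medallia Ideas guide; it assumes the LDAP rule maps at least the Active Directory "mail" attribute to E-Mail Address (add any further attributes listed on the Required assertions page), and the community URL is a placeholder you must replace.

```powershell
# Added example (not from the Medallia Ideas guide). Run in an elevated PowerShell
# session on the AD FS server. AD FS 2.0 needs "Add-PSSnapin Microsoft.Adfs.PowerShell"
# first; AD FS 3.0 and later load the module automatically.
# Repeat the whole block with the mobile metadata URL for the mobile entity.

$spMetadataUrl = "https://<your-community-URL-here>/saml/module.php/saml/sp/metadata.php/crowdsaml2"  # placeholder
$trustName     = "Medallia Ideas (desktop)"

# Rule 1: Send LDAP Attributes as Claims. ASSUMPTION: only "mail" -> E-Mail Address is
#         shown here; append further attributes to "types"/"query" as the SP requires.
# Rule 2: Transform an Incoming Claim: E-Mail Address -> Name ID, transient format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP Attributes as Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to transient Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Import the SP metadata by URL with monitoring and auto-update on, so the SP's yearly
# certificate rotation is picked up without re-importing XML by hand (this is the
# troubleshooting section's preferred fix for UNABLE TO VALIDATE SIGNATURE).
# The authorization rule is the standard "Permit Access to All Users" rule.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $spMetadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Verify: both rules should be present and the SP signing certificate should be current.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$rp | Select-Object Name, MetadataUrl, AutoUpdateEnabled, LastMonitoredTime
$rp.IssuanceTransformRules
$rp.RequestSigningCertificate | Select-Object Subject, NotBefore, NotAfter
```

The final `Select-Object` on the SP certificate is worth re-running before the yearly rotation date; an expired or replaced certificate there is the usual root cause of the signature validation error described under Troubleshooting.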

Setting up Medallia Ideas for SAML2‐based login

First, you'll need to collect your AD FS metadata from your server. The address is usually something like

https://<your-idp-url>/FederationMetadata/2007-06/FederationMetadata.xml

but consult your documentation if this differs for your server.

Once you have the required metadata, follow the steps below:

  1. From the Medallia Ideas Admin menu, select Community Settings then Authentication. On this screen, you can select the authentication methods your community will use, and the order that they are presented in.

    SAML v2 options

  2. Click Submit your metadata to pop up a new window, and then click Submit new metadata.

    Submit new meta data for desktop text field and Submit button

  3. Paste your XML metadata into this box and click Submit. If the metadata is accepted, the screen will refresh and your endpoints will be listed, as in the example below.

    Desktop metadata listing

  4. Click Enable for the SAMLv2 option, and then click Save at the bottom of the page.

    SAML v2 with Enable selected

Once this has been done, the Crowdicity login page will present Organization login as an option for users:

Medallia Ideas sign-in with "Crowdicity account" selected

Using this option will redirect users to your ADFS login screen and return them to Crowdicity upon a successful login.

Required assertions

Information about what assertions are required and the naming of them can be found here.

Troubleshooting

In most cases, if there is a problem with Single Sign On, Medallia Ideas will show an error page. The small text near the middle of the page will provide more details. Below are the most common errors.

  1. Error: SimpleSAML_Error_Error: UNABLE TO VALIDATE SIGNATURE

    • Cause: This is caused by out-of-date or recently updated certificates on either side of the trust.

    • Solution 1: Crowdicity updates its certificates each year. To prevent having an out-of-date copy of Crowdicity's certificate, we recommend you set your identity provider to track our metadata via the URL rather than copying the XML directly. If that isn't possible, you can re-download our metadata from the address specified in our set-up guide and re-apply it.

    • Solution 2: If your certificate has changed, please retrieve an updated copy of your metadata and resubmit it to Crowdicity by following the steps in the set-up guide.

  2. Error: sspmod_saml_Error: Responder

    • Cause: This is caused by an error on the Identity Provider. We're unable to get any details on the error since it did not happen on our system.

    • Solution: Check the logs on your IdP for more detail.

Further Support

If you haven't found the answer you're looking for, please contact your Customer Support Manager or contact us via help.medallia.com with your community URL and the type of connection you're trying to establish.