HMAC-SHA1 (Single Sign-On)

HMAC-SHA1 (Single Sign-On) is a session and user authentication service that permits a user to use one set of login credentials to access multiple applications. Hash-based message authentication code (HMAC) provides the server and the client each with a private key that is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, per request to the server by hashing the request data with the private key and sending it as part of the request. What makes HMAC more secure than a Message Authentication Code (MAC) is that the key and the message are hashed in separate steps.

How do I set up SSO for my community?

We use HMAC-SHA1 for this. Authentication works by passing tokens to a pre-specified endpoint, through which the community admin can grant members access to the community portal.

While setting up the authentication, the user has to enter the following in the QuestionPro interface:

  1. Key: An 8-character key that is used for hashing the time in seconds.
  2. Timestamp: The time window for which the survey URL will be valid.

In order to initiate the handshake, the admin will have to pass the following tokens to the endpoint:

  1. ID_STRING: encryptDES(Current_Timestamp_In_Seconds|First_Name|Last_Name|Member_Email_Address)
  2. SIGNATURE: HMAC-SHA1 hash of (Current_Timestamp_In_Seconds|First_Name|Last_Name|Member_Email_Address)
  3. id: Panel_Id

The DES encryption and the HMAC-SHA1 hash will be generated using the preset key.

Once the system receives the tokens, it checks if the ID_STRING matches the Signature. If there's a match, the handshake is authenticated and the member will be logged in.

Example: encryption String&SIGNATURE=HMAC-SHA1 string&id=panel ID
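
The signing and server-side check described above, as an added example that is not QuestionPro's code. It assumes a hex-encoded SIGNATURE, UTF-8 input, a validity window in seconds, and an ID_STRING that has already been DES-decrypted; the function names, key and member values are constructed.

```python
import hashlib
import hmac
import time

DELIM = "|"

def build_plaintext(ts: int, first: str, last: str, email: str) -> str:
    """Timestamp|First|Last|Email, the string that is both encrypted and signed."""
    for field in (first, last, email):
        if DELIM in field:  # a '|' inside a field would shift the boundaries
            raise ValueError("field contains the '|' delimiter")
    return DELIM.join([str(ts), first, last, email])

def sign(plaintext: str, key: bytes) -> str:
    """HMAC-SHA1 of the plaintext; hex output is an assumption of this example."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha1).hexdigest()

def verify(plaintext, signature, key, window_seconds, now=None):
    """Return the member fields when signature and timestamp pass, else None."""
    expected = sign(plaintext, key).encode("ascii")
    supplied = signature.strip().lower().encode("utf-8")
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return None
    parts = plaintext.split(DELIM)
    if len(parts) != 4 or not (parts[0].isascii() and parts[0].isdigit()):
        return None
    now = int(time.time()) if now is None else now
    if abs(now - int(parts[0])) > window_seconds:  # stale or far-future token
        return None
    return {"first_name": parts[1], "last_name": parts[2], "email": parts[3]}

if __name__ == "__main__":
    key = b"k3y-demo"  # constructed 8-character key
    pt = build_plaintext(1700000000, "Ada", "Lovelace", "ada@example.com")
    sig = sign(pt, key)
    print(verify(pt, sig, key, 300, now=1700000100))
    print(verify(pt.replace("ada@", "eve@"), sig, key, 300, now=1700000100))
```

The signature is checked before the string is parsed, so a tampered field or an expired timestamp is rejected without any member data being used.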
