Setting up SAML authentication

What is SAML?

SAML stands for Security Assertion Markup Language.

It is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

QuestionPro provides SAML based Single Sign-On (SSO) which allows users in your organization to use their corporate login credentials to log in to the QuestionPro platform. Thus they don’t need to maintain a separate username and password for the QuestionPro platform.

Note: QuestionPro supports IdP Initiated SSO.

How to set up SAML SSO for login authentication?

For enabling SAML authentication for your account please go to:

User Profile >> Global Settings

Survey Software Help Image

Select SAML (Signed) under SSO Authentication. There are three ways of setting up SSO:
  1. Metadata URL
  2. Metadata File
  3. Manual Settings

How can you set up SSO using Metadata URL?

The easiest way to configure SSO is to use a link to your identity provider's metadata file if they provide one. Simply select Metadata URL, enter the URL, and click Save. QuestionPro will download the configuration file, parse it, and configure everything.

Survey Software Help Image

How can you set up SSO using Metadata File?

Some identity providers require you to download the metadata file instead of giving you a link. In that case, select the Metadata File option, choose the file you downloaded from your identity provider, and click Save. This sends the file to QuestionPro, where it is parsed and the crucial information is extracted. It is important to note that QuestionPro does not save the metadata file. If you must make any configuration changes, you will need to upload the file again or make changes using the Manual Settings option.

Survey Software Help Image

How can you set up SSO using Manual Settings?

In order to manual set up the configuration, you will need to provide two things:

  1. Entity ID / User
  2. X509 Certificate

User Attributes

The SAML identity provider must be configured to provide only one attribute: emailAddress.

This attribute allows QuestionPro to properly identify the user and automatically provision access.

Can we map new users to a specific Business Unit/ Team in QuestionPro?

Yes. It is possible to map new users to a specific Business Unit/ Team, to do that add the user attribute named "teamName" in your SAML assertion which will contain the team name from your QuestionPro account or add the user attribute named "businessUnitID" in your SAML Assertion which will contain the business unit ID (Team ID) from your QuestionPro account. This will add the new user under a specific Business Unit/ Team whose ID/Name is present in the user's profile field.

Can we restrict users to login via SSO only?

Yes, you can do that by enabling the Restrict login to SSO option

Survey Software Help Image

If Restrict login to SSO is disabled all users will be able to log in via both the IdP and QuestionPro

If the Restrict Login to SSO is enabled, any users that attempt to login directly via QuestionPro will not be able to and will see the following message: "This account is restricted to Single Sign-On only. Please contact your account admin for assistance."

What is Logout URL?

If you want the users to be redirected to a specific page once they logout from QuestionPro, you can use the Logout URL option.

Survey Software Help Image

Please note that this is a simple redirection and not Single Log-Out.

Can we authenticate user via SSO before accessing report links?

Yes. It is possible to enable SSO authentication on Report links. To enable SSO for report links

  • Go to: User Profile >> Global Settings
  • Under your existing SSO Authentication set up, switch the Restrict Report Links to SSO only toggle ON.
  • This will make the report links accesible via SSO only.
Survey Software Help Image

License

This feature is available with the following license:

Enterprise

Was this article helpful?
Sorry about that
How can we improve it?
Submit