SSO Best Practices

The following are best practices that every organization should follow when implementing Single Sign-On (SSO) with QuestionPro.

Gather necessary details about the application:

How a company implements SSO depends on the applications it plans to reach through it. Start by understanding how QuestionPro's SAML SSO is set up and what it requires, then pick the Identity Provider that will be connected to QuestionPro.

Choose the Identity Provider (IDP):

It is important to determine the right framework for your SSO implementation. Security Assertion Markup Language (SAML) is an open, XML-based standard for exchanging authentication and authorization information about an identity between different systems, and its web browser SSO profile is designed specifically for web applications. It is therefore important to choose a reliable and secure Identity Provider for SAML SSO with QuestionPro. Rather than developing your own IDP, use an established third-party IDP such as Okta or OneLogin to set up SAML SSO with QuestionPro.

Verify that the identity directory is accurate:

All SSO solutions depend on an authoritative directory that holds accurate information about the users. Because the organization is consolidating each user's identity across the enterprise, the identities on both sides have to be matched up, and for QuestionPro the matching key is the user's email address. Make sure the correct email address is populated for each user in the application before the switch: a user whose address in the application does not match the address the Identity Provider asserts will not be able to sign in once SSO is enforced.
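The check described above, as an added example that is not QuestionPro's code: a pre-cutover reconciliation of the application's user list against the Identity Provider directory by email address. The two lists are constructed sample exports (both assumed to expose an "email" column, and the IdP export an "active" flag); lower-casing the whole address for matching is also an assumption, stated in the code.

```python
"""Pre-cutover check that every application user matches an IdP identity by email."""
import unicodedata
from typing import Dict, Iterable, List

# Constructed sample data (assumption: both exports expose an "email" column).
IDP_DIRECTORY = [
    {"email": "alice@example.com", "active": True},
    {"email": "Bob.Smith@Example.com", "active": True},   # case differs from the app's record
    {"email": "carol@example.com", "active": False},      # left the company
    {"email": "dave@example.com ", "active": True},       # trailing whitespace in the export
]
APP_USERS = [
    {"email": "alice@example.com", "role": "admin"},
    {"email": "bob.smith@example.com", "role": "editor"},
    {"email": "carol@example.com", "role": "viewer"},
    {"email": "erin@contractor.example", "role": "viewer"},  # never provisioned in the IdP
    {"email": "dave@example.com", "role": "editor"},
]


def normalize_email(addr: str) -> str:
    """Canonical form used for matching on both sides.

    Whitespace and Unicode compatibility forms are stripped and the whole
    address is lower-cased. Lower-casing the local part is an assumption: SMTP
    allows case-sensitive local parts, but directories and SAML emailAddress
    NameIDs are almost always compared case-insensitively."""
    addr = unicodedata.normalize("NFKC", addr).strip()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not an e-mail address: {addr!r}")
    return addr.lower()


def reconcile(idp_directory: Iterable[dict], app_users: Iterable[dict]) -> Dict[str, List[str]]:
    """Classify each application user as ok / inactive / missing / duplicate.

    Anyone in 'missing' or 'inactive' is locked out the moment password login
    is switched off, so those lists must be empty (or deliberately accepted)
    before enforcing SSO-only access."""
    idp_active, idp_inactive = set(), set()
    for entry in idp_directory:
        addr = normalize_email(entry["email"])
        (idp_active if entry.get("active", True) else idp_inactive).add(addr)

    result: Dict[str, List[str]] = {"ok": [], "inactive": [], "missing": [], "duplicates": []}
    seen = set()
    for user in app_users:
        addr = normalize_email(user["email"])
        if addr in seen:
            result["duplicates"].append(addr)   # two app accounts would collapse into one identity
            continue
        seen.add(addr)
        if addr in idp_active:
            result["ok"].append(addr)
        elif addr in idp_inactive:
            result["inactive"].append(addr)
        else:
            result["missing"].append(addr)
    return result


if __name__ == "__main__":
    report = reconcile(IDP_DIRECTORY, APP_USERS)
    for bucket, addrs in report.items():
        print(f"{bucket:10s} {len(addrs):3d}  {', '.join(addrs)}")
```

Run it against the real exports before enabling SSO-only access; the "missing" and "inactive" buckets are the users who would be locked out, and "duplicates" flags application accounts that would merge into a single IdP identity.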

Secure all the components of the SSO system:

Because SSO concentrates authentication in one place, it is also a single point of failure, so every component of the SSO system (the Identity Provider, its administrator accounts, its signing keys and the metadata exchanged with QuestionPro) must be secured within the enterprise. If a malicious user gets hold of someone's SSO credentials, every application registered with the system is at risk; enforcing multi-factor authentication at the Identity Provider limits that exposure.

Consider user privileges:

Before deploying single sign-on, decide who is allowed to do what. Determine which users in the organization are authorized to access the QuestionPro platform and grant privileges accordingly: SSO establishes who a user is, it does not by itself decide what that user may do.

Disallow username/password login:

Once SSO is working, make sure employees can no longer sign in with a username and password; otherwise the password remains a second, weaker way in that bypasses the Identity Provider's controls. In a QuestionPro account this is done by enabling the "Restrict to SSO only" feature.

Enforce session timeouts:

Do not allow users to stay signed in indefinitely; expire idle sessions instead. Use a per-account session timeout setting, or honour the session lifetime the Identity Provider supplies in the SAML response (the SessionNotOnOrAfter attribute of the assertion's AuthnStatement), whichever expires first. When an employee clicks a link in the application after the session has expired, the application should send a new SAML authentication request to the Identity Provider to determine whether the user is still authorized to sign in, rather than silently reviving the old session.

Force sign in:

If the application receives a sign-in request (a new SAML response) while the user's browser already holds an active session, that session should be discarded and replaced with a fresh session for the user named in the new assertion, issued under a new session identifier. This decreases the risk that one user inadvertently sees another user's data, and it lets employees who use SSO portals sign in to different accounts in the same application without first signing out.
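The session-timeout and force-sign-in rules from the two sections above, as one added example that is not QuestionPro's or any Identity Provider's code. It parses the fields a service provider needs from a SAML 2.0 assertion (NameID, Conditions/NotOnOrAfter, AuthnStatement/SessionNotOnOrAfter), expires sessions on idle time or on the IdP's session lifetime, and replaces whatever session the browser already holds when a new assertion arrives. The assertion is a constructed, unsigned sample; the idp.example.com and sp.example.com URLs, the 30-minute idle timeout and the 8-hour fallback lifetime are assumptions, and signature, Issuer, Audience and NotBefore validation are assumed to have already happened before the code runs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
IDLE_TIMEOUT = timedelta(minutes=30)  # per-account idle timeout (assumed value)
MAX_LIFETIME = timedelta(hours=8)     # fallback when the IdP sends no SessionNotOnOrAfter (assumed)
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # "now" for the worked run


def at(minutes: int) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def parse_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


@dataclass
class AssertionInfo:
    name_id: str
    not_on_or_after: datetime                    # saml:Conditions/@NotOnOrAfter
    session_not_on_or_after: Optional[datetime]  # saml:AuthnStatement/@SessionNotOnOrAfter
    session_index: Optional[str]


def parse_assertion(xml_text: str) -> AssertionInfo:
    """Read the subject and validity windows from an already-validated assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("expected a saml:Assertion element")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conditions = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if not name_id or conditions is None or conditions.get("NotOnOrAfter") is None or authn is None:
        raise ValueError("assertion lacks NameID, Conditions/NotOnOrAfter or AuthnStatement")
    session_noa = authn.get("SessionNotOnOrAfter")
    return AssertionInfo(name_id.strip(), parse_time(conditions.get("NotOnOrAfter")),
                         parse_time(session_noa) if session_noa else None, authn.get("SessionIndex"))


@dataclass
class Session:
    name_id: str
    session_index: Optional[str]
    hard_expiry: datetime  # absolute limit; activity never extends it
    last_seen: datetime    # drives the idle timeout


class SessionStore:
    """Minimal service-provider session table keyed by an opaque cookie value."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT, max_lifetime: timedelta = MAX_LIFETIME):
        self.idle_timeout, self.max_lifetime = idle_timeout, max_lifetime
        self.sessions: Dict[str, Session] = {}

    def login(self, assertion_xml: str, now: datetime, existing_sid: Optional[str] = None) -> str:
        """Handle a fresh SAML response; returns the new session id to set as the cookie."""
        info = parse_assertion(assertion_xml)
        if now >= info.not_on_or_after:
            raise ValueError("assertion is no longer valid (NotOnOrAfter has passed)")
        # Force sign-in: whatever session the browser presented is dropped, so the
        # user named in this assertion is the only one reachable through the cookie.
        if existing_sid is not None:
            self.sessions.pop(existing_sid, None)
        hard_expiry = info.session_not_on_or_after or (now + self.max_lifetime)
        sid = secrets.token_urlsafe(32)  # new id: the old cookie value is never reused
        self.sessions[sid] = Session(info.name_id, info.session_index, hard_expiry, now)
        return sid

    def check(self, sid: Optional[str], now: datetime) -> Optional[Session]:
        """Live session for this cookie, or None when a new AuthnRequest must go to the IdP."""
        session = self.sessions.get(sid) if sid else None
        if session is None:
            return None
        if now >= session.hard_expiry or now - session.last_seen >= self.idle_timeout:
            del self.sessions[sid]  # expired sessions are deleted, not merely hidden
            return None
        session.last_seen = now
        return session


def make_assertion(name_id: str, not_on_or_after: str = "2024-05-01T09:05:00Z",
                   session_not_on_or_after: Optional[str] = None) -> str:
    """Constructed, unsigned sample assertion standing in for an IdP response."""
    session_attr = f' SessionNotOnOrAfter="{session_not_on_or_after}"' if session_not_on_or_after else ""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T08:59:00Z" NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z" SessionIndex="_s1"{session_attr}/>
</saml:Assertion>"""


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(make_assertion("alice@example.com", session_not_on_or_after="2024-05-01T10:00:00Z"), at(0))
    print("alive at +10 min:", store.check(sid, at(10)) is not None)  # True
    print("alive at +41 min:", store.check(sid, at(41)) is not None)  # False: idle for 31 minutes
    sid_a = store.login(make_assertion("alice@example.com"), at(0))
    sid_b = store.login(make_assertion("bob@example.com"), at(1), existing_sid=sid_a)
    print("old session gone:", store.check(sid_a, at(2)) is None)     # True: replaced by bob's
```

Two design points worth noting: the hard expiry taken from SessionNotOnOrAfter is never extended by activity, so a user who keeps clicking still gets sent back to the Identity Provider when the IdP's lifetime ends, and the old session is deleted (and a fresh identifier minted) on every new login rather than being overwritten in place, so a cookie captured earlier cannot be replayed into the new user's session.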
