QuestionPro - SSO

What is SSO?

SSO stands for "single sign-on". SSO allows you to authenticate your QuestionPro account or your survey against a third-party system. You can verify whether respondents have a legitimate user ID at your web application and then authenticate them to access the QuestionPro.

This Wikipedia article covers SSO in more detail

QuestionPro supports two basic types of SSO authentication:


2. HMAC-SHA1 (Single Sign-On)


SAML stands for Security Assertion Markup Language. It is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML authentication requires that the third-party application has a working SAML Identity Provider implemented. The identity provider acts as a producer of SAML assertions while the service provider acts as a consumer of assertions.

A SAML assertion element generally contains the following child elements:
Element Description / Value
Contains the unique identifier of the identity provider.
Identifies the authenticated principal (but in this case the identity of the principal is hidden behind an opaque transient identifier, for reasons of privacy).
Gives the conditions under which the assertion is to be considered valid.
Describes the act of authentication at the identity provider.

QuestionPro implements SAML authentication through the following process:

1. SAML authentication can be set up from My Account >> Authentications.

2. While setting up the authentication, you will have to enter the issuer .

3. For authentication, the third party application will have to submit SAML Assertion to the following endpoint:

4. QuestionPro will read the X509 certificate in the SAML assertion and check for the issuer. If the issuer matches the issuer set under Security, the authentication will succeed.


HMAC stands for hash-based message authentication code. This authentication is a product of a hash function applied to the body of a message along with a secret key. So rather than sending the authentication data via a Web service request, you send some identifier for the private key and an HMAC. When the server receives the request, it looks up the user's private key and uses it to create an HMAC for the incoming request. If the HMAC submitted with the request matches the one calculated by the server, then the request is authenticated.

The security identifiers / tokens will be sent to QuestionPro via the survey URL parameters. The token's data will be part of the query string.

HMAC-SHA1 authentication can be set up for your survey from Edit Survey >> Security

While setting up the authentication, you will have to enter:

1. Key: A 36 character key that is used for hashing the time in seconds.

2. Timestamp: The time window for which the survey URL will be valid.

You'll need to pass the following security token fields via the URL:

Name Description / Value Required
surveyID Survey ID &#10004
ts When the token was created in UTC time (seconds). &#10004
hash HMAC-SHA1 hash of the seconds (UTC) &#10004
mode Value for this parameter is always hmacSha1 &#10004

Sample code:

public String getAuthURL(String surveyID, String hashKey){ long ms = getUTCMillis(); long seconds = (ms/1000); String hash = hmacSha1(String.valueOf(seconds),hashKey); String params = "surveyID="+surveyID+"&ts=" + seconds + "&hash=" + hash + "&mode=hmacSha1" return ""+params; }

DES Encrypted Custom Variables

This security option allow you to pass additional data to the survey using DES encryption. You can pass data through the survey URL in encrypted format, the data will be decrypted and saved as part of the response.

DES Encryption can be set up for your survey from Edit Survey » Security

You'll need to enter a 8 character key which will be used to encrypt / decrypt the custom variables. You can refer the sample code given below to encrypt the variables:

Sample code:

public static String encriptDES(String passPhrase, String value) throws Exception { SecretKey key = new SecretKeySpec(passPhrase.getBytes(), "DES"); Cipher ecipher = Cipher.getInstance(key.getAlgorithm()); ecipher.init(Cipher.ENCRYPT_MODE, key); byte[] utf8 = value.getBytes("UTF8"); byte[] enc = ecipher.doFinal(utf8); return base64Encode(enc); }

Facebook Connect

Facebook Connect SSO allows respondents to log in to the survey with their Facebook credentials. The system stores Facebook details on who took the survey as custom variables. You can capture the following details:

  • Custom Variable 1: Facebook UID (numeric user id)
  • Custom Variable 2: First / Last Name
  • Custom Variable 3: Language
  • Custom Variable 4: Gender
  • Custom Variable 5: Date Of Birth

Facebook Connect SSO can be set up for your survey from Edit Survey » Security

QuestionPro is the leader in online surveys, polls and questionnaires