
Configuring SAML as an Identity Provider


About Configuring SAML as an Identity Provider

Qualtrics has the ability to connect with any Identity Provider (IdP) system that meets the SAML Technical Requirements. The system-specific instructions provided here are not all-inclusive; only IdP systems that are most often configured with Qualtrics have instructions publicly available. If your system is not included, more detailed settings will be provided by Qualtrics during the implementation process.

Generally, we have two metadata links that we give out:

  1. Metadata containing only SHA2 certificates:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/sha2-metadata
  2. Metadata containing both SHA1 and SHA2 certificates:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/metadata

Depending on your IdP, you may need to use one metadata file over the other.

SAML Certificate Rotation

Qualtrics is deprecating SHA1 certificates on March 31, 2020 and is deprecating our existing SHA2 certificate on September 30, 2020. All organizations using SSO should rotate their certificate to our new SHA2 certificate that remains valid until 2029.

We have two sets of instructions that will help you rotate your certificates: one for those who use InCommon to configure SAML, and one for those who do not use InCommon.

Attention: The troubleshooting steps described in this section can only be performed by a Brand Administrator.

Organizations using InCommon

Qualtrics takes care of adding the new certificate to InCommon. For a period of time, both the new and the old certificates will be accepted. When the old certificate is deprecated, it will be removed from InCommon as well.

You will need to update your metadata if your Identity Provider is not configured to automatically pull in the changes to the metadata.

Optionally, if you would like to test the new certificate before the deadline, you can force its use in AuthN request signatures by selecting the Use Updated Certificate checkbox found in Organization Settings under SAML Settings. If this is not done, we will continue to use the older certificate to sign AuthN requests until the deprecation deadline.

In the Organization Settings page, at the very bottom, under SAML Settings, a check box next to the phrase Use Updated Certificate

Organizations not using InCommon

Where to find the new SAML certificate

Brand Administrators can access this information from their Admin page. Specifically, go to your Organization Settings and look under SAML Settings.

In the Organization Settings page, at the very bottom, under SAML Settings, a check box next to the phrase Use Updated Certificate

If you don’t manage to rotate the certificate before the due date, you may lose access to Qualtrics. You can still download your brand’s metadata and our new certificate using the following URL after replacing <brandId> with the brand ID associated with your Qualtrics license.

https://ca1.qualtrics.com/login/v1/sso/saml2/metadata?brandId=<brandId>

If you just need our new certificate without the rest of the metadata, you can find it at the below URL:

https://ca1.qualtrics.com/login/v1/sso/saml2/metadata/cert/sha2

Certificate Rotation Steps

  1. Go to Admin.
    Upper-right of page: Admin selected at top, then organization settings
  2. Go to the Organization Settings.
  3. Scroll all the way down and look under SAML Settings.
    Bottom of page. Heading says SAML settings. Two links and a checkbox
  4. Download the new certificate and use it to update your organization’s Identity Provider. In the SAML Settings section, you will see two links:
    • The first link is for an updated version of the metadata. The metadata contains certificates for both signing and encryption. These might be the same certificate. If you see multiple certificates in the metadata for a given use (signing or encryption), the first certificate provided is the most recent certificate and should always be preferred. Any other certificates listed below these are in the process of being rotated out. If Qualtrics has determined a date by which we will stop supporting a certificate, that date will be provided in the keyName attribute for that certificate.
    • The second link provides you with just the certificate. Some identity providers only require the new certificate and don’t need the entire metadata. For this reason, we provide just the PEM formatted certificate for your convenience.
  5. Select the Use Updated Certificate checkbox.
  6. Save the settings.
    Back at the top of the page, in upper-right, is a Save button
  7. Without ending your current session, attempt to log in from an incognito or private browser window. If you can log in, you have successfully completed the certificate rotation.
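The metadata layout described in step 4 (newest certificate listed first for each use, deprecation date carried in the keyName) and the certificate-only download link, as an added Python example that is not Qualtrics code: it parses a metadata document, ranks the certificates per use, fingerprints the stand-alone PEM download for comparison, and reports whether an IdP still trusts a certificate that is being phased out. The XML document, the certificate bytes and the KeyName text are constructed stand-ins, not real Qualtrics values.

```python
# Added example (not Qualtrics code): inspect SP metadata during a certificate rotation.
# The page says each <KeyDescriptor use="..."> lists certificates newest-first and that a
# <KeyName> may carry the date on which support for a certificate ends. Certificate bytes
# and the KeyName text below are CONSTRUCTED placeholders, not real Qualtrics certificates.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes (base64, as they appear in metadata).
NEW_CERT_B64 = base64.b64encode(b"constructed-new-sha2-certificate-bytes").decode()
OLD_CERT_B64 = base64.b64encode(b"constructed-old-certificate-bytes").decode()

# Constructed metadata in the shape the page describes: two signing certificates (newest
# first, the older one carrying a deprecation date in KeyName) and one encryption certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://datacenter.qualtrics.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>deprecated 2020-09-30</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER bytes, colon-separated as IdP consoles usually show it."""
    der = base64.b64decode("".join(cert_b64.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the stand-alone PEM download (the certificate-only link on the page)."""
    return fingerprint(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem))


def certs_by_use(metadata_xml: str) -> dict:
    """Map use -> [(fingerprint, key_name), ...] in document order, so index 0 is the newest."""
    out: dict = {}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        key_name = kd.findtext(".//ds:KeyName", default="", namespaces=NS).strip()
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        for use in kd.get("use", "signing encryption").split():
            out.setdefault(use, []).append((fingerprint(cert), key_name))
    return out


def preferred_cert(metadata_xml: str, use: str = "signing") -> str:
    """The first certificate listed for a use is the one to install in the IdP."""
    return certs_by_use(metadata_xml)[use][0][0]


def rotation_status(metadata_xml: str, idp_fingerprint: str, use: str = "signing") -> str:
    """Classify the certificate the IdP currently trusts against what the metadata advertises."""
    listed = certs_by_use(metadata_xml).get(use, [])
    if not listed:
        return f"error: metadata advertises no {use} certificate"
    if idp_fingerprint == listed[0][0]:
        return "current: IdP already trusts the newest certificate"
    for fp, key_name in listed[1:]:
        if fp == idp_fingerprint:
            return f"rotate: IdP trusts a certificate being phased out ({key_name or 'no KeyName'})"
    return "unknown: the IdP's certificate is not in the metadata; check the IdP configuration"


if __name__ == "__main__":
    pem = f"-----BEGIN CERTIFICATE-----\n{NEW_CERT_B64}\n-----END CERTIFICATE-----\n"
    assert pem_fingerprint(pem) == preferred_cert(SAMPLE_METADATA)
    print(rotation_status(SAMPLE_METADATA, fingerprint(OLD_CERT_B64)))
```

Against live metadata, compare the fingerprint your IdP shows for the Qualtrics signing certificate with `preferred_cert()` of the downloaded metadata before ticking Use Updated Certificate.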

Rollback steps

If you encountered a login failure after completing the above steps, follow these steps to roll back your changes while diagnosing the problem:

  1. Go back to your current session and deselect the Use Updated Certificate checkbox in Admin > Organization Settings > SAML Settings.
  2. Save the settings.
  3. After saving the settings, if needed, use the metadata or certificate links to retrieve your old metadata and certificate.
  4. Update your Identity Provider to use the old certificate and metadata.
  5. Please have your IT team debug the problem and then repeat the Certificate Rotation steps. If you still encounter login failures after rolling back your changes and repeating the certificate rotation, contact Qualtrics Support for further assistance.

What does the Use Updated Certificate checkbox do?

When Qualtrics sends your Identity Provider an AuthN request, this might include a signature to verify our identity. This signature is created using the signing certificate we have exchanged with your Identity Provider.

During a certificate rotation it is no longer clear which certificate we should use for your Identity Provider. Checking the Use Updated Certificate checkbox tells us you have configured the new certificate in your Identity Provider and that we should use this when we sign the request.

What about encryption certificates?

During the rotation period, we will support SAML Responses encrypted with any encryption certificate listed in our metadata. Once a certificate is deprecated on the date communicated to you or provided in the keyName attribute in the metadata, we will no longer use that certificate to decrypt responses. The Use Updated Certificate option does not affect this behavior.

Active Directory Federation Service (ADFS)

GENERAL SETTINGS

Qualtrics has the ability to connect with Microsoft Active Directory Federation Service (ADFS). When configuring a trust within ADFS, this is our SHA2 metadata link:

https://datacenter.qualtrics.com/login/v1/sso/saml2/sha2-metadata?showDeprecated=false

This link can be uploaded into the Set-up Wizard to pre-populate the following settings:

  • Relying Party Trust Identifier (SP Entity ID):
    https://datacenter.qualtrics.com
  • Endpoint (Assertion Consumer Service URL):
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp

Qtip: If you would like users to be able to log in to the platform via IdP-initiated SSO, your IT team will have to build an IdP link, including the Qualtrics Relay State (https://brandID.datacenter.qualtrics.com). If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Relay State.

By default, the Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

Attention: If you are unsure of how to do this, please reach out to Microsoft ADFS support.

ATTRIBUTES

Qualtrics requires LDAP Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).


Qtip: Qualtrics is only able to consume attributes passed within the Attribute Statement of the SAML response. For that reason, please do not select “Name ID” as the Outgoing Claim Type for any of your LDAP Attributes.

Azure

Qualtrics has the ability to connect with Microsoft Azure via the Qualtrics Enterprise Application or a custom application.

ENTERPRISE APPLICATION SETTINGS

When configuring the Qualtrics Enterprise Application within Azure, the settings below can be used:


  • Sign on URL (SP base URL):
    https://brandID.datacenter.qualtrics.com
  • Identifier (SP Entity ID):
    https://datacenter.qualtrics.com
  • Reply URL (Assertion Consumer Service URL):
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp

Attention: The Qualtrics enterprise application doesn’t support IdP-initiated SSO. If you’d like to support an IdP-initiated login, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the Qualtrics custom application within Azure, the settings below can be used:


  • Identifier (SP Entity ID):
    https://datacenter.qualtrics.com
  • Reply URL (Assertion Consumer Service URL):
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Sign On URL (SP base URL):
    https://brandID.datacenter.qualtrics.com
  • Relay State:
    https://brandID.datacenter.qualtrics.com

Qtip: The Relay State is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Relay State.

By default, the Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

Centrify

Qualtrics has the ability to connect with Centrify via the Qualtrics default web application or a custom application.

DEFAULT WEB APPLICATION SETTINGS

When configuring the Qualtrics default application within Centrify, the settings below can be used:


Attention: The Qualtrics Enterprise Application doesn’t support IdP-initiated SSO. If you’d like to support IdP-initiated logins, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Centrify, the settings below can be used:


  • SP Entity ID / Issuer / Audience:
    https://datacenter.qualtrics.com
  • Assertion Consumer Service (ACS) URL:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Recipient:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp

Qtip: The Relay State is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Relay State.

By default, the Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

G-Suite

Qualtrics has the ability to connect with Google G-Suite via the default application or a custom application.

DEFAULT APPLICATION SETTINGS

When configuring the default application within G-Suite, the settings below can be used:


  • ACS URL (Assertion Consumer Service URL): https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Entity ID (SP Entity ID): https://datacenter.qualtrics.com
  • Start URL (Relay State): https://brandID.datacenter.qualtrics.com

Qtip: The Start URL is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Start URL.

By default, the Start URL will take users to the Projects page within their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

CUSTOM APPLICATION SETTINGS

When configuring a custom application within G-Suite, the settings below can be used:


  • ACS URL (Assertion Consumer Service URL):
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Entity ID (SP Entity ID):
    https://datacenter.qualtrics.com
  • Start URL (Relay State):
    https://brandID.datacenter.qualtrics.com

Qtip: The Start URL is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Start URL.

By default, the Start URL will take users to the Projects page within their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

primary email, first name, and last name fields on g-suite

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

Okta

Qualtrics has the ability to connect with Okta via the Qualtrics SAML default application or a custom application.

DEFAULT APPLICATION SETTINGS

When configuring the Qualtrics SAML default application within Okta, the settings below can be used:


Qtip: The Default Relay State is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Default Relay State.

By default, the Default Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Default Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Okta, the settings below can be used:


  • Single sign on URL (Assertion Consumer Service URL):
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
    Qtip: Be sure that Use this for Recipient URL and Destination URL is checked.
  • Audience URI (SP Entity ID):
    https://datacenter.qualtrics.com
  • Default Relay State:
    https://brandID.datacenter.qualtrics.com

Qtip: The Default Relay State is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Default Relay State.

By default, the Default Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Default Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

OneLogin

Qualtrics has the ability to connect with OneLogin via the Qualtrics default application or a custom application.

DEFAULT APPLICATION SETTINGS

When configuring the Qualtrics default application within OneLogin, the settings below can be used:

  • SAML Audience (SP Entity ID): https://datacenter.qualtrics.com
  • SAML Consumer URL (Assertion Consumer Service URL): https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • SAML Recipient (Assertion Consumer Service URL): https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Relay State: https://brandID.datacenter.qualtrics.com

Qtip: The Relay State is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Relay State.

By default, the Relay State will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

CUSTOM APPLICATION SETTINGS

When configuring a custom application within OneLogin, the settings below can be used:

  • Audience (SP Entity ID):
    https://datacenter.qualtrics.com
  • Recipient:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • ACS (Consumer) URL Validator:
    ^https:\/\/datacenter.qualtrics.com\/login\/v1\/sso\/saml2\/default-sp*
  • ACS (Consumer) URL:
    https://datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  • Login URL (SP Entity ID):
    https://datacenter.qualtrics.com

Qtip: The RelayState is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the RelayState.

By default, the RelayState will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the RelayState. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

PingFederate

GENERAL SETTINGS

Qualtrics has the ability to connect with PingFederate. When configuring a trust within PingFederate, the settings below can be used:


  • Partner’s Entity ID / Connection ID (SP Entity ID):
    https://datacenter.qualtrics.com
  • Base URL (Beginning of ACS URL / Entity ID):
    https://datacenter.qualtrics.com
  • Assertion Consumer Service (ACS) URL (End of the ACS URL):
    /login/v1/sso/saml2/default-sp
  • TargetResource (Relay State):
    https://brandID.datacenter.qualtrics.com

Qtip: The TargetResource is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the TargetResource.

By default, the TargetResource will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the TargetResource. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

Salesforce

Qualtrics has the ability to connect with Salesforce when Salesforce is used as an Identity Provider. You’ll need to configure the settings in your Single Sign-On Settings and in a Connected App in the Identity Provider Organization.

SINGLE SIGN-ON SETTINGS

When configuring the Single Sign-On Settings, the settings below can be used:


CONNECTED APP IN THE IDENTITY PROVIDER ORGANIZATION

When configuring the connected app in the identity provider organization, the settings below can be used:

all the fields listed here are towards the bottom of the window in the section labeled web app settings

Qtip: The Start URL is only needed if you would like users to be able to log in to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://brandID.datacenter.qualtrics.com” for the Start URL.

By default, the Start URL will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform              Endpoint
CoreXM                ControlPanel
Employee Experience   360
Customer Experience   Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).

NetIQ

Qualtrics has the ability to connect with NetIQ Access Manager from Micro Focus when a SAML 2.0 Trusted Service Provider is created. This is our SHA2 metadata link:

https://datacenter.qualtrics.com/login/v1/sso/saml2/sha2-metadata

Please use the below information to populate the Metadata section of your Trust:


Configuration

Under the Authentication Response Section, please apply the following settings:

Attributes

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email address (e.g., value@email.com).