Configuring SAML as an Identity Provider

Suite
Customer Experience Employee Experience Strategy & Research
Product
Qualtrics
What's on this page

About Configuring SAML as an Identity Provider

Qualtrics has the ability to connect with any Identity Provider (IdP) system that meets the SAML Technical Requirements. The system-specific instructions provided here are not all-inclusive; only IdP systems that are most often configured with Qualtrics have instructions publicly available. If your system is not included, more detailed settings will be provided by Qualtrics during the implementation process.

You can find our full metadata file in your Organization SSO settings. However, please find our Assertion Consumer URL and Entity ID below:

Assertion Consumer URL (ACS URL): https://OrganizationID.datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
Entity ID: https://OrganizationID.datacenter.qualtrics.com

Depending on your IdP, you may need to use one metadata file over the other.

Qtip: Don’t know your OrganizationID or datacenter? Click the hyperlinks in either this Qtip or any of the sections on this support page for directions to find them.

Active Directory Federation Service (ADFS)

GENERAL SETTINGS

Qualtrics has the ability to connect with Microsoft Active Directory Federation Service (ADFS). You can find our full metadata file in your Organization SSO settings.

The link found in the Organization settings can be uploaded into the Set-up Wizard to pre-populate the following settings:

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize
Attention: If you are unsure of how to do this, please reach out to Microsoft ADFS support.

ATTRIBUTES

Qualtrics requires LDAP Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

LDAP configuration in a table
LDAP configuration in a table
Qtip: Qualtrics is only able to consume attributes passed within the Attribute Statement of the SAML response. For that reason, please do not select “Name ID” as the Outgoing Claim Type for any of your LDAP Attributes.

Microsoft Entra

Qualtrics has the ability to connect with Microsoft Entra via the Qualtrics Enterprise Application or a custom application.

Qtip: Please note that within Microsoft Entra, the name of the Qualtrics Enterprise Application is SAP Qualtrics.

ENTERPRISE APPLICATION SETTINGS

When configuring the Qualtrics Enterprise Application within Microsoft Entra, the settings below can be used:

The fields where you enter this info in Microsoft Entra
The fields where you enter this info in Microsoft Entra
Attention: The Qualtrics enterprise application doesn’t support IdP-initiated SSO. If you’d like to support an IdP-initiated login, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the Qualtrics custom application within Microsoft Entra, the settings below can be used:

Fields in Azure
Fields in Azure

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Below are the usual attributes:

Field in Qualtrics Attribute Name
Email Address http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Centrify

Qualtrics has the ability to connect with Centrify via the Qualtrics default web application or a custom application.

DEFAULT WEB APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics default application within Centrify, the settings below can be used:

Info for Qualtrics entered into Centrify
Info for Qualtrics entered into Centrify
Attention: The Qualtrics Enterprise Application doesn’t support IdP-initiated SSO. If you’d like to support IdP-initiated logins, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Centrify, the settings below can be used:

Centrify
Centrify

more fields for adding SAML
more fields for adding SAML

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

G-Suite

Qualtrics has the ability to connect with Google G-Suite via the default application or a custom application.

DEFAULT APPLICATION SETTINGS

When configuring the default application within G-Suite, the settings below can be used:

G-Suit screenshot showing the fields for ACS URL, Entity ID, and Start URL
G-Suit screenshot showing the fields for ACS URL, Entity ID, and Start URL

Qtip: The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Start URL will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Custom Application SETTINGS

When configuring a custom application within G-Suite, the settings below can be used:

GSuite fields
GSuite fields

Qtip: The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Start URL will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional. 

primary email, first name, and last name fields on g-suite
primary email, first name, and last name fields on g-suite
Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Okta

Qualtrics has the ability to connect with Okta via the Qualtrics SAML default application or a custom application.

DEFAULT APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics SAML default application within Okta, the settings below can be used:

Grey modal of Okta
Grey modal of Okta

SAML settings
SAML settings

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Okta, the settings below can be used:

Attribute fields in okta
Attribute fields in okta

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

adding SAML attributes
adding SAML attributes
Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Below are the usual attributes:

Field in Qualtrics Attribute Name
Email Address email
User Name user
First Name firstName
Last Name lastName

OneLogin

Qualtrics has the ability to connect with OneLogin via the Qualtrics default application or a custom application.

ENTERPRISE APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics default application within OneLogin, the settings below can be used:

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

CUSTOM APPLICATION SETTINGS

When configuring the Qualtrics custom application within OneLogin, the settings below can be used:

OneLogin fields in white
OneLogin fields in white

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

PingFederate

GENERAL SETTINGS

Qualtrics has the ability to connect with PingFederate. When configuring a trust within PingFederate, the settings below can be used:

The greys, oranges, and whites of the ping federate website
The greys, oranges, and whites of the ping federate website

Qtip: The TargetResource is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the TargetResource will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the TargetResource. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

adding username and email attributes
adding username and email attributes
Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Salesforce

Qualtrics has the ability to connect with Salesforce when Salesforce is used as an Identity Provider. You’ll need to configure the settings in your Single Sign-On Settings and in a Connected App in the Identity Provider Organization.

SINGLE SIGN-ON SETTINGS

When configuring the Single Sign-On Settings, the settings below can be used:

on the saml sso window in salesforce, the entity ID is on the right
on the saml sso window in salesforce, the entity ID is on the right

CONNECTED APP IN THE IDENTITY PROVIDER ORGANIZATION

When configuring the connected app in the identity provider organization, the settings below can be used:

all the fields listed here are towards the bottom of the window in the section labeled web app settings
all the fields listed here are towards the bottom of the window in the section labeled web app settings

Qtip:  The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://OrganizationID.datacenter.qualtrics.com” for the START URL.

By default, the Start URL will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics ControlPanel
Employee Experience ee/dashboards
360 EX/ParticipantPortal
Customer Experience Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

NetIQ

Qualtrics has the ability to connect with NetIQ Access Manager from Micro Focus when a SAML 2.0 Trusted Service Provider is created. You can find our full metadata file in your Organization SSO settings.

Please use the below information to populate the Metadata section of your Trust:

Image of the Metadata configuration for NetIQ
Image of the Metadata configuration for NetIQ

Configuration

Under the Authentication Response Section, please apply the following settings:

image of the Authentication Response Section of the NetIQ Configuration
image of the Authentication Response Section of the NetIQ Configuration

Attributes

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Was this helpful?

The feedback you submit here is used only to help improve this page.

That's great! Thank you for your feedback!

Thank you for your feedback!