Skip to main content
Skip to article
  • Qualtrics Platform
    Qualtrics Platform
  • Customer Journey Optimizer
    Customer Journey Optimizer
  • XM Discover
    XM Discover
  • Qualtrics Social Connect
    Qualtrics Social Connect

Configuring SAML as an Identity Provider

Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!

About Configuring SAML as an Identity Provider

Qualtrics has the ability to connect with any Identity Provider (IdP) system that meets the SAML Technical Requirements. The system-specific instructions provided here are not all-inclusive; only IdP systems that are most often configured with Qualtrics have instructions publicly available. If your system is not included, more detailed settings will be provided by Qualtrics during the implementation process.

You can find our full metadata file in your Organization SSO settings. However, please find our Assertion Consumer URL and Entity ID below:

  1. Assertion Consumer URL (ACS URL): 
    https://OrganizationID.datacenter.qualtrics.com/login/v1/sso/saml2/default-sp
  2. Entity ID: 
    https://OrganizationID.datacenter.qualtrics.com

Depending on your IdP, you may need to use one metadata file over the other.

Qtip: Don’t know your OrganizationID or datacenter? Click the hyperlinks in either this Qtip or any of the sections on this support page for directions to find them.

Active Directory Federation Service (ADFS)

GENERAL SETTINGS

Qualtrics has the ability to connect with Microsoft Active Directory Federation Service (ADFS). You can find our full metadata file in your Organization SSO settings.

The link found in the Organization settings can be uploaded into the Set-up Wizard to pre-populate the following settings:

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize
Attention: If you are unsure of how to do this, please reach out to Microsoft ADFS support.

ATTRIBUTES

Qualtrics requires LDAP Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

LDAP configuration in a table

Qtip: Qualtrics is only able to consume attributes passed within the Attribute Statement of the SAML response. For that reason, please do not select “Name ID” as the Outgoing Claim Type for any of your LDAP Attributes.

Azure

Qualtrics has the ability to connect with Microsoft Azure via the Qualtrics Enterprise Application or a custom application.

Qtip: Please note that within Microsoft Azure, the name of the Qualtrics Enterprise Application is SAP Qualtrics.

ENTERPRISE APPLICATION SETTINGS

When configuring the Qualtrics Enterprise Application within Azure, the settings below can be used:

The fields where you enter this info in Azure

Attention: The Qualtrics enterprise application doesn’t support IdP-initiated SSO. If you’d like to support an IdP-initiated login, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the Qualtrics custom application within Azure, the settings below can be used:

Fields in Azure

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Centrify

Qualtrics has the ability to connect with Centrify via the Qualtrics default web application or a custom application.

DEFAULT WEB APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics default application within Centrify, the settings below can be used:

Info for Qualtrics entered into Centrify

Attention: The Qualtrics Enterprise Application doesn’t support IdP-initiated SSO. If you’d like to support IdP-initiated logins, you will need to configure a custom application.

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Centrify, the settings below can be used:

Centrify

more fields for adding SAML

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

G-Suite

Qualtrics has the ability to connect with Google G-Suite via the default application or a custom application.

DEFAULT APPLICATION SETTINGS

When configuring the default application within G-Suite, the settings below can be used:

G-Suit screenshot showing the fields for ACS URL, Entity ID, and Start URL

Qtip: The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Start URL will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Custom Application SETTINGS

When configuring a custom application within G-Suite, the settings below can be used:

GSuite fields

Qtip: The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Start URL will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional. 

primary email, first name, and last name fields on g-suite

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Okta

Qualtrics has the ability to connect with Okta via the Qualtrics SAML default application or a custom application.

DEFAULT APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics SAML default application within Okta, the settings below can be used:Grey modal of Okta

SAML settings

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

CUSTOM APPLICATION SETTINGS

When configuring the custom application within Okta, the settings below can be used:

Attribute fields in okta

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

adding SAML attributes

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

OneLogin

Qualtrics has the ability to connect with OneLogin via the Qualtrics default application or a custom application.

ENTERPRISE APPLICATION SETTINGS

Attention: Please use the custom application when configuring SAML settings in the Organization SSO tab.

When configuring the Qualtrics default application within OneLogin, the settings below can be used:

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

CUSTOM APPLICATION SETTINGS

When configuring the Qualtrics custom application within OneLogin, the settings below can be used:

OneLogin fields in white

Qtip: The Relay State is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the Relay State will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Relay State. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

PingFederate

GENERAL SETTINGS

Qualtrics has the ability to connect with PingFederate. When configuring a trust within PingFederate, the settings below can be used:

The greys, oranges, and whites of the ping federate website

Qtip: The TargetResource is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. By default, the TargetResource will take users to the Homepage of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the TargetResource. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The endpoint should be added to the endpoint URL as follows:

https://OrganizationID.datacenter.qualtrics.com/endpoint?ssoConfigId=

The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics /ControlPanel
Employee Experience /ee/dashboards
360 /EX/ParticipantPortal
Customer Experience /Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

adding username and email attributes

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

Salesforce

Qualtrics has the ability to connect with Salesforce when Salesforce is used as an Identity Provider. You’ll need to configure the settings in your Single Sign-On Settings and in a Connected App in the Identity Provider Organization.

SINGLE SIGN-ON SETTINGS

When configuring the Single Sign-On Settings, the settings below can be used:

on the saml sso window in salesforce, the entity ID is on the right

CONNECTED APP IN THE IDENTITY PROVIDER ORGANIZATION

When configuring the connected app in the identity provider organization, the settings below can be used:

all the fields listed here are towards the bottom of the window in the section labeled web app settings

Qtip:  The Start URL is only needed if you would like users to be able to login to the platform via IdP-initiated SSO. If your Qualtrics brand has a vanity URL, you can use the vanity URL in place of “https://OrganizationID.datacenter.qualtrics.com” for the START URL.

By default, the Start URL will take users to the Projects page of their account. If you would like to more directly control where users land when they enter their account, you can append an endpoint to the Start URL. The endpoint will vary depending on the platform you would like users to redirect to upon successful authentication. The table below summarizes what the endpoint should be set to for each platform:

Platform Endpoint
Standard Qualtrics ControlPanel
Employee Experience ee/dashboards
360 EX/ParticipantPortal
Customer Experience Vocalize

ATTRIBUTES

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).

NetIQ

Qualtrics has the ability to connect with NetIQ Access Manager from Micro Focus when a SAML 2.0 Trusted Service Provider is created. You can find our full metadata file in your Organization SSO settings.

Please use the below information to populate the Metadata section of your Trust:

Image of the Metadata configuration for NetIQ

Configuration

Under the Authentication Response Section, please apply the following settings:
image of the Authentication Response Section of the NetIQ Configuration

Attributes

Qualtrics requires SAML Attributes to be released for use in the Username and Email Address Qualtrics fields. All other attributes are optional.

Qtip: The Username attribute must contain values that are unique, unchanging, and not confidential. The Email Address attribute must contain values in the format of an email (i.e., value@email.com).