SSO Implementation Considerations
What's on this page
About SSO Implementation Considerations
Qualtrics is able to implement Single Sign-On (SSO) or change the SSO type used for any existing brand. There are many factors that are considered when determining whether or not to implement SSO on a Qualtrics brand.
Attention: This page describes steps for paid SSO implementations, which may be an add-on for your license. Contact your account team if you have questions about what’s included in your license. For information on setting up your own SSO connection without assisted Qualtrics implementation, see Configuring Organization SSO Settings.
Qualtrics SSO Implementation Process
Enabling SSO on an Established Brand
Enabling SSO on a newly created Qualtrics brand is considerably less complex than enabling SSO on an established brand. Established brands have existing accounts, and when SSO is enabled those accounts must be updated in order to ensure that SSO authentication will work.
Changing your brand to an SSO-enabled brand can cause Qualtrics usernames to change in 2 ways:
If a small number of accounts exist on the brand prior to enabling SSO, Qualtrics can work with your Brand Administrators and IT department to manually update these accounts.
If a large number of accounts exist on the brand prior to enabling SSO, Qualtrics will run one of our public API calls to update usernames to SSO-compatible values.
SSO in Most Qualtrics Setups
When SSO is enabled in a brand that does not have EX, CX, or 360, the following may be affected.
MANUAL USER CREATION
Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
QUALTRICS API USER CREATION
Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, the API caller should append the “#brandID” suffix to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
SELF-ENROLLMENT USER CREATION
Users can self-enroll when Just-in-time User Provisioning is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”
ACCOUNT ACCESS
Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Login Page | URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login Credentials to use: Qualtrics username and password | Not available |
| Brand-Specific Login Page | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: Qualtrics username and password | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: SSO username and password |
SURVEY TAKING
Regardless of whether or not SSO is enabled for a brand, respondents are only required to authenticate via SSO prior to taking a survey if there is an SSO Authenticator configured in the survey flow. Otherwise, no SSO authentication is needed to just take a survey.
Attention: A Shibboleth (SAML) SSO Authenticator can only be configured if the brand has SAML SSO configured and support SP-initiated logins.
FILE UPLOAD DATA IN DATA and ANALYSIS
Survey owners and collaborators have the ability to require permission to view uploaded files to prevent others from viewing user submitted files. When this is enabled, survey owners and collaborators can always view the File Upload data in the Data & Analysis tab. However, if direct links to the user submitted files are used to try to access the file the following will be true:
SSO is Disabled:
| Generic File Upload Data Link | URL to use: https://datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1 Credentials to use: Qualtrics |
|---|---|
| Brand-Specific File Upload Data Link | URL to use: https://brandID.datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1 Credentials to use: Qualtrics |
SSO is Enabled:
| Generic File Upload Data Link | Not available |
|---|---|
| Brand-Specific File Upload Data Link | URL to use: https://brandID.datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1 Credentials to use: SSO |
SSO and Employee Experience
When SSO is enabled in a brand that has Employee Experience projects like Engagement, Lifecycle, and Pulse, the following may be affected. (For 360, see next section instead.)
MANUAL USER CREATION
Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
CSV IMPORT USER CREATION
Brand Administrators can bulk import users in the Directories tab. When SSO is enabled, a “UserName” column should be added to the CSV file. The “UserName” column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “UserName” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.
QUALTRICS API USER CREATION
Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
SELF-ENROLLMENT USER CREATION
Users can self-enroll when Just-in-time User Provisioning is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”
ACCOUNT ACCESS
Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Login Page | URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login Credentials to use: Qualtrics | Not available |
| Brand-Specific Login Page | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: Qualtrics | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: SSO |
SURVEY TAKING
Regardless of whether or not SSO is enabled for a brand, respondents are only required to authenticate via SSO prior to taking a survey if there is an SSO Authenticator configured in the survey flow. Otherwise, no SSO authentication is needed to just take a survey.
Attention: A Shibboleth (SAML) SSO Authenticator can only be configured if the brand has SAML SSO configured and support SP-initiated logins.
DASHBOARD ACCESS
Users may be required to authenticate via SSO prior to viewing the dashboard, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Dashboard Login Page | URL to use: https://datacenter.qualtrics.com/ee/dashboards Credentials to use: Qualtrics | Not available |
| Dashboard-Specific Invite Link | URL to use: See Dashboard Invite Link Credentials to use: Qualtrics | URL to use: See Dashboard Invite Link Credentials to use: SSO |
SSO and 360
When SSO is enabled in a brand that has 360, the following may be affected.
MANUAL USER CREATION
Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
CSV IMPORT USER CREATION
Brand Administrators can bulk import users in the Directories tab. When SSO is enabled, a “UserName” column should be added to the CSV file. The “UserName” column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Qtip: The suffix “#brandID” will automatically be appended, by the Qualtrics system, to the value in the “UserName” column when the CSV file is uploaded.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “UserName” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.
QUALTRICS API USER CREATION
Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
SELF-ENROLLMENT USER CREATION
Users can self-enroll when Just-in-time User Provisioning is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”
ACCOUNT ACCESS
Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Login Page | URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login Credentials to use: Qualtrics | Not available |
| Brand-Specific Login Page | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: Qualtrics | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: SSO |
PARTICIPANT ACCESS
Subjects and Internal Evaluators must authenticate via SSO prior to accessing their portal when SSO is enabled. The direct survey link can be sent to Internal Evaluators and External Evaluators to allow survey-taking without requiring participants to authenticate via SSO.
SSO and CX Dashboards
When SSO is enabled in a brand that has CX Dashboards, the following may be affected.
MANUAL USER CREATION
Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
CSV IMPORT USER CREATION
Brand Administrators can bulk create dashboard users by importing a file in the User Admin tab. When SSO is enabled, a Username column should be added to the CSV file. The Username column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Qtip: The suffix “#brandID” will be appended to the value in the “Username” column when the CSV file is uploaded. The brandID value will vary depending on the Qualtrics brand.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “Username” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.
QUALTRICS API USER CREATION
Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”
SELF-ENROLLMENT USER CREATION
Users can self-enroll when Just-in-time User Provisioning is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”
AUTOMATIC ROLE ENROLLMENT
When a user logs into Qualtrics via SSO, they can send over additional information about their account from your system. Qualtrics has the ability to use this information to assign and update an account’s CX Dashboards Role via Automatic Role Enrollment.
Attention: CAS 2.0 is not compatible with this feature because they cannot pass over additional attributes to the Qualtrics system. Google OAuth 2.0 can only pass over attributes with a custom OAuth 2.0 connection.
USER ATTRIBUTES
When a user logs into Qualtrics via SSO, they can send over additional information about their Qualtrics account from your system. Qualtrics has the ability to pass and update this information into CX Dashboards to be stored as User Attributes.
Qtip: User Attributes derived from SSO attributes are updated each time a user logs into the platform via SSO.
ACCOUNT ACCESS
Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Login Page | URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login Credentials to use: Qualtrics | Not available |
| Brand-Specific Login Page | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: Qualtrics | URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL Credentials to use: SSO |
DASHBOARD ACCESS
Users may be required to authenticate via SSO prior to viewing the dashboard, depending on the brand’s settings.
| SSO is Disabled | SSO is Enabled | |
|---|---|---|
| Generic Dashboard Login Page | URL to use: https://datacenter.qualtrics.com/vocalize Credentials to use: Qualtrics | Not available |
| Dashboard-Specific Invite Link | URL to use: See Sharing your Dashboard Credentials to use: Qualtrics | URL to use: See Sharing your Dashboard Credentials to use: SSO |
Logging in through Mobile Apps
LOGGING INTO THE QUALTRICS XM APP
Users must authenticate via SSO prior to gaining access to the Qualtrics XM App when SSO is enabled. This login process is explained on the Logging In with Your Organization ID support page.
Attention: Certain SSO types are not compatible with the Qualtrics XM App: 1) Google OAuth 2.0 configurations are not supported and 2) IdP-initiated logins are not supported, so SP-initiated logins must work for Shibboleth/SAML configurations.
Attention: The Qualtrics XM App is included in some Customer Experience and Employee Experience licenses. Talk to your Account Executive to see if you’re eligible.
OFFLINE APP
Users must use their full Qualtrics username and password to login to the Offline App, regardless of whether or not SSO is enabled. This login process is explained on the Entering Your Qualtrics Credentials support page.
Attention: Certain SSO types are not compatible with the Offline App: 1) Google OAuth 2.0 configurations are not supported and 2) IdP-initiated logins are not supported, so SP-initiated logins must work for Shibboleth/SAML configurations.
Attention: Qualtrics Offline Surveys is an add-on feature for your Qualtrics license and will need to be enabled before you can use the app. Check with your Qualtrics representative to see if this feature is already included in your license.
That's great! Thank you for your feedback!
Thank you for your feedback!