Survey Platform - SSO Authentication | Qualtrics

SSO Authenticator

Introduction

The Authenticator feature in Qualtrics is typically used to verify that respondents are found on a contact list that you have uploaded into Qualtrics. With the Single Sign-On (SSO) Authenticator, you can go beyond this and authenticate against a third-party system (e.g., verify that they have a legitimate user ID at your university or have a Facebook account).

The Authenticator feature supports six basic types of SSO authentication:

  • Token: The third-party generates a secure token that allows the respondent (if validated) to automatically login.
  • CAS (Central Authentication Service): Respondents authenticate against a CAS server.
  • LDAP (Lightweight Directory Access Protocol): LDAP is used to authenticate users.
  • Shibboleth: Respondents authenticate via SAML.
  • Google OpenID: Respondents authenticate with their Google username.
  • Facebook: Respondents authenticate with their Facebook username.

Below is a brief description of how to set up each method given a basic knowledge of how to use Contact List Authenticators. For further details about SSO, please see our SSO specification document.

Qtip: If you are going to authenticate using Token, CAS, LDAP, or Shibboleth, you will need to contact your IT department to obtain information on your SSO authenticator setup. If you use Google OpenID or Facebook as your SSO authenticator type, then you won’t need any extra information; the setup is automatic.

Token

Token SSO allows you to generate a secure token for authentication (see our SSO specifications). A Token Authenticator allows you to pass encrypted embedded data into the survey where it then be decrypted and stored as Embedded Data.

Qtip: This SSO type may not function properly with Preview Survey.

To set up a Token Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here.
    image19
  3. Select Authenticator.
    image09
  4. Change Authentication Type to SSO.image00
  5. Change SSO Type to Token.
    image06
  6. Specify the Encryption Method, Mac Method, and Leeway (we suggest 300 as the leeway.) You can also generate a secure key, or enter in your own key.
    image01
  7. Click Save Flow.
    image05
Attention: You must save the Survey Flow before using the generated token.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.
    image08
  2. Enter your Embedded Data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.
  3. Insert the parameter name from the encrypted token into the “Field From SSO” text entry box.
    image31
  4. Click Save Flow.
    image05
  5. Go back into the Survey Flow and generate a token to test it out. You should see the Embedded Data values in the response results.

For more information on generating SSO tokens with Embedded Data, please contact your IT team.

CAS

CAS provides enterprise Single Sign-On service and is supported by the JA-SIG Central Authentication Service. More information about CAS can be found at their website. Qualtrics can act as a CAS client, allowing the user to authenticate via CAS and log into the Qualtrics system. A CAS Authenticator allows you capture and store a participant’s CAS username as Embedded Data.

Qtip: This SSO type may not function properly with Preview Survey.

To set up a CAS Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here or Add Below.
    image19
  3. Select Authenticator
    image09
  4. Change Authentication Type to SSO.
    image00
  5. Change SSO Type to CAS.
    image26
  6. Specify the Hostname, Port, and URI.
    image12
  7. Click Test CAS Connection to check the integration.
    image39
  8. Click Save Flow.
    image05

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.image33
  2. Enter your Embedded Data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.
  3. Insert the username parameter into the “Field From SSO” text entry box.
    image35

    Qtip: CAS only passes back the username attribute, so any field specified to capture attributes will return the username.
  4. Click Save Flow.
    image05

You will now see the Embedded Data value in the response results.

LDAP

LDAP allows users to authenticate directly against your LDAP servers when logging in to the survey. You can capture four attributes of the authenticated user.

Attention: Due to the sensitive nature of LDAP server information, you must contact your IT department to get the necessary setup information. Qualtrics Support will not be able to distribute LDAP server information.

To set up an LDAP Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here.
    image19
  3. Select Authenticator
    image09
  4. Change Authentication Type to SSO.
    image00
  5. Change SSO Type to LDAP.
    image18
  6. Specify the Hostname, Port, Base DN, Bind DN, Bind Password, and Filter.
    image20

    Qtip: The Filter field should be left in the format ([filter]=%1), e.g., (sAMAccountName=%1) or (uid=%1).
  7. Click Test LDAP Connection to check the integration.
    image10
  8. Click Save Flow.
    image05

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.
    image25
  2. Create four lines of fields.
    image13
  3. Enter your Embedded Data field names into the “Embedded Data to Set…” text entry boxes on the left of the equals sign.
    image04
  4. Insert the following parameters into the “Field From SSO” text entry boxes: FirstName, LastName, Email, and ExternalDataReference.
    image23
  5. Insert the attribute names into the respective fields.
    image37
  6. Click Save Flow.
    image05

You will now see the Embedded Data values in the response results.

Shibboleth

Shibboleth allows users to to authenticate via SAML. SAML is a two way connection, which is why this option is only available to those who already have Shibboleth set up on their brand. To find out if your brand has a Shibboleth SSO setup, contact your Qualtrics Administrator.

Qtip: This SSO type may not function properly with Preview Survey.

To set up a Shibboleth Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here.
    image19
  3. Select Authenticator.
    image09
  4. Change Authentication Type to SSO.
    image00
  5. Change SSO Type to Shibboleth.
    image24
  6. Click Save Flow.
    image05

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.image15
  2. Enter your Embedded Data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.
    image34
  3. Insert the formal or friendly names of the attributes that are being passed via SAML into the “Field From SSO” text entry box (you can click the plus sign to add additional fields).
    image27
  4. Click Save Flow.
    image05

You will now see the Embedded Data values in the response results.

Google OpenID

Google OpenID SSO allows respondents to log in to the survey with their Google OpenID credentials in order to capture Google parameters.

Qtip: This SSO type may not function properly with Preview Survey.

To set up a Google OpenID Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here or Add Below.
    image19
  3. Select Authenticator.
    image09
  4. Change Authentication Type to SSO.
    image00
  5. Change SSO Type to Google OpenID.
    image16
  6. Click Save Flow.
    image05

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.image11
  2. Enter your Embedded Data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.image17
  3. Insert the parameter field from Google OpenID into the “Field From SSO” text entry box. You can select fields from the following list:
    attribute
    value
    FirstName
    John
    LastName
    Doe
    Username
    johndoe@email.com

    image14

  4. Click Save Flow.
    image05
  5. Log in to the survey with your Google credentials to test it out. You will now see the Embedded Data value in the response results.
    image29

Facebook

Facebook SSO allows respondents to log in to the survey with their Facebook credentials in order to capture Facebook parameters.

Qtip: This SSO type may not function properly with Preview Survey.

To set up a Facebook Authenticator

  1. Navigate to the Survey module and open the Survey Flow.
    image14
  2. Click Add a New Element Here in the Survey Flow and select Authenticator.
    image19
    image09
  3. Change Authentication Type to SSO and SSO Type to Facebook.
    image00
  4. Click Save Flow.
    image05

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.
    image28
  2. Enter your Embedded Data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.
    image36
  3. Insert the parameter field from Facebook into the “Field From SSO” text entry box. You can select fields from the following list:
    attribute
    value
    name
    John Doe
    first_name
    John
    last_name
    Doe
    link
    http://www.facebook.com/johndoe
    username
    johndoe
    gender
    male
    email
    johndoe@email.com
    timezone
    -6
    locale
    en_US

    image03

  4. Click Save Flow.
    image05
  5. Log in to the survey with your Google credentials to test it out. You will now see the Embedded Data values in the response results.
    image32

Associate Respondent with Contact List

The SSO Authenticator has an option called “Associate Respondent With Panel.” This option forces participants to be a member of the selected contact list in order to take the survey. The identifying field in the contact list must match the username attribute from the SSO setup. For example, if the SSO is passing student IDs as usernames, you will need need to include student IDs on your contact list. The only identifying fields to choose from are First Name, Last Name, Email, and External Data Reference.

image21

By default, SSO Authenticators allow participants to take the survey multiple times. The advantage of associating participants with a contact list is that you can prevent this behavior and allow participants to only take the survey once.