Loading...
  • Customer Experience
    Customer Experience
  • Employee Experience
    Employee Experience
  • Brand Experience
    Brand Experience
  • Product Experience
    Product Experience
  • Core XM
    Core XM
  • Design XM
    Design XM

SSO Authenticator

What's on This Page:


Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!


About SSO Authenticators

The authenticator feature in Qualtrics is typically used to verify that respondents are found on a contact list that you have uploaded into Qualtrics. With the Single Sign-On (SSO) authenticator, you can go beyond this and authenticate against a third-party system (e.g., verify that they have a legitimate user ID at your university or have a Facebook account).

The authenticator feature supports six basic types of SSO authentication:

Below is a brief description of how to set up each method given a basic knowledge of how to use contact list authenticators. For further details about SSO, view our Single Sign-On Technical Documentation.

Qtip: If you are going to authenticate using Token, CAS, LDAP, or Shibboleth, you will need to contact your IT department to obtain information on your SSO authenticator setup. If you use Google OAuth 2.0 or Facebook as your SSO authenticator type, then you won’t need any extra information; the setup is automatic.

Token

Token authenticators allow you to authenticate using the secure token generated via a third party. Token authenticators can also be used to pass encrypted embedded data into the survey where it then be decrypted and stored as embedded data.

Qtip: This SSO type may not function properly with preview survey.
Attention: For security and data privacy reasons, you must contact your IT department to get the necessary setup information. Qualtrics Support will not be able to distribute Token SSO information.

To set up a Token Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator.
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    setting the sso type to token and entering sso fields
  5. Change SSO Type to Token.
  6. Specify the Encryption Method, Mac Method, and Leeway (we suggest 300 as the leeway.) You can also generate a secure key, or enter in your own key.
  7. Click Apply.
Attention: You must save the survey flow before generating a test token.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying infoenabling capture respondent identifying info
  2. Click Add Embedded Data.
  3. Enter your embedded data field name into the “Embedded Data to Set” text entry box on the left of the equals sign.
    adding embedded data fields to capture
  4. Insert the parameter name from the encrypted token into the “Field From SSO” text entry box.
  5. If needed click the plus sign (+) to add a field and the minus sign (-) to remove a field.
  6. Click Apply.

You will now see the embedded data values in the response results after someone takes the survey.

Qtip: You can go back into the survey flow and generate a test token to try this type of authentication out.
Attention: For more information on generating SSO tokens with embedded data, please contact your IT team.

ASSOCIATE RESPONDENT WITH CONTACT LIST (OPTIONAL)

By default, Token SSO authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

SSO authenticator with the panel field dropped down

The table below indicates which identifying field from the contact list (specified with the Identified by Fields dropdown) pairs with which Token authenticator attribute.

Identified By Field Token Attribute
First Name firstname
Last Name lastname
Email email
External Data Reference id

For example, if the Identifying Field was Last Name and the respondent was passing “Doe” for the lastname attribute, the contact list would need to have “Doe” in the Last Name field.

CAS

CAS authenticators allow you to authenticate users against a CAS server. They can also be used to capture and store a participant’s CAS username as embedded data.

Qtip: This SSO type may not function properly with preview survey.
Attention: For security and data privacy reasons, you must contact your IT department to get the necessary setup information. Qualtrics Support will not be able to distribute CAS server information.

To set up a CAS Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    setting the sso type to cas and entering the sso fields
  5. Change SSO Type to CAS.
  6. Specify the Hostname, Port, and URI.
  7. Click Apply.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info.
    enabling capture respondent identifying info
  2. Click Add Embedded Data.
  3. Enter your embedded data field name into the “Embedded Data to Set” text entry box on the left of the equals sign.
    adding embedded data fields to capture
  4. Insert the username parameter into the “Field From SSO” text entry box.
    Qtip: Qualtrics only accepts the username attribute from CAS, so any field specified to capture attributes will return the username.
  5. If needed, click the plus sign (+) to add fields and the minus sign (-) to remove fields.
  6. Click Apply.

You will now see the embedded data value in the response results after someone takes the survey.

Qtip: You can take the survey via the anonymous survey link to give it a try.
Attention: For more information on what embedded data can be captured, please contact your IT team.

ASSOCIATE RESPONDENT WITH CONTACT LIST (OPTIONAL)

By default, CAS SSO authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

identified by fields dropdown

Since only the username can be consumed via CAS authenticators, the contact list field that is selected as the identifying field (using the Identified by Field dropdown) must house the CAS username to properly authenticate users.

For example, if the identifying field was First Name and the respondent was passing “johnd” for the their CAS username, the contact list would need to have “johnd” in the First Name field.

LDAP

LDAP authenticators allow you to authenticate users directly against your LDAP servers. They can also be used to capture and store LDAP attributes as embedded data.

Attention: Due to the sensitive nature of LDAP server information, you must contact your IT department to get the necessary setup information. Qualtrics Support will not be able to distribute LDAP server information.

To set up an LDAP Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator.
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    selecting ldap as the sso type and setting up the ldap fields
  5. Change SSO Type to LDAP.
  6. Specify the Hostname, Port, Base DN, Bind DN, Bind Password, and Filter.
    Qtip: The Filter field should be left in the format ([filter]=%1), e.g., (sAMAccountName=%1) or (uid=%1).
  7. Click Apply.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info.
    enabling capture respondent identifying info
  2. Click Add Embedded Data.
  3. Use the plus sign (+) to add four fields.
    adding embedded data fields to capture
  4. Enter your embedded data field names into the “Embedded Data to Set” text entry boxes on the left of the equals sign.
  5. Insert the following parameters into the “Field From SSO” text entry boxes: FirstName, LastName, Email, and ExternalDataReference.
  6. Insert the attribute names into the respective fields.
    adding the fields to the sso mapping
  7. Click Apply.

You will now see the embedded data value in the response results after someone takes the survey.

Qtip: You can preview the survey to try this setup out.

ASSOCIATE RESPONDENT WITH CONTACT LIST

By default, LDAP SSO authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

The table below indicates which identifying field (determined in the Identified by Field dropdown) from the contact list pairs with which LDAP authenticator attribute, as specified in the First Name Field, Last Name Field, Email Field, and External Data Reference in the authenticator settings.

Identified By Field LDAP Attribute
First Name First Name Field (i.e. firstname)
Last Name Last Name Field (i.e. lastname)
Email Email Field (i.e. mail)
External Data Reference External Data Reference (i.e. uid)

For example, let’s say that the identifying field was Email and the following attributes were specified in the LDAP authenticator settings:

first name field firstname, last name field lastname, email field mail, external data reference uid

If the respondent was passing “johnd@email.com” for the mail attribute, the contact list would need to have “johnd@email.com” in the Email field.

Shibboleth

Shibboleth allows users to authenticate via SAML. SAML is a two way connection, which is why this option is only available to those who already have Shibboleth set up on their brand. To find out if your brand has a Shibboleth SSO setup, contact your Brand Administrator.

Qtip: This SSO type may not function properly with preview survey.

To set up a Shibboleth Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator.
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    selecting shibboleth as the sso type
  5. Change SSO Type to Shibboleth.
  6. Click Apply.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info.
    clicking capture respondent identifying info
  2. Click Add Embedded Data.
  3. Use the plus sign (+) to add fields and the minus sign (-) to remove fields.
  4. Enter your embedded data field name into the “Embedded Data to Set” text entry box on the left of the equals sign.
    adding embedded data fields to capture
  5. Insert the formal or friendly names of the attributes that are being passed via SAML into the “Field From SSO” text entry box (you can click the plus sign to add additional fields).
  6. Click Apply.

You will now see the dmbedded data value in the response results after someone takes the survey.

Qtip: You can test the survey using the anonymous link.
Attention: For more information on what embedded data can be captured, please contact your IT team.

ASSOCIATE RESPONDENT WITH CONTACT LIST

By default, Shibboleth SSO authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

identified by fields dropdown

The table below indicates which identifying field from the contact list pairs with which SAML attribute (specified by Identified by Field dropdown), as specified in the User Name Field, First Name Field, Last Name Field, and Email Field in the Qualtrics instance’s SSO settings.

Identified By Field SAML Attribute
External Data Reference Username (i.e. uid)
First Name First Name Field (i.e. givenName)
Last Name Last Name Field (i.e. sn)
Email Email Field (i.e. mail)

For example, if the identifying was External Data Reference and the respondent was passing “johnd” for the uid attribute, the contact list would need to have “johnd” in the External Data Reference field.

user name field UID, first name field given naem, last name field SN, email field mail

Google OAuth 2.0

Google OAuth 2.0 authenticators allow respondents to authenticate with their Google credentials. They can also be used to capture and store Google account information as embedded data.

Google login page

Qtip: This SSO type may not function properly with preview survey.

To set up a Google OAuth 2.0 Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator.
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    setting the sso type to google oauth 2.0
  5. Change SSO Type to Google OAuth 2.0.
    Qtip: By default, Google OAuth 2.0 authenticators will authenticate anyone with a Google account. To restrict who can access your survey, add in approved account email domains to the Restrict Authentication to Domain(s) field. No wildcard is necessary here; you’ll just need to type in your domain without the @ symbol (e.g., “gmail.com” or “qualtrics.com”). To allow multiple domains, enter your domains as a comma-separated list (e.g., “gmail.com, qualtrics.com”).
  6. Click Apply.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info and click Add Embedded Data.
    Authenticator with Capture respondent info selected and an Add embedded Data button below
  2. Use the plus sign (+) to add fields and the minus sign (-) to remove fields. adding embedded data fields to capture
  3. Enter your embedded data field name into the “Embedded Data to Set” text entry box on the left of the equals sign.
  4. Insert the parameter field from Google OAuth 2.0 into the “Field From SSO” text entry box. You can select fields from the following list:
    attribute
    value
    FirstName
    John
    LastName
    Doe
    Email
    johndoe@email.com
  5. Click Apply.

You will now see the embedded data value in the response results after someone takes the survey.

Qtip: You can test this setup using the anonymous link.

ASSOCIATE RESPONDENT WITH CONTACT LIST

By default, Google OAuth 2.0 authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

The table below indicates which identifying field (specified under Identified by Field dropdown) from the contact list pairs with which Google OAuth 2.0 attribute.

Identified By Field Google OAuth Attribute
First Name FirstName
Last Name LastName
Email Email
External Data Reference UserName

For example, if the identifying field was First Name and the respondent was passing “John” for the Firstname attribute, the contact list would need to have “John” in the First Name field.

Facebook

Facebook authenticators allow respondents to authenticate with their Facebook credentials. They can also be used to capture and store Facebook account information as embedded data.

Facebook login screen

Qtip: This SSO type may not function properly with preview survey.

To set up a Facebook Authenticator

  1. While editing your survey, open the Survey flow.
    navigating to the survey flow and adding a new element
  2. Click Add a New Element Here or Add Below.
  3. Select Authenticator.
    choosing the authenticator element
  4. Change Authentication Type to SSO.
    setting the sso type to facebook
  5. Set the SSO Type to Facebook.
  6. Click Apply.

To capture identifying information (Optional)

  1. Enable Capture respondent identifying info.enabling capture respondent identifying info
  2. Click Add Embedded Data.
  3. Use the plus sign (+) to add fields and the minus sign (-) to remove fields.
  4. Enter your embedded data field name into the “Embedded Data to Set…” text entry box on the left of the equals sign.
    adding embedded data fields to capture
  5. Insert the parameter field from Facebook into the “Field From SSO” text entry box. You can select fields from the following list:
    attribute
    value
    name
    John Doe
    first_name
    John
    last_name
    Doe
    link
    http://www.facebook.com/johndoe
    gender
    male
    email
    johndoe@email.com
    timezone
    -6
    locale
    en_US

     

  6. Click Apply.

You will now see the embedded data value in the response results after someone takes the survey.

Qtip: You can test this survey by using the anonymous link.

ASSOCIATE RESPONDENT WITH CONTACT LIST

By default, Facebook authenticators allow participants to take the survey multiple times. You can prevent this behavior and allow participants to only take the survey once by enabling Associate Respondent With Panel. This option forces participants to be a member of the selected contact list in order to take the survey.

The table below indicates which identifying field (specified by the Identified by Field dropdown) from the contact list pairs with which Facebook parameter.

Identified By Field Facebook Attribute
First Name first_name
Last Name last_name
Email email
External Data Reference email

For example, if the identifying field was Email and the respondent was passing “johnd@email.com” for the email attribute, the contact list would need to have “johnd@email.com” in the Email field