SAML Single Sign-On

This feature is an add-on service available to Enterprise accounts.

Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need to access? If so, you can now include SurveyGizmo as a Service Provider (SP) as part of this single sign-on (SSO). At this time, we support SSO from Active Directory Federated Services (AD FS) using the SAML 2.0 protocol.

Why SAML SSO?

When security is of paramount importance, organizations will set up an Identity Provider (IdP) to manage all logins for all users. This allows IT professionals at the organization to control the number of logins out there in the wild. Identity providers also allow IT professionals to set up password reset rules to increase security. If you are not already using an IdP, you probably won't start just for SurveyGizmo.

How Does It Work?

Single sign-on allows organizations to set up a trust relationship with a service provider (SurveyGizmo in this case) that allows the IdP to send encrypted login credentials to the service provider, so the user does not have to log in more than once; hence single sign-on.

Setup

If you're not an IT professional at your organization, go get one; you'll need his or her assistance to set this up.

What You Will Need Before You Get Started

First you'll need the following from your IdP; your IT professional can help you with this.

Entity ID - This is the globally unique URL of your IdP entity. It's like a mailing address that we, the service provider, use to contact your IdP. Not sure where to find this? See the Glossary of Terms below.

Login URL - This is the URL for logging in to your IdP. The Login URL is often very similar to the Entity ID URL. This is where we will send the SAML request.

Domain that has your SSL Certificate, or the SSL Certificate itself - We'll use your SSL certificate to encrypt the data being sent back and forth via SAML. You can either enter the domain where the SSL certificate is located and we will fetch it, or, if you prefer, upload your SSL Certificate file. Not sure where to find this? See the Glossary of Terms below.

SurveyGizmo Setup
Go to Account > Account Settings > Security, scroll to User Authentication Method and check the Enable Single Sign-On (SSO) option. You must be an administrative user in SurveyGizmo in order to access these settings.

Populate the Entity ID, Login URL and SSL Certificate from your IdP. These fields are required. For the SSL Certificate, you can either enter the domain where the SSL certificate is located and we will fetch it, or, if you prefer, upload your SSL Certificate. This is an either-or option.

Restrict Login to SSO Only - If you wish to only allow users to access SurveyGizmo via your IdP, check this box. If you wish to allow users to log in either way, via your IdP or SurveyGizmo, leave this unchecked.

Finally, there are two options that control how user seats in SurveyGizmo are handled:

Users must be set up in SurveyGizmo - This means that administrative SurveyGizmo users will need to log in to SurveyGizmo via the SurveyGizmo login page and add users as described in our Add Users Tutorial. Once a user is set up, SSO via the IdP will work for that user.

Automatically create new users if they don't exist in SurveyGizmo - This option will create a SurveyGizmo user when a user clicks the link/button to log in to SurveyGizmo, if a user with those credentials doesn't already exist in SurveyGizmo. If you choose to automatically create new users, you'll need to specify a Default Role and Team for these newly created users. Check out our Teams and User Permissions article to learn more about Teams and Roles!
The Restrict Login to SSO Only setting and the user seat setting together determine both who can access SurveyGizmo and how they will access it. If the Restrict Login to SSO Only box is unchecked, all users will be able to log in via both your IdP and SurveyGizmo, with the exception of users created via SSO. Administrative users that were created in SurveyGizmo will always be able to log in via both your IdP and SurveyGizmo, regardless of the status of the Restrict Login to SSO Only option. Users created via SSO will only be able to log in via the IdP.

When you are finished with your SAML settings, click Save. After you save, scroll down to the bottom of the page where the following URLs will be provided to you.

SurveyGizmo Login Link - This is the link you will use to create a link or button within your interface that users will click to log in to SurveyGizmo. This link will not work until you complete the IdP Setup below.

SurveyGizmo SP Metadata - This is the information that will be used to set up the relying party trust in the IdP as described below.

IdP Setup

These setup instructions will walk you through the basic settings for SSO setup in Active Directory (AD FS).

Launch the AD FS Management Console. Then go to Trust Relationships > Relying Party Trusts > Add Relying Party Trust. This will open the Add Relying Party Trust Wizard. Click Start.

Choose the Import data about the relying party published online option and copy and paste your SurveyGizmo SP Metadata URL into the Federation metadata address field. Click Next.

Leave the default option selected for multi-factor authentication and click Next.
On the next screen leave the option to Permit all users to access this relying party selected and click Next.
Review your settings and click Next.
On the next screen leave the option to Open the Edit Claim Rules dialog selected and click Close.
This will take you to the Edit Claim Rules dialog, where you will need to add two rules. Get started by clicking Add Rule.
In the Claim rule template dropdown menu select Pass Through or Filter an Incoming Claim and click Next.
We're going to pass through the User Principal Name (UPN) so name the rule as such and select UPN from the Incoming claim type dropdown menu and click Finish.
Back on the Edit Claim Rules dialog click Add Rule. Our second rule will be used to transform an incoming claim; select this from the Claim rule template dropdown menu and click Next.
We'll be transforming the UPN to Name ID, so name the rule accordingly and select UPN from the Incoming claim type dropdown menu. Select Name ID from the Outgoing claim type dropdown menu. In the Outgoing name ID format dropdown menu select Entity Identifier and click Finish.
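The relying party trust and the two claim rules from the wizard steps above can also be created from an elevated PowerShell session on the AD FS server. This is an added example, not part of the original article and not SurveyGizmo's own code; the trust name and the metadata URL are placeholders, and the claim type URIs and the Entity Identifier name-ID format URN are the standard values that the AD FS wizard writes for UPN and Name ID.

```powershell
# Added example: scripted equivalent of the AD FS wizard steps above.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Placeholders: pick any trust name; paste the SP Metadata URL shown at the
# bottom of SurveyGizmo's Account Settings > Security page.
$trustName   = 'SurveyGizmo'
$metadataUrl = 'https://<your-surveygizmo-sp-metadata-url>'

# Wizard step "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rule 1: pass through the User Principal Name (UPN).
# Rule 2: transform UPN -> Name ID with the Entity Identifier format.
#         SurveyGizmo matches this Name ID value against the user's Username field.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
'@

# Import the SP metadata (SP entity ID, assertion consumer endpoint, SP certificate)
# and attach the authorization and issuance rules in one step.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check: the trust should show the SP identifier taken from the metadata
# and both rule names in its issuance transform rules.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceTransformRules
```

Because the Name ID value is the UPN, every existing SurveyGizmo user whose Username is not their UPN will fail to match; the FAQ below covers that case.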
Once you finish your IdP setup, go back to SurveyGizmo and copy your SurveyGizmo Login URL. When you go to this link in a browser you will be taken to your IdP login page. Once you log in, you'll be taken to SurveyGizmo. If this didn't work, check out our troubleshooting tips below. If this does work, you're now ready to set up a button or link for your users to access SurveyGizmo!

FAQ & Troubleshooting

What do I need to know to log existing SurveyGizmo users in via SSO?

The Name ID that you pass into SurveyGizmo to identify the user must be the same as their Username field in SurveyGizmo. In the IdP setup above we added a rule to set Name ID = UPN (the user's IdP email address). If you added this rule, you'll need to double check all existing users' usernames and change them to their email address where necessary.
Will users still be able to log in with their login and password?

This depends on how you set this up. If you wish to allow your users to continue to log in via SurveyGizmo with their username and password, make sure to leave the Restrict Login to SSO Only option unchecked.

Will my IdP login credentials work to log me in to the SurveyGizmo login page?

This depends on a couple of factors: (1) your Restrict Login to SSO Only setting and (2) how the user was created. If the Restrict Login to SSO Only box is unchecked, all users will be able to log in via both your IdP and SurveyGizmo, with the exception of users created via SSO. Administrative users that were created in SurveyGizmo will always be able to log in via both your IdP and SurveyGizmo, regardless of the status of the Restrict Login to SSO Only option. Users created via SSO will only be able to log in via the IdP.

If your Entity ID or Login URL is incorrect, you will receive an error. The content of this error varies, so if you receive an error during setup, check that both of these fields are populated correctly.

What happens if users try to log in to the SurveyGizmo login page with IdP credentials?

They will receive an incorrect login credentials error.

What happens if the IdP is unavailable?

Typically you'll receive a browser message that the page cannot load. We cannot throw an error in this case.
What happens when a SurveyGizmo session expires?

SurveyGizmo sessions expire after 2 hours of inactivity. If this happens, the Continue Working link that displays in SurveyGizmo will not work. Users will need to use the login link/button to log back in to SurveyGizmo.

Glossary of Terms

Active Directory Federated Services (AD FS) - Microsoft's IdP software.

Entity ID - This is the globally unique URL of your IdP entity. It's like a mailing address that we, the service provider, use to contact your IdP. Your Entity ID can be found in your AD FS Management Console by right-clicking the AD FS folder and selecting Edit Federation Service Properties; it is the URL in the Federation Service identifier field.

Identity Provider (IdP) - The source of truth for usernames and passwords.

Login URL - This is the URL for logging in to your IdP. The Login URL is often very similar to the Entity ID URL. This is where we will send the SAML request.

Name ID - Unique string to identify users. When sending Name ID to SurveyGizmo we recommend it be their email address.

Service Provider (SP) - The web-based application(s) that are accessed via the IdP.

Security Assertion Markup Language (SAML) - An XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.

Single Sign-On (SSO) - Provides partner companies with full control over the authorization and authentication of hosted user accounts that can access web-based applications.

SSL Certificate - This is your certificate file (.crt), which can be downloaded from your SSL issuer. NOTE: If the file you have also contains the intermediate or root certificate chain, that's fine, as long as it includes the main certificate for the domain.
User Principal Name (UPN) - The name of the system user in email address format.