Skip to main content
Skip to article
  • Qualtrics Platform
    Qualtrics Platform
  • Customer Journey Optimizer
    Customer Journey Optimizer
  • XM Discover
    XM Discover
  • Qualtrics Social Connect
    Qualtrics Social Connect

Managing Users & Brands with SSO

Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!

About Managing Users & Brands with SSO

With Single Sign-On (SSO), users can authenticate into Qualtrics using their organization’s internal login system. The three biggest advantages of this are improved security, a seamless login experience for users, and a simplified user management for Brand Administrators.

  1. Improved Security: Users cannot access their Qualtrics account unless they can successfully authenticate through SSO first.
  2. Seamless Login Experience: Users will no longer need to remember multiple sets of login credentials to get into the Qualtrics platform. Instead, one portal and login credentials can be used to access their main organization portal, Qualtrics, and any other software your IT team has integrated into your SSO.
  3. Simplified User Management: SSO makes administration easier for larger licenses because you can use information stored in your organization’s IT systems to manage Qualtrics users. For example, Qualtrics can consume user attributes that are passed over from your system for use in assigning username, first name, last name, and email values to user accounts. It can also be used to automatically assign and update user account permissions, via User Type, Division, and Group mapping. These features help to ensure that accounts always have the correct permissions and fall under the correct jurisdiction. Together, this reduces the amount of administrative work that needs to be done by a Brand Administrator, who would otherwise have to manually manage user account information and permissions.

Auto-Enrolling Users

Qualtrics has the ability to create user accounts when users successfully authenticate, but do not yet have an account in your Qualtrics brand. When a user logs into Qualtrics via SSO, the system takes the username value passed over for the user from your system and searches for it in your Qualtrics brand. If no account exists that has the username value, the Qualtrics system will create an account for the user. This process is commonly called “Just-in-Time User Provisioning.”

When users are created via self-enrollment, a suffix will be appended in the form of #brandID to the end of their Qualtrics username to prevent any issues with duplicate usernames within the Qualtrics system. The suffix will vary on a brand by brand basis, and is formed using the Brand ID of the Qualtrics instance the user is in. For example, if the brand ID is “fakeenvironment” then the suffix is “#fakeenvironment.”

We recommend that SSO enabled brands ensure that all users, SSO or non-SSO, have the #brandID suffix.

Example: If John Doe tries to log into the Qualtrics brand “fakeenvironment” via SSO, the following will occur:

  1. Once the user successfully authenticates via SSO, your system passes over several user attributes. The username value passed over is “johndoe@email.com.”
  2. The Qualtrics system then checks to see if an account already exists with the username “johndoe@email.com#fakeenvironment” in the fakeenvironment brand.
  3. If there is an account with one of the following usernames (checked in the order listed) within the fakeenvironment brand, the user will be logged into that account:
    • “johndoe@email.com#fakeenvironment”
    • “johndoe@email.com”
  4. If there is not an account with either username value listed in Step 3, and self-enrollment is enabled for the brand, the Qualtrics system will look to the value passed for the user’s email to verify that the domain of the email is accounted for in the list of Valid Email Domains. If the user’s email has a valid domain, the Qualtrics system will create an account with the username “johndoe@email.com#fakeenvironment.”

If you pass first name and last name values for users, the Qualtrics system will use those values to populate the first name and last name associated with user accounts. Otherwise, the username value will be used to populate the first name and last name fields.

Qtip: If you’d like to receive email notifications when users self-enroll through SSO, please contact Qualtrics Support. Please note that if your license uses SSO self-service, then you do not need to contact Qualtrics Support regarding self-enrollment email notifications.
Attention: When Just-in-Time-User-Provisioning is disabled for a brand, user accounts must be manually created in Qualtrics by Brand Administrators. If users try to log into your Qualtrics brand without having an account, they will be denied access to the platform.

Customizing the Login Portal

Qualtrics has the ability to display a Login Page Description when users go to login via LDAP SSO. Brand Administrators have the ability to edit the text displayed in the Organization Settings tab of the Admin page.

Attention: When CAS, SAML, or Google OAuth 2.0  are enabled for a brand, this feature will not alter the message displayed on the SSO login portal. To alter the SSO login portal for these types of SSO, you must work with your IT team.

Assigning User Permissions

USER TYPE, DIVISION, & GROUP MAPPING

When a user logs into Qualtrics via SSO, additional information about the user can be passed from their organization’s system via user attributes. Qualtrics has the ability to use this information to assign and update a user’s User Type, Division, and Group. This is commonly called mapping. If you’ve purchased SSO implementations, this User Type, Division, and Group mapping is implemented by the Qualtrics SSO team, while working closely with you and your IT team to ensure the desired attributes are included. If you’re setting up SSO on your own, you can configure the mapping for these attributes when setting up the connection.

Attention: CAS or Google OAuth 2.0 are not compatible with these features because they cannot pass over additional attributes to the Qualtrics system.
Qtip: If Just-in-Time User Provisioning is enabled for your brand, User Type and Division mapping will be applied on account creation.

Depending on your SSO settings, user attributes may update on each login, meaning any changes to a user’s User Type or Division made by Brand Administrators will be overridden on the user’s next login. This can be prevented by one of the following:

  1. The organization’s IT team updates the value being passed for the user within the User Type or Division attribute.
  2. A Brand Administrator manages users’ permissions on the user level, instead of by changing their User Type or Division.
  3. Disable the Update user attributes on every login SSO setting.

Unlike mapping User Types and Divisions, mapping Groups will not overwrite changes made by Brand Administrators to users’ Groups, since users can be part of multiple Groups at one time.

Qualtrics can only reference one attribute each for User Type, Division, and Group mapping. Values denoting which User Type or Division users should be assigned to must be passed within the same respective attribute for all users. There is some flexibility, though, as Qualtrics can configure up to fifty Group mapping conditions, each of which can use RegEx.

Example: Below are some examples of User Type mapping conditions based on a “department” attribute:

  1. If department equals HR, then User Type is Standard User Type.
  2. If department equals HR or Accounting, then User Type is Standard User Type.
  3. If department contains HR, then User Type is Standard User Type.
  4. If department is not HR, then User Type is Limited User Type.
  5. If department is not HR or Accounting, then User Type is Limited User Type.
Attention: Custom User Types, Divisions, and Groups must be created by a Brand Administrator before we can configure mapping to automatically assign users on login.
Qtip: Brand Administrator accounts are immune to User Type mapping. Brand Administrator accounts can only be altered by other Brand Administrators.
Qtip: It’s best practice to add .* before and after an expected value (i.e. .*student.*) if only one value is listed. This will prevent issues with consuming the value if it happens to be passed within a multi-value attribute.

Qualtrics applies User Type and Division mapping in order based on User Type and Division mapping conditions in Qualtrics. This means that if we configure multiple conditions for the system to consider when assigning users to a certain User Type or Division, Qualtrics will start with the top-most condition and work its way down.

Example: Imagine that we have User Type mapping set-up to assign all users in the Psychology department to the Standard User Type and all users in the Business department to the Limited User Type. If a new user logs into Qualtrics via SSO and passes over both “Psychology” and “Business” for his department, perhaps because he teaches courses in both areas, the system will assign him to whichever User Type is outlined in mapping first. The following set up would result in the user being automatically assigned the Standard User Type:

  1. If department equals Psychology, then User Type is Standard User Type
  2. If department equals Business, then User Type is Limited User Type

Qualtrics applies Group mapping in order based on user attribute values in the SAML response. This means that if we configure multiple conditions for the system to consider when assigning users to a certain Group, the system will start with the top-most condition and work its way down.

Example: Imagine that we have Group mapping set-up to assign all users in the Psychology department to the Psychology Group and all users in the Business department to the Business Group. If a new user logs into Qualtrics via SSO and passes over both “Psychology” and “Business” for his department, perhaps because he teaches courses in both areas, the system will assign him to whichever Group is outlined in his SAML response first. If the SAML response passed over the following, the user will automatically be assigned to the Psychology Group:

<AttributeStatement>

<Attribute Name="department">

<AttributeValue>Psychology</AttributeValue>

</Attribute>

<Attribute

<AttributeValue>Business</AttributeValue>

</Attribute>

</AttributeStatement>

If users pass over a value that isn’t outlined in the User Type mapping conditions, they will automatically be assigned to the brand’s Self-Enrollment (default) User Type that was configured for the brand by a Brand Administrator.

Qtip: If you would like to prevent users from being able to login to Qualtrics when they do not pass over a value outlined in the User Type mapping conditions, Qualtrics can do that via Validate User Type.

If users pass over a value that isn’t outlined in Division or Group mapping conditions, they will not be assigned to a Division or Group. Users will have to be added to a Division or added to a Group by a Brand Administrator.

Qtip: Brand Administrators can make a Group available to all users in the brand or in a specific Division when creating a new group or updating it.

CX DASHBOARDS AUTOMATIC ROLE ENROLLMENT

When a user logs into Qualtrics via SSO, they can send over additional information about their account from your system. Qualtrics has the ability to use this information to assign and update an account’s CX Dashboards’ Role via Automatic Role Enrollment.

Attention: CAS 2.0 and Google OAuth 2.0 are not compatible with this feature because they cannot pass over additional attributes to the Qualtrics system.

Saving User Information as CX Dashboards Metadata

When a user logs into Qualtrics via SSO, they can send over additional information about their Qualtrics account from your system. Qualtrics has the ability to pass and update this information into CX Dashboards to be stored as metadata. Please make sure to coordinate between your IT team and the Qualtrics SSO team to determine the attributes you want to carry over into Qualtrics.

Attention: CAS 2.0 and Google OAuth 2.0 are not compatible with this feature as they cannot pass over additional attributes to the Qualtrics system.
Qtip: Metadata derived from SSO attributes are updated each time a user logs into the platform via SSO, regardless of whether or not Update User Attributes on Every Login is enabled.

Restricting User Access

VALID EMAIL DOMAINS

If Just-in-Time User Provisioning is enabled or Google OAuth 2.0 SSO is used, Qualtrics references the Valid Email Domains listed for your Qualtrics brand when authenticating users. After users successfully authenticate via SSO and before Qualtrics creates a new account for the user, it will look at the user’s email address to verify that the domain of the email is accounted for in the brand’s list of Valid Email Domains. If the user’s email has a valid domain, the Qualtrics system will create an account for the user in your brand. If the user’s email does not have a valid domain, the Qualtrics system will deny the user access to the platform.

When asking a Qualtrics Support representative to configure your brand’s list of Valid Email Domains, you can use a wildcard (*) or specify certain email domains. The wildcard allows anyone who successfully authenticates via your SSO to create an account within your Qualtrics brand, whereas specifying certain email domains restricts who can create an account within your Qualtrics brand. Users must both successfully authenticate via your SSO and pass a Valid Email Domain to create an account within your Qualtrics brand.

Attention: Even with the wildcard enabled, users must pass a value in the format of an email address (e.g., value@example.com) in their SSO email attribute in order to login. If a value is passed that isn’t in the right format, users will be denied access.
Attention: If you specify certain email domains, you can only use domains owned by your organization for security reasons.
Qtip: Google OAuth 2.0 configurations must provide specific email domains because this SSO type cannot use the wildcard option. Users’ email addresses are authenticated against the provided email domains on each login attempt.

If you have a handful of users with a certain email domain who should have access to Qualtrics but do not want to allow all users with this domain to be able to self-enroll, a Brand Administrator can instead manually create these users’ accounts.

Validation against your brand’s list of Valid Email Domains only occurs on account creation, not on each login.

VALIDATE USER TYPE

Qualtrics has the ability to validate values passed over for the User Type mapping attribute. This means that each time a user tries to log into Qualtrics via SSO, the system evaluates the values passed over for the attribute to ensure that at least one value is accounted for in the User Type mapping conditions.

Example: Imagine that we have the following User Type mapping conditions set up:

  1. If department equals Psychology, then User Type is Psychology.
  2. If department equals Business, then User Type is Business.

If a user tries to log into Qualtrics via SSO, but passes neither “Psychology” nor “Business” for their department, Qualtrics will deny the user access.

Attention: CAS 2.0 and Google OAuth 2.0 are not compatible with this feature as they cannot pass over additional attributes to the Qualtrics system.

FAQs