Skip to main content
Skip to article
  • Qualtrics Platform
    Qualtrics Platform
  • Customer Journey Optimizer
    Customer Journey Optimizer
  • XM Discover
    XM Discover
  • Qualtrics Social Connect
    Qualtrics Social Connect

SSO Implementation Considerations

Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!

About SSO Implementation Considerations

Qualtrics is able to implement Single Sign-On (SSO) or change the SSO type used for any existing brand. There are many factors that are considered when determining whether or not to implement SSO on a Qualtrics brand.

Attention: This page describes steps for paid SSO implementations. For information on setting up your own SSO connection without Qualtrics implementation, see Configuring Organization SSO Settings.

Qualtrics SSO Implementation Process

  1. You and your IT team complete the SSO Implementation survey, provided by your Qualtrics Account Executive or XM Success Manager.
  2. Qualtrics prepares a temporary test environment set-up to mimic your production Qualtrics environment. This is subject to lead times depending on the volume of requests. The current lead time is noted at the end of the SSO Implementation survey.
  3. Qualtrics reaches out to you and your IT team with instructions for completing your end of the SSO configuration for the test environment.
  4. Qualtrics works with your IT team to resolve any issues seen in the test environment and discuss implementation preferences.
  5. Once the test environment has been confirmed to be fully functional, you and your IT team select a date and time to enable SSO in your production Qualtrics environment.
  6. Qualtrics works with your IT team to enable SSO in your production Qualtrics environment at the date and time chosen by your team.
  7. If any errors arise, troubleshooting can take place in production or SSO can be disabled and troubleshooting can take place in the test environment.
  8. When no errors appear for SSO logins within your production Qualtrics environment, the implementation can be considered complete.

Enabling SSO on an Established Brand

Enabling SSO on a newly created Qualtrics brand is considerably less complex than enabling SSO on an established brand. Established brands have existing accounts, and when SSO is enabled those accounts must be updated in order to ensure that SSO authentication will work.

Changing your brand to an SSO-enabled brand can cause Qualtrics usernames to change in 2 ways:

  1. All users who plan to authenticate via SSO will have a Qualtrics username value that matches the SSO username attribute value.
  2. All users will have “#brandID” appended to the end of the SSO username attribute value.

If a small number of accounts exist on the brand prior to enabling SSO, Qualtrics can work with your Brand Administrators and IT department to manually update these accounts.

If a large number of accounts exist on the brand prior to enabling SSO, Qualtrics will run one of our public API calls to update usernames to SSO-compatible values.

SSO in Most Qualtrics Setups

When SSO is enabled in a brand that does not have EX, CX, or 360, the following may be affected.

MANUAL USER CREATION

Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

QUALTRICS API USER CREATION

Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, the API caller should append the “#brandID” suffix to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

SELF-ENROLLMENT USER CREATION

Users can self-enroll when Just-in-time User Provisioning  is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.

Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”

ACCOUNT ACCESS

Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Login Page URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login

 

Credentials to use: Qualtrics username and password

 Not available
Brand-Specific Login Page URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: Qualtrics username and password

 URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: SSO username and password

SURVEY TAKING

Regardless of whether or not SSO is enabled for a brand, respondents are only required to authenticate via SSO prior to taking a survey if there is an SSO Authenticator configured in the survey flow. Otherwise, no SSO authentication is needed to just take a survey.

Attention: A Shibboleth (SAML) SSO Authenticator can only be configured if the brand has SAML SSO configured and support SP-initiated logins.

FILE UPLOAD DATA IN DATA and ANALYSIS

Survey owners and collaborators have the ability to require permission to view uploaded files to prevent others from viewing user submitted files. When this is enabled, survey owners and collaborators can always view the File Upload data in the Data & Analysis tab. However, if direct links to the user submitted files are used to try to access the file the following will be true:

SSO is Disabled:

Generic File Upload Data Link URL to use:

https://datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1

Credentials to use: Qualtrics
Brand-Specific File Upload Data Link URL to use:

https://brandID.datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1

 

Credentials to use: Qualtrics

SSO is Enabled:

Generic File Upload Data Link Not available
Brand-Specific File Upload Data Link URL to use:

https://brandID.datacenter.qualtrics.com/WRQualtricsControlPanel/File.php?F=F_xxxxxx&download=1

Credentials to use: SSO

SSO and Employee Experience

When SSO is enabled in a brand that has Employee Experience projects like Engagement, Lifecycle, and Pulse, the following may be affected. (For 360, see next section instead.)

MANUAL USER CREATION

Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

CSV IMPORT USER CREATION

Brand Administrators can bulk import users in the Directories tab. When SSO is enabled, a “UserName” column should be added to the CSV file. The “UserName” column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “UserName” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.

QUALTRICS API USER CREATION

Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

SELF-ENROLLMENT USER CREATION

Users can self-enroll when Just-in-time User Provisioning  is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”

ACCOUNT ACCESS

Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Login Page URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login

 

Credentials to use: Qualtrics

 Not available
Brand-Specific Login Page URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: Qualtrics

 URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: SSO

SURVEY TAKING

Regardless of whether or not SSO is enabled for a brand, respondents are only required to authenticate via SSO prior to taking a survey if there is an SSO Authenticator configured in the survey flow. Otherwise, no SSO authentication is needed to just take a survey.

Attention: A Shibboleth (SAML) SSO Authenticator can only be configured if the brand has SAML SSO configured and support SP-initiated logins.

DASHBOARD ACCESS

Users may be required to authenticate via SSO prior to viewing the dashboard, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Dashboard Login Page URL to use: https://datacenter.qualtrics.com/ee/dashboards

 

Credentials to use: Qualtrics

 Not available
Dashboard-Specific Invite Link URL to use: See Dashboard Invite Link

 

Credentials to use: Qualtrics

 URL to use: See Dashboard Invite Link

 

Credentials to use: SSO

SSO and 360

When SSO is enabled in a brand that has 360, the following may be affected.

MANUAL USER CREATION

Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

CSV IMPORT USER CREATION

Brand Administrators can bulk import users in the Directories tab. When SSO is enabled, a “UserName” column should be added to the CSV file. The “UserName” column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Qtip: The suffix “#brandID” will automatically be appended, by the Qualtrics system, to the value in the “UserName” column when the CSV file is uploaded.
Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “UserName” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.

QUALTRICS API USER CREATION

Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

SELF-ENROLLMENT USER CREATION

Users can self-enroll when Just-in-time User Provisioning  is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.

Example: SSO has been enabled for the fakeenvironment Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”

ACCOUNT ACCESS

Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Login Page URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login

 

Credentials to use: Qualtrics

 Not available
Brand-Specific Login Page URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: Qualtrics

 URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: SSO

PARTICIPANT ACCESS

Subjects and Internal Evaluators must authenticate via SSO prior to accessing their portal when SSO is enabled. The direct survey link can be sent to Internal Evaluators and External Evaluators to allow survey-taking without requiring participants to authenticate via SSO.

SSO and CX Dashboards

When SSO is enabled in a brand that has CX Dashboards, the following may be affected.

MANUAL USER CREATION

Brand Administrators can create new users in the Users tab of the Admin page. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

CSV IMPORT USER CREATION

Brand Administrators can bulk create dashboard users by importing a file in the User Admin tab. When SSO is enabled, a Username column should be added to the CSV file. The Username column will be used to create the Qualtrics Username and should match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Qtip: The suffix “#brandID” will be appended to the value in the “Username” column when the CSV file is uploaded. The brandID value will vary depending on the Qualtrics brand.
Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create a Participant account for the user, the CSV import “Username” column must have “john.doe” for the user. When uploaded, the user’s account will have “john.doe#fakeenvironment” as the Qualtrics Username value.

QUALTRICS API USER CREATION

Brand Administrators can use the Create User API call to automate user creation. When SSO is enabled, “#brandID” should be appended to the end of the Username value. The Qualtrics Username value must also match the SSO username attribute value in order to allow users to successfully authenticate via SSO.

Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the Brand Administrator wants to create an account for the user, the Qualtrics Username value must be “john.doe#fakeenvironment.”

SELF-ENROLLMENT USER CREATION

Users can self-enroll when Just-in-time User Provisioning  is enabled. When SSO is enabled, “#brandID” will automatically be appended to the end of the SSO username attribute value for use in the Qualtrics Username field.

Example: SSO has been enabled for the “fakeenvironment” Qualtrics brand. For one user, the SSO username attribute passes the value “john.doe.” If SSO is enabled and the user self-enrolls, the Qualtrics Username value will be “john.doe#fakeenvironment.”

AUTOMATIC ROLE ENROLLMENT

When a user logs into Qualtrics via SSO, they can send over additional information about their account from your system. Qualtrics has the ability to use this information to assign and update an account’s CX Dashboards Role via Automatic Role Enrollment.

Attention: CAS 2.0 is not compatible with this feature because they cannot pass over additional attributes to the Qualtrics system. Google OAuth 2.0 can only pass over attributes with a custom OAuth 2.0 connection.

USER ATTRIBUTES

When a user logs into Qualtrics via SSO, they can send over additional information about their Qualtrics account from your system. Qualtrics has the ability to pass and update this information into CX Dashboards to be stored as User Attributes.

Qtip: User Attributes derived from SSO attributes are updated each time a user logs into the platform via SSO.

ACCOUNT ACCESS

Users may be required to authenticate via SSO prior to accessing their Qualtrics account, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Login Page URL to use: https://qualtrics.com/login or https://datacenter.qualtrics.com/login

 

Credentials to use: Qualtrics

 Not available
Brand-Specific Login Page URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: Qualtrics

 URL(s) to use: https://brandID.datacenter.qualtrics.com or Vanity URL

 

Credentials to use: SSO

DASHBOARD ACCESS

Users may be required to authenticate via SSO prior to viewing the dashboard, depending on the brand’s settings.

SSO is Disabled SSO is Enabled
Generic Dashboard Login Page URL to use: https://datacenter.qualtrics.com/vocalize

 

Credentials to use: Qualtrics

 Not available
Dashboard-Specific Invite Link URL to use: See Sharing your Dashboard

 

Credentials to use: Qualtrics

 URL to use: See Sharing your Dashboard

 

Credentials to use: SSO

Logging in through Mobile Apps

LOGGING INTO THE QUALTRICS XM APP

Users must authenticate via SSO prior to gaining access to the Qualtrics XM App when SSO is enabled. This login process is explained on the Logging In with Your Organization ID support page.

Attention: Certain SSO types are not compatible with the Qualtrics XM App: 1) Google OAuth 2.0 configurations are not supported and 2) IdP-initiated logins are not supported, so SP-initiated logins must work for Shibboleth/SAML configurations.
Attention: The Qualtrics XM App is included in some Customer Experience and Employee Experience licenses. Talk to your Account Executive to see if you’re eligible.

OFFLINE APP

Users must use their full Qualtrics username and password to login to the Offline App, regardless of whether or not SSO is enabled. This login process is explained on the Entering Your Qualtrics Credentials support page.

Attention: Certain SSO types are not compatible with the Offline App: 1) Google OAuth 2.0 configurations are not supported and 2) IdP-initiated logins are not supported, so SP-initiated logins must work for Shibboleth/SAML configurations.
Attention: Qualtrics Offline Surveys is an add-on feature for your Qualtrics license and will need to be enabled before you can use the app. Check with your Qualtrics representative to see if this feature is already included in your license.