What is SSO?
SSO is an abbreviation of “Single Sign On”. SSO enables users to sign into multiple products and services with one set of user credentials, commonly assigned by your organisation. SSO is made up of 3 parts:
- Identity Provider (IdP) - This tool provides validation of the user's identity. The IdP is something your organisation will control, usually the IT department, where your internal user credentials are managed for things like Office 365 and others.
- Service Provider (SP) - This is the tool that you would like to use, in this instance SmartSurvey.
- The User – The user is part of a user directory that is managed by your organisation, which commonly provides you with your organisation log in credentials. The IdP checks the user is entitled to access the various services allocated to them and provides access based on your credentials being correct, e.g an Office 365 login.
How can it help me?
Easier management of users
SSO enables sub users to sign up automatically to SmartSurvey if they have been given access within the Identity Provider. In this case the sub-user can use the SSO login URL and sign up directly to create their account, using their existing credentials, automatically creating the user under the master admin account.
Using an IdP gives you better visibility of who is accessing which products within your organisation as well as enabling you to remove access centrally, for example disabling previous employees in one place rather than many.
Save your employees time
Your sub users can simply access SmartSurvey tusing their existing user credentials removing the need to manage multiple usernames and passwords. For example linking directly from an internal intranet through to SmartSurvey.
What do I need to enable SSO?
SSO is available as an option on our Enterprise Plus plan. Please contact your account manager for pricing and to enable access to the SSO set up page within your account.
You’ll need to have an Identify Provider that provides the option to configure SSO using OpenID Connect and can provide you with a discovery end point. It does not support plain OAuth2 or Shibboleth/SAML2 based systems.
All identity providers differ in the configurations they allow. Please check with your identity provider before confirming you'd like to add the option to your account.
So far we've tested with the following identity providers and have the following help guides available:
SmartSurvey’s SSO feature works with Open ID Connect. You’ll need to decide whether you’re sub users will use SSO or not – you cannot mix SSO and normal log in access.
It’s either enabled for all users or not. PKCE verification used in this process and SHA256 for the code verification process. If you’re IdP does not support PKCE then this will fail invisibly. If you support PKCE but not SHA256, please contact support to discuss options.
Once SSO is enabled, Master Users can log in to SmartSurvey via SSO or our normal log in page, giving flexibility to log in to manage the configuration.
New Sub Users
When SSO is enabled, you cannot add new sub users directly to SmartSurvey User Management. New users need to be given access to SmartSurvey within your Identity Provider and provided the SSO login URL. On first login, their account will be set up automatically.
Existing Sub Users
When SSO is enabled, existing users will need to log in via the SSO login URL. If they attempt to log in via the normal log in page, they will see a notification that their account is now linked to an Identity Provider.
The existing user will need to be given access to SmartSurvey within your Identity Provider and on first login they will log directly into their account.
When disabling SSO, your sub users will no longer be able to log in via the SSO login URL. Instead, they will be directed to reset their password via the normal log in page. Going forward they will need to log in via the log in page, unless SSO is reenabled on the account.
Users who have access to SmartSurvey within your Identity Provider can continue to sign up via the SSO login URL until your user limit is used.
You can set custom user limit warning notifications on your SSO set up page, to help monitor and manage your user limit as users sign up.