Single-Sign-On (SSO)

SmartSurvey supports organisational single-sign-on using OpenID Connect as a premium feature on Enterprise accounts. Using this feature, you can create a single billing account and then enable SSO so that any of your users can sign in to SmartSurvey using their existing organisation logins and without needing to create multiple SmartSurvey accounts in the SmartSurvey system.

Please note that setting up and debugging SSO is a relatively technical process that requires knowledge of HTTP and a reasonably good knowledge of SSO protocols. However, you will not break anything when setting it up, so a business person could attempt the setup and then call on your own technical support if it does not work.

Enabling Single Sign-on

To see if your plan supports SSO, go into My Account in the SmartSurvey app and look for the Single Sign-On item in the left-hand menu. If clicking this shows an upgrade dialog or it is not shown, the feature is not enabled. Please contact your Account Manager to upgrade your plan or add the feature.

Configuring Single Sign-on

Our system is compatible with OpenID Connect only. It does not support plain OAuth2 or Shibboleth/SAML2 based systems.

If the feature is enabled, clicking the menu item under My Account will show a simple configuration form that contains all of the details we will need in order to work with your organisation's SSO system.

Once the mandatory fields are populated and saved, the SSO system will be enabled for your account and will display the link that you will need to initiate the sign in process.

The client id and secret will come from your SSO system after registering SmartSurvey as an application and providing to it the Redirect URL displayed in this setup page, which will always be:

https://app.smartsurvey.co.uk/c/sso/redirecturi

The client id is usually a long alphanumeric string and the secret is more like a password and will probably contain "special" characters to make it more secure.

The discovery origin is shared between all applications using your SSO system. It is a URL pointing to the base of the SSO application, for example https://identity.yourcompany.com/openidconnect; in some cases it might end with a "random" code to distinguish between different customers. Note that it should NOT include the .well-known part, which will be added to the end of the URL.

When the SSO process is initiated, the scopes openid email profile will be requested. These are standard scopes that must be supported by OpenID Connect servers but in some cases might be explicitly disabled and will therefore cause an error when attempting to sign in.

Note also that we are using PKCE verification for the process, using SHA256. If your system does not support PKCE then the verification step will be ignored (and people will sign in with no problems). If you do support PKCE but do NOT support SHA256, then please contact support to discuss options since this will not work.

Initiating the SSO Login

Note that you cannot initiate the process from the normal login page but instead will need to trigger the process by invoking the login URL displayed in the Single Sign-on settings page once you have registered. This could be as simple as an HTML button on one of your intranet pages. For example, the following HTML fragment is a Bootstrap button that would invoke the process (but you need your own code, the code below is only an example):

<a href="https://app.smartsurvey.co.uk/c/sso/krHbQzs2Bc5NeI45vYlLClpm8eYIPO" class="btn btn-primary btn-lg">Login to SmartSurvey</a>

Debugging the SSO Process

Error pages are supported in the SmartSurvey process and also in most professional identity providers, so setting up and debugging should be relatively straightforward. Using the code you were provided in the settings page and a link similar to the example above, attempt to initiate the process.

If you do not reach your identity provider or you get an error on the SmartSurvey login page, the error message should make it clear what has not been configured correctly. You need to ensure that SmartSurvey and your Identity provider systems are accessible from the system you are testing.

This should take you via a number of automatic redirects to your identity provider. The first time you do this, SmartSurvey will be a new application and you should see a consent screen on your identity provider asking you to consent to giving your email address and personal details to SmartSurvey. If you have got this far, the basic setup is correct.

After consenting (or, in the future, if your consent is remembered), you will be redirected back to SmartSurvey, where you should either see an "Account Setup" screen the first time or simply be logged in to your account.

Managing Users

Each new user will automatically be linked to your organisation account and the billing will work according to your agreed plan and pricing. Various soft and hard mechanisms will take place if you exceed your user limit.

If you want to reduce the accounts you are paying for, then you will need to contact your Account Manager to delete those users from SmartSurvey and/or block them in your Identity provider to ensure they don't simply log in again and take another seat/license.

Note that blocking people in your provider alone does NOT automatically perform any operations on SmartSurvey, so you could find yourself with many orphaned accounts unless you are actively managing them with your SmartSurvey Account Manager.
