Single-Sign-On (SSO)

SmartSurvey supports organisational single-sign-on using OpenID Connect as a premium feature on Enterprise accounts. Using this feature, you can create a single billing account and then enable SSO so that any of your users can sign in to SmartSurvey using their existing organisation logins, without needing to create multiple SmartSurvey accounts.

Please note that setting up and debugging SSO is a relatively technical process that requires knowledge of HTTP and a reasonably good knowledge of SSO protocols. However, you will not break anything when setting it up, so it might be possible for a business person to attempt the setup and then to use your own technical support if you cannot get it to work.

Enabling SSO

To see if your plan supports SSO, go into your account settings and look for the SSO item in the left-hand menu. If clicking this shows an upgrade dialog, the feature is not enabled. Please contact your Account Manager or the sales team to upgrade your plan or add the feature.

If the feature is enabled, clicking the menu item will show a simple configuration form that contains all of the details we will need in order to work with your organisation's SSO system. Once the mandatory fields are populated and saved, the SSO system will be enabled for your account and will display the link that you will need to initiate the sign-in process. Note that you cannot initiate the process from the normal login page; instead, you will need to trigger it by invoking the login URL displayed in the settings page. This could be as simple as an HTML button on one of your intranet pages. For example, the following HTML fragment is a Bootstrap button that would invoke the process (but you need your own code; the code below is only an example):

<a href="https://app.smartsurvey.co.uk/c/sso/krHbQzs2Bc5NeI45vYlLClpm8eYIPO" class="btn btn-primary btn-lg">Login to SmartSurvey</a>

Configuring SSO

Our system is compatible with OpenID Connect only. It does not support plain OAuth2 or Shibboleth/SAML2 based systems.

To configure the settings, you will first need to register SmartSurvey as an application with your identity provider. The instructions will vary enormously depending on your provider. What you will need to provide is the redirect URI for SmartSurvey, which is:

https://app.smartsurvey.co.uk/c/sso/redirecturi

Registering should give you two important pieces of information, generally called client id and secret. These need to be copied and pasted into the SmartSurvey settings page. You will also need to enter the location of your discovery endpoint, which should be just the base URL (and not the .well-known/openid-configuration part, which will be added automatically). This information should be available from your identity provider, possibly inside the application itself or in the help documentation if using a cloud service.

Example: If you were using Google as an Identity provider, this discovery URL would be https://accounts.google.com

Do not include the .well-known/openid-configuration part, just include the origin with no trailing slash. The same origin is used to find other details about the SSO handshake.

When the SSO process is initiated, the scopes openid email profile will be requested. These are standard scopes that must be supported by OpenID Connect servers.

Note also that we use PKCE verification for the process, with SHA256 (the S256 challenge method) for code verification. If your system does not support PKCE, the PKCE step fails invisibly: people will still sign in with no problems, but without the PKCE check. If you do support PKCE but do NOT support SHA256, please contact support to discuss options, since this will not work.
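A pre-flight check for the settings described above, as an added example (not SmartSurvey's own code): it builds the discovery URL from the base URL, checks a discovery document for the requested scopes and S256 PKCE support, and computes an S256 code challenge. The provider idp.example.org and the sample document are constructed; paste in the JSON your own identity provider publishes.

```python
import base64
import hashlib
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes this page says are requested

def discovery_url(base):
    """Build the discovery URL from the base URL entered in the settings page."""
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must start with https://")
    if base.endswith("/") or ".well-known" in base or parts.query or parts.fragment:
        raise ValueError("enter the base URL only: no trailing slash, no .well-known part")
    return base + "/.well-known/openid-configuration"

def s256_challenge(verifier):
    """PKCE S256 (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_metadata(base, doc):
    """Return findings for an IdP discovery document (already parsed from JSON)."""
    findings = []
    if doc.get("issuer") != base:
        findings.append("issuer does not match the configured base URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            findings.append(f"{key} missing or not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        findings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    methods = doc.get("code_challenge_methods_supported")
    if methods is None:
        findings.append("PKCE not advertised: sign-in may proceed without the PKCE check")
    elif "S256" not in methods:
        findings.append("PKCE advertised without S256: contact support")
    return findings

SAMPLE_BASE = "https://idp.example.org"  # constructed, hypothetical provider (not real IdP output)
SAMPLE_DOC = {
    "issuer": SAMPLE_BASE,
    "authorization_endpoint": SAMPLE_BASE + "/authorize",
    "token_endpoint": SAMPLE_BASE + "/token",
    "jwks_uri": SAMPLE_BASE + "/keys",
    "scopes_supported": ["openid", "email"],
    "code_challenge_methods_supported": ["plain"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_BASE), check_metadata(SAMPLE_BASE, SAMPLE_DOC), sep="\n")
```

An empty findings list means the document advertises everything this page says the handshake relies on; scopes_supported is optional in discovery, so scopes are only flagged when the provider lists them.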

Testing the SSO Process

There are many error pages supported in the SmartSurvey process and also in most professional identity providers, so setting up and debugging should be relatively straightforward. Using the code you were provided in the settings page and a link similar to the example above, attempt to initiate the process.

If you do not reach your identity provider or you get an error on the SmartSurvey login page, the error message should make it clear what has not been configured correctly. You need to ensure that SmartSurvey and your Identity provider systems are accessible from the system you are testing.

Initiating the process should take you via a number of automatic redirects to your identity provider. The first time you do this, SmartSurvey will be a new application and you should see a consent screen on your identity provider asking you to consent to giving your email address and personal details to SmartSurvey. If you have got this far, the basic setup is correct.

After consenting (or, in the future, if your consent is remembered), you will be redirected back to SmartSurvey, where you should either see an "Account Setup" screen, the first time, or simply be logged in to your account.

Managing Users

Each new user will automatically be linked to your organisational account and the billing will work according to your agreed plan and pricing. Various soft and hard mechanisms will take place if you exceed your user limit. If you want to reduce the accounts you are paying for, you will need to delete those users manually and/or block them in your identity provider. Note that blocking them in your provider does NOT automatically perform any operations on SmartSurvey, so you could find yourself with many orphaned accounts unless you are actively managing them.
