Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. In the context of SurveyMonkey Apply, SSO implementation allows clients to leverage their existing user authentication framework to permit and provision access to a SurveyMonkey Apply site. By the end of this document, you will know how to set up such an integration using the OAuth protocol.
There are 4 key entities to an SSO integration:
Users who sign in
Users who are permitted to sign in via SSO can be one of the following three types of users:
NOTE: To improve the user experience of external users who may be invited to your site (co-applicants, recommenders), your OAuth integration will not be used for them. This helps prevent unforeseen challenges, such as users being invited with an email address that does not match your IdP's records.
Identity Provider (IdP)
The Identity Provider is an instance of an SSO issuing server that is responsible for housing and validating a user’s account credentials as well as provisioning access. It has a few main purposes:
- Provides unique identifiers (UID) for users looking to interact with a system or software.
- Emits other user account information (attributes), as allowed by the third party, along with any other account metadata necessary for the integration to SM Apply.
- Provisions user account access to SurveyMonkey Apply.
- Establishes a “trust” with SurveyMonkey Apply.
The Client Server is the software or system, in this case SurveyMonkey Apply, establishing a trust relationship with an IdP and requesting user account provisioning from that IdP. It is also responsible for consuming information (attributes/metadata) that may be passed from the IdP.
The protocol is what facilitates the integration between the IdP and Client Server. It defines the handshake (sequence of events/data passing) for the integration.
What SSO provider will you be using? [OAuth]
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
Which of your user groups will need to sign in via SSO? [Applicants, Reviewers]
- By default, users are added to the Applicant group in SurveyMonkey Apply
- If Reviewers require SSO, users must be first added to the SurveyMonkey Apply site to ensure proper account permissions
- External users (for example, collaborators or recommenders) may bypass SSO at this time. This is to reduce friction and improve the user experience of external users.
How are users uniquely identified? OAuth must use email as the UID.
How will users enter Apply? Client Server-initiated SSO
What attributes need to be passed to Apply? [First name, Last name, email, etc.]
- Depending on the protocol used, required vs. optional attribute limitations may exist
“Client Server initiated” SSO is when a user comes first to the SurveyMonkey Apply site, clicks the SSO sign-in button and inputs their username and password. This then starts the authentication process with SurveyMonkey Apply sending out a call for authentication to the IdP.
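The Client Server-initiated handshake and the email-as-UID rule described above, as an added sketch that is not SurveyMonkey Apply's own code. The endpoint URLs, client ID, scope string, attribute keys and function names are hypothetical placeholders, since this document does not specify them.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical placeholders: the document gives no endpoints, client ID or scopes.
AUTHORIZE_URL = "https://idp.example.org/oauth/authorize"
CLIENT_ID = "apply-site-placeholder"
REDIRECT_URI = "https://apply.example.org/oauth/callback"


def start_login(session):
    """Client Server side: build the redirect to the IdP, bound to this session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email profile",
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if state matches this session's value."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def map_attributes(idp_attrs):
    """Map IdP attributes to a user record; email is the UID and is mandatory."""
    # Trimming and lower-casing the address is an assumption of this sketch.
    email = (idp_attrs.get("email") or "").strip().lower()
    if "@" not in email:
        raise ValueError("IdP released no email address; cannot derive the UID")
    return {
        "uid": email,
        "first_name": idp_attrs.get("first_name", ""),
        "last_name": idp_attrs.get("last_name", ""),
        "group": "Applicant",  # default group, per the planning questions above
    }
```

If the IdP does not release the email attribute, the login fails here because no UID can be derived, so confirm attribute release on the IdP side before go-live.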
Due to the technical nature of implementing an SSO integration, and the number of authentication services, SM Apply recommends that a technical expert experienced with OAuth facilitate the configuration on the client end.