SSO does not apply to surveys (anyone can complete a survey) and does not apply to the administration Portal (admins use their email address and a CIOPulse-managed password to access the Portal).
If you are on a Corporate or Enterprise Plan, we are able to provide SAML 2.0 compliant Single Sign-On capability.
Single Sign-On will direct any user attempting to access CIOPulse to your Identity Provider system (e.g. OneLogin, Shibboleth, Okta, Microsoft Azure Active Directory) for authentication.
Once a user has been authenticated by your Identity Provider (IdP), CIOPulse will grant access only to a user whose email address is found in the CIOPulse Portal. The authentication steps are:
- Anonymous user requests a CIOPulse web page with your Client Portal Code.
- CIOPulse redirects them to your IdP for authentication.
- Your IdP returns an email address (NameID) and custom attribute containing your Client Portal Code (cpc) if the user is authenticated.
- CIOPulse checks the email address exists in the Portal as a Contact, Administrator, Monthly Report Recipient, or Additional Send-To Recipient.
- If the email address exists in the Portal, CIOPulse grants access.
This diagram shows how these steps fit into CIOPulse's user access model
Note that browser session timeouts and your Identity Provider System govern how long an authenticated user will remain authenticated before the user is asked to re-authenticate.
Other optional security settings can be applied beyond Single Sign-On: Encoded URLs only, IP address security and role-based security. More information can be found in Setup User Access Security.
SSO does not authenticate:
- Administrators. Administrators continue to be authenticated via the admin email address and password managed in the CIOPulse Portal.
- Survey invitees. Anyone issued a survey URL may complete a CIOPulse survey.
- API access.
How to turn on Single Sign On
If you would like to implement Single Sign On, please first contact us at [email protected] so that we can coordinate the implementation steps with you.
If you are already live, the first step will be for us to provide you with a test instance of CIOPulse so that you can test SSO before you go live.
To set up SSO, we will require your IdP settings. If you have both a test and production Identity Management environment, we will require these settings for both:
- URL for your entityId.
- URL for your singleSignOnService.
- Your x509 certificate.
Once we have your IdP settings, our Service Provider certificate/metadata can be found here:
https://app.cio-pulse.com/sso/metadata?cpc={your Client Portal Code}
For an authenticated user, your IdP must return the user's email address in NameID and your Client Portal Code in a custom attribute called cpc.
If that user's email address is found in the CIOPulse Portal (as a Contact, Administrator, Monthly Report Recipient, or Additional Send-To Recipient), we will grant them access.
If that user's email address is not found in the CIOPulse Portal, they will see an error message like this:
If your IdP requires a default application URL, use https://app.cio-pulse.com/launchpad?cpc=XXXXX where XXXXX is your Client Portal Code. This will display the CIOPulse launchpad function, described here.
When you're ready to turn on Single Sign-On, set 'User Login Type' in your Portal Preferences to 'Single Sign-On'.
If you ever experience a problem with Single Sign-On, you can temporarily turn off SSO by choosing another User Login Type in your Portal Preferences.
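A pre-flight check for the IdP requirement above, added here as an example (it is not CIOPulse code): it inspects a decoded SAML assertion for an email NameID and a cpc attribute, then mimics the Portal email lookup. The sample assertion, the code ABC123, the email list and the case-insensitive email comparison are assumptions; signature validation is out of scope.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed to the fields this page names).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cpc">
      <saml:AttributeValue>ABC123</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def check_assertion(xml_text, expected_cpc, portal_emails):
    """Return a list of problems; an empty list means the assertion fits the rules."""
    problems = []
    root = ET.fromstring(xml_text)  # only feed this output from your own test IdP

    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.fullmatch(name_id):
        problems.append("NameID is not an email address")
    elif name_id.lower() not in {e.lower() for e in portal_emails}:
        # Case-insensitive comparison is an assumption; the page does not specify it.
        problems.append("email not registered in the Portal")

    # Exact-name match: the page spells the attribute "cpc" in lower case.
    cpc_values = [
        (v.text or "").strip()
        for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == "cpc"
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if not cpc_values:
        problems.append("custom attribute 'cpc' is missing")
    elif cpc_values != [expected_cpc]:
        problems.append("cpc does not match the Client Portal Code")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "ABC123", ["jane.doe@example.com"]))
```

Pass it the assertion captured from a test login, your own Client Portal Code, and the email addresses you have registered in the Portal.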
How to test Single Sign On
If you are a developer/SSO expert rather than one of your organization's nominated CIOPulse administrators, we strongly recommend you seek help from an administrator. With the help of an administrator, testing can be accomplished in minutes. Going solo is likely to take longer because of the learning curve.
The steps for testing SSO differ depending on whether you are already live with CIOPulse or have not yet gone live. The testing steps are described below.
Once we have your IdP settings, and you've used our Service Provider metadata to set up your Identity Management System, you are ready to begin testing.
If you are already live with CIOPulse
If you are already live with CIOPulse, we will set you up with a test instance for testing SSO. We will give you a test Client Portal Code for this instance. This code will differ from your production Client Portal Code.
When we notify you that your test instance is ready, you will first need to register a new test administration account. You must register with an email address that hasn't already been used for your production administration account. You can register a new test administration account here. You will be asked for a Portal Code when you register. Use your test Client Portal Code.
Both the test and production Portal can be accessed with the same URL. The email address you use to sign in will determine whether you log in to the test or production Portal.
In the Portal, under Preferences, set 'User Login Type' to 'Single Sign-On'.
Once you've created a test admin account, you need to test that SSO works when accessing the CIOPulse information URLs. The URLs for creating surveys and viewing information can be found in the Portal using the 'View your URLs' function. Sign in to the Portal using your test administration account to access this function.
We recommend you create some test surveys and test the Single Sign On function by accessing each of these:
- Live feedback slider
- Survey Responses Report
- Net Promoter Score Gauge (you may have to wait up to 12 hours for a Net Promoter Score to be calculated).
Once you have confirmed that SSO is working for you in test, we can turn on SSO in your production environment at a time that we will agree with you. Our Service Provider metadata is the same for both your test and production instances of CIOPulse.
Once you are live and have confirmed that SSO is working, we will then decommission your test instance of CIOPulse.
The surveys for your test instance will have a different look-and-feel than your live surveys. This will not affect your testing.
The CIOPulse domain for both test and production instances is the same (https://app.cio-pulse.com).
The test and production Portals are accessed with an identical URL (with different login IDs for test and production).
The URLs used to access CIOPulse information (e.g. the NPS Gauge) share the same domain, but the rest of the URL will differ between test and production.
If you are not already live with CIOPulse
If you are not yet live, you can test SSO with your (pre)production environment.
You will need to test that SSO works when accessing the CIOPulse information URLs. The URLs can be found in the Portal using the 'View your URLs' function of the Main Menu. Sign in to the Portal using your administration account to access this function.
When you are ready to test SSO, set 'User Login Type' to 'Single Sign-On' in Preferences in the Portal.
We recommend you create some test surveys and test the Single Sign On function by accessing each of these:
- Live feedback slider
- Survey Responses Report
- Net Promoter Score Gauge (you may have to wait up to 12 hours for a Net Promoter Score to be calculated).
Before you go live, you may want to ask us to delete your test surveys for you.