SSO Single Sign On SSO User Experience with

SSO Single Sign On

SSO User Experience with no other m. Suite applications. • User may have a link in their company intranet (Id. P-initiated SSO) or will be provided a link directly to the survey (SP-initiated SSO). When clicked the user: • • After the user has completed the survey the link is greyed out and can't be launched. If the survey completion date has passed, then the survey is greyed out and can't be launched. • • • Will be brought directly to the survey if they only have one survey to take. Will will be brought to the m. Suite Survey Dashboard with the option to launch a survey when they have more than one survey to take. The Survey URL you were trying to access is not available. Please select a different survey from the dashboard. Surveys sort by due date, the one with the closest due date coming first. If there are no surveys, the user will see the message: No Surveys exist for the User.

SSO User Experience with other m. Suite applications. • User will be brought to the Routing page and clicks the m. Research card or icon. • When the user has an m. Reporter account, they may use the gear icon. Takes user to m. Reporter Takes user to the Survey Dashboard.

SSO | Implementation Process Authentication to Surveys through the client’s intranet site. Benefits: • • • Ease of use for the client Better security No password support from Kincentric needed The client will need to work with IT using the standard process to have SSO implemented. • • Implementation of SSO takes 6 -8 weeks from start of configuration Final implementation date should coincide with a deployment. Client must have a SAML 2. 0 compliant Identity Provider Provide the client with the Kincentric Modern Survey SAML 2. 0 Overview document

SSO | Implementation Process Follow this process to begin the SSO implementation with the client: 1. Create an m. Suite account for the client. • Add at least one user – the client’s IT SSO contact. Remember, all SSO users must be set to Active, not Initial. 2. Gather the account information for a TFS Support Request. A. Create a TFS Case for SSO Implementation. Include the following information: 1. Client account information (Client. Id, subdomain, agent account) 2. PM name 3. Ops support name 4. Client's IT SSO contact name 5. Delivery date

SSO | Settings m. Suite settings used for SSO: 1. System Admin Settings Tab: Allow SSO Authentication • Turns on the SSO option in m. Research 2. Client/Settings Tab: Allow Just In Time SSO Provisioning 2 • Allows users to be created automatically when using SSO • Keep it as off! Requires advanced setup with IT and the client. 3. Application Feature: m. Research_Survey. Dashboard. • Allows the user access to the Survey Dashboard • Off by Default 1 3

SSO | Research New Settings Research: Event Administration Type: Generic with SSO Authentication • Only appears when Allow SSO Authentication setting is turned on.

SSO | Provisioning Process Flow SSO Provisioning setting allows the system to create users based on the information from the Identity Provider. When Provisioning is turned on, you can still create users manually without impacting the SSO process. This will allow you to pre-create users and assign membership roles when needed. SSO Provisioning ON System Applies Membership Role via Auto Scheme System Creates User System takes user to Routing Page. User clicks card. OR Uses Client default m. Research Dashboard Application Feature System takes user to Survey dashboard System Looks at Events and lists surveys.

SSO | Configuration SSO must be configured for the client before proceeding to these activities. m. Suite: 1. 2. 3. 4. 5. 6. 7. Impersonate the client Navigate to Admin/Client Admin/Security/Client Application Features Search for: m. Research_Survey. Dashboard Set to: Allow Navigate to Admin/Client/System Admin Settings Turn on Allow SSO Authentication Decision: A. B. 8. System creates users: Allow Just In Time SSO Provisioning – ON (requires advanced setup with the client!) Census or manual creation of users: Allow Just In Time SSO Provisioning – OFF Decision: Create Membership roles and Auto Schemes A. B. Since the Survey Dashboard is turned on at the Client level and not at the membership role level, a user will automatically get access to the survey dashboard when they have no membership roles assigned. Create an auto scheme to send the user to the routing page if they have membership roles.

SSO | Configuration Application Settings 1. Navigate to Admin/Client/Applications Tab 2. Click pencil icon the m. Research card 3. Click: Available to All 4. Click: Show in Routing 5. Optional: Ensure the m. Reporter role is in the m. Research Admin section. 6. Click: Save To hide the m. Thrive from dashboard: 1. Click on: Available to Membership Role 2. Uncheck: Show in Routing in m. Thrive 3. Click on Available by Membership Role in routing Page options and leave the membership roles empty. Allows user access when the Dashboard feature is on. Turns the Research card on in the Routing Page with the arrow icon. Turns the Gear Icon on in the routing card.

SSO | Configuration Ensure the username Replacement Key matches what the Identity Provider is sending. You will need to know if the client is using Email Address or External Person ID when you create the event distribution list in m. Research. 1. Navigate to Admin/Client/Settings Tab 2. Review the setting for: Person Identifier (should be either employee ID or email) 3. Ensure the person identifier is identical in the application settings A. Navigate to Client Admin/Content/Application Settings. B. Ensure the Username. Replacement. Key is the same as the person identifier. 4. Set all the security state of all users to active state A. Find the New User Security State and set it to: 0

SSO | Configuration m. Research 1. Create a distribution list that contains the External Person ID for each user. A. System does not check for duplicates or errors. Users will see two links to the same survey. The user will be able to take the survey twice! B. If the External Id is the users email address, enter it in both columns External Person ID and Email. 2. 3. Create an event with: Generic with SSO Authentication Provide the client with the Generic URL Column in the Distribution List when SSO Authentication is turned on

SSO | Redirect to Survey Hide the Thrive dashboard and redirect the respondent directly to survey site. Verify the security for a user; 1. 2. 3. 4. 5. Navigate to Security/User security Click: View/Edit for any user uploaded Click: Application Features tab Click: System Override Ensure m. Research_Survey. Dashboard is visible. If it is not, proceed to the next slide.

SSO | Redirect to Survey Ensure the m. Research_Survey. Dashboard is set to Default. 1. Navigate to Security/Client Application Features 2. Ensure all other client application features are set to Default. 3. Search for: m. Research_Survey. Dashboard and ensure it’s set to Default.

SSO | People Import New People 1. Navigate to People/Import People 2. Import the people from your survey distribution A. Download the template and convert your distribution list to the format of the template. • • B. C. D. Note: The ID’s being uploaded in the template MUST match with External ID’s being uploaded in the Distribution list in m. Research. For new additions, upload the new respondents only. If any ID’s already exists in the system, you will get a message that the ID already exists after uploading. Click: Select File Select your saved template Click: Import

SSO | Hide Log Off Button This step is optional upon client request. Normally, if the client’s Id. P has implemented Single. Logout. Service, this is not necessary. If they have not implemented it in their Id. P, using the Logout button results in an error. 1. 2. 3. 4. Navigate to: Content/Style Sheets Click: Create New Name: Hide. Logout. Button Paste the below script into the Style Definition text box: . main-head__message__text__button { display: none !important; } 5. Click: Submit