Single Sign-On with SAML | Questionmark

Single Sign-On with SAML

Streamlined, Secure User Access with SSO

Using SAML-based single-sign-on (SSO) with Questionmark OnDemand provides users with streamlined access, simplifies administration and strengthens security.

Single sign-on (SSO) is the ability for one application, the identity provider (IdP), to tell another application, the service provider (SP), who you are. In simpler terms: someone you trust authenticates your users for you. SAML is one of the most widely used protocols for web browser SSO; it allows systems to exchange authentication data about users, eliminating application-specific passwords.

With SAML-based SSO, users including assessment participants, item and assessment authors, reporting users and even administrators can be:

  • authenticated against your IdP to access Questionmark OnDemand
  • created "on the fly" in your OnDemand area
  • assigned roles based on a SAML attribute

Benefits of SAML SSO with Questionmark OnDemand

  • Provide streamlined, secure user access
  • Reduce user “password fatigue”
  • Centralize user management for security and efficiency
  • Leverage powerful IdP features like multifactor authentication

How it works

SAML exchanges authentication data between an identity provider (IdP) and a cloud application service provider (SP) that have an established trust relationship.

SSO with SAML involves three parties: a user, an IdP (e.g. Microsoft Active Directory), and an SP (e.g. Questionmark OnDemand). The IdP stores information about the user in a database. When the user connects to the SP and attempts to authenticate, the SP delegates authentication to the IdP. The IdP validates the user against its identity database and sends a SAML assertion about that user to Questionmark OnDemand, which then gives the user access to the application.

If the user is not yet authenticated against the IdP, a login page is displayed in the user's browser. Typically, login consists of entering a username and password, but it can also include other authentication mechanisms that the IdP supports, such as multifactor authentication.