Popular searches

Request consultation

Do you need support in running a pricing or product study? We can help you with agile consumer research and conjoint analysis.

Looking for an online survey platform?

Conjointly offers a great survey tool with multiple question types, randomisation blocks, and multilingual support. The Basic tier is always free.

Back
List of articles Back

How to set up SAML SSO?

If you are a team leader and you use SAML SSO for your organisation, you can set up SAML SSO login for your team members in Conjointly. This allows your team members to log in to Conjointly using their organisation’s credentials.

This setting works well with Microsoft Entra, Ping Identity, and other SAML SSO providers. However, Google Workspace does not seem to currently support the high level of security implemented on Conjointly.

Conjointly supports SP-initiated login (not IdP-initiated flows).

To set up SAML SSO login for your team members, follow these steps:

  1. Enable SAML SSO in your team authentication settings.
  2. Download the metadata file and the x509 certificate from the page.
  3. Go to your Identity Provider (IdP) and add a new application:
    • Upload the metadata file that you downloaded from Conjointly.
    • Populate the fields with the information from the metadata file:
      • Identifier (Entity ID): https://run.conjoint.ly/saml/metadata
      • Reply URL (Assertion Consumer Service URL): https://run.conjoint.ly/saml/acs
      • Sign on URL: https://run.conjoint.ly/
      • Relay State: https://run.conjoint.ly/
      • Logout URL: https://run.conjoint.ly/account/logout
      • Default RelayState: Leave this blank
      • Make sure that email address is passed to Conjointly (service provider).
        • If you use Okta, set:
          • Name ID format: EmailAddress
          • Application username: Email
        • If you use Ping Identity, set:
          • In Attribute Mapping, saml_subject: Email Address
          • In Configuration, Subject NameId Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • Upload the x509 certificate you downloaded from Conjointly and make sure that:
      • The signing algorithm is SHA-256.
        • If you use Microsoft, in Enterprise Applications → Single Sign-on (“Set up Single Sign-On with SAML”) → SAML Certificates, set Signing Algorithm: SHA-256
      • Require signing both for requests and responses.
        • If you use Microsoft, in Enterprise Applications → Single Sign-on (“Set up Single Sign-On with SAML”) → SAML Certificates, set Signing Option: Sign SAML Response and Assertion
      • Encrypt SAML assertion (unless you use OneLogin).
        • If you use Okta, in Advanced settings, set Assertion Encryption: Encrypted
        • If you use Ping Identity, you need to
          • Set Encryption Algorithm: AES_128
          • Enable Enforce Signed AuthnRequest
        • If you use OneLogin, please do not tick the checkbox called “Encrypt assertion”. There is an apparent problem in OneLogin that makes this setting incompatible with signing both for requests and responses. We have attempted to inform OneLogin about this issue, but have not received a response from them.
      • Require verification certificates
        • If you use Microsoft, in Enterprise Applications → Single Sign-on (“Set up Single Sign-On with SAML”) → Verification certificates (optional):
          • Switch “Require verification certificates” on
          • Switch “Allow requests signed with RSA-SHA1” off
      • Do not allow requests signed with RSA-SHA1
        • If you use Okta, set Signature Algorithm: RSA-SHA256
        • If you use Ping Identity, set Signing Algorithm: RSA-SHA256
    • You can use any name for your new application, such as Conjointly
    • Make sure that all your users are able to log in (e.g. “All Users” are assigned to the application under “Users and groups” in Microsoft Entra).
  4. Copy the following information from your Identity Provider into your team authentication settings on Conjointly:
    • Identity Provider SAML 2.0 URL (it could be called, for example, “Login URL” or “Single Sign-On URL” or “Single Signon Service”)
    • Identity Provider Issuer (it could be called, for example, “Microsoft Entra Identifier” or “Issuer ID”)
    • Identity Provider x509 Certificate
  5. Because of the high level of security of the above settings, you should not be able to “test” the SAML SSO login by clicking on the “Test SAML SSO” button on your identity provider’s page. But please do test it yourself by logging out of Conjointly and trying to log in again.
  6. After that, you can choose to disable email/password login for your team members.

If your organisation has many Conjointly users or if you have an Ultimate licence, please reach out to us for any assistance on this setup. We can also help you enforce SAML SSO for a whole domain or multiple domains.