Qualtrics - login issues that I could use some help figuring out
I am posting this as a discussion on the forum because I am looking for input/opinions/ideas on how to handle this problem.
Qualtrics is supposed to be using a custom OAuth plugin we built for their Qualtrics login. This is currently in use for both staging/production.
The issue that they have come to realize in the last minute is that not ALL of their clients use their Qualtrics login. Eventually, all clients will be moving to a Qualtrics login but 653 different companies, half of which are universities with hundreds/thousands of users use an Organization SAML login. Essentially its an SSO between their institution/company and Qualtrics. An example of this can be seen if you do the following:
Try to access qualtrics.com/community as a guest and you will be re-directed to their login. All these users from these 653 clients use an Organization login which sits just below the Qualtrics login. If you click that you can test it out by try 'umich' as an organization ID. You get an error. We don't expect this to work but this is the problem they are only realizing now.
-Current site is set to private communities but public launch will make it public
-I suggested they remove SSO as default sign-in method and they use Basic registration in parallel. They didn't like this idea because they fear their competitors becoming real members and asking questions. This is supposed to be only temporary and these users wouldn't have access once everyone is switched over to SSO.
-From my past experience, using SSO with Approval method, SSO users still need to be approved. This happened to Ctuit. Not sure if that was specific to JsConnect and not OAuth from some reason.
Ultimately, they need to find a way to streamline these users in the easiest way possible that is not disruptive to users. This is a rather larger number of users. They are not opposed to creating the users themselves when they receive some form of request. One idea was to keep Qualtrics SSO as the default sign-in method and then indicate to users that they need to go to /entry/password. They were hoping to drop a messsage in there somehow but the moderation messages cannot be placed on that page. Is there anything they could put there to give users instructions?
Basically, I am throwing a hail mary to see if any of the brilliant minds at Vanilla can think of a better solution than I already have. It seems to me that if users can't sign in via SSO then it can't be set as the default method. It has to then be clearly indicated to users who would be using an organization login that they have to register on the forum in some fashion or ticket someone to create an account. I think overall it's quite obvious that Qualtrics messed up here not letting us know this was a thing but at the end of the day we just to get it right rather than be right.
@Linc @Adrian @patrick_kelly @shaunamcclemens @ValR @BrigitteP @Derrick @DaazKu @Ryan @Laura
Comments
-
Can they send out Qualtric logins by e-mail to their users?
0 -
@slafleche said:
Can they send out Qualtric logins by e-mail to their users?Apparently not. I feel like it's much more complicated than just some credentials they can use. An organization can be something like a University where all their students use that login to gain access to Qualtrics. It's a different account than what we have integrated with for our SSO.These users are well trained to use their organization login. The plan is by the end of Q1 to have all these organizations update their SAML integrations to use a Qualtrics login. However, that takes reaching out and communicating with each of these clients.
0 -
All these users from these 653 clients use an Organization login which sits just below the Qualtrics login. If you click that you can test it out by try 'umich' as an organization ID. You get an error. We don't expect this to work but this is the problem they are only realizing now.
You're gonna have to fill in more context here.
What is 'umich' and what are you talking about 'organization ID'?
What does "sits just below" mean?
Are you saying there are 653 SSO connections they want to use?
0 -
@Linc said:
All these users from these 653 clients use an Organization login which sits just below the Qualtrics login. If you click that you can test it out by try 'umich' as an organization ID. You get an error. We don't expect this to work but this is the problem they are only realizing now.
You're gonna have to fill in more context here.
What is 'umich' and what are you talking about 'organization ID'?
What does "sits just below" mean?
Are you saying there are 653 SSO connections they want to use?
I kind of assumed you would see by trying to access qualtrics.com/community as a guest. Regardless here,
Where you login for SSO, just below the regular Qualtrics login it says Organization login
Clicking Organization login, which is what users from these 653 companies would do, reveals another screen where you input your organization id. In this case umich is the organization ID for the University of Michigan.
Writing umich and clicking login results in the following error.
However, there is no expectation that we integrate with all these SSO configurations for all these brands. The issue is how to run a parallel login system for these users that cannot log in via the Qualtrics login and who typically use the organization login in a seamless and efficient manner.
0 -
They could make a separate login page for the forum's SSO connection that doesn't contain Organization code / whatever other accommodations are needed, and change the redirect to that page in the SSO settings. That would be what makes the most sense.
Otherwise, I would disable the default connection / turn off "Connect" registration, and put a Message on the Sign In page. That should result in guest users landing on that page and seeing the message before making a decision about whether to register or use the SSO option.
0 -
Is there some way they could streamline the process a bit with APIv2? I am seeing some endpoints that could potentially make sense (at least to me in my very limited understanding).
For example, If they ran Invitatitation method along side SSO could they use the Post Invite endpoint on their end to generate an invite for these users?
What is post /users/register
0 -
You can register users over the API, of course, yes. That's always been true. I don't see how that simplifies their situation; that's far more complex than making a second, dedicated login form.
We never recommend registering users over the API as a substitute for SSO because it makes the process more complex and can lead to sync issues if not executed very carefully. Basically, if you think SSO causes a lot of support requests, that will cause even more.
0 -
As I look at this, that error has nothing to do with us. That is the authentication provider at University of Michigan complaining that the login page they have set up on Qualtrics (not the forum) is not configured for that Authentication provider.
If they could sort that out, couldn't they do some sort of script that would log the user into qualtrics and redirect them back to the forum. I don't see where this login page with the "Organization Login" link exists anywhere else on their site except for when trying to log in from the forum.
0 -
Update. If you put in MIT as an Organization Login you don't get an error. Can we find an organization that works and for which they can provide test credentials? I think that is asking a lot, mind you.
0 -
@patrick_kelly said:
As I look at this, that error has nothing to do with us. That is the authentication provider at University of Michigan complaining that the login page they have set up on Qualtrics (not the forum) is not configured for that Authentication provider.If they could sort that out, couldn't they do some sort of script that would log the user into qualtrics and redirect them back to the forum. I don't see where this login page with the "Organization Login" link exists anywhere else on their site except for when trying to log in from the forum.
That IS essentially what they are doing. The problem is more so just timing. They want to do this public launch before the summit and the goal is to have all these login experiences fixed by the end of Q1. We were more looking for creative solutions to how they might be able to proceed given their public launch goals.
Ultimately, they have decided to use the current SSO as the default sign-in method and manually add users via the dashboard. I will be updating that welcome email via the site's locale to include extra information as it pertains to logging in via /entry/password.
0
