SSO stands for "single sign-on". SSO allows you to authenticate your QuestionPro account or your survey against a third-party system. You can verify whether respondents have a legitimate user ID at your web application and then authenticate them to access the QuestionPro.
This Wikipedia article covers SSO in more detail
QuestionPro supports two basic types of SSO authentication:
1. SAML
2. HMAC-SHA1 (Single Sign-On)
SAML stands for Security Assertion Markup Language. It is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML authentication requires that the third-party application has a working SAML Identity Provider implemented. The identity provider acts as a producer of SAML assertions while the service provider acts as a consumer of assertions.
| Element | Description / Value |
|
|
Contains the unique identifier of the identity provider. |
|
|
Identifies the authenticated principal (but in this case the identity of the principal is hidden behind an opaque transient identifier, for reasons of privacy). |
|
|
Gives the conditions under which the assertion is to be considered valid. |
|
|
Describes the act of authentication at the identity provider. |
QuestionPro implements SAML authentication through the following process:
1. SAML authentication can be set up from My Account >> Authentications.
2. While setting up the authentication, you will have to enter the issuer
3. For authentication, the third party application will have to submit SAML Assertion to the following endpoint: https://questionpro.com/a/TakeSurveyAuth
4. QuestionPro will read the X509 certificate in the SAML assertion and check for the issuer. If the issuer matches the issuer set under Security, the authentication will succeed.
HMAC stands for hash-based message authentication code. This authentication is a product of a hash function applied to the body of a message along with a secret key. So rather than sending the authentication data via a Web service request, you send some identifier for the private key and an HMAC. When the server receives the request, it looks up the user's private key and uses it to create an HMAC for the incoming request. If the HMAC submitted with the request matches the one calculated by the server, then the request is authenticated.
The security identifiers / tokens will be sent to QuestionPro via the survey URL parameters. The token's data will be part of the query string.
HMAC-SHA1 authentication can be set up for your survey from Edit Survey >> Security
While setting up the authentication, you will have to enter:
1. Key: A 36 character key that is used for hashing the time in seconds.
2. Timestamp: The time window for which the survey URL will be valid.
You'll need to pass the following security token fields via the URL:
| Name | Description / Value | Required |
| surveyID | Survey ID | ✔ |
| ts | When the token was created in UTC time (seconds). | ✔ |
| hash | HMAC-SHA1 hash of the seconds (UTC) | ✔ |
| mode | Value for this parameter is always hmacSha1 | ✔ |
public String getAuthURL(String surveyID, String hashKey){
long ms = getUTCMillis();
long seconds = (ms/1000);
String hash = hmacSha1(String.valueOf(seconds),hashKey);
String params = "surveyID="+surveyID+"&ts=" + seconds + "&hash=" + hash + "&mode=hmacSha1"
return "https://www.questionpro.com/a/TakeSurveyAuth?"+params;
}
This security option allow you to pass additional data to the survey using DES encryption. You can pass data through the survey URL in encrypted format, the data will be decrypted and saved as part of the response.
DES Encryption can be set up for your survey from Edit Survey » Security
You'll need to enter a 8 character key which will be used to encrypt / decrypt the custom variables. You can refer the sample code given below to encrypt the variables:
public static String encriptDES(String passPhrase, String value) throws Exception {
SecretKey key = new SecretKeySpec(passPhrase.getBytes(), "DES");
Cipher ecipher = Cipher.getInstance(key.getAlgorithm());
ecipher.init(Cipher.ENCRYPT_MODE, key);
byte[] utf8 = value.getBytes("UTF8");
byte[] enc = ecipher.doFinal(utf8);
return base64Encode(enc);
}
Facebook Connect SSO allows respondents to log in to the survey with their Facebook credentials. The system stores Facebook details on who took the survey as custom variables. You can capture the following details:
Facebook Connect SSO can be set up for your survey from Edit Survey » Security
