Qualtrics integration changes
Losen, Stephen C. (scl)
scl at virginia.edu
Fri Mar 16 07:56:17 EDT 2018
Hi folks,
Qualtrics is an InCommon member and publishes their SP metadata. We (Univ. of Virginia) are also an InCommon member with published IDP metadata, and we load the InCommon metadata aggregate into our IDP.
We integrated our IDP with Qualtrics a year or so ago with no issues, only needed to add a filter to attribute-filter.xml. I think their SP uses SimpleSAMLphp. The entityID is https://virginia.az1.qualtrics.com/...
Recently Qualtrics asked us to integrate with a new SP whose entityID is https://az1.qualtrics.com . So I modified our attribute-filter.xml to match the new entityID. However, login to the new SP failed on the SP side after successful login to our IDP. Qualtrics says that the assertion needs to be signed.
Looking at the IDP wiki, I believe the default behavior for the SAML2 browser profile is to sign the response and not sign the assertion. We have not changed this in our relying-party.xml.
I suggested that Qualtrics should add WantAssertionsSigned="true" to their metadata, but the InCommon metadata management form does not appear to allow that.
Now it looks like I need to put an override in relying-party.xml, which I would prefer not to do. So I am dragging my feet a bit on this; Qualtrics is working just fine with the old SP. I suggested that they modify their new SP to require signed responses, not assertions.
Looking at the InCommon metadata file, it appears that Qualtrics has integrated with a large number of higher eds. So this change will impact a large number of their customers if they insist on signed assertions.
In case I am forced to add an override for Qualtrics to our relying-party.xml, has anyone else done this already? I obviously need to sign assertions, but do I need to explicitly not sign responses?
Thanks,
Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu 434-924-0640
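
An added example, not part of the original post: a small check of what an SP actually declares in SAML metadata, since the message turns on whether the new SP's entry carries WantAssertionsSigned. The metadata below is constructed for illustration (it is not the InCommon aggregate), and the first entityID and the function names are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate (not real InCommon metadata). The first
# entityID is a placeholder; the second is the one named in the post.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://old-sp.example.org/metadata">
    <SPSSODescriptor WantAssertionsSigned="1"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://az1.qualtrics.com">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def xs_bool(value):
    """xs:boolean accepts 'true'/'1' and 'false'/'0'; absent is treated as false."""
    return value is not None and value.strip() in ("true", "1")


def sp_signing_flags(metadata_xml, entity_id):
    """Return the SP's declared signing flags, or None if not found / no SP role."""
    root = ET.fromstring(metadata_xml)
    # iter() also yields the root, so a single-EntityDescriptor document works too.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        sp = entity.find(f"{{{MD}}}SPSSODescriptor")
        if sp is None:
            return None
        return {
            "WantAssertionsSigned": xs_bool(sp.get("WantAssertionsSigned")),
            "AuthnRequestsSigned": xs_bool(sp.get("AuthnRequestsSigned")),
        }
    return None


if __name__ == "__main__":
    for eid in ("https://old-sp.example.org/metadata", "https://az1.qualtrics.com"):
        print(eid, sp_signing_flags(SAMPLE, eid))
```

Run against a locally saved copy of the real aggregate, the same function shows whether an SP's published entry asks for signed assertions before any change is made on the IdP side.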