Qualtrics integration changes
Domingues, Michael D
michael-domingues at uiowa.edu
Mon Mar 19 16:44:45 EDT 2018
Just our two cents to this whole mess. Qualtrics attempted to migrate our "brand" (their term for tenant) to one of their new SPs (https://ca1.qualtrics.com) this morning. Despite having set their requested signing preferences (unsigned responses, signed assertions) in relying-party.xml, it seems that Qualtrics is still having issues consuming assertions their old SP was perfectly happy to accept.
Based on a comment they made earlier about missing an expected ePSA value, I suspect they might be trying to (erroneously) assume things about the order of multi-valued attributes. I'll update the list when we have more information, but they've solidly bungled this. I'll also be pushing back to see if they'll change their signing preferences back to the default.
From: users <users-bounces at shibboleth.net> on behalf of Karla Borecky <kborecky at smith.edu>
Sent: Friday, March 16, 2018 7:55:21 AM
To: Shib Users
Subject: Re: Qualtrics integration changes
I have a separate standalone metadata file for Qualtrics (for Smith, just like Lee's example) and I didn't have to add an exception to relying-party. That was a long while ago, though, so I don't know if something changed.
On Fri, Mar 16, 2018 at 8:23 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> I suggested that Qualtrics should add WantAssertionsSigned="true" to their
> metadata, but the InCommon metadata management form does not appear to
> allow that.
It's something that usually demonstrates a non-compliant SAML SP, so I at least advised them that it was possibly going to incent bad behavior to start allowing it. That doesn't inherently mean it's a bad idea but it was something to consider.
> In case I am forced to add an override for Qualtrics to our relying-party.xml,
> has anyone else done this already? I obviously need to sign assertions, but do I
> need to explicitly not sign responses?
Once an SP is broken, there is no way to a priori know how broken it actually is. This presumes Qualtrics has no *actual* reason to be requiring them to be signed that is independent of the profile, such as an auditor saying something that they somehow translated into "they have to be signed".
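The attribute-order assumption suspected in the top message, shown as an added example (not code from this thread or from Qualtrics): an IdP may release the values of a multi-valued attribute in any order, so a consumer that reads only the first value breaks when the order changes, while a membership test does not. It reads "ePSA" as eduPersonScopedAffiliation; the `example.edu` scope, the sample statements and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

def _statement(values):
    """Build a constructed AttributeStatement with values in the given order."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
            f'<saml:Attribute Name="{EPSA_OID}">{vals}</saml:Attribute>'
            f'</saml:AttributeStatement>')

# Constructed samples: the same value set released in two different orders.
SAMPLE_A = _statement(["staff@example.edu", "member@example.edu", "employee@example.edu"])
SAMPLE_B = _statement(["member@example.edu", "employee@example.edu", "staff@example.edu"])

def attribute_values(statement_xml, name):
    """Return every value of the named attribute, across all matching elements.

    Assumes the enclosing assertion's signature has already been validated;
    untrusted XML should go through a hardened parser first.
    """
    root = ET.fromstring(statement_xml)
    out = []
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == name:
            out.extend((v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", NS))
    return out

def first_value_check(statement_xml, expected):
    """Fragile: treats the first released value as 'the' value."""
    values = attribute_values(statement_xml, EPSA_OID)
    return bool(values) and values[0] == expected

def membership_check(statement_xml, expected):
    """Order-independent: the expected value may appear at any position."""
    return expected in set(attribute_values(statement_xml, EPSA_OID))

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label,
              "first-value:", first_value_check(sample, "staff@example.edu"),
              "membership:", membership_check(sample, "staff@example.edu"))
```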