Let's get your SSO Integrations migrated to our new Alchemer domains!
Along with the new alchemer application domains (app.alchemer.com, app.alchemer-ca.com, app.alchemer.eu) used for login, we have introduced new certificates for Single Sign-on (SAML SSO). For each of the applications SSO integrations (accessed via Integrations >Data Connectors) currently setup on SurveyGizmo domains, users will need to move over to the new domain as soon as possible.
If an account has one or more active Single Sign-On integrations set up between systems, a few actions are required to update the integration to ensure proper functionality and utilize signed assertions and requests.
There are three actions that are needed to successfully migrate an SSO integration. More detail on each item listed below is available under the Updating Login Domain Metadata section:
- Via Integrations > Data Connectors > Single Sign-on (Account), switch the Login Domain in the Alchemer integration to app.alchemer.com, app.alchemer-ca.com or app.alchemer.eu depending on the data center of the account via the Login Domain Dropdown:
- Select Save and Get Metadata in the integration pane:
- Supply the updated metadata to your Identity Provider (Okta, Ping, OneLogin, Auth0, etc.). Complete either a or b below depending on the specific use case:
- If you are utilizing a Service Provider metadata URL, you will need to trigger a refresh of this metadata by selecting Save and Get MetaData. The existing hostname in the metadata URL should be updated as such, prior to this refresh:
Existing Hostname New Hostname app.surveygizmo.com app.alchemer.com appca.surveygizmo.com app.alchemer-ca.com app.surveygizmo.eu app.alchemer.eu - Refresh the integration by resaving the integration.
- If you are manually managing your provider metadata, from your identity provider:
- Update both the Assertion Consumer Service URL and Service Provider Entity ID from the SurveyGizmo hostnames to the appropriate Alchemer hostnames:
Existing Hostname New Hostname app.surveygizmo.com app.alchemer.com appca.surveygizmo.com app.alchemer-ca.com app.surveygizmo.eu app.alchemer.eu www.surveygizmo.com survey.alchemer.com www.surveygizmo.eu survey.alchemer.eu ca.surveygizmo.com survey.alchemer-ca.com - If necessary, upload the new Signing Certificate from Alchemer to your Service Provider (Ping, ADFS, etc.), that is present in the metadata after resaving. Copy the certificate below using your clipboard:
-----BEGIN CERTIFICATE-----
MIIGmjCCBYKgAwIBAgIIMHbRnUv5+84wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwODE3MTI0NjM5WhcN
MjMwOTE4MTI0NjM5WjAbMRkwFwYDVQQDExBzc28uYWxjaGVtZXIuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3OMQGa69/15yQVmSVV4k/v2bh33G
U8THGzAfrEyP/yyE/cFOum+WFNKnM+Xi6vlXjO4PR//bVWrDpZOqDANINZp8K+Go
lcC4P5bpcmrcWMc/diFJ+0kHMQjOuRWJvoI8dLmeRWkIKJG2KzMbGJOVTOc/ZQZ3
ZHoD/yszmrJTKqsylQHDdj7yZT4ldz4QVhBgBG8wkJnTI0y48FaLA+blQKErQBog
b/EhMqCKsVqDASKBTnLrPkEa9+GSu2wHXVaFFgt0sRVCF/BcRaUoKsJbldCCedCi
v/geO1i6ugmA5xgLpPIOK/bEw5j7s1NMi9qeP2GOH/RwrDkY8Rw5EXzGOQIDAQAB
o4IDRjCCA0IwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9j
cmwuZ29kYWRkeS5jb20vZ2RpZzJzMS00Mzg1LmNybDBdBgNVHSAEVjBUMEgGC2CG
SAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29k
YWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAC
hjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2Rp
ZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDEGA1UdEQQq
MCiCEHNzby5hbGNoZW1lci5jb22CFHd3dy5zc28uYWxjaGVtZXIuY29tMB0GA1Ud
DgQWBBSyG1baK+YA07uqRZWh8lFyBcqGVTCCAX0GCisGAQQB1nkCBAIEggFtBIIB
aQFnAHYA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4AAAGCq9eHMwAA
BAMARzBFAiBlYopdLBbedcoiPavaApJYXBlxPl/qNlTb/Q2hKSuiHwIhAPZDiEnE
/oKmvv7vpa+cJrMMZXLJqVPWO+SkKPrjj1zGAHUANc8ZG7+xbFe/D61MbULLu7Yn
ICZR6j/hKu+oA8M71kwAAAGCq9eIoQAABAMARjBEAiA2oBb8sW/lj0zZjLS4KcoW
JzlL1I38jJXAeFYyA8ZuUAIgOsfE+PTCSmcias9omAElQipH6cbnAsRSWOGmUZ19
gIUAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYKr14kwAAAE
AwBHMEUCIEaVDtXMnxvtonICz6VmmLhZT+oehQD1/yybZOQ852ECAiEAmP3ALWEK
Z5VRUPjhVCSqfITHBvhUcwmw5V+MOIcYIQQwDQYJKoZIhvcNAQELBQADggEBAEE/
GTB+l5eLBndsHajgGJlZzBcch3+gKyrVrRfw9xDqGmNtyQhG2ZG3mnC8iHUOUK+7
zqIkMppREYJLk+rFD2ipIMq0KQGAzl790OPfb8NXGv3LBnR9gQhtg5KzOcOICV0z
cQsPJvJ/y5q6YGRxiBpEeYDL7/4+d0vvvOyYfE9HgWtoMM3caN5MMTODFbY6v52T
3zyE8rfCi0UlUu6Hu9B+agp/ZTI5BJtPdsYADflTtAQtq1qR7fYN0fArEekG4klH
5XR80mR+tU0aWMTltAXvPf2prtmHsrgFHXNfEQO1nDqCft/3iTxYvqsPwdCxUwCx
wyMBy1dqJSXZYqCCrA8=
-----END CERTIFICATE-----
- Update both the Assertion Consumer Service URL and Service Provider Entity ID from the SurveyGizmo hostnames to the appropriate Alchemer hostnames:
- If you are utilizing a Service Provider metadata URL, you will need to trigger a refresh of this metadata by selecting Save and Get MetaData. The existing hostname in the metadata URL should be updated as such, prior to this refresh:
- Re-test your integration after completing the above steps using the new Login Link found at the bottom of the integration in Alchemer after the integration is resaved:
Follow the steps below if you are switching to the new app.alchemer.com logins and using signed metadata, assertions and requests. The SSO signing certificate used for our legacy domains, app.surveygizmo.com and www.surveygizmo.com has been revoked, and you may experience errors until you update the Identity provider metadata with the new Alchemer signing certificate.
Updating Login Domain and Metadata
After switching to the new login domain, the old Login link generated in the Integration will not function. Once this process has been completed and the integration is rasaved, utilize the new login link found at the bottom of the specific integration being switched over to app.alchemer.
- To update the login domain for an SSO integration, start by selecting from the left-hand navigation menu in Alchemer Integrations > Data Connectors. Next, click Edit on the right side of the specific SSO integration being converted to the app.alchemer.com domains:
- In the right hand popup menu that displays once edit is selected, Scroll down to the Login Domain Dropdown, and choose app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu depending on the data center of the account:
- Scroll down further in the right hand popup window to Upload SSL/Signing Certificate section, and select Save and Get Metadata:
- Select Save in the bottom right corner of the popup menu.
Updating Assertion and Entity ID URL
To complete this process of moving over to the new app.alchemer login domains, users update the Assertion and entity ID URLs to be app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu instead of app.SurveyGizmo.com, appca.surveygizmo.com, or app.surveygizmo.eu depending on the data center of the alchemer account. Open up a new tab in the browser of choice, and navigate to the IDP provider being utilized for the accounts' SSO integration. Below are steps for the common IDP providers used in Alchemer:
Updating Assertion and entity ID URLs with Okta
- Login to Okta. Select applications from the top toolbar:
- Click the application that is currently in use for SSO.
- Via the General Tab in okta, scroll down to SAML Settings and select Edit:
- Click Next on the General Settings page to reach the Configure SAML section:
- On the General Section of the Configure SAML page, change the Single Sign On URL (Assertion Consumer Service URL) and the Service Provider Entity ID (Audience URI) to app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu from the SurveyGizmo equivalent based on data center. Leave the rest of the URL as is, replacing only SurveyGizmo:
- Select Next to reach the Feedback section in Okta, and then Finish.
- Head back into Alchemer, select Save and Get Metadata, and Save the integration. Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account). The new login link will now function as expected.
For specific information on replacing a service Provider signing Certificate in Okta, Follow the link to their documentation HERE.
Updating Assertion and entity ID URLs with OneLogin
- Login to OneLogin. Select applications from the top toolbar, then click the SAML SSO integration currently in use:
- Click Configuration from the left hand navigation menu:
- Replace app.SurveyGizmo.com with app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account in both the Audience (entityID) field and the Recipient ID field, leaving the rest of the URL as is:
- Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account). The new login link will now function as expected.
- To make changes to the signing certificate in OneLogin, Select SSO from the lefthand navigation menu, and click Change:
- To make changes to the signing certificate in OneLogin, Select SSO from the lefthand navigation menu, and click Change:
Updating Assertion and entity ID URLs with Ping
- Log into PingIdentity. Click Connections from the top toolbar and select Applications on the left hand navigation menu:
- From the list of connections on this screen, select the one representing SSO for the currently SurveyGizmo. Click the Vertical Ellipsis, and click the edit pencil on the right side of the screen:
- Via the Configuration Tab across the top of the page, select the SAML SETTINGS dropdown menu, and proceed to replace app.SurveyGizmo.com with app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account in both the ACS URLs and Entity ID URL, leaving the rest of the URL in tact. Click save once this has been completed:
- Scroll down to the SAML Settings dropdown menu on the Configuration tab, and via the Verification Certificate section, import the Signing Certificate that was downloaded in step 3bi near the top of this help article:
- Head back into Alchemer, upload the downloaded certificate via choose file under the Upload SSL/Signing Certificate section, select Save and Get Metadata, and Save the integration.Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account). The new login link will now function as expected.
For more information in regard to updating the Certificate in PingOne, follow their documentation instructions located HERE.
Updating Assertion and entity ID URLs with Auth0
- Log into Auth0, and select Applications on the left hand navigation menu:
- Click the horizontal ellipsis to the right of the SSO integration, selecting settings:
- Scroll down to Allowed Callback URLs, and replace app.SurveyGizmo.com with app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account, leaving the rest of the URL in tact:
- Click Save Changes at the bottom of the page.
- Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account). The new login link will now function as expected.
If an account is utilizing survey SSO, be aware that survey links will change when an update to the login domain value is completed. Once these changes have been made, please validate the survey links that are using SSO.
