Single Sign-On Configuration Guide

Overview

Single Sign-On (SSO) allows users to securely access the SurveySensum platform using their existing organizational credentials, eliminating the need for separate usernames and passwords.

SurveySensum supports authentication through Google and Microsoft OAuth providers, enabling seamless and secure login experiences across platforms.

This guide explains the supported SSO methods, configuration requirements, setup steps, and onboarding process.

Supported SSO Types

SurveySensum currently supports the following SSO authentication methods

Google Public OAuth

SurveySensum maintains a centralized Google OAuth application for authentication.

How It Works

Users can log in to SurveySensum using their Google accounts without requiring separate SurveySensum credentials.

Client Responsibilities

To enable Google SSO:

1. Contact the SurveySensum IT Team
2. Request Google SSO enablement for your account
3. Confirm activation after setup completion

OAuth Scopes Requested

The following scopes are requested during authentication:

• openid
• email
• profile

Microsoft Public OAuth

SurveySensum also maintains a centralized Microsoft OAuth application for Microsoft account authentication.

How It Works

Users can authenticate using their Microsoft accounts directly through the SurveySensum login page.

Client Responsibilities

To enable Microsoft Public OAuth:

1. Contact the SurveySensum IT Team
2. Request Microsoft SSO enablement
3. Validate the login flow after setup

OAuth Scopes Requested

The following scopes are used:

• openid
• https://graph.microsoft.com/User.Read
• offline_access

Microsoft Private/Internal OAuth

Microsoft Internal OAuth is designed for enterprise organizations that want authentication restricted to users within their own Microsoft tenant.

In this setup, the client manages their own Azure App Registration while SurveySensum configures the integration on the platform.

Client Requirements for Microsoft Internal OAuth

Clients must create an Azure App Registration and share the following details with the SurveySensum IT Team:

• accountId
• clientId
• clientSecret
• redirectUri
• scopes

Required Scopes

The following scopes are mandatory:

• openid
• https://graph.microsoft.com/User.Read
• offline_access

Redirect URI Configuration

Clients must configure the following Redirect URI in Azure Portal:

https://prod-micro.surveysensum.com/webapi/api/v2/sso/msad/authSuccess/{accountId}

Replace {accountId} with the actual SurveySensum Account ID shared by the SurveySensum IT team.

Microsoft Internal OAuth Setup Steps

Follow these steps to configure Microsoft Internal OAuth.

Step 1 — Open Azure Portal

Log in to your Microsoft Azure Portal.

Step 2 — Navigate to App Registrations

Go to:

Microsoft Entra ID → App Registrations

Step 3 — Create a New Registration

Click:

New Registration

Enter the required application details.

Step 4 — Select Supported Account Types

Choose:

Any Entra ID Tenant + Personal Microsoft Accounts

Step 5 — Configure Redirect URI

Add the SurveySensum Redirect URI provided earlier.

Step 6 — Add Microsoft Graph Permissions

Navigate to:

API Permissions → Add Permission → Microsoft Graph → Delegated Permissions

Add:

User.Read

Step 7 — Generate Client Secret

Create a new client secret and securely store the generated value.

Step 8 — Share Configuration Details

Share the following securely with the SurveySensum IT Team:

• Client ID
• Client Secret
• Tenant Details
• Redirect URI
• Scopes

Security Recommendations

To ensure secure SSO implementation, follow these best practices:

• Share client secrets only through secure channels
• Rotate client secrets periodically
• Enable Multi-Factor Authentication (MFA)
• Restrict unauthorized domains and users
• Review Azure application permissions regularly

Testing & Go-Live Process

After configuration, the following rollout process is followed:

1. SurveySensum IT Team configures SSO integration
2. Client validates the authentication flow
3. User Acceptance Testing (UAT) is completed
4. Production rollout is enabled

Troubleshooting Tips

Unable to Login

Verify:

• Redirect URI is configured correctly
• Client Secret is active
• Required scopes are added
• User belongs to the authorized tenant

Invalid Redirect URI Error

Ensure the Redirect URI exactly matches the value configured in Azure Portal.

Permission Errors

Confirm Microsoft Graph delegated permission User.Read is added and admin consent is granted if required.

Support & Assistance

For SSO onboarding, setup assistance, or troubleshooting, contact the SurveySensum IT Team with the following details:

• Organization Name
• Preferred SSO Type
• Technical Contact Information
• Expected Rollout Timeline
• Azure Configuration Details (for Microsoft Internal OAuth)

Frequently Asked Questions (FAQs)

Can we use our own Microsoft Azure App Registration?

Yes. Microsoft Internal OAuth allows organizations to use and manage their own Azure App Registration.

Does SurveySensum store Microsoft passwords?

No. Authentication is securely handled through Microsoft OAuth providers.

Is MFA supported?

Yes. MFA support depends on your Microsoft tenant configuration and security policies.

Can SSO be enabled for specific users only?

Yes. Access restrictions can be managed through your Microsoft tenant and organizational policies.