Skip to main content

How to enable SAML SSO (Single Sign-On) on your OpinionX team workspace

Written by Daniel Kyne
Updated this week

πŸ”’ SAML SSO is available to customers on the Accelerate Tier or higher.

OpinionX users on the Accelerate tier or higher can configure Single Sign-On using the SAML (Security Assertion Markup language) authentication mechanism. This custom approach is designed to work seamlessly with any IDP (identity provider) of your choice.

-- -- --

[Prerequisites] How do you get SAML SSO on OpinionX?

Before you begin, make sure you have:

  1. Accelerate Tier: SAML SSO is only available on OpinionX's enterprise plan.

  2. Admin: The user setting up SAML SSO must be an Admin in your workspace.

  3. Feature Approval: Ensure SAML SSO has been enabled for your workspace by a member of the OpinionX team (please contact your account rep to confirm this step has been completed on our side before you proceed with the steps below).

-- -- --

Step 1. Create a SAML Connection in OpinionX

  1. Go to Workspace Settings and scroll down to the SAML Single Sign-On section.

  2. Click New SAML Connection.

  3. Enter a name for the connection (eg. "Microsoft Entra" or "Okta").

  4. Click Create.

The connection appears in the table with a Needs Setup status. You can have up to 10 SAML connections per workspace.

-- -- --

Step 2. Copy Service Provider (SP) Details to Your Identity Provider

  • On OpinionX, click the pencil icon next to your new connection to open the configuration dialog.

  • Select your Identity Provider from the dropdown. This adjusts field labels to match your IdP's terminology. Supported presets:

    • Microsoft Entra (Azure AD)

    • Okta

    • JumpCloud

    • Google Workspace

    • Ping Identity

    • Other (generic SAML 2.0)

  • Copy the following read-only values into your Identity Provider's SAML app configuration:

OpinionX Field

What it's called in your Identity Provider

Example

SP Entity ID

Identifier / Entity ID / Audience URI

https://api.opinionx.co/api/saml/{connectionID}

ACS URL

Reply URL / Single sign-on URL / ACS URL

https://api.opinionx.co/api/saml/{connectionID}/acs

  • 4. In your Identity Provider, set the NameID format to Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

Tip: Click the copy icon next to each field to copy it to your clipboard.

-- -- --

Step 3. Configure Your Identity Provider

In your Identity Provider's admin console:

  1. Create a new SAML application (or "Enterprise application").

  2. Paste the SP Entity ID and ACS URL you copied from OpinionX into the appropriate fields.

  3. Set the NameID (or "Subject") to the user's email address.

  4. [Recommended] Map the following user attributes so OpinionX can display user names:

    • firstName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname β†’ User's first name

    • lastName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname β†’ User's last name

  5. Save the SAML app, then locate and copy these three values. You'll need them for the next step:

    • IdP SSO URL (the login/redirect URL)

    • IdP Entity ID (the issuer identifier)

    • IdP Certificate (X.509 certificate in PEM format)

-- -- --

Step 4. Enter IdP Details in OpinionX

  • Return to the OpinionX SAML connection configuration dialog.

  • Fill in the Identity Provider Details section:

Field

Description

Connection Name

A friendly name (already set in Step 1, editable here).

IdP SSO URL

The login URL from your Identity Provider.

IdP Entity ID

The issuer / entity identifier from your Identity Provider.

IdP Certificate

The X.509 signing certificate from your IdP. You can either paste the PEM text or upload a .pem / .crt / .cer file.

  • Click Save Changes.

The connection status should update from Needs setup to Configured.

-- -- --

Step 5. Test the Connection

  1. In the SAML settings table, find the Sign-In URL column for your configured connection.

  2. Copy the sign-in URL (it looks like https://app.opinionx.co/sso/sign-up?connectionPublicId={id}).

  3. Open the URL in a private/incognito browser window.

  4. You should be redirected to your Identity Provider's login page.

  5. After authenticating, you should be redirected back to OpinionX and signed in.

Note: Make sure the test user's email domain matches one of your allow-listed domains and that the user has been assigned to the SAML app in your Identity Provider.

-- -- --

Detailed Walkthrough: Microsoft Entra (Azure AD)

This section provides step-by-step instructions for configuring Microsoft Entra as your Identity Provider.

A. Create an Enterprise Application in Entra

  1. Sign in to the Azure Portal.

  2. Navigate to Microsoft Entra ID β†’ Enterprise Applications.

  3. Click New application β†’ Create your own application.

  4. Enter a name (e.g., "OpinionX SSO") and select Integrate any other application you don't find in the gallery (Non-gallery).

  5. Click Create.

B. Set Up SAML Single Sign-On

  1. In your new application, go to Single sign-on β†’ select SAML.

  2. In Card 1 β€” Basic SAML Configuration, click Edit:

    • Identifier (Entity ID): Paste the SP Entity ID from OpinionX.

    • Reply URL (Assertion Consumer Service URL): Paste the ACS URL from OpinionX.

  3. Click Save.

C. Configure Attributes & Claims

  1. In Card 2 β€” Attributes & Claims, click Edit.

  2. Verify the NameID claim is set to user.mail with the format Email address.

  3. (Recommended) Add or confirm these additional claims:

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname β†’ user.givenname

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname β†’ user.surname

  4. Click Save.

D. Copy Entra Details to OpinionX

  1. In Card 4 β€” Set up <your app name>, copy:

    • Login URL β†’ Paste as the Login URL field in OpinionX.

    • Microsoft Entra Identifier β†’ Paste as the Microsoft Entra Identifier field in OpinionX.

  2. In Card 3 β€” SAML Signing Certificate:

    • Download Certificate (Base64).

    • Upload or paste the certificate content into the Certificate (Base64) field in OpinionX.

  3. Click Save Changes in OpinionX.

E. Assign Users and Groups

  1. In the Entra application, go to Users and groups.

  2. Click Add user/group and assign the users or groups who should have access to OpinionX.

F. Test

Follow Step 5 above to verify the connection works.

-- -- --

How Team Members Sign In

Once SAML SSO is configured, team members can sign in using one of two methods:

i. Email-Based Sign-In

  1. Go to the OpinionX login page.

  2. Click Sign in with SSO.

  3. Enter your work email address (e.g., [email protected]).

  4. Click Submit. You are redirected to your organization's Identity Provider.

  5. Authenticate with your IdP credentials.

  6. You are redirected back to OpinionX and signed in.

Note: Email-based sign-in requires that the user already has an SSO-enabled account. New users should use the direct sign-in link instead.

ii. Direct Sign-In Link

Workspace admins can share the Sign-In URL displayed in the SAML settings table. Users can bookmark this link for one-click SSO access β€” it redirects straight to the Identity Provider without needing to enter an email.

First-time SSO users are automatically added to the workspace as a Teammate.

-- -- --

Converting an Existing Account to SSO

If a team member already has a password-based OpinionX account, they can convert it to SSO:

  1. A workspace admin initiates the conversion from the workspace settings.

  2. The user is prompted to enter their current password for verification.

  3. After confirmation, the user is redirected through the SAML sign-in flow.

  4. Once complete, the user signs in exclusively via SSO going forward.

-- -- --

Troubleshooting

Problem

Solution

"No SSO domains configured" warning

Your email domain hasn't been allow-listed yet. Contact OpinionX support to have your domain enabled.

Certificate error on save

Ensure the certificate is in PEM format. It should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

"No SSO enabled account exists with this email"

The user doesn't have an SSO-enabled account. Try the direct sign-in link instead (which creates an account on first use), or convert the existing account to SSO.

Connection still shows "Needs setup"

Both the IdP SSO URL and IdP Entity ID must be saved for the connection to be considered configured.

User redirected to IdP but gets an error

Verify the SP Entity ID and ACS URL in your IdP exactly match what OpinionX displays. Check that the user is assigned to the SAML app in your IdP.

Maximum connections reached

You can have up to 10 SAML connections per workspace. Remove an unused connection to add a new one.

-- -- --

FAQ

Q: Which Identity Providers are supported?

OpinionX supports any Identity Provider that implements the SAML 2.0 protocol. The setup dialog includes presets with provider-specific terminology for Microsoft Entra, Okta, JumpCloud, Google Workspace, and Ping Identity.

Q: How many SSO seats are included?

Enterprise plans include 10 SSO seats. Additional seats can be purchased. Contact your account manager for details.

Q: Can I have multiple SAML connections?

Yes, up to 10 per workspace. This is useful if your organization uses different Identity Providers for different teams.

Q: What happens when a new user signs in via SSO for the first time?

They are automatically created in OpinionX and added to the workspace as a Teammate.

Q: Can users switch back from SSO to password-based login?

Contact OpinionX support for assistance with authentication method changes.

"Sign-In With Google" SSO is available to all OpinionX users, including those on the free tier. This guide is specially for SAML SSO.

Related Articles
External Recruitment: How to buy participants for your OpinionX surveys
Allowed Email Domains: Allow your teammates to auto-join your workspace
Two-Factor Authentication: Add an extra layer of verification and account security
Did this answer your question?