Changing the identity provider (IdP) for single sign-on (SSO)
Who is this article for?
Administrators responsible for managing their single sign-on configuration.
Assistance from Ideagen Support is required.
You might need to switch from one single sign-on (SSO) provider to another, such as when changing identity products or moving between Azure tenants.
This article explains how to update SSO details in Disclose.
Note: Ensure you have one or two administrator accounts that do not use SSO, in case there are issues during the change.
1. Understand whether user UPNs are going to change as part of this process
Each SSO user has a SyncID matching their UPN, which is used to identify them at login. The SyncID is permanent and cannot be changed. Changing a user's UPN therefore causes problems: after a UPN change the user can no longer log in to their existing Disclose account, and a new Disclose account is auto-provisioned if they try.
Before proceeding, determine whether your users' UPNs will change as part of the IdP switch, as this affects the steps you need to take.
If UPNs will NOT change: You can update the IdP configuration directly without creating new users. Follow the steps in Section 3 to reconfigure SSO with the new IdP settings.
If UPNs WILL change: New users must be created in Disclose with the new UPN as the SyncID. This happens automatically when a user logs in with their new UPN for the first time, or you can pre-create users by uploading a CSV file, which also lets you assign licences and groups. For details on CSV uploads, see our article on importing users from a CSV file. Section 2 describes this scenario in more detail.
2. Managing users where UPNs change
To change the IdP when UPNs are changing, you will need to create new users in Disclose, each with the new UPN. In overview:
- Review the system for current users' group memberships.
- Prepare a CSV file containing all current users. Map the users to their group membership.
- Upload the CSV. At this point the new users are in the system, unlicensed and unused.
- Reconfigure SSO with the new IdP settings (per section 3 in this article).
- Revoke licences from old user profiles.
- Allocate licences to new users.
The new users should then be able to log in.
Note: Ideagen cannot make any changes to users or data on your behalf.
Other considerations for migrating users
- Restricted clients: Some clients are restricted to specific users or groups. Before starting, check whether any clients are restricted and assign the new users accordingly before switching.
- Comments: Users can leave comments within answer sets. Only the comment's creator can edit or delete it, so comments made by an 'old' user can't be changed by their new one.
- Offline answer sets: If using offline answer sets, ensure they are set online before switching users.
3. Changing SSO information for the Disclose tenant
After you activate the new IdP, the Ideagen support team must update the Configure SSO page in your Disclose tenant:
- Identity Provider ID will change from old ID to new ID.
- SSO Service URL will change from https://[old URL]/ to https://[new URL]/.
- Identity Provider X509 Signing Certificate will be replaced with the new one.
You will need to send Ideagen Support the new IdP's metadata file containing this information beforehand. The new settings take effect once saved.
Example for Entra ID
It is common to move from ADFS to Entra ID.
In Disclose:
- Identity Provider ID becomes https://sts.windows.net/[Tenant ID]/
- SSO Service URL becomes https://login.microsoftonline.com/[Tenant ID]/saml2
- Identity Provider X509 Signing Certificate becomes the new certificate value found in the metadata at <KeyDescriptor use="signing"> > <KeyInfo> > <X509Data> > <X509Certificate>