You are here

Authentication, Authorization, and Prepopulation in Qualtrics

With the new university site license for Qualtrics, we can now use OSU single sign on to:

  • Authenticate survey respondents.
  • Restrict surveys to certain people.
  • Prepopulate common fields.

Why Authenticate a Survey?

Ease of Use

People get tired of entering name, email, major, and a number of other attributes. By using single sign on, you can eliminate this step as well as any opportunity for error in data entry.

Workflow Security

It is becoming common for staff to use surveys for business processes. For example, one office recently had a survey that was used to report outcomes. When processing responses, staff would deactivate the individual’s account within their system as it was no longer needed. However, without authentication, there is nothing to prevent respondent A from filling out the form for respondent B and tricking staff into deactivating B’s account.

Panels Security

It is not uncommon to upload a panel of recipients including private information. To take the survey, each member of the panel receives a unique link via an unencrypted email. This unique link, which operates as a kind of password or shared secret, allows Qualtrics to associate their response with information uploaded as part of their panel record.

In contrast, if you use single sign on to identify your respondents, you do not need unique survey links or any other kind of shared secret between the respondent and Qualtrics. This reduces the possibility of security being compromised by an intercepted or forwarded email while often simplifying the logistics of distributing a survey to a panel.

Authentication

Requiring authentication for a survey is easy. To do so, you just need to navigate to survey flow and add a Shibboleth survey authenticator (Shibboleth is the name of the software OSU uses for web authentication).

Step by Step Instructions

  1. Click “Edit Survey”
  2. Click on “Survey Flow”
  3. Click “Add a New Element Here” and pick “Authenticator”
  4. Change the “Authentication Type” to “SSO”
  5. Change the “SSO Type” to “Shibboleth”
  6. Drag any question blocks underneath your authentication branch.

Note that while this requires a user to authenticate, it doesn’t capture who authenticated unless you also select “capture respondent identifying info”. In this sense, requiring authentication without capturing information is a largely anonymous way to restrict a survey to an OSU affiliate.

Capturing Respondent Info

When an individual authenticates, OSU single sign on shares information about the user with Qualtrics. You can optionally record this information with each respondent. To do so, underneath, “capture respondent identifying info”, enter any human readable name (whatever you choose) and the exact SAML2 identifier for the attribute in question (below).

Friendly Name ** SAML2 Identifier Example
username urn:oid:1.3.6.1.4.1.5923.1.1.1.6 little.129@osu.edu
*affiliation urn:oid:1.3.6.1.4.1.5923.1.1.1.9 employee@osu.edu
fullname urn:oid:2.16.840.1.113730.3.1.241 Jason Little
lastname urn:oid:2.5.4.4 Little
firstname urn:oid:2.5.4.42 Jason
*departmentnumber urn:oid:2.16.840.1.113730.3.1.2 14060
email urn:oid:0.9.2342.19200300.100.1.3 little.129@osu.edu
*major urn:mace:osu.edu:shibboleth:attribute-def:major PTMBA

* Affiliation, department number, and major are all multi-value fields. In these cases, only the first value is recorded.

** You can create any label you want for a friendly name. Avoiding spaces or other unusual characters may save headache later.

Example Configuration

Authorization: Restricting Access

Sometimes you may want to limit access to particular individuals by username or types of people by affiliation (student, staff, faculty, etc). This can be accomplished by setting up authentication as described above and then creating a branch within your survey accessible only to individuals with certain attributes.

Example Configuration

In the example below, the "Protected Questions" block is only accessible to people whose username is either little.129@osu.edu or kim.523@osu.edu

Note the syntax used to reference an embedded data field. ${e://Field/your-friendly-name}.

Prepopulation

Prepopulating survey questions with embedded data can give your respondents ease of use and flexibility. For example, if you want to collect names to be printed on a certificate, you could supply their name from central OSU systems as a default, but let them change it as a field in your survey.

Once you have set up authentication and captured identifying information, pre-populating questions in your survey is easy. Just enter a default value using Qualtrics' embedded data format: ${e://Field/your-friendly-name}

Example Configuration

Caveats

  • With multi-valued fields (affiliation, department number, major), you only get the first value. For example, individuals with dual majors may fail a check for a specific major if that major is second in their list.
  • Students with a FERPA waiver will never have a student affiliation or a major.
  • Always test your authorization logic with at least one person that should not have access.
  • If performing research, be sure you understand the rules around collecting identifying information on your subjects before incorporating single sign on into your dataset.

Additional Resources

This guide only scratches the surface of what you can do with authentication and embedded data. To learn more, check out these Qualtrics articles.

 

Jason Little