Basic Settings
-
Approved Email Domains
Only approved email domains trigger the SSO hint and login button for each IdP. Every email address sent by the IdP must match the pre-approved list. Multiple email domains can be added.
-
Password Reset Hint
This optional hint is displayed on the password reset page and typically contains instructions provided by the IdP for their users.
-
Login Label
This label appears on the login button for users whose email address matches the pre-approved list. It is displayed on login pages across polleverywhere.com, pollev.com, mobile, and native applications.
During SSO testing, the label can be left blank to prevent users from seeing the button. A name-based redirect link (e.g., https://www.polleverywhere.com/auth/saml/techcorp) can be shared with the client’s technical contact for testing.
SSO Options
Comprehensive SSO (Recommended)
Comprehensive SSO provides authentication and provisioning for all users associated with your domain. Custom attributes can automatically differentiate presenters from participants.
-
Authentication: All email addresses using your organization’s domain must use SSO to log in. Password login is disabled.
-
Provisioning: Custom role attributes are used to distinguish between presenters and participants, automatically creating accounts.
-
No Additional Steps: Users on the free version must be invited to the enterprise account before logging in via SSO.
When comprehensive SSO is enabled, users must log in with their SSO credentials.
Standard SSO
Standard SSO provides authentication only for users already on your organization’s account.
-
Authentication: Users can log in via SSO or with a password.
-
Provisioning: Administrators must manually invite new users via email or CSV upload.
-
Additional Steps: Administrators must monitor and invite free-version users to join the enterprise account.
When comprehensive SSO is disabled (standard SSO), users can log in via SSO or password.
Creating an Account via SSO
When comprehensive SSO is enabled, users must log in with their SSO credentials to create an account.
Note: Comprehensive SSO only allows existing presenters on the enterprise account to log in via SSO. All off-license (non-enterprise) presenters can continue to log in using a password until they are invited to the enterprise account.
IdP SAML Settings
-
Request to join customized message
What would you like the copy to be for new users who request to join?
-
Request to join URL
What should the URL be where new users can request access?
-
IDP Metadata URL
Example: https://www.organization.com/idp/SSO/metadata.xml. Alternatively, you can also provide a metadata file.
-
IDP SSO Target URL
Example: https://www.organization.com/idp/SSO.saml2. This is the identity provider’s entry point where Poll Everywhere redirects users. Typically, it redirects to the IdP login page. (This can also be a test URL if you'd prefer to start with a test SAML instance.)
-
Email Domain Pattern(s) for Notice
Example: acme.com. Only email addresses matching this pattern can use SSO. Poll Everywhere can display an SSO login notice for users attempting to log in at https://www.polleverywhere.com/login.
-
Name Identifier Format
Poll Everywhere expects a specific Name ID format in the IdP response (e.g., transient, permanent, or emailAddress). This value is present in the metadata file. Once a non-transient Name ID user signs in, Poll Everywhere permanently associates their account with the Name ID.
-
IdP Public Certificate
Example:
-----BEGIN CERTIFICATE-----
MIIB9D...
Public X.509 Certificate
-
First Name Attribute
Example: urn:oid:2.5.4.42 or first_name. The name of the attribute containing the user's first name. Poll Everywhere expects this attribute in the IdP response and it is defined in the metadata file. This value will auto-populate on the SAML signup page.
-
Last Name Attribute
Example: urn:oid:2.5.4.4 or last_name. The name of the attribute containing the user's last name. Poll Everywhere expects this attribute in the IdP response and it is defined in the metadata file. This value will auto-populate on the SAML signup page.
-
Email Attribute
This is the name of the SAML attribute containing the user's email address. Typically, the email address will be provided from your directory server.
-
Presenter Attribute
By default, new users signing up via SAML are provisioned as participants. To provision them as presenters, we need you to identify presenters via an attribute and pre-approved values. If that attribute and pre-approved values are sent to Poll Everywhere via the SAML integration, we will provision that new user as a presenter.
-
Sign Requests
When enabled, the SP-initiated login request (from Poll Everywhere to the IdP) will be signed with our key. This will also add our public key to the metadata file. Generally, this setting is enabled for new configurations. It should never be changed for an existing configuration without confirmation from the IdP.
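A pre-flight check an IdP administrator could run on an assertion captured from their own IdP, to confirm it carries the Name ID format, name and email attributes, approved domain, and presenter attribute described in the settings above. This is an added example, not Poll Everywhere's code; the setting keys, the `role` attribute with its `faculty`/`staff` values, and the sample assertion are constructed assumptions, and the script does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical settings mirroring the fields on this page (values constructed).
SETTINGS = {
    "approved_domains": {"acme.com"},
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "email_attr": "email",
    "first_name_attr": "urn:oid:2.5.4.42",
    "last_name_attr": "urn:oid:2.5.4.4",
    "presenter_attr": "role",
    "presenter_values": {"faculty", "staff"},
}

# Constructed sample assertion (unsigned, trimmed to the parts checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@acme.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jo@acme.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Ng</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def preflight(xml_text, cfg):
    """Return (problems, role) for one assertion; does NOT verify signatures."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != cfg["name_id_format"]:
        problems.append("NameID format mismatch")
    for key in ("email_attr", "first_name_attr", "last_name_attr"):
        if not any(attrs.get(cfg[key], [])):
            problems.append(f"missing attribute {cfg[key]}")
    email = (attrs.get(cfg["email_attr"]) or [""])[0].strip().lower()
    # Exact match on the part after the last "@", so "acme.com.example.net" fails.
    if email.rpartition("@")[2] not in cfg["approved_domains"]:
        problems.append("email domain not approved")
    # Default is participant; presenter only on a pre-approved attribute value.
    values = set(attrs.get(cfg["presenter_attr"], []))
    role = "presenter" if values & cfg["presenter_values"] else "participant"
    return problems, role
```
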
Troubleshooting
-
Non-Enterprise Presenter SSO Error
Non-enterprise presenters attempting to log in via SSO receive this error:
“You are not on an account that is SSO-enabled. Please log in with your username and password.”
You can confirm user status under Manage Presenters in the admin dashboard:
-
Presenters: Successfully added users. For assistance, contact support@polleverywhere.com.
-
Invitations: Users need to accept the pending invitation to log in via SSO.
-
Request to Join: Users have requested to join the account. As an account administrator, you can choose to accept or reject their pending request.
-
Non-Enterprise Presenters: Users have created an off-license presenter account using an approved email domain. You can invite these users to join the license.
If you’re interested in discussing how SAML SSO can benefit your organization, please contact our Sales team to learn more!