Single Sign-on Preparation

About EchoSpan SSO
EchoSpan's Enterprise 360-Degree Feedback and Performance Review tools provide Single sign-on (SSO) support via the SAML 2.0 protocol. Single sign-on makes the use of web applications more convenient and secure by allowing your employees to log in to multiple applications using a single username and password combination.

SSO Eligibility
EchoSpan SSO features are available for Enterprise Edition subscriptions. All Enterprise accounts are provided complimentary SSO access to the EchoSpan tool for up to 50,000 users as part of their annual subscription fee. Sub-accounts of Enterprise-level customers may also add SSO to their accounts at an additional annual cost.

Enterprise SSO connections include:

1. Licensing for all account users to access the tool via SSO.
2. Up to 2 hours of initial setup assistance. Additional hours can be purchased at current support rates.
3. Self-service SSO configuration tools for quick and easy setup.
4. Support for SSO availability issues.

Readiness Requirements
Please review this document carefully and follow all steps in order to ensure an easy and error-free setup. To prepare for SSO-integration with EchoSpan, please review the following requirements:

1. Verify that your organization has an existing SAML-based, SSO platform for internal or external applications.

2. Confirm you have a current Enterprise Edition EchoSpan account.

3. You will need to have a complete employee roster ready to provide to EchoSpan for all users that should have SSO access to the tool. On accounts where roster updates are performed automatically via API, this step can be skipped. Make sure that all users in the list provided have unique email addresses.

4. Have your company's SAML Identity Provider (IdP) metadata file ready. EchoSpan uses employee email address as a unique identifier. Your SAML assertions should include the employee's email address in a parameter named EMAIL as well as a static parameter, CLIENTID that will be provided by your client manager and is the same value for all users.

5. Be available to assist with testing your SAML connection to EchoSpan. Getting servers to communicate with one another for SSO can sometimes be tricky. It's not uncommon for connections to require several rounds of tests to make sure everything is working.

Setup Steps
Once you've confirmed that all items in the Readiness Requirements steps above are complete, please follow the steps listed below to configure SSO for your account:

1. Upload your SAML metadata file to your account. Your account's master administrator can upload your SAML metadata file by following the steps below:

• Log into the EchoSpan administrative tool.
• Click the "My Account" tab at the top left.
• Select the "SSO" sub tab on the My Account homepage.
• Paste the contents of your SAML metadata file into the "Your SAML 2.0 Metadata" text field at the bottom of the screen.
• Click the "Submit" button to transmit your metadata file to EchoSpan.
• EchoSpan will contact you within 48 hours about the status of your metadata file import. Sometimes adjustments will need to be made to the file's contents, so please have IT staff available to assist.

2. Download EchoSpan's metadata. To download EchoSpan's metadata file, your master administrator should:

• Log into the EchoSpan administrative tool.
• Click the "My Account" tab at the top left.
• Select the "SSO" sub tab on the My Account homepage.
• Copy the contents of the "EchoSpan SAML 2.0 Metadata" text field at the top of the page.
• Configure your identity provider solution to transmit two claims to EchoSpan: 1) EMAIL, which is the user's email address and 2) CLIENTID, which is a numeric code provided to you by your client manager.

3. Upload your employee user list. If your user list is being uploaded via API you can skip these steps:

• Log into the EchoSpan administrative tool.
• Click the "Users" tab at the top.
• Then, click the "Upload Users" button to access the template by utilizing the "click here" hyperlink.
• Paste your tab-delimited list of users into the upload field.
• Click the "Submit" button and then click "View Errors" to confirm there are no errors.

4. Manage SSO for end-users. Once SSO is configured, by default your end-users are able to access the EchoSpan tool via local login or SSO. However, you can control the authentication method for individual projects by:

• Log into the EchoSpan administrative tool.
• Click the "Feedback Projects" tab at the top.
• Open the project you want to modify.
• Select Setup >> Advanced Settings.
• Expand the "Project Administration" settings section.
• Modify the "User Authentication" option as desired.
• Click the "Save Settings" button to commit your changes.

5. Activate SSO for admin users. By default, administrative users log into the EchoSpan tool locally (using the page found here). Once SSO is configured for your account, you can enable SSO login for your administrators. To do this:

• Log into the EchoSpan administrative tool as the master administrative user.
• Click the "My Account" tab at the top.
• Select the "Other Admins" sub tab.
• Select the authentication method that you prefer using the "Admin Authentication" drop-down box.
• Advise your IT staff to transmit a RelayState variable with the value "ADMIN" for all authentication requests for administrative users. Your IT staff will provide a specialized SSO login URL to use for administrative access. This configuration works best using an IdP-initiated SSO connection.

6. Update your email templates with the SSO URL. For Identity Provider-initiated connections (the most common configuration), your company will create the URL that will lead users to the EchoSpan tool. This can be pasted into your EchoSpan email templates in place of our standard [[url]] merge field. For Service Provider-initiated connections, EchoSpan will provide you the URL to include in your email templates.

Single Sign-on Costs
Internal-use single sign-on is a complimentary feature of the Enterprise Edition of EchoSpan. Single sign-on services for consultant or distributor accounts are available at an additional cost.