Alchemer SSO Certificate Migration

Let's get your SSO Integrations migrated to our new Alchemer domains!

Along with the new alchemer application domains (app.alchemer.com, app.alchemer-ca.com, app.alchemer.eu) used for login, we have introduced new certificates for Single Sign-on (SAML SSO). For each of the applications SSO integrations (accessed via Integrations >Data Connectors) currently setup on SurveyGizmo domains, users will need to move over to the new domain as soon as possible. 

If an account has one or more active Single Sign-On integrations set up between systems, a few actions are required to update the integration to ensure proper functionality and utilize signed assertions and requests. 

There are three actions that are needed to successfully migrate an SSO integration. More detail on each item listed below is available under the Updating Login Domain Metadata section:

  1. Via Integrations > Data Connectors > Single Sign-on (Account), switch the Login Domain in the Alchemer integration to app.alchemer.com, app.alchemer-ca.com or app.alchemer.eu depending on the data center of the account via the Login Domain Dropdown:
  2. Select Save and Get Metadata in the integration pane:
  3. Supply the updated metadata to your Identity Provider (Okta, Ping, OneLogin, Auth0, etc.). Complete either a or b below depending on the specific use case:
    1. If you are utilizing a Service Provider metadata URL, you will need to trigger a refresh of this metadata by selecting Save and Get MetaData. The existing hostname in the metadata URL should be updated as such, prior to this refresh:
      Existing HostnameNew Hostname
      app.surveygizmo.comapp.alchemer.com
      appca.surveygizmo.comapp.alchemer-ca.com
      app.surveygizmo.euapp.alchemer.eu
      1. Refresh the integration by resaving the integration.
    2. If you are manually managing your provider metadata, from your identity provider:
      1. Update both the Assertion Consumer Service URL and Service Provider Entity ID from the SurveyGizmo hostnames to the appropriate Alchemer hostnames:
        Existing HostnameNew Hostname
        app.surveygizmo.comapp.alchemer.com
        appca.surveygizmo.comapp.alchemer-ca.com
        app.surveygizmo.euapp.alchemer.eu
        www.surveygizmo.comsurvey.alchemer.com
        www.surveygizmo.eusurvey.alchemer.eu
        ca.surveygizmo.comsurvey.alchemer-ca.com
      2. If necessary, upload the new Signing Certificate from Alchemer to your Service Provider (Ping, ADFS, etc.), that is present in the metadata after resaving. Users can also download it from here, or by copying the below certificate using your clipboard:
        -----BEGIN CERTIFICATE-----
        MIIGRDCCBSygAwIBAgIJAPvuGFmFiOG+MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMTAxNjE3MzIyMloXDTIxMTExNzE3MzIyMlowPjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRkwFwYDVQQDExBzc28uYWxjaGVtZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3OMQGa69/15yQVmSVV4k/v2bh33GU8THGzAfrEyP/yyE/cFOum+WFNKnM+Xi6vlXjO4PR//bVWrDpZOqDANINZp8K+GolcC4P5bpcmrcWMc/diFJ+0kHMQjOuRWJvoI8dLmeRWkIKJG2KzMbGJOVTOc/ZQZ3ZHoD/yszmrJTKqsylQHDdj7yZT4ldz4QVhBgBG8wkJnTI0y48FaLA+blQKErQBogb/EhMqCKsVqDASKBTnLrPkEa9+GSu2wHXVaFFgt0sRVCF/BcRaUoKsJbldCCedCiv/geO1i6ugmA5xgLpPIOK/bEw5j7s1NMi9qeP2GOH/RwrDkY8Rw5EXzGOQIDAQABo4ICzDCCAsgwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0yMzg1LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDEGA1UdEQQqMCiCEHNzby5hbGNoZW1lci5jb22CFHd3dy5zc28uYWxjaGVtZXIuY29tMB0GA1UdDgQWBBSyG1baK+YA07uqRZWh8lFyBcqGVTCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABdTJ4PoQAAAQDAEcwRQIhANVNJ/GrdsfDbNcU9MHHo89miIJuM5OCoKOEyhGCB1NIAiBml0dGZ+1LVVilKKw5q0Ks1XnbYpx6fAY2R+oIKc6zLwB1AFzcQ5L+5qtFRLFemtRW5hA3+9X6R9yhc5SyXub2xw7KAAABdTJ4P7cAAAQDAEYwRAIgCYLg5qLaE5OHhnNc9jEbAE10buV2nKaGv72QyJtDDqoCICgKxeSlcoTCL08D9hB7VcPRho0pkyw6+XkWHsucz+VFMA0GCSqGSIb3DQEBCwUAA4IBAQBn5Ex96TDHgXMB0P3cbl2kIktpWempahEmRPl/aywVR4tDd5y6v+82qXJC/U6Zq0cMe8q61lxihB/Jh2hwjaGOog83s9IrrfuPlYk1b1fSUGfwPAhWs2DwSA7mr8PAEXrqgwSqy9A55MscHmxucQ8m68y5Elks1CeI9CQcN5Y5qGxG0McBZjYW/nO9u26+Cp54ZvVw2dn2IJw9qWTbvtJsRASsyWCvoBdCb2mCuwKqnDsNhbLO4TFfNodM++5Kapuq/pk0eVYUxcNbjPLvrn29Zoq4YCN1aaN7XUU+/AC+jHoDrvlZqzvY2369F6ZwjxWkXrwsoKjx1HMPILoYLoJl
        -----END CERTIFICATE----
  • Re-test your integration after completing the above steps using the new Login Link found at the bottom of the integration in Alchemer after the integration is resaved:


Follow the steps below if you are switching to the new app.alchemer.com logins and using signed metadata, assertions and requests. The SSO signing certificate used for our legacy domains, app.surveygizmo.com and www.surveygizmo.com has been revoked, and you may experience errors until you update the Identity provider metadata with the new Alchemer signing certificate.

Updating Login Domain and Metadata

After switching to the new login domain, the old Login link generated in the Integration will not function. Once this process has been completed and the integration is rasaved, utilize the new login link found at the bottom of the specific integration being switched over to app.alchemer.

  1. To update the login domain for an SSO integration, start by selecting from the left-hand navigation menu in Alchemer Integrations > Data Connectors. Next, click Edit on the right side of the specific SSO integration being converted to the app.alchemer.com domains:
  2. In the right hand popup menu that displays once edit is selected, Scroll down to the Login Domain Dropdown, and choose app.alchemer.comapp.alchemer-ca.com, or app.alchemer.eu depending on the data center of the account
  3. Scroll down further in the right hand popup window to Upload SSL/Signing Certificate section, and select Save and Get Metadata:
  4. Select Save in the bottom right corner of the popup menu.

Updating Assertion and Entity ID URL

To complete this process of moving over to the new app.alchemer login domains, users update the Assertion and entity ID URLs to be app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu instead of app.SurveyGizmo.com, appca.surveygizmo.com, or app.surveygizmo.eu depending on the data center of the alchemer account. Open up a new tab in the browser of choice, and navigate to the IDP provider being utilized for the accounts' SSO integration. Below are steps for the common IDP providers used in Alchemer:

 Updating Assertion and entity ID URLs with Okta

  1. Login to Okta. Select applications from the top toolbar:
  2. Click the application that is currently in use for SSO.
  3. Via the General Tab in okta, scroll down to SAML Settings and select Edit:
  4. Click Next on the General Settings page to reach the Configure SAML section:
  5. On the General Section of the Configure SAML page, change the Single Sign On URL (Assertion Consumer Service URL) and the Service Provider Entity ID (Audience URI) to app.alchemer.com, app.alchemer-ca.com, or app.alchemer.eu from the SurveyGizmo equivalent based on data center. Leave the rest of the URL as is, replacing only SurveyGizmo:
  6. Select Next to reach the Feedback section in Okta, and then Finish.
  7. Head back into Alchemer, select Save and Get Metadata, and Save the integration. Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account)The new login link will now function as expected.

    For specific information on replacing a service Provider signing Certificate in Okta, Follow the link to their documentation HERE.

 Updating Assertion and entity ID URLs with OneLogin

  1. Login to OneLogin. Select applications from the top toolbar, then click the SAML SSO integration currently in use:
  2. Click Configuration from the left hand navigation menu:
  3. Replace app.SurveyGizmo.com with app.alchemer.comapp.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account in both the Audience (entityID) field and the Recipient ID field, leaving the rest of the URL as is:
  4. Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account)The new login link will now function as expected.
    • To make changes to the signing certificate in OneLogin, Select SSO from the lefthand navigation menu, and click Change: 

 Updating Assertion and entity ID URLs with Ping

  1. Log into PingIdentity. Click Connections from the top toolbar and select Applications on the left hand navigation menu:
  2. From the list of connections on this screen, select the one representing SSO for the currently SurveyGizmo. Click the Vertical Ellipsis, and click the edit pencil on the right side of the screen:
  3. Via the Configuration Tab across the top of the page, select the SAML SETTINGS dropdown menu, and proceed to replace app.SurveyGizmo.com with app.alchemer.comapp.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account in both the ACS URLs and Entity ID URL, leaving the rest of the URL in tact. Click save once this has been completed:
  4. Scroll down to the SAML Settings dropdown menu on the Configuration tab, and via the Verification Certificate section, import the Signing Certificate that was downloaded in step 3bi near the top of this help article:
  5. Head back into Alchemer, upload the downloaded certificate via choose file under the Upload SSL/Signing Certificate section, select Save and Get Metadata, and Save the integration.Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account)The new login link will now function as expected.
  6. For more information in regard to updating the Certificate in PingOne, follow their documentation instructions located HERE.

 Updating Assertion and entity ID URLs with Auth0

  1. Log into Auth0, and select Applications on the left hand navigation menu:
  2. Click the horizontal ellipsis to the right of the SSO integration, selecting settings:
  3. Scroll down to Allowed Callback URLs, and replace app.SurveyGizmo.com with app.alchemer.comapp.alchemer-ca.com, or app.alchemer.eu depending on the data center of the alchemer account, leaving the rest of the URL in tact:
  4. Click Save Changes at the bottom of the page.
  5. Use the new Login Link found in alchemer via Integrations > Data Connectors > Single Sign-On (Account)The new login link will now function as expected.
For more information in regard to updating a Signing Certificate in Auth0, follow the link to their documentation HERE.

If an account is utilizing survey SSO, be aware that survey links will change when an update to the login domain value is completed. Once these changes have been made, please validate the survey links that are using SSO.


Basic Standard Market Research HR Professional Full Access Reporting
Free Individual Team & Enterprise
Feature Included In