I’m configuring SAML-based SSO in Qualtrics and have run into unexpected behavior around User Type Field mappings when a user belongs to more than one group.
What works
- SAML authentication is functioning correctly in a proof-of-concept.
- I can successfully log in as a Brand Administrator.
- In Qualtrics, User Type Field is mapped to the SAML attribute groups.
- I have User Type validation enabled, so only explicitly mapped values are accepted.
- A single group value (e.g. brand-admins) is mapped to the Brand Administrator role and works as expected.
SAML assertion details
When a user belongs to only one group, the SAML assertion contains a single value and authentication succeeds.
When the user belongs to more than one group, the assertion looks like this (simplified):
<saml2:Attribute Name="groups"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xsi:type="xs:string">brand-admins</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">another-group</saml2:AttributeValue>
</saml2:Attribute>
Using a SAML tracer during login, Qualtrics appears to treat the groups attribute value as:
brand-admins::another-group
The problem
With multiple group memberships:
- Login fails, even though brand-admins is a valid and explicitly mapped value.
- Qualtrics does not appear to evaluate individual AttributeValues independently.
As an experiment:
- I created a new User Type mapping using the literal value brand-admins::another-group
- This does grant access (to that experimental role), which suggests Qualtrics is performing an exact-string match against the concatenated value.
What’s confusing
Qualtrics allows User Type mappings to be re-ordered, which suggests some form of priority or first-match logic. My assumption was that a high-privilege group (e.g. brand-admins) could be placed at the top so that if a user belongs to multiple groups, the most privileged role would be selected first.
However, based on the observed behavior, it looks like:
- Qualtrics treats multi-valued SAML attributes as a single, delimiter-joined string
- No per-value evaluation or precedence is applied
Questions
- Is this the intended behavior for multi-valued SAML attributes in Qualtrics User Type mapping?
- Does Qualtrics support evaluating individual values within a multi-valued attribute like groups?
- If not, what is the recommended approach?
  - Restrict users to a single role-defining group?
  - Transform the SAML assertion to emit a single role claim?
  - Disable User Type validation?
- What is the practical purpose of re-ordering User Type mappings if no precedence evaluation occurs?
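To make the two evaluation models concrete, here is an added example (not code from Qualtrics or from this post) that parses a constructed assertion modelled on the one above, contrasts exact matching on the "::"-joined string with ordered per-value first-match, and shows the IdP-side workaround of collapsing groups to a single role-defining value. The "::" delimiter, the mapping order and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment modelled on the one in the post (not a real capture).
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">brand-admins</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">another-group</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Ordered User Type mappings, most privileged first (assumed order, as in the post).
USER_TYPE_MAPPINGS = [("brand-admins", "Brand Administrator"),
                      ("another-group", "Standard User")]

def attribute_values(assertion_xml, name):
    """Return every AttributeValue text of the named SAML attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return []

def joined_match(values, mappings, delimiter="::"):
    """Observed behaviour: values are joined with a delimiter and the whole string
    must equal a mapped value exactly. Returns the role, or None when unmatched."""
    joined = delimiter.join(values)
    return dict(mappings).get(joined)

def first_match(values, mappings):
    """Expected behaviour: walk the ordered mappings and return the role of the
    first group present among the individual values (precedence by list order)."""
    present = set(values)
    for group, role in mappings:
        if group in present:
            return role
    return None

def single_role_claim(assertion_xml, mappings):
    """IdP-side workaround (hypothetical helper): pick one role-defining group by
    precedence so the SP receives exactly one AttributeValue for 'groups'."""
    values = attribute_values(assertion_xml, "groups")
    for group, _ in mappings:
        if group in values:
            return group
    return None
```

With validation enabled, joined_match on the two-value assertion returns None (login fails), while first_match resolves to Brand Administrator and single_role_claim yields the one value to emit.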
Any insight into the expected design or best practices here would be appreciated.
