Simply Voting supports the following authentication methods for electors:
Standard Authentication
In most cases, organizations use the Standard Authentication method.
With this method, an Email Blast is sent at the start of voting, and electors log into the voting website by entering an Elector ID and a Password found in their email.
The default email blast template also contains a direct vote link, which allows electors to be authenticated with a single click, without having to enter their credentials manually.
By default, passwords are randomly generated by Simply Voting for each elector and remain unknown to the election organizers. Keeping the password secret and hidden protects the integrity of the election and the anonymity of the elector’s vote.
To change the format of automatically generated passwords, update the Password Type (Alphanumeric vs Numeric) and Password Length under Authentication Details when the authentication method is set to Standard Authentication.
Alternative Configurations
If you are interested in any of the alternative configurations below, please contact support.
Second Secret or Date of Birth: requires a third credential to log in, in addition to Elector ID and Password. This “second secret” can optionally be entered as a date, such as a Date of Birth.
Password-Only: requires only a password to log in.
Supplied Elector Passwords: the organization supplies passwords for all electors, rather than relying on Simply Voting to assign random ones. Keep in mind that this may open your organization to elector concerns about privacy and may give election organizers access to electors’ ballots.
Alternative Distribution Methods
Organizations most often distribute voting credentials and instructions via our Email Blast tool.
Some election projects also involve physical paper mailings, where electors receive their unique credentials via a voting information letter with instructions on how to vote online using the enclosed credentials.
For other election projects, organizations sometimes offer internally run “help desks” to provide electors with their unique voting credentials.
Alternatively, some election projects may use voting credentials that are entirely known to individual electors (e.g. the Elector ID is an employee ID known only to the elector and the password is their postal code). By using already known credentials, organizations that lack email addresses or the resources to send a paper mailing may conduct online voting. But the security and secrecy of known credentials must be thoroughly understood to ensure that electors or organization staff members cannot impersonate other electors.
A number of election projects also use a mix of credential and instruction distribution methods, such as sending an email blast to those with an email on file with the organization, but physical voting information letters to those without an email address, or simply those who have opted in specifically to receive hardcopy notices, etc.
Simply Voting staff can help you decide what will work best with your organization.
Direct Vote Link Only
With this method, an Email Blast is sent at the start of voting, and electors log into the voting website by following a unique direct vote link, which allows them to be authenticated with a single click, without having to enter any credentials.
Security Assertion Markup Language (SAML)
This is a remote authentication method. For more information, see Remote Authentication.
This authentication method requires Simply Voting staff involvement for implementation. Please contact support to make your request and to exchange the required information described below.
The voting system can authenticate electors against a Security Assertion Markup Language (SAML) Identity Provider such as Shibboleth, ADFS, Azure AD, Keycloak, or Okta.
With this authentication method, electors click on a Login to Vote button and are directed to the organization's identity provider. Upon successful login, they are redirected back to the voting system. Passwords are not seen by the voting system.
Requirements
Provide your SAML metadata to Simply Voting as a URL.
Install Simply Voting's metadata as an approved Service Provider in your organization's Identity Provider. Simply Voting's Service Provider metadata is located here.
Release a single attribute, a unique identifier, which can be anything as long as it matches the Elector ID that will be used in the stored list of eligible electors in the voting system. For example, if email is being used as the Elector ID, then email must be released as an attribute.
Communicate the SAML name of the chosen attribute to Simply Voting staff. You may also specify a Logout URL that you would like electors to be redirected to upon logout.
Test the integration. Our preference is for your organization to provide us with a set of test login credentials. Otherwise we can coordinate testing with your IT staff.
If your organization is part of a federation like InCommon or the Canadian Access Federation (CAF), follow the instructions below:
Provide your entityID to Simply Voting
Install Simply Voting's entityID as an approved Service Provider in your organization's Identity Provider. Simply Voting's entityID is: https://shibboleth.simplyvoting.com/shibboleth-sp
Release a single attribute, a unique identifier, which can be anything as long as it matches the Elector ID that will be used in the stored list of eligible electors in the Voting System. For example, if email is being used as the Elector ID, then email must be released as an attribute.
Communicate the SAML name of the chosen attribute to Simply Voting staff. You may also specify a Logout URL that you would like electors to be redirected to upon logout.
Test the integration. Our preference is for your organization to provide us with a set of test login credentials. Otherwise we can coordinate testing with your IT staff.
Election Manager users can also be authenticated via SAML. See here for more information.
OpenID Connect (OIDC)
This is a remote authentication method. For more information, see Remote Authentication.
The voting system can authenticate against an OpenID Connect provider such as Okta or Keycloak.
With this authentication method, electors click on a Login to Vote button and are directed to the organization's identity provider. Upon successful login, they are redirected back to the voting system. Passwords are not seen by the voting system.
Implementation of this authentication method does not require Simply Voting staff involvement, and can be configured self-service by client organizations inside the Election Manager tool by navigating to the Settings page and then to the Authentication Details section.
Requirements
Client ID
Client Secret Value
Issuer (provider) URL (e.g. https://idp.domain.com). The voting system will look for a discovery document with your OpenID metadata under https://idp.domain.com/.well-known/openid-configuration.
You must configure https://customer.simplyvoting.com/auth.php as the Login Callback in your identity provider (where customer.simplyvoting.com is your voting website).
You must configure https://customer.simplyvoting.com as the Logout Callback in your identity provider (where customer.simplyvoting.com is your voting website).
Optional Parameters
Custom Logout URL: This is typically only needed for OIDC providers that don't publish an end_session_endpoint directive in their well-known configuration (e.g. Auth0).
Claim: The claim name returned by the identity provider that will be used to match the Elector ID in the voting system. The value will default to sub if not provided. If you wish to use a different claim, please ensure that the issued Client ID and Client Secret Value are authorized to access the OpenID scope to which it belongs.
Scopes: A semicolon-separated list of scopes that will be requested from the IdP. The scopes will default to openid if not provided.
Testing
You can test your OIDC configuration using the Test these Settings button in the Authentication Details form. To test properly, you must add https://www1.simplyvoting.com/manage/authtest.php as one of your Login Callbacks.
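A pre-flight check of the settings above against an IdP's discovery document, as an added Python example (not Simply Voting's code). The function names and the sample document are constructed for illustration, and the check that openid must be listed explicitly is an assumption.

```python
import json

# Constructed sample discovery document (not from a real IdP). It publishes
# no end_session_endpoint, the case the Custom Logout URL setting covers.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.domain.com",
  "authorization_endpoint": "https://idp.domain.com/authorize",
  "token_endpoint": "https://idp.domain.com/token",
  "jwks_uri": "https://idp.domain.com/keys",
  "scopes_supported": ["openid", "email"],
  "claims_supported": ["sub", "email"]
}""")


def discovery_url(issuer):
    """Where the voting system looks for the OpenID metadata."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def preflight(issuer, doc, claim="", scopes="", custom_logout_url=""):
    """Return a list of problems; an empty list means the settings agree."""
    claim = claim or "sub"  # default named on the page
    wanted = [s.strip() for s in (scopes or "openid").split(";") if s.strip()]
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer URL is not https")
    # OIDC Discovery: the document's issuer must be identical to the one configured.
    if doc.get("issuer") != issuer:
        problems.append("issuer in discovery document does not match")
    # Endpoints a confidential client (Client ID + Client Secret) depends on.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Assumption: list openid explicitly; the page does not say it is added for you.
    if "openid" not in wanted:
        problems.append("scope list lacks openid")
    # The *_supported lists are optional metadata; check only when advertised.
    for s in wanted:
        if "scopes_supported" in doc and s not in doc["scopes_supported"]:
            problems.append(f"scope {s} not advertised by IdP")
    if "claims_supported" in doc and claim not in doc["claims_supported"]:
        problems.append(f"claim {claim} not advertised by IdP")
    if "end_session_endpoint" not in doc and not custom_logout_url:
        problems.append("no end_session_endpoint: set a Custom Logout URL")
    return problems
```

Load the JSON served at discovery_url(issuer) in place of SAMPLE_DISCOVERY to check a real provider before entering the values in the Authentication Details form.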
Central Authentication Service (CAS)
This is a remote authentication method. For more information, see Remote Authentication.
The voting system can authenticate against a Central Authentication Service (CAS) protocol. Electors click a Login to Vote button on the Voting Website and enter their credentials on the organization's system, after which they are redirected back to the voting system upon successful authentication. Passwords are not seen by the voting system.
Implementation of this authentication method does not require Simply Voting staff involvement, and can be configured self-service by client organizations inside the Election Manager tool by navigating to the Settings page and then to the Authentication Details section.
Requirements
Server Hostname (e.g. www.example.com)
Server Base URI (e.g. /cas)
Server Port (usually 443)
CAS Logout can also be optionally configured to log out the elector from CAS upon logout from the voting system.
Election Manager users can also be authenticated via CAS. See here for more information.
Proprietary SSO
This is a remote authentication method. For more information, see Remote Authentication.
This authentication method can be used in parallel with any other authentication method supported by the voting system, including Standard Authentication.
The voting system can authenticate against Simply Voting's proprietary Single Sign-On authentication. Electors enter their credentials through the organization's secure website login form and then click a specially programmed link displayed in the organization's secure website. When an elector clicks this link, the elector is redirected to the voting system and automatically logged in. Passwords are never seen by the voting system.
Implementation of this authentication method does not require Simply Voting staff involvement, and can be configured self-service by client organizations inside the Election Manager tool by navigating to the Settings page and then to the Authentication Details section, and by following the steps below in your own system.
Requirements
Secret Text, a mutually shared secret.
Optionally, a Sign-on URL of the login page or landing page of your secure website can be provided. This redirects unauthenticated visitors to your secure website.
Optionally, Restricted Referrers can be provided. You may restrict SSO according to the HTTP referrer. Supply the host and as much of the path as desired to match. For example, www.example.com/members-only/ could restrict SSO to visitors following the SSO link on any page in the members-only section of a website. To allow several referrers, separate them with a semi-colon.
Single Sign-On links must be programmed by your organization. Each link contains a unique hash that corresponds to a specific elector in the voting system.
The format of the link is as follows:
https://yourvotingwebsite.simplyvoting.com/auth.php?e={id}&mac={hash}
Where:
yourvotingwebsite.simplyvoting.com is your voting website address.
{id} is the Elector ID, both in your organization's system and in Simply Voting (e.g. jsmith, 73649, etc). This parameter must be URL encoded. To have an elector presented with a ballot, there must be an eligible elector present in the voting system under an Active or Waiting election, and whose Elector ID matches this exact one.
{hash} is a unique hash that represents the specific elector (see hash recipe below).
The hash generation recipe is as follows:
SHA1(Secret Text + ElectorID + Secret Text)
Where:
SHA1 is the hashing function, Secret Text is a password of your choosing, and + means concatenate.
Example
Given the following parameters:
Voting Website: nova.simplyvoting.com
Secret Text: abc123
Member ID: MTom
The elector's {hash} is generated as:
SHA1(abc123MTomabc123)
Which returns:
38c2c62f118208f2c5741014a221dde8721964a6
The resulting single sign-on URL for this elector is therefore:
https://nova.simplyvoting.com/auth.php?e=MTom&mac=38c2c62f118208f2c5741014a221dde8721964a6
Sample Implementation in PHP
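<?php
// Secret Text shared with Simply Voting (Authentication Details); keep it server-side only.
$secretKey = "abc123";
// Elector ID of the member who is currently logged in to your secure website.
$memberId = "MTom";
// SHA1(Secret Text + ElectorID + Secret Text)
$hash = sha1($secretKey . $memberId . $secretKey);
$memberIdEncoded = urlencode($memberId); // important if member IDs contain characters that are unsafe in URLs ("/,?+[]" etc.)
// Escape the URL for the HTML attribute so that "&" is emitted as "&amp;".
$url = htmlspecialchars("https://nova.simplyvoting.com/auth.php?e={$memberIdEncoded}&mac={$hash}", ENT_QUOTES);
echo "<a href=\"{$url}\">click here to authenticate</a>";
?>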
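The same link recipe in Python with a local round-trip self-check, as an added example (not Simply Voting's code and not the voting system's own verification logic). It shows why the Elector ID must be URL encoded: an ID containing "+" or "&" no longer matches its hash once the query string is decoded. The function names are hypothetical, and UTF-8 encoding of the hashed text is an assumption the page does not state.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit


def sso_mac(secret_text, elector_id):
    """SHA1(Secret Text + ElectorID + Secret Text) as lowercase hex.
    Assumption: the concatenated text is hashed as UTF-8 bytes."""
    data = (secret_text + elector_id + secret_text).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def sso_link(site, secret_text, elector_id, encode=True):
    """Build the auth.php link. The hash always covers the raw Elector ID;
    encode=False exists only to reproduce the failure mode."""
    e = quote(elector_id, safe="") if encode else elector_id
    return f"https://{site}/auth.php?e={e}&mac={sso_mac(secret_text, elector_id)}"


def link_round_trips(link, secret_text, expected_id):
    """Decode the query string as a receiving web server would and confirm
    that the Elector ID survived and still agrees with the mac."""
    query = parse_qs(urlsplit(link).query, keep_blank_values=True)
    got_id = query.get("e", [""])[0]
    got_mac = query.get("mac", [""])[0]
    expected_mac = sso_mac(secret_text, got_id)
    # Constant-time comparison, so the check does not leak how many
    # leading characters of a guessed mac were correct.
    return got_id == expected_id and hmac.compare_digest(
        got_mac.encode("utf-8"), expected_mac.encode("utf-8"))


if __name__ == "__main__":
    # Constructed Elector IDs; the secret is the page's example value.
    for eid in ("MTom", "j.smith+vote@example.com", "R&D/0042"):
        for encode in (True, False):
            link = sso_link("nova.simplyvoting.com", "abc123", eid, encode)
            print(encode, link_round_trips(link, "abc123", eid), link)
```

Running link_round_trips over every generated link before an election opens catches Elector IDs that were inserted into the URL without encoding.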