XTRM Single Sign-On
XTRM acts as the service provider (SP) for single sign-on. You need an identity provider (IdP) such as Okta to authenticate your users.
To use XTRM SSO, log in to your company account, go to "Settings" and click the "SSO" option. The SSO configuration screen opens from there.
Using our single sign-on integration, your users do not have to sign in a second time to view reward transactions and payout information. The identity provider can be any of a variety of SAML products, such as Salesforce, Oracle or your own home-built system.
For security, the first time a user reaches XTRM through a third-party portal or custom website, XTRM sends that user a one-time password as an additional verification step. Once the user has authenticated, the IP address and browser type of that device are stored with the user's profile.
XTRM allows access to the XTRM Portal through a Single Sign-On (SSO) Service Provider (SP). Third-party integrators can connect their existing SSO Identity Provider (IdP) to the XTRM SP so that users reach the XTRM system seamlessly from the partner system without re-entering or duplicating credentials. Because third-party IdP implementations differ across the industry, this document describes at a high level how the XTRM SSO SP is implemented and lists the initial parameters and configuration required to start using SSO between the XTRM system and the integrator.
Single Sign-On
Single sign-on lets independent systems exchange user authentication information in a secure way. The systems serve the same users, so they agree on a common protocol to spare those users a second login when they switch between systems. In the case of XTRM, most third-party users already hold credentials for the third-party system and would otherwise need a second set to access XTRM. With SSO they move from the partner system straight into XTRM to create and manage Registrations without re-entering credentials. The exchange between an IdP and an SP uses the Security Assertion Markup Language (SAML) standard: the IdP authenticates the user and issues an assertion about that user, and the SP trusts the assertion and grants access to its services or resources. In this implementation XTRM is the SP and accepts assertions only from configured, trusted IdPs.
Identity Provider
Integrators who plan to offer an SSO solution for XTRM must operate an IdP. As stated above, the IdP exchanges information with the XTRM SP using the SAML standard. Among the attributes carried in the SAML assertion, the XTRM SP expects specific parameters that hold the authentication information XTRM uses to allow the sign-on.
Authentication Parameters
The parameters expected in every SSO request are:
User Name – Email Address
The user name attribute must be a valid XTRM user name, so the IdP must map its own user names to the XTRM user name wherever the two differ. XTRM user names are typically the user's email address.
For SFDC SSO only
Partner SFDC ID
The Partner SFDC ID attribute must match the Partner Id recorded in XTRM when the Partner was first created. Previous integrations, for example, have used the Partner SFDC ID as that Partner Id.
Vendor SFDC System Org ID
The Vendor SFDC System Org ID attribute must match the Vendor Organization Id configured in XTRM at setup; it uniquely identifies the calling integrator.
An example of these parameters in a Single Sign-On request would look like this:
Partner SFDC ID=001i000000SBrRg
Vendor SFDC System Org ID=00Di0000000h0Q9
All three parameters are validated while the SSO request is authenticated and must match the information stored in XTRM before access is granted. That is why one of the key setup steps is exchanging the list of User Names, the Partner Ids and the Organization Id that will be used.
Auto-Create Optional Parameters
XTRM also supports automatic creation of users when the SAML payload includes all four of the optional parameters below. This is an easy way to create individual beneficiaries without their employer having to create them manually in XTRM to match what exists in the Partner Portal. Auto-creation is favored by larger customers whose payment beneficiary community is on the larger side.
First Name
The first name of the individual beneficiary
Last Name
The last name of the individual beneficiary
Email - Used for Username
The email address of the individual beneficiary
Phone
The phone number of the individual beneficiary
An example of these optional parameters in a Single Sign-On for an SFDC request would look like this (in addition to the 3 required parameters listed above):
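The validation described in the two sections above (the three required parameters, all of which must match what XTRM holds, and the four auto-create parameters) as an added example, not XTRM's code: a minimal SP-side validator in Python for a SAML 2.0 Response as it would arrive base64-encoded at XTRM's assertion URL. Everything not on this page is an assumption made for the example: SAML 2.0 itself, the IdP issuer https://vendor.com/idp, the SP entityID, attribute Names equal to the labels used on this page, the known-user list and a three-minute clock skew. Signature verification is not shown; in a real SP it runs first, with an XML-DSig library and the IdP certificate exchanged at setup, and the constructed sample response below is unsigned.

```python
# Added example, not XTRM's code: the SP-side checks on a SAML 2.0 Response as XTRM's POST
# endpoint would receive it. Signature verification is left to a real XML-DSig library (e.g.
# xmlsec) using the IdP certificate exchanged at setup; everything below assumes it has passed.
import base64
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET  # production code: parse with defusedxml
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC with a trailing Z
REQUIRED = ("User Name", "Partner SFDC ID", "Vendor SFDC System Org ID")
AUTO_CREATE = ("First Name", "Last Name", "Email", "Phone")
# Agreed with the integrator at setup. The XTRM URL and the two SFDC IDs are the page's; issuer,
# entityID, user list, attribute names and clock skew are assumptions made for this example.
SP_CONFIG = {
    "acs_url": "https://sandbox.xtrm.com/web/common/sso/post.aspx",
    "idp_issuer": "https://vendor.com/idp", "sp_entity_id": "https://sandbox.xtrm.com/sp",
    "known_users": {"jane.doe@partner.example"}, "clock_skew": timedelta(minutes=3),
    "partner_id": "001i000000SBrRg", "org_id": "00Di0000000h0Q9",
}

def _require(ok, why):
    if not ok:
        raise ValueError(why)

def _ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

def _attrs(assertion):
    """Attribute name -> value; a duplicated or multi-valued attribute is rejected outright."""
    out = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = a.findall("saml:AttributeValue", NS)
        _require(a.get("Name") not in out and len(values) == 1,
                 "attribute %r duplicated or multi-valued" % a.get("Name"))
        out[a.get("Name")] = (values[0].text or "").strip()
    return out

def validate_saml_response(b64_response, cfg, now):
    """Decode the SAMLResponse form field; return what XTRM may act on, or raise ValueError."""
    root = ET.fromstring(base64.b64decode(b64_response))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(root.tag == "{%s}Response" % NS["samlp"] and code is not None
             and code.get("Value") == SUCCESS, "not a successful samlp:Response")
    _require(root.get("Destination") == cfg["acs_url"], "Destination is not our assertion URL")
    assertions = root.findall("saml:Assertion", NS)
    # Never pick one of several assertions: that is how a wrapped, unsigned one slips in.
    _require(len(assertions) == 1, "expected exactly one assertion")
    a = assertions[0]
    _require(a.findtext("saml:Issuer", default="", namespaces=NS) == cfg["idp_issuer"], "untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None and cond.get("NotOnOrAfter") is not None, "assertion has no validity window")
    skew, nb = cfg["clock_skew"], cond.get("NotBefore")
    _require((not nb or now + skew >= _ts(nb)) and now - skew < _ts(cond.get("NotOnOrAfter")),
             "assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(cfg["sp_entity_id"] in audiences, "assertion not addressed to this SP")
    attrs = _attrs(a)
    _require(all(n in attrs for n in REQUIRED), "missing one of %s" % (REQUIRED,))
    # All three parameters must match what XTRM holds for this integrator.
    _require(attrs["Partner SFDC ID"] == cfg["partner_id"], "Partner SFDC ID does not match")
    _require(attrs["Vendor SFDC System Org ID"] == cfg["org_id"], "Vendor SFDC System Org ID does not match")
    username, auto_create = attrs["User Name"].lower(), None
    if username not in cfg["known_users"]:
        # Unknown user: all four auto-create attributes must be present and Email must equal User Name.
        _require(all(n in attrs for n in AUTO_CREATE) and attrs["Email"].lower() == username,
                 "unknown user and auto-create attributes incomplete")
        auto_create = {n: attrs[n] for n in AUTO_CREATE}
    return {"username": username, "partner_id": cfg["partner_id"], "org_id": cfg["org_id"],
            "auto_create": auto_create}

def sample_response(attrs, now):
    """Constructed, unsigned SAMLResponse, base64-encoded as in the POSTed form field."""
    body = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
                   % (escape(k), escape(v)) for k, v in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1" Version="2.0" '
           'IssueInstant="{iss}" Destination="{acs}"><saml:Issuer>{idp}</saml:Issuer>'
           '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{iss}"><saml:Issuer>{idp}</saml:Issuer>'
           '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           '<saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion></samlp:Response>'
           ).format(**NS, iss=now.strftime(TS), acs=SP_CONFIG["acs_url"], idp=SP_CONFIG["idp_issuer"],
                    ok=SUCCESS, aud=SP_CONFIG["sp_entity_id"], body=body,
                    nb=(now - timedelta(minutes=1)).strftime(TS), na=(now + timedelta(minutes=5)).strftime(TS))
    return base64.b64encode(xml.encode()).decode()

# Constructed inputs. NOW is fixed so the run is reproducible; LATER is past NotOnOrAfter plus skew.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)
KNOWN_USER = {"User Name": "Jane.Doe@partner.example", "Partner SFDC ID": "001i000000SBrRg",
              "Vendor SFDC System Org ID": "00Di0000000h0Q9"}
NEW_USER = {**KNOWN_USER, "User Name": "new.hire@partner.example", "First Name": "New",
            "Last Name": "Hire", "Email": "new.hire@partner.example", "Phone": "+1 555 0100"}

def rejection(attrs, check_at=NOW):
    """Why a response issued at NOW and checked at check_at is refused, or '' if it is accepted."""
    try:
        return validate_saml_response(sample_response(attrs, NOW), SP_CONFIG, check_at) and ""
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print(validate_saml_response(sample_response(NEW_USER, NOW), SP_CONFIG, NOW))
    print(rejection({**KNOWN_USER, "Vendor SFDC System Org ID": "00D000000000001"}), "|", rejection(KNOWN_USER, LATER))
```

Rejecting a response that carries more than one assertion, or an attribute that appears twice, closes the simplest wrapping tricks that try to get an unsigned element read in place of the signed one. Checking Destination and Audience stops an assertion the IdP issued for some other SP from being replayed at XTRM, and the skewed time window bounds how long a captured response stays usable. The auto-create branch accepts an unknown user only when all four optional attributes are present and the Email agrees with the User Name it will become; that coupling is this example's choice, not something the page states.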
The final task in the system-to-system integration is configuring the SSO endpoints on both sides. The following items need to be exchanged and set up for this to happen.
Third Party SAML SSO URL
This is the sign-in URL of the third-party IdP. XTRM needs this URL to add it to its web configuration bindings. Example: https://vendor.com/idp/login
Third Party SAML SLO URL
This is the sign-out URL of the third-party IdP. XTRM needs this URL to add it to its web configuration bindings. Example: https://vendor.com/idp/logout
Third Party SAML Certificate
This is the third-party IdP's SAML signing certificate. It must be installed on the XTRM SSO server so that XTRM can verify the signatures on the SAML messages it receives from that IdP, and it must be refreshed on the XTRM side whenever the IdP rotates its certificate.
XTRM SAML Assertion URL
This is the sign-in / assertion URL of the XTRM SP. The third-party integrator needs this URL to add it to their web configuration bindings. Example: https://sandbox.xtrm.com/web/common/sso/post.aspx
XTRM SAML SLO URL
This is the sign-out URL of the XTRM SP. The third-party integrator needs this URL to add it to their web configuration bindings. Example: https://sandbox.xtrm.com/web/common/sso/redirect.aspx
XTRM SAML Assertion URL (sandbox): https://sandbox.xtrm.com/web/common/sso/post.aspx
XTRM SAML Assertion URL (production): https://www.xtrm.com/web/common/sso/post.aspx