

XTRM Single Sign-On


XTRM is the service provider (SP) side of a single sign-on setup; an identity provider (IdP) such as OKTA is required. SAML is an XML standard used for communicating identities between two web applications. You can use it to let large teams access your support portal easily using Single Sign-On.


To use XTRM SSO, please log in to your company account and go to "Integrations" on the left-hand menu and then click on the "SSO" option. You will see this screen to start the configuration.


Using our single sign-on integration, you can avoid users signing in multiple times to view reward transactions and payout information. The sign-on can come from various SAML-capable products such as Salesforce, Oracle, or your own in-house system.


For security, the first time a user reaches XTRM via single sign-on from a 3rd party portal or custom website, XTRM generates a one-time password for that user. Once authenticated, that device's IP address and browser type are stored with the user's profile.


Content

  • XTRM Single Sign-On
  • Content
  • Introduction
  • Implementation
  • Single Sign-On
  • Identity Provider
  • Authentication Parameters
  • Auto-Create Optional Parameters
  • Configuration


Introduction


XTRM allows access to the XTRM Portal by implementing a Single Sign-On (SSO) Service Provider (SP). 3rd party integrators can connect their existing SSO Identity Provider (IdP) solutions with the XTRM SP and allow users to reach the XTRM system seamlessly from the 3rd party system without re-entering or duplicating credentials. Since 3rd party SSO IdP implementations tend to differ across the industry, this document describes at a high level how the XTRM SSO SP is implemented and discusses the initial parameters and configuration required to start using SSO between the XTRM system and the 3rd party integrator.

Implementation

Single Sign-On

SSO is a protocol that allows systems to exchange user authentication information in a secure way. The systems are usually independent of each other but serve the same users, so they agree to implement the SSO protocol to simplify login when users switch between them. In the case of XTRM, most 3rd party users already have a set of credentials for the 3rd party system and would otherwise need an extra set of credentials for XTRM. The SSO implementation lets users move from the 3rd party system into XTRM and start creating and managing Registrations without re-entering credentials.

The SSO protocol defines the interaction between an IdP and an SP using the Security Assertion Markup Language (SAML) standard to exchange the authentication information. The IdP is the party that vouches for the user's credentials; the SP trusts the user information passed by the IdP and agrees to grant access to its services or resources. In this implementation of SSO, XTRM performs the role of the SP, accepting requests only from configured and trusted IdPs.


Identity Provider

Integrators who plan on offering an SSO solution for their users to access XTRM need to run an IdP server. As specified above, the IdP exchanges information with the XTRM SP server using the SAML standard. Among the attributes carried in the SAML assertion, the XTRM SP expects some specific parameters that define the authentication information XTRM uses to allow the sign-on process.


Authentication Parameters


Expected parameters when a new SSO request is received are:


User Name – Email Address

The user name attribute needs to be a valid XTRM user name. Hence the IdP needs to map its own system's user name to the user name used in XTRM (in the event they are not the same). XTRM user names are typically the user's email address.


For SFDC SSO only


Partner SFDC ID

The Partner SFDC ID attribute must match the Partner Id established in XTRM when the Partner was initially created in the XTRM system. As an example, previous integrations have used the Partner SFDC ID.


Vendor SFDC System Org ID

The Vendor SFDC System Org ID attribute must match the Vendor Organization Id set up at configuration time in XTRM that uniquely identifies the calling integrator.


An example of these parameters in a Single Sign-On request would look like this:


UserName=johndoe@myvar.com

Partner SFDC ID=001i000000SBrRg

Vendor SFDC System Org ID=00Di0000000h0Q9


All three parameters are validated during the SSO request authentication process and must match with the information stored in XTRM in order to grant access. That is why one of the key steps during the setup is to exchange the information of the list of User Names, Partner Ids, and Organization Ids that will need to be used.


Auto-Create Optional Parameters


XTRM also supports the automatic creation of users, provided the SAML payload includes all 4 of the additional, optional parameters below. This provides an easy way of creating individual beneficiaries without the individual's employer having to create them manually in the XTRM system to match what exists in the Partner Portal. Auto-creation is favored by larger customers whose payment beneficiary community is on the larger side.


First Name

The first name of the individual beneficiaries


Last Name

The last name of the individual beneficiaries


Email (used as the user name)

The email address of the individual beneficiaries


Phone

The phone number of the individual beneficiaries


An example of these optional parameters in a Single Sign-On for an SFDC request would look like this (in addition to the 3 required parameters listed above):


FirstName=John

LastName=Doe

Email=johndoe@myvar.com

Phone=(123) 456-7890
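To make the attribute checks concrete, here is an added Python example (not XTRM's own code) of an SP-side validator covering both the required parameters and the auto-create parameters described above: it pulls the attributes out of a SAML 2.0 AttributeStatement, requires all three mandatory parameters to match a constructed lookup of known Org Ids, Partner Ids and user names, and otherwise grants access only when all four optional attributes are present. The SAML attribute names, the lookup data, and the rule that Email must equal UserName are assumptions; signature verification against the Third-Party SAML Certificate is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SAML attribute names, taken from the parameter labels on this page.
REQUIRED = ("UserName", "Partner SFDC ID", "Vendor SFDC System Org ID")
AUTO_CREATE = ("FirstName", "LastName", "Email", "Phone")

# Constructed sample of what the SP holds for one integrator: Vendor Org Id ->
# Partner Id -> registered user names (the list exchanged during setup).
KNOWN = {"00Di0000000h0Q9": {"001i000000SBrRg": {"johndoe@myvar.com"}}}


def attributes(assertion_xml):
    """Flatten the AttributeStatement of a SAML 2.0 assertion into a dict."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        out[attr.get("Name")] = values[0].strip() if values else ""
    return out


def validate(assertion_xml, known=KNOWN):
    """Return (granted, reason, auto_create_profile). Assumes the signature was
    already verified; only the XTRM attribute checks are modelled here."""
    attrs = attributes(assertion_xml)
    missing = [n for n in REQUIRED if not attrs.get(n)]
    if missing:
        return False, "missing required attribute(s): " + ", ".join(missing), None
    partners = known.get(attrs["Vendor SFDC System Org ID"])
    if partners is None:
        return False, "unknown Vendor Org Id", None
    users = partners.get(attrs["Partner SFDC ID"])
    if users is None:
        return False, "Partner Id not registered for this Org Id", None
    user = attrs["UserName"].lower()
    if user in users:
        return True, "existing user", None
    # Unknown user: grant only if all four auto-create attributes are present and
    # the Email (which becomes the user name) agrees with UserName (assumption).
    if all(attrs.get(n) for n in AUTO_CREATE) and attrs["Email"].lower() == user:
        return True, "auto-create", {n: attrs[n] for n in AUTO_CREATE}
    return False, "user not registered and auto-create attributes incomplete", None


def sample_assertion(values):
    """Constructed, unsigned test assertion carrying the given attributes."""
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   f"</saml:AttributeValue></saml:Attribute>" for n, v in values.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")
```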


Configuration

The final task in the system-to-system integration is configuring the SSO elements that the two sides use to communicate. The following items need to be exchanged and set up for this to happen.


Third-Party SAML SSO URL

This is the sign-in URL for the 3rd party IdP. XTRM needs this URL to add to its web configuration bindings. Example: https://vendor.com/idp/login


Third-Party SAML SLO URL

This is the sign-out URL for the 3rd party IdP. XTRM needs this URL to add to its web configuration bindings. Example: https://vendor.com/idp/logout


Third-Party SAML Certificate

This certificate needs to be installed in the XTRM SSO server so that SAML information exchanged with the 3rd party IdP can be verified.


XTRM SAML Assertion URL

This is the sign-in / assertion URL for the XTRM SP. The 3rd party integrator will need this URL to add to their web configuration bindings. Example: https://sandbox.xtrm.com/web/common/sso/post.aspx


XTRM SAML SLO URL

This is the sign-out URL for the XTRM SP. The 3rd party integrator will need this URL to add to their web configuration bindings. Example: https://sandbox.xtrm.com/web/common/sso/redirect.aspx



XTRM Sandbox


XTRM SAML Assertion URL: https://sandbox.xtrm.com/web/common/sso/post.aspx


XTRM Production


XTRM SAML Assertion URL: https://www.xtrm.com/web/common/sso/post.aspx