How to set up an Outbound SSO Integration (RG as an IDP) – RG Help Center

In this article, we’ll go through how Reward Gateway can act as an Identity Provider (IDP) using outbound SAML connections to integrate with a client's third-party Service Providers.

When enabled, this SSO can be accessed by our clients’ employees from their Reward Gateway platform allowing one-click access to other systems from a tile on their homepage or a menu item on the navigation bar. This gives a seamless and easy employee journey between systems. It provides an extra level of security and a smoother user experience.

How can Outbound SSO be enabled?

To enable the Outbound SSO, log into Reward Manager and navigate to the Integration Dashboard, search for “Outbound SSO” under the “Explore” tab.

If you don’t have access please speak with your Client Success Manager or a member of the Client Support team who will assign your permissions.

Initial Setup

Integration Name

Give your connection a name that can be easily identified by anyone.

Screenshot_2022-06-24_at_12.13.38.png

Entry Point

This would be the Service Provider's Consumer URL or Service URL. This is where we will send the SAML Response after authenticating a user. They will receive it, verify the Response, and log the user onto their system.

Example Entry Point / ACS URL:

https://test.rewardgateway.co.uk/Authentication/EndLogin?idp=210661

Screenshot_2022-06-24_at_12.39.46.png

Relay State

This is optional and will redirect the users to a specific page, once they have been authenticated.

Screenshot_2022-06-24_at_12.14.17.png

Valid Audiences

This is for the Service Provider to identify, if they require valid audiences please insert them here.

Screenshot_2022-06-24_at_12.14.42.png

Privacy Disclaimer

You can enter a Privacy Disclaimer here, which will be shown when transferring the user from Reward Gateway to the Service Provider. You can also skip this section and it won’t prompt the users to agree to the disclaimer.

Screenshot_2022-06-24_at_12.14.50.png

Encrypt Assertion

If the Service Provider prefers the SAML Assertions to be encrypted, paste in a public key here and the SAML Assertions would be encrypted using that key.

Screenshot_2022-06-24_at_12.15.01.png

Sign Assertion

If the Service Provider requires the assertions to be signed, this could be marked here.

Screenshot_2022-06-24_at_12.15.36.png

Metadata and certificate

The metadata or the certificate can be downloaded from here. This needs to be sent to the Service Provider.

Screenshot_2022-06-24_at_12.15.42.png

Mapping

This step is where you choose which SAML Attributes to be sent to the Service Provider.

You can choose to send ID, email address or any other additional attribute that we have available.

If the Service Provider is going to look for the unique identifier in the name ID, you need to add SAML Subject and Name ID Format.

Screenshot_2022-06-24_at_12.15.50.png

Note: The "ID" field at the bottom is an internal system identifier for Reward Gateway and has no relation to any data provided by the client.

Screenshot_2022-06-24_at_12.15.58.png

If the Service Provider is going to look for the unique identifier as an attribute, select None and Unspecified as SAML Subject and Name ID Format. Then click on “Add” and fill in your aliases’ names.

Screenshot_2022-06-24_at_12.16.08.png

Testing

In this step, you need to test the Outbound connection that has been set up. Click the Start Test button to initiate a SAML Request to the Service Provider.

Screenshot_2022-06-24_at_12.16.23.png

Once you have successful logins and the testing is complete, click on the 'Next' button to proceed.

Screenshot_2022-06-24_at_12.16.30.png

Review and Publish

Review your integration and once satisfied, publish the connection using the "Publish" button.

Screen_Shot_2019-12-17_at_07.26.28.png