Introduction
This article explains the expected behavior of Single Sign-On (SSO) authentication on our platform. Details are provided for login and logout events, including what happens during authentication. Keep reading to learn more about the SSO protocol and how it is used on our platform.
Background
Our platform uses Single Sign-On (SSO) technology to provide secure authentication. This is a modern, industry-standard security protocol used by major services worldwide. When you click the login button on our platform, you're redirected to a third-party identity provider that handles all authentication.
Note: It is important to understand that the login screen is not ours.
Login Behavior
- The login screen where you enter your email and password is hosted and controlled by the third-party identity provider, not by Reward Gateway | Edenred.
- We have no control over the identity provider's session management, cookies, or how they maintain authentication state.
- This separation is intentional and follows security best practices - we never directly handle your password.
What Happens During Authentication
- Redirect to the identity provider: You're sent to their login page.
- The identity provider authenticates you: You enter credentials and it verifies them.
- Identity provider session created: It creates its own session in your browser (separate from our platform).
- Return to our platform: It sends you back with a secure authentication token.
- Our session created: Our platform creates a session tied to your browser and device.
- Device trust established: Your device is registered as trusted in our backend database for a specific period (typically 90 days).
After Successful Login, Two Separate Sessions Exist:
- Identity provider's session - Managed entirely by the identity provider; we cannot control when this expires.
- Our platform's session - Managed by Reward Gateway for access to the platform.
When you log out of our platform, we only terminate our session. The identity provider's session may still be active because it's controlled by a third party.
Logout Behavior
When you click Log Out on our platform:
- Our session terminated: Your active session on Reward Gateway servers is immediately terminated.
- Our cookies cleared: Session cookies for our platform are removed.
- You're logged out of our platform: You can no longer access Reward Gateway | Edenred's resources.
However - and this is critical to understand:
The identity provider's session is NOT terminated because:
- Their session is a separate, third-party service that we don't control.
- It maintains its own session management independent of our platform.
- We have no ability to force the identity provider to end its session when you log out of our platform.
- This is by design in SSO architecture - the identity provider's session is separate.
When you click Log in again after logging out:
- You're redirected to the identity provider's login page.
- The identity provider still has an active session in your browser from your previous login.
- The identity provider recognizes you as already authenticated (their session is still valid).
- The identity provider automatically re-authenticates you without showing the login form.
- The identity provider sends you back to our platform with a new authentication token.
- You're logged into our platform again - all in a fraction of a second.
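The two-session design described in the login and logout steps above, as an added Python model that is not code from Reward Gateway | Edenred or from any identity provider: the identity provider and the platform each keep their own session store, logging out of the platform clears only the platform's cookie, so the next login completes silently from the identity provider's surviving session, while device trust is a separate record with its own 90-day expiry. The class names, cookie names, token handling and the sample account are constructed for the example.

```python
import secrets
DEVICE_TRUST_SECONDS = 90 * 24 * 3600   # trust window the article gives (typically 90 days)

class IdentityProvider:   # constructed stand-in for the third-party identity provider
    def __init__(self, users):
        self._users = users        # email -> password, constructed sample accounts
        self._sessions = {}        # idp_cookie -> email; the cookie lives in the user's browser
        self._tokens = {}          # single-use tokens handed back to the platform
        self.prompts = 0           # how often the login form was actually shown
    def authenticate(self, browser, email=None, password=None):
        known = self._sessions.get(browser.get("idp_cookie"))
        if known is None:                      # no IdP session: show the form, check credentials
            self.prompts += 1
            if self._users.get(email) != password:
                raise PermissionError("invalid credentials")
            browser["idp_cookie"] = cookie = secrets.token_hex(16)
            self._sessions[cookie] = known = email
        token = secrets.token_hex(16)          # with a session: silent re-authentication, no form
        self._tokens[token] = known
        return token
    def redeem(self, token):                   # the platform verifies the token; it is single use
        return self._tokens.pop(token)

class Platform:   # constructed stand-in for the platform; it never sees the password
    def __init__(self, idp):
        self._idp, self._sessions, self._trusted = idp, {}, {}
    def login(self, browser, now, **creds):
        email = self._idp.redeem(self._idp.authenticate(browser, **creds))
        browser["platform_cookie"] = cookie = secrets.token_hex(16)
        self._sessions[cookie] = email
        self._trusted[(email, browser["device_id"])] = now + DEVICE_TRUST_SECONDS
        return email
    def logout(self, browser):                 # clears only the platform's own session and cookie
        self._sessions.pop(browser.pop("platform_cookie", None), None)
    def is_logged_in(self, browser):
        return browser.get("platform_cookie") in self._sessions
    def device_trusted(self, email, browser, now):
        return self._trusted.get((email, browser["device_id"]), 0) > now

def walkthrough():   # login, logout, login again: the form is shown once; the IdP cookie survives
    browser = {"device_id": "laptop-1"}       # constructed cookie jar for one browser on one device
    idp = IdentityProvider({"alice@example.com": "correct horse battery staple"})
    sp, now = Platform(idp), 0.0              # "now" in seconds; 0.0 keeps the example deterministic
    sp.login(browser, now, email="alice@example.com", password="correct horse battery staple")
    sp.logout(browser)
    out_after_logout = not sp.is_logged_in(browser)
    sp.login(browser, now)                    # no credentials passed: silent re-auth via IdP session
    return {"prompts": idp.prompts, "out_after_logout": out_after_logout,
            "in_again": sp.is_logged_in(browser), "idp_cookie_survives": "idp_cookie" in browser,
            "trusted_after_91d": sp.device_trusted("alice@example.com", browser, now + 91 * 86400)}
```

Running walkthrough() shows one password prompt across two logins, a platform session that is gone after logout and back after the silent re-login, and a device trust record that has lapsed on day 91.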
This behavior is intentional, secure, and follows industry best practices for Single Sign-On systems. This design ensures that:
- Your credentials are secure
- Everyone involved in the authentication process follows industry security standards
- The appropriate security controls are applied
- Convenience and protection are equally balanced
We take security seriously and the measures in place are designed to keep your account secure while providing a smooth user experience.