This article describes how Single Sign-On (SSO) can be implemented using Security Assertion Markup Language 2.0 (SAML) to enable employees who have been authenticated by a third-party system to access Reward Gateway without credentials.

Single Sign-On allows employees to access all authorized network resources without having to log in separately to each resource. It validates usernames and passwords against the employer's corporate user database rather than having separate user passwords managed by Reward Gateway.

SAML

Reward Gateway uses the XML-based Security Assertion Markup Language 2.0 (SAML) protocol for Single Sign-On into Reward Gateway from a corporate portal or identity provider.

SAML is used for communicating user authentication, entitlement, and attribute information. It was developed and continues to be advanced by the Security Services Technical Committee of the open standards consortium, OASIS (Organization for the Advancement of Structured Information Standards.) It is now regarded as the de facto standard protocol for identity management.

Considerations

• Reward Gateway supports SAML version 2

• Reward Gateway supports IDP Initiated SSO and SP initiated SSO

• Reward Gateway supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata. 

• The IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.

• Reward Gateway supports JIT user provisioning via SAML

Configuring your identity provider

To get started, our clients will need to set up a connection to the client program on Reward Gateway with their IDP. There are several guides for many providers we have worked with before listed below:

If the clients IDP is not listed above, it is nothing to worry. We also offer a guide on setting up a Custom SAML connector to their program with us.

Setting up the Integration on Reward Manager

Each of the IDPs listed above in Step 1 has their own associated Integration on the Integration Dashboard in Reward Manager. 

Clients need to select the Integration they wish to proceed with and follow the instructions below to complete the setup. 

The setup process includes 4 steps:

1. Initial setup: Capturing identity provider details

2. Mapping: Mapping SAML attributes from the IDP to SP

3. Testing: Testing the connector

4. Review and Publish: Review the setup and request it to be published 

To get a better understanding on how to complete the setup, please refer to the Guide to SAML Integration Settings article.

Testing your SAML Integration

None of the SAML integrations will be published on the clients platform until it has successfully passed a Testing process. During the testing stage, an actual SAML Response must be sent to the SAML Assertion Consumer Service URL. This could be by attempting to login using the new SAML connector with the IDP. 

If there are any errors with the connection, the testing step would provide a detailed list of the errors and also show the raw SAML Response related to that attempt.

Management 

SAML is a method for federated identity, not the management of accounts (including deprovisioning.) Administrators must still revoke employee accounts through Reward Manager, the administrative platform for Reward Gateway. 

Revoking accounts can either be done on a case-by-case basis by looking up the individual affected member and changing their eligibility status, or in bulk through a dedicated file import tool.

Further Reading

Additional information on SAML can be found through the following links:

• http://en.wikipedia.org/wiki/SAML_2.0

• https://www.oasis-open.org/standards#samlv2.0