In this article, we’ll go through how Reward Gateway can act as a SAML Identity Provider (IdP), using outbound SAML connections to integrate with a client's third-party Service Providers.
When enabled, this SSO can be accessed by our clients’ employees from their Reward Gateway platform, giving one-click access to other systems from a tile on their homepage or a menu item on the navigation bar. The employee moves between systems without a second login: the Service Provider no longer needs to hold its own password for each employee, and the user experience is smoother.
How can Outbound SSO be enabled?
To enable Outbound SSO, log into Reward Manager, navigate to the Integration Dashboard and search for “Outbound SSO” under the “Explore” tab.
If you don’t have access please speak with your Client Success Manager or a member of the Client Support team who will assign your permissions.
Give your connection a name that can be easily identified by anyone.
This is the Service Provider's Assertion Consumer Service (ACS) URL, sometimes called the Consumer URL or Service URL. It is where we will POST the SAML Response after authenticating a user. The Service Provider receives it, verifies the Response (including its signature) and logs the user onto their system.
Example Entry Point / ACS URL:
This is optional. If set, users are sent to this specific page on the Service Provider's side once they have been authenticated, instead of the Service Provider's default landing page.
This is the Audience value that identifies the Service Provider and is placed in the assertion's AudienceRestriction. If the Service Provider requires specific valid audiences (usually their SAML entity ID), insert them here; a Service Provider that checks the audience will reject assertions issued for a different value.
You can enter a Privacy Disclaimer here, which is shown when the user is transferred from Reward Gateway to the Service Provider. You can also skip this section, in which case users are not prompted to agree to a disclaimer.
If the Service Provider prefers the SAML Assertions to be encrypted, paste in their public key (X.509 certificate) here and the SAML Assertions will be encrypted using that key. Only the Service Provider holding the matching private key can then read the assertion; encryption hides the assertion from intermediaries but does not prove who issued it.
If the Service Provider requires the assertions to be signed, tick this option here. The signature is what lets the Service Provider verify that the assertion came from Reward Gateway and was not altered in transit, so most Service Providers expect it to be enabled.
Metadata and certificate
The metadata or the certificate can be downloaded from here and needs to be sent to the Service Provider. The certificate is the public half of the key we sign with; the Service Provider uses it to verify our signatures, and the metadata bundles it together with our entity ID and other connection details so the Service Provider can import everything in one step.
This step is where you choose which SAML Attributes to be sent to the Service Provider.
You can choose to send ID, email address or any other additional attribute that we have available.
If the Service Provider is going to look for the unique identifier in the Name ID, you need to add a SAML Subject and the Name ID Format the Service Provider expects (for example an email address format).
Note: The "ID" field at the bottom is an internal system identifier for Reward Gateway and has no relation to any data provided by the client.
If the Service Provider is going to look for the unique identifier as an attribute instead, select None as the SAML Subject and Unspecified as the Name ID Format. Then click on “Add” and fill in the attribute names (aliases) the Service Provider expects for each value.
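To make the fields above concrete, here is an added example (written for this article, not Reward Gateway's own code) that builds an IdP-initiated SAML Response for a Service Provider's ACS URL, puts the configured audience into the assertion's AudienceRestriction, shows both identifier choices (a NameID in the Subject, or no NameID and the identifier sent as an attribute), wraps it in the HTTP-POST binding, and then applies the checks a Service Provider makes on receipt. All URLs, entity IDs and attribute names are constructed sample values. It assumes the optional post-login page is carried as RelayState, the usual convention for IdP-initiated SSO. Signing and encryption are deliberately left out: a real deployment signs the assertion with XML-DSig and the Service Provider verifies that signature against the downloaded certificate before anything else.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from html import escape

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values; none of these are real Reward Gateway or client identifiers.
IDP_ENTITY_ID = "https://idp.example-rewards.test/saml"
SP_ACS_URL = "https://sp.example-vendor.test/saml/acs"      # the Entry Point / ACS URL field
SP_AUDIENCE = "https://sp.example-vendor.test"              # the valid audience field


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def build_response(acs_url, audience, attributes, name_id=None,
                   name_id_format=NAMEID_UNSPECIFIED, now=None, lifetime_min=5):
    """Build an unsigned IdP-initiated SAML Response addressed to the SP's ACS URL.

    name_id=None models the 'identifier is sent as an attribute' choice: the Subject then
    carries no NameID and the SP reads the identifier from the AttributeStatement.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    issued, expires = now.strftime(TS), (now + dt.timedelta(minutes=lifetime_min)).strftime(TS)
    resp = ET.Element(_q(NS_SAMLP, "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                                 "IssueInstant": issued, "Destination": acs_url})
    ET.SubElement(resp, _q(NS_SAML, "Issuer")).text = IDP_ENTITY_ID
    status = ET.SubElement(resp, _q(NS_SAMLP, "Status"))
    ET.SubElement(status, _q(NS_SAMLP, "StatusCode"), {"Value": SUCCESS})
    assertion = ET.SubElement(resp, _q(NS_SAML, "Assertion"),
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(assertion, _q(NS_SAML, "Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, _q(NS_SAML, "Subject"))
    if name_id is not None:
        ET.SubElement(subject, _q(NS_SAML, "NameID"), {"Format": name_id_format}).text = name_id
    conf = ET.SubElement(subject, _q(NS_SAML, "SubjectConfirmation"),
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, _q(NS_SAML, "SubjectConfirmationData"),
                  {"Recipient": acs_url, "NotOnOrAfter": expires})
    conds = ET.SubElement(assertion, _q(NS_SAML, "Conditions"),
                          {"NotBefore": issued, "NotOnOrAfter": expires})
    restriction = ET.SubElement(conds, _q(NS_SAML, "AudienceRestriction"))
    ET.SubElement(restriction, _q(NS_SAML, "Audience")).text = audience
    if attributes:  # the aliases chosen in the attribute step
        stmt = ET.SubElement(assertion, _q(NS_SAML, "AttributeStatement"))
        for name, value in attributes.items():
            attr = ET.SubElement(stmt, _q(NS_SAML, "Attribute"), {"Name": name})
            ET.SubElement(attr, _q(NS_SAML, "AttributeValue")).text = value
    return ET.tostring(resp, encoding="unicode")


def post_fields(response_xml, relay_state=None):
    """Form fields of the HTTP-POST binding: base64 SAMLResponse plus optional RelayState."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}
    if relay_state:  # assumption: the optional post-login page travels as RelayState
        fields["RelayState"] = relay_state
    return fields


def http_post_form(acs_url, response_xml, relay_state=None):
    """The auto-submitting form the browser POSTs to the SP's ACS URL."""
    inputs = "".join('<input type="hidden" name="%s" value="%s"/>' % (k, escape(v, quote=True))
                     for k, v in post_fields(response_xml, relay_state).items())
    return '<form method="post" action="%s">%s</form>' % (escape(acs_url, quote=True), inputs)


def sp_consume(saml_response_b64, expected_acs, expected_audience, now=None):
    """Checks an SP makes on the decoded Response; returns (name_id_or_None, {attr: [values]}).

    XML-DSig verification and assertion decryption are not implemented here and would run
    first in a real SP, which should also parse untrusted XML with a hardened parser.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != _q(NS_SAMLP, "Response"):
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != expected_acs:
        raise ValueError("Destination does not match our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", {"samlp": NS_SAMLP})
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    ns = {"saml": NS_SAML}
    assertion = root.find("saml:Assertion", ns)
    conds = assertion.find("saml:Conditions", ns) if assertion is not None else None
    if conds is None:
        raise ValueError("no plaintext Assertion with Conditions (encrypted? decrypt first)")
    not_before = dt.datetime.strptime(conds.get("NotBefore"), TS).replace(tzinfo=dt.timezone.utc)
    not_after = dt.datetime.strptime(conds.get("NotOnOrAfter"), TS).replace(tzinfo=dt.timezone.utc)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conds.iterfind("saml:AudienceRestriction/saml:Audience", ns)]
    if expected_audience not in audiences:
        raise ValueError("audience %r not in %r" % (expected_audience, audiences))
    name_id = assertion.find("saml:Subject/saml:NameID", ns)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", ns)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", ns)}
    return (name_id.text if name_id is not None else None), attrs


if __name__ == "__main__":
    doc = build_response(SP_ACS_URL, SP_AUDIENCE, {"email": "alice@example.test"},
                         name_id="alice@example.test", name_id_format=NAMEID_EMAIL)
    print(http_post_form(SP_ACS_URL, doc, relay_state="https://sp.example-vendor.test/benefits"))
```

The audience and validity-window checks in sp_consume are why the audience field and the ACS URL must match what the Service Provider has configured exactly: an assertion with the wrong Audience or Destination is refused even when everything else about the user is correct.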
In this step, you need to test the Outbound connection that has been set up. Click the Start Test button to send a test SAML Response for your user to the Service Provider's ACS URL; in this IdP-initiated flow there is no SAML Request from the Service Provider, Reward Gateway posts the Response directly. A successful test ends with you logged into the Service Provider's system.
Once you have successful logins and the testing is complete, click on the 'Next' button to proceed.
Review and Publish
Review your integration and once satisfied, publish the connection using the "Publish" button.