This article describes how Reward Gateway can act as an Identity Provider (IDP) using outbound SAML connections to integrate with a client's third-party service providers.
When enabled, this SSO can be accessed by our clients' employees from their Reward Gateway platform, allowing one-click access to other systems from a tile on their homepage or a menu item. Because the sign-in starts on the Reward Gateway side, this is IDP-initiated SSO: the member is already authenticated on their platform and a signed SAML Response is posted to the service provider. This gives our clients greater flexibility and control, and their employees a seamless and easy journey between systems.
How can Outbound SSO be enabled?
To enable Outbound SSO, clients should log into Reward Manager, navigate to the Integration Dashboard and search for "Outbound SSO" under the "Explore Integrations" tab.
Select the integration and turn it “On” using the toggle button in the top right-hand side.
Give your connection a name that anyone on the team can easily identify.
The next field takes the service provider's Assertion Consumer Service (ACS) URL, which the service provider may call its consumer URL or service URL. This is where SAML Responses (the messages carrying the assertions) are sent by HTTP POST when a connection attempt is made, so it should be copied exactly from the service provider's SAML metadata or documentation and use HTTPS.
An optional RelayState value can also be set. It is passed as an additional "RelayState" parameter in the same HTTP POST, and the service provider can use it, for example, to deep link into a specific page on their end. RelayState is not part of the signed assertion, so the service provider should treat it as untrusted input.
This is the Issuer (entity ID) that the service provider uses to identify who sent the SAML Responses; the service provider must be configured with the same value. If left blank it defaults to the client's program domain.
If the service provider would prefer the SAML Assertions to be encrypted, the client can paste the service provider's public encryption certificate here. The SAML Assertions will then be encrypted so that only the service provider, which holds the matching private key, can read them.
This step is where the client chooses which SAML Attributes are sent to the Service Provider.
Firstly, choose which identifier to send as the SAML Subject (Name Identifier). This could be the unique identifier set up on the client's platform, such as a Payroll Number or Employee ID, or the member's email address.
Note: An "ID" field can also be sent as the SAML Subject. It is Reward Gateway's internal system identifier and has no relation to any data provided by the client.
Then select the format of the Name Identifier from the dropdown. It may be worth consulting the service provider beforehand, as they will usually expect a specific format (for example, email address or unspecified).
Additionally, clients can add any number of attributes using the Add button shown on screen. Each one is added to the SAML Response sent to the Service provider, and the client controls the alias under which each attribute appears, so the names can match what the service provider's attribute mapping expects.
In this step, the client can test the Outbound connection that has been set up. Click the Start Test button to send an IDP-initiated SAML Response to the service provider and check that the result is as expected. Once testing is complete, click the 'Next' button to proceed.
Note: Before testing, the client must pass the IDP (Reward Gateway) metadata to the service provider so that the service provider knows how to verify the signed SAML Responses it receives. To do this, download the Metadata or the Signing certificates using the options on the right of the screen.
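To make the steps above concrete, here is an added example (written for this article, not Reward Gateway's or any service provider's code) of the IDP-initiated exchange an Outbound SSO connection performs: it builds the SAML Response with the Issuer, ACS URL, Name Identifier, chosen format and aliased attributes from the steps above, wraps it in the HTTP POST form with a RelayState, and then applies the checks the service provider side should make. It uses only the Python standard library, so signing and encryption are left out; the issuer, ACS URL, member values and RelayState path are constructed placeholders.

```python
# Added example, not Reward Gateway code: the IDP-initiated SAML 2.0 HTTP-POST
# exchange behind an Outbound SSO connection, built on the IdP side and then
# validated on the SP side. Stdlib only; signing and encryption are omitted.
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Two of the Name Identifier formats an SP may ask for in the dropdown step.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_response(issuer, acs_url, name_id, name_id_format, attributes, now,
                   validity=timedelta(minutes=5)):
    """IdP side: unsigned samlp:Response. `attributes` maps the alias the SP
    will see to the member's value (the alias control in the attribute step)."""
    expiry = _ts(now + validity)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": acs_url})  # the ACS URL entered on the connection
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", Format=name_id_format).text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  Recipient=acs_url, NotOnOrAfter=expiry)
    ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                  NotBefore=_ts(now), NotOnOrAfter=expiry)
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for alias, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=alias)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = str(value)
    return ET.tostring(resp, encoding="unicode")

def build_post(acs_url, response_xml, relay_state=None):
    """HTTP-POST binding: form fields plus an auto-submitting form. RelayState
    is a separate, unsigned field, so the SP must treat it as untrusted."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
                     for k, v in fields.items())
    form = (f'<form method="post" action="{html.escape(acs_url)}">{inputs}'
            '<noscript><button>Continue</button></noscript></form>'
            '<script>document.forms[0].submit()</script>')
    return fields, form

def validate_response(fields, expected_acs, expected_issuer, now):
    """SP side. A real SP first verifies the XML signature with the IdP signing
    certificate from the downloaded metadata (an XML-DSig library is needed);
    that step is deliberately omitted here."""
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"]))
    if root.get("Destination") != expected_acs:
        raise ValueError("Destination does not match our ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected Issuer")
    code = root.find("samlp:Status/samlp:StatusCode", namespaces=NS).get("Value")
    if not code.endswith(":Success"):
        raise ValueError(f"non-success status {code}")
    assertion = root.find("saml:Assertion", namespaces=NS)
    conds = assertion.find("saml:Conditions", namespaces=NS)
    not_before, not_after = (_parse_ts(conds.get(a)) for a in ("NotBefore", "NotOnOrAfter"))
    if not not_before <= now < not_after:  # NotBefore inclusive, NotOnOrAfter exclusive
        raise ValueError("assertion outside its validity window")
    name_id = assertion.find("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attrs, "relay_state": fields.get("RelayState")}

# Constructed placeholders for a walk-through (not a real client or SP).
ISSUER = "https://acme.rewardgateway.example"
ACS_URL = "https://sp.example.com/saml/acs"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def demo(now=DEMO_NOW):
    xml = build_response(ISSUER, ACS_URL, "E12345", NAMEID_UNSPECIFIED,
                         {"email": "jane@acme.example", "firstName": "Jane"}, now)
    fields, form = build_post(ACS_URL, xml, relay_state="/benefits/gym")
    return fields, form, validate_response(fields, ACS_URL, ISSUER, now)
```

Running demo() returns the posted form fields, the auto-submitting form and the dictionary the service provider extracts (Name Identifier E12345 in unspecified format, the two aliased attributes and the RelayState). The two ValueError paths are the ones worth exercising during the Start Test step: a Destination that is not the configured ACS URL, and an assertion replayed after its NotOnOrAfter time.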
Review and Publish
The Outbound SSO connection is now set up and ready to go. Review the details and verify the connection works as expected with the service provider. Once satisfied, publish the connection using the "Publish" button. This enables the connection on the client's program so employees can use it.