Xap Single Sign On (SSO)



Xap single sign on is available to all customers on the Enterprise package.

What is SSO?

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

True single sign-on allows the user to log in once and access services without re-entering authentication factors. Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.


Benefits of SSO

Some benefits of using single sign-on include:


  • Mitigate risk for access to 3rd-party sites (federated authentication) because user passwords are not stored or managed externally.
  • Reduce password fatigue from different username and password combinations.
  • Reduce support burden due to lower number of help desk calls about passwords.
  • Simpler administration. SSO-related tasks are performed transparently as part of normal maintenance, using the same tools that are used for other administrative tasks.
  • Better network security. Eliminating multiple passwords also reduces a common source of security breaches—users writing down their passwords.


What’s changing in Xap?

Xap previously provided SSO capability to customers; however, some functionality was missing and has now been made available.

  • Previously, SSO was only available when logging in via the Xap Web Portal. Xap SSO now covers login access from the Xap Connect App.
  • Single Log Out (SLO) functionality was previously not available. Configuring an SLO URL means your users can log out once across all your federated applications.
  • Once enabled, SSO is now enforced for the entire organisation when a user logs in with a Staff role for the organisation.
  • A custom URL, specific to an organisation, will now be available for Enterprise organisations.


E.g. organisationname.sso.xap.rocks


What this means for Organisations already using Xap SSO

  1. There will be a new version of the Xap Connect App. Devices will need to be upgraded to the new version of the Xap Connect App and configured to use the organisation’s new login URL.

After the feature release, if SSO is enabled for your organisation, users will be unable to log in to the Xap Connect App unless the app is updated to the latest version and configured with your new Organisation Application login URL.

  2. Existing web portal users will need to log in via the new URL that has been provisioned for your organisation.


How does Xap SSO work?

When SSO is enabled for your organisation, all users logging in with an email address linked to your organisation will be required to authenticate with your Identity Provider (IDP). If that account is inactive or does not exist in your IDP, that user will not have access to any user roles linked to your organisation.


Setup Xap SSO

Enterprise customers can log a request with the Xap Support team to have SSO enabled. Customers are required to provide the following information in order to be set up:


  • WtRealm
  • Metadata URL
  • ID Claim Type
  • Logout URL


Xap System Administrators will configure this in conjunction with Customer IT teams.



Setup SSO

Customer Responsibilities

Customers are responsible for co-ordinating the following:

  1. Setting up and managing SSO within their organisations. An example of this is shown in our How To: Setup SSO Configs guide.
  2. Sharing the custom login URL with all staff members.
  3. Updating all Connect App devices with the latest version of the app.
  4. Configuring the Connect App to use the new organisation specific login URL.


It is important to note that once this release is in Production, if SSO is enabled, all devices will need to be on the correct version and correctly configured with the new organisation specific URL before users will be able to log into the App. For this reason, the Xap release will be on a Friday so that existing Organisations using SSO have time to coordinate the upgrade and configuration of the devices.


New SSO Customers

If you would like to use SSO for Xap authentication within your organisation, please contact the Xap support team and they will assist you with getting SSO enabled.


Login View


The initial sign in will be:

  1. Add in your email address, select Next
  2. Add in your secure Password, select Next
  3. Choose whether to save your details and remain signed in, select Yes or No




SSO FAQs

Customer Questions

Answer

Where a user has only a staff account and SSO is enabled and tries to log in via the default Xap login portal, what happens?

If they attempt to log in with a user email address linked to the organisation and do not have a guardian role, they will be redirected to the Organisation specific URL after attempting to log in. If they have a Guardian profile, they will log in with the Xap credentials and will only have access to the Guardian account.

If we invalidate an auth token on our IDP, how long until it’s invalidated in Xap (how often would token validation be confirmed)?

The Xap token lives for 4 hours, so the user would have access for a max of 4 hours.

We would like to ensure that Federated Authentication / SSO enables us to logically separate the concept and access of guardian and staff – where an email address is shared between the two, is this feasible?

If a user authenticates via Active Directory, they will have access to the Guardian Role as well as the Organisation Role. If the user authenticates via the Xap Login URL, they will only have access to the Guardian Role. Xap will not redirect to the Org URL where there is also a Guardian Role.

If the Connect App is not updated what is the user experience?

Users cannot log into the Connect App if SSO is enabled for an organisation and the Connect App is not configured.

If a user does not exist in XAP and SSO is enabled, what is the user experience?

The user will be unable to log in.
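The 4-hour token lifetime mentioned in the FAQ above means an account disabled in your IDP can keep Xap access until its current token expires. The following added example (not Xap code) shows how an IT team could measure that window during offboarding. The log formats, names and sample data are constructed, and it assumes a token is issued at login and expires exactly 4 hours later.

```python
from datetime import datetime, timedelta

XAP_TOKEN_LIFETIME = timedelta(hours=4)  # lifetime stated in the FAQ above

# Constructed sample data (hypothetical export formats, not Xap's or any IDP's).
IDP_DISABLED = """\
2023-10-30T09:15:00 alice@example.org
2023-10-30T13:00:00 bob@example.org
"""
XAP_LOGINS = """\
2023-10-30T08:00:00 alice@example.org
2023-10-30T04:30:00 bob@example.org
2023-10-30T12:45:00 bob@example.org
2023-10-30T10:00:00 carol@example.org
"""

def parse(lines):
    """Yield (timestamp, user) pairs from 'ISO8601 user' lines."""
    for line in lines.splitlines():
        if line.strip():
            ts, user = line.split()
            yield datetime.fromisoformat(ts), user.lower()

def residual_access(disabled_log, login_log, lifetime=XAP_TOKEN_LIFETIME):
    """Return {user: minutes a Xap token stays valid after the IDP disable}.

    Assumption: a token is issued at login and expires `lifetime` later.
    """
    disabled = {}
    for ts, user in parse(disabled_log):
        disabled[user] = min(ts, disabled.get(user, ts))  # earliest disable
    exposure = {}
    for issued, user in parse(login_log):
        cutoff = disabled.get(user)
        if cutoff is None or issued > cutoff:
            continue  # never disabled, or a login attempted after the disable
        expires = issued + lifetime
        if expires > cutoff:  # token outlives the IDP-side deactivation
            minutes = int((expires - cutoff).total_seconds() // 60)
            exposure[user] = max(minutes, exposure.get(user, 0))
    return exposure

if __name__ == "__main__":
    report = residual_access(IDP_DISABLED, XAP_LOGINS)
    for user, minutes in sorted(report.items()):
        print(f"{user}: token valid for {minutes} min after IDP disable")
```

Any user reported here should be treated as still having access until the listed window has passed.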

Updated on: 31/10/2023
