The CreditXpert SSO Setup Guide provides the SSO configuration requirements for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that leverages the SAML protocol to automatically provision users at the time of their first login to the CreditXpert Platform via their company’s Identity Provider (IdP).
About the CreditXpert Environment:
- CreditXpert uses AWS Cognito to support SAML 2.0 authentication
- AWS Cognito acts as the service provider (SP) on behalf of the CreditXpert Platform
- CreditXpert currently only supports SP-initiated SSO. (Visit the FAQs section of the Help Center for additional information.)
Prerequisites
- You must use a SAML 2.0-enabled Identity Provider (IdP)
- You are in our multi-tenant environment (your URL contains "web.prod.selfsvc.Platform.creditxpert")
Configuration requirements
To set up SSO for the CreditXpert Platform, configure your IdP either manually or by uploading the CreditXpert SP metadata file.
Visit the Configuration Requirements section of the Help Center for important details relating to the SP metadata file. Note: To access this page, you must log in to the CreditXpert Platform.
Step 1: SSO Setup
The CreditXpert Platform provides a technical admin role which allows the technical admin to log into the self-service portal to configure SSO for the CreditXpert Platform. CreditXpert will send an invitation to the technical admin(s) designated by the lender.
Upon logging in, the technical admin can navigate to the Configure SSO screen by following the path Company Settings > Configure SSO.
Configure SSO Screen
Add the Whitelisted domains for your company by entering the domain(s) of the user email addresses that will authenticate via SSO. For example, for a user with the email address a.user@yourdomain.com you would add the domain yourdomain.com to the whitelist.
Adding Whitelisted domains
Upload your IdP metadata file or provide the URL to the metadata in Identity provider settings.
Upload Identity Provider Settings
Provide the SAML attribute/claim names that map to each CreditXpert user attribute in User attribute fields. Only first name, last name and email are required attributes. (Visit the FAQs section to understand where to identify your SAML attributes or the Attribute section of the Help Center for more information.)
Providing User attribute fields
Click the Save changes button at the bottom of the screen.
Save SSO configuration changes
Once SSO is set up for your company, you should see the screen below. Note that SSO will initially be disabled, as you have just completed the SSO configuration requirements for Just-in-Time (JIT) provisioning. Users will be automatically provisioned at the time of their first login to the CreditXpert Platform via the company’s Identity Provider (IdP).
SSO is initially disabled
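A local pre-check of the Step 1 values, added here as an example (it is not CreditXpert code and does not reproduce the platform's own validation): it reads the attributes from a SAML 2.0 assertion issued by your IdP and reports any required attribute or whitelisted domain that does not line up. The keys `first_name`, `last_name` and `email`, the claim names `givenName`, `sn` and `mail`, and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical keys for the three required CreditXpert user attributes.
REQUIRED = ("first_name", "last_name", "email")

def read_attributes(assertion_xml):
    """Return {attribute Name: first AttributeValue text} from a SAML 2.0 assertion."""
    # Input is an assertion from your own IdP; signature checks are out of scope.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_mapping(assertion_xml, attr_map, allowed_domains):
    """List mismatches between the assertion and the values entered in Step 1."""
    attrs = read_attributes(assertion_xml)
    problems = []
    for field in REQUIRED:
        claim = attr_map.get(field)
        if not claim:
            problems.append(f"no claim name configured for {field}")
        elif not attrs.get(claim):
            problems.append(f"claim '{claim}' for {field} is missing or empty")
    email = attrs.get(attr_map.get("email", ""), "")
    if email:
        # Compare the part after the last "@" with the whitelisted domains.
        domain = email.rpartition("@")[2].lower()
        if domain not in {d.lower() for d in allowed_domains}:
            problems.append(f"email domain '{domain}' is not whitelisted")
    return problems

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>A</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>a.user@yourdomain.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed claim names; use the ones your IdP actually emits.
MAPPING = {"first_name": "givenName", "last_name": "sn", "email": "mail"}

if __name__ == "__main__":
    print(check_mapping(SAMPLE, MAPPING, ["yourdomain.com"]) or "mapping OK")
```

An empty list means the three required attributes are present under the configured claim names and the email domain is in the whitelist.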
Step 2: SSO Testing
Before enabling SSO for your company in the CreditXpert Platform, please test to ensure everything is configured correctly. Test by following the path Ellipsis > Test.
Test menu item
Clicking “Test” will open a new tab in your browser that directs you to your company’s IdP login screen.
The first time you run a test, you may see an Account linked message. This is an extra step performed during the first login of a technical admin account to link the SSO identity with your existing CreditXpert account. If you get this message, simply close the test tab and run the test again.
When testing is successful, you will see a list of user attributes that successfully mapped from your IdP. If an error has occurred, an error screen will be displayed with additional messaging identifying the type of error.
Congratulations! You are now ready to enable SSO for your company. Enable by following the path Ellipsis > Enable.
Enable SSO menu item
Users will be automatically provisioned at the time of their first login to the CreditXpert Platform via your company’s Identity Provider (IdP).