The CreditXpert SSO Setup Guide with Microsoft Entra provides the SSO configuration requirements for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that leverages the SAML protocol to automatically provision users at the time of their first login to the CreditXpert Platform via their company’s Identity Provider (IdP).
About the CreditXpert Environment:
- CreditXpert uses AWS Cognito to support SAML 2.0 authentication
- AWS Cognito acts as the service provider (SP) on behalf of the CreditXpert Platform
- CreditXpert currently only supports SP-initiated SSO. (Visit the FAQs section of the Help Center for additional information.)
Table of Contents
- Step 1: Create Enterprise Application
- Step 2: Assign users and groups
- Step 3: Set up SSO
- Step 4: SSO Testing
Prerequisites
- You must use a SAML 2.0-enabled Identity Provider (IdP)
- You are in our multi-tenant environment (your URL contains "web.prod.selfsvc.Platform.creditxpert")
Step 1: Create Enterprise Application
In Microsoft Entra, navigate to Applications → Enterprise applications.
Enterprise applications
Click New application.
New application
In Browse Microsoft Entra Gallery, click Create your own application.
Create your own application
Enter “CreditXpert” as the name of your application (app). Then, select the “Integrate any other application you don’t find in the gallery (Non-gallery)” option.
"CreditXpert" and option
Once the CreditXpert app is created, you will be directed to the Overview screen.
App Overview screen
Step 2: Assign users and groups
You can now assign users and groups to the CreditXpert app. To get started, click the tile “1. Assign users and groups”.
Assign users and groups
Once you click the tile, you will be directed to the Users and groups page. This is where you can grant CreditXpert application access to users/groups in your organization. To do this, click the Add user/group button at the top of the page.
Add user/group button
Step 3: Set up SSO
Now that users are assigned access to CreditXpert, click on Set up single sign-on to complete setup.
Set up single sign-on
Select SAML as the single sign-on method.
Select SAML
On the SAML-based Sign-on page, upload the SP metadata file by clicking Upload metadata file. This will automatically populate the Entity ID and Reply URL required in the first step, Basic SAML Configuration.
Visit the Configuration Requirements section of the Help Center to access the SP metadata file. Note: To access this page, you must log in to the CreditXpert Platform.
Upload metadata file
Add SP metadata file
Once the Basic SAML Configuration panel opens on the left side, it should be pre-filled with the required information from the SP metadata file. Click the Save button at the top left of the panel.
Click Save
Download the Federation Metadata XML under step 3, SAML Certificates. You will need to upload this file to the CreditXpert Platform under SSO Configuration.
Download Federation Metadata XML
The CreditXpert Platform provides a technical admin role which allows the technical admin to log into the self-service portal to configure SSO for the CreditXpert Platform. CreditXpert will send an invitation to the technical admin(s) designated by the lender.
Upon logging in, the technical admin can navigate to the Configure SSO screen by following the path Company Settings > Configure SSO.
Configure SSO Screen
Drag and drop the XML file you downloaded from Microsoft Entra to the file upload in Identity provider settings.
Identity provider settings
Once the metadata file is uploaded, the next step is to update the attributes/claims in Microsoft Entra. This is done by clicking Edit in the Attributes & Claims section.
Edit Attributes & Claims
The email, givenname and surname attributes/claims are required. They can be added by clicking the Add new claim button on the Attributes & Claims page.
Add new claim
Microsoft Entra may also set up some additional default claims for the application. These can be updated by clicking on the claim record in the table.
Edit existing claim
These default claims may also have a Namespace set. It is advised to remove this Namespace and only provide a Name for the claim, which keeps the attribute/claim name shorter.
Edit existing attribute/claim
Once the claims have been added/updated, the next step is to copy the claim name to the CreditXpert Configure SSO page.
Copy claim name
Paste claim name into the correct user attribute field
Click the Save changes button at the bottom of the screen.
Save SSO configuration changes
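An added example (not from CreditXpert or Microsoft) for checking the claim names covered above: it reads the AttributeStatement of a SAML assertion and reports, for each required attribute, whether the claim arrives under the name entered on the Configure SSO page or still carries Entra's default namespace. The sample assertion, the `CONFIGURED` mapping and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Namespace that Entra attaches to its default claims unless it is cleared.
ENTRA_DEFAULT_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Assumption: the claim names pasted into the three user attribute fields.
CONFIGURED = {"email": "email", "givenname": "givenname", "surname": "surname"}

# Constructed sample: only the email claim has been renamed; givenname keeps
# its default namespace and surname was never added.
SAMPLE = f"""
<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">
  <saml:Attribute Name="email">
    <saml:AttributeValue>pat.lee@lender.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ENTRA_DEFAULT_NS}givenname">
    <saml:AttributeValue>Pat</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def read_attributes(xml_text):
    """Map each SAML Attribute Name to its list of non-empty values."""
    root = ET.fromstring(xml_text)
    sent = {}
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [v.text.strip() for v in attr if v.text and v.text.strip()]
        sent[attr.get("Name")] = values
    return sent

def check_claims(xml_text, configured=CONFIGURED):
    """Report, per user attribute field, whether the IdP sends a usable claim."""
    sent = read_attributes(xml_text)
    report = {}
    for field, name in configured.items():
        if sent.get(name):
            report[field] = "ok"
        elif name in sent:
            report[field] = "present but empty"
        elif ENTRA_DEFAULT_NS + name in sent:
            report[field] = "sent with default namespace"
        else:
            report[field] = "missing"
    return report

if __name__ == "__main__":
    for field, status in check_claims(SAMPLE).items():
        print(f"{field}: {status}")
```

The check only compares attribute names and values; it does not validate the assertion's signature, so treat it as a configuration diagnostic for a test login.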
You should then see the screen below once SSO is set up for your company. Note that SSO will initially be disabled, as you have only just completed the SSO configuration requirements for Just-in-Time (JIT) provisioning. Users will be automatically provisioned at the time of their first login to the CreditXpert Platform via the company’s Identity Provider (IdP).
SSO is initially disabled
Step 4: SSO Testing
Before enabling SSO for your company in the CreditXpert Platform, please test to ensure everything is configured correctly. Test by following the path Ellipsis > Test.
Ellipsis > Test
Test menu item
Clicking “Test” will open a new tab in your browser that directs you to your company’s IdP login screen.
The first time you run a test, you may see an Account linked message. This is an extra step performed during the first login of a technical admin account to link the SSO identity with your existing CreditXpert account. If you get this message, simply close the test tab and run the test again.
When testing is successful, you will see a list of user attributes that successfully mapped from your IdP. If an error has occurred, an error screen will be displayed with additional messaging identifying the type of error.
Congratulations! You are now ready to enable SSO for your company. Enable by following the path Ellipsis > Enable.
Ellipsis > Enable
Enable SSO menu item
Users will be automatically provisioned at the time of their first login to the CreditXpert Platform via your company’s Identity Provider (IdP).