
Single Sign-On
To deliver both security and convenience to Culture Cloud clients and their employees, O.C. Tanner uses SSO authentication.
Technical Requirements
We recommend that you use your own Identity Provider (IdP) for SAML Single Sign-On (SSO). If you don't have SSO available, we offer O.C. Tanner's core IdP (identity provider service) as an alternative.
- The SAML system must use SAML 2.0 HTTP post binding.
- The SAML system must be configured to sign the SAML assertion element.
- The SAML system must provide its metadata as a URL or an XML file.
- The SAML system must provide the signing certificate (not required if it is already included in the SAML 2.0 metadata) and the certificate chain used to sign the SAML assertion.
OpenID Connect is a federated alternative to SAML that O.C. Tanner can support.
- OpenID Connect is supported for clients who want to use this form of authentication.
- The OpenID Connect system must provide a metadata URL or well-known configuration.
- Clients must provide OAuth client credentials for use with OpenID Connect.
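As an added example (not O.C. Tanner's code), the following Python script checks an IdP's SAML 2.0 metadata and OpenID Connect well-known configuration against the requirements above: HTTP-POST binding, a published signing certificate, a JWKS URI and authorization code grant support. The hostnames and certificate value are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_saml_metadata(xml_text):
    """Return the unmet SAML requirements for an IdP metadata document (empty list = OK)."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor in metadata"]
    problems = []
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if POST_BINDING not in bindings:
        problems.append("SingleSignOnService does not offer the HTTP-POST binding")
    # The assertion-signing certificate lives in a KeyDescriptor with use="signing"
    # (or with no use attribute, which means the key is valid for both uses).
    has_cert = any(k.find(".//ds:X509Certificate", NS) is not None
                   for k in idp.findall("md:KeyDescriptor", NS)
                   if k.get("use", "signing") == "signing")
    if not has_cert:
        problems.append("no signing certificate in metadata; it must be supplied separately")
    return problems

def check_oidc_config(config_json):
    """Return the unmet OpenID Connect requirements for a well-known configuration."""
    cfg = json.loads(config_json)
    problems = []
    if not cfg.get("jwks_uri"):
        problems.append("jwks_uri missing, so ID token signatures cannot be verified")
    # OIDC Discovery: an absent grant_types_supported defaults to code and implicit.
    grants = cfg.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants or "code" not in cfg.get("response_types_supported", []):
        problems.append("authorization code grant not supported")
    return problems

# Constructed sample documents; the hostnames and certificate value are placeholders.
SAML_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIB-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
OIDC_BAD = json.dumps({"issuer": "https://idp.example.com", "response_types_supported": ["id_token"]})

if __name__ == "__main__":
    print("SAML:", check_saml_metadata(SAML_OK) or "meets requirements")
    print("OIDC:", check_oidc_config(OIDC_BAD) or "meets requirements")
```

Metadata does not advertise whether the assertion element itself will be signed, so that requirement still has to be confirmed with a test login.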
SSO File Requirements
We will need to establish each participant's Login ID. To do this, we'll need you to provide the following from the population file: employee name, and phone number or email address.
Preliminary Questions
To set up SSO authentication, we’ll ask you to answer some preliminary questions (see below). Once these questions have been answered and the requirements are communicated, the next step is to put your federation team in touch with O.C. Tanner’s security team to discuss implementation.
Do you have a federated solution (Identity Provider) already in place and are you federating currently with other vendors?
What is your Identity Provider solution?
Using SAML?
What is the unique ID you will send in the SAML assertion? This unique ID must also be in the data files that are sent as part of the program.
Are you able to provide O.C. Tanner your SAML 2.0 metadata? If so, please attach the metadata file or URL.
Using OpenID Connect?
What is the preferred username coming from OpenID Connect? This data element must also be in the data files that are sent as part of the program, as it is used for the login ID.
Do you include the JWKS URI for signature verification in your metadata or well-known configuration?
Do you support the authorization code grant type for OAuth?
Do your Corporate Password Standards meet or exceed the following?
- Minimum of 8 Characters
- Requires complex passwords
- Maximum of 6 failed login attempts
- Password expiration of 90 days
- Password history of last 8 passwords
- Minimum session expiration of 60 minutes
