Single Sign-On

To deliver both security and convenience to Culture Cloud clients and their employees, O.C. Tanner uses SSO authentication.

Technical Requirements

We recommend that you use your own Identity Provider for Single Sign-On (SSO) so that Culture Cloud can take advantage of your federated authentication service. By using your own Identity Provider, you control who has access to Culture Cloud and can require 2FA or other security measures. If you don’t have SSO available, we offer a non-federated authentication service as an alternative.

We support both SAML and OpenID Connect v1.0 for Single Sign-On (SSO).

When using SAML, we require the following to be configured:

  • Must support and use SAML 2.0
  • Must support using the HTTP POST binding with TLS
  • Must support providing O.C. Tanner with a metadata URL or be able to export an XML metadata file
  • Must use at least a 2048-bit key size for your signing key
  • Must use at least the RSA 256 (RSA with SHA-256) algorithm for signing the SAML response

When using OpenID Connect v1.0 (OIDC), we require the following to be configured:

  • Must provide a well-known configuration URL
  • Must provide O.C. Tanner with its own unique set of credentials for authorizing on behalf of the authenticated user
  • Once we receive your well-known configuration endpoint and have successfully configured your Identity Provider, O.C. Tanner will provide you with your unique redirect URI
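The SAML requirements above (SAML 2.0, an HTTP-POST endpoint served over TLS, a signing key of at least 2048 bits) can be checked against an Identity Provider's exported metadata before the federation teams meet. The script below is an added example and not O.C. Tanner's code; the two metadata documents it tests are constructed, the idp.example.com URLs are placeholders, and the key-size check only runs when the optional `cryptography` package is installed and the certificate parses (the placeholder certificate in the sample does not, so that check reports nothing for it).

```python
"""Checker for an Identity Provider's SAML 2.0 metadata against the SAML
requirements listed above. Added example; the metadata samples are
constructed and the entity IDs and URLs are placeholders."""
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
MIN_KEY_BITS = 2048


def signing_key_bits(cert_b64):
    """RSA modulus size of a base64 DER certificate, or None when the optional
    `cryptography` package is missing or the certificate does not parse."""
    try:
        from cryptography import x509
        der = base64.b64decode("".join(cert_b64.split()))
        return x509.load_der_x509_certificate(der).public_key().key_size
    except Exception:
        return None


def check_idp_metadata(xml_text):
    """Return the list of requirement violations found; an empty list means
    every check in this script passed."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not a SAML 2.0 EntityDescriptor"]
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: metadata does not describe an Identity Provider"]

    problems = []
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IdP does not advertise the SAML 2.0 protocol")

    post = [s for s in idp.findall(MD + "SingleSignOnService") if s.get("Binding") == HTTP_POST]
    if not post:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    for s in post:
        if not s.get("Location", "").lower().startswith("https://"):
            problems.append("HTTP-POST endpoint is not served over TLS: " + s.get("Location", ""))

    # A KeyDescriptor without a `use` attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall(MD + "KeyDescriptor") if k.get("use", "signing") == "signing"]
    if not signing:
        problems.append("no signing KeyDescriptor: SAML responses could not be verified")
    for k in signing:
        cert = k.find(DS + "KeyInfo/" + DS + "X509Data/" + DS + "X509Certificate")
        if cert is None or not (cert.text or "").strip():
            problems.append("signing KeyDescriptor carries no X509Certificate")
            continue
        bits = signing_key_bits(cert.text)
        if bits is not None and bits < MIN_KEY_BITS:
            problems.append(f"signing key is {bits} bits; at least {MIN_KEY_BITS} required")
    return problems


# Constructed sample: meets every structural requirement (the certificate body is a
# placeholder, so the key-size check reports nothing for it).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: HTTP-Redirect binding only (over plain http) and no signing key.
WEAK_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("weak", WEAK_METADATA)):
        print(name, check_idp_metadata(doc) or ["OK"])
```

Run it against a real export by replacing `GOOD_METADATA` with the file contents; the signing algorithm requirement (RSA with SHA-256) is a property of each signed response rather than of the metadata, so it has to be verified on a test login instead.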

SSO File Requirements

We will need to establish the participant's Login ID that will be matched on SSO. To do this, we'll need you to provide one of the fields from the population file, such as the employee ID, email address, or current login ID.

Preliminary Questions

To set up SSO authentication, we’ll ask you to answer some preliminary questions (see below). Once these questions have been answered and the requirements are communicated, the next step is to put your federation team in touch with O.C. Tanner’s security team to discuss implementation.

Do you currently have a federated solution (Identity Provider) already in place and are you using SSO with other vendors?

What is your Identity Provider solution?

Does it meet the requirements for SAML?

What is the login ID you will send as the subject in the SAML response? This login ID must also be in the data files sent as part of the program.

Are you able to provide O.C. Tanner your SAML 2.0 metadata? If so, please attach the metadata file or URL.

Does it meet the requirements for OpenID Connect?

What is the preferred username coming from OpenID Connect? This data element must also be in the data files sent as part of the program, as the login ID.

Do you include the JWKS URI for signature verification in your metadata or well-known configuration?

Do you support the authorization code grant type for OAuth?

Do your corporate password standards meet or exceed the following?

  • Minimum of 8 Characters
  • Requires complex passwords
  • Maximum of 6 failed login attempts
  • Password expiration of 90 days
  • Password history of last 8 passwords
  • Minimum session expiration of 60 minutes
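The OIDC requirements listed under Technical Requirements and the OpenID Connect questions above (a well-known configuration URL, a JWKS URI for signature verification, and support for the authorization code grant) can likewise be checked against a provider's discovery document and key set. The script below is an added example and not O.C. Tanner's code; the discovery document and JWKS it tests are constructed, the login.example.com URLs are placeholders, and the 2048-bit minimum for RSA keys is taken from the SAML signing-key requirement above rather than stated for OIDC on this page.

```python
"""Checker for an OpenID Connect provider's discovery document and JWKS.
Added example; both documents are constructed and the URLs are placeholders."""
import base64

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"
MIN_RSA_BITS = 2048


def b64url_to_int(s):
    """Decode a base64url-encoded big-endian integer such as a JWK's `n`."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def int_to_b64url(value, length):
    """Inverse of b64url_to_int; used only to construct the sample keys."""
    return base64.urlsafe_b64encode(value.to_bytes(length, "big")).rstrip(b"=").decode()


def check_oidc_provider(config_url, config, jwks):
    """Return the list of requirement violations; an empty list means all checks passed."""
    problems = [f"discovery document lacks {f}" for f in REQUIRED_FIELDS if not config.get(f)]
    if problems:
        return problems
    # OIDC Discovery derives the well-known URL from the issuer; a mismatch points
    # at a mis-issued or proxied configuration.
    if config_url != config["issuer"].rstrip("/") + WELL_KNOWN:
        problems.append("well-known URL is not derived from the issuer")
    for f in REQUIRED_FIELDS:
        if not config[f].startswith("https://"):
            problems.append(f"{f} is not an https URL")
    if "code" not in config.get("response_types_supported", []):
        problems.append("response_type=code (authorization code flow) not supported")
    # OIDC Discovery defines the default for a missing grant_types_supported as
    # authorization_code and implicit.
    grants = config.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    algs = config.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 not offered for ID token signatures")
    if "none" in algs:
        problems.append("unsigned (alg=none) ID tokens are offered")
    sig_keys = [k for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"]
    if not sig_keys:
        problems.append("JWKS contains no signature keys")
    for k in sig_keys:
        if k.get("kty") == "RSA":
            bits = b64url_to_int(k["n"]).bit_length()
            if bits < MIN_RSA_BITS:
                problems.append(f"JWKS key {k.get('kid')} is only {bits} bits")
    return problems


ISSUER = "https://login.example.com"
GOOD_CONFIG = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/oauth2/keys",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Constructed moduli: the top bit is set so the bit length is exactly 2048 / 1024.
GOOD_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "k2048", "e": "AQAB",
                       "n": int_to_b64url((1 << 2047) | 1, 256)}]}
WEAK_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "k1024", "e": "AQAB",
                       "n": int_to_b64url((1 << 1023) | 1, 128)}]}
# Constructed weak provider: implicit flow only, alg=none offered, 1024-bit key.
WEAK_CONFIG = dict(GOOD_CONFIG, response_types_supported=["id_token"],
                   grant_types_supported=["implicit"],
                   id_token_signing_alg_values_supported=["RS256", "none"])

if __name__ == "__main__":
    print(check_oidc_provider(ISSUER + WELL_KNOWN, GOOD_CONFIG, GOOD_JWKS) or ["OK"])
    print(check_oidc_provider(ISSUER + WELL_KNOWN, WEAK_CONFIG, WEAK_JWKS))
```

To use it on a live provider, fetch the well-known URL and the `jwks_uri` it names over HTTPS, parse both as JSON, and pass them in as `config` and `jwks`.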

Current clients – how SSO changes:

Culture Cloud will use the same SSO connection that you have in legacy, yet there are a few important differences.

We’ve added a layer of security to our authentication process. Our current technology leverages either Service-Provider-initiated (SP) or Identity-Provider-initiated (IDP) Single Sign-On (SSO). The new technology supports both SP- and IDP-initiated SSO for a more seamless experience. Current clients must ensure that both IDP- and SP-initiated SSO are configured and enabled.

These descriptions refer to where the SSO request originates. If it comes from O.C. Tanner, it is SP-initiated SSO: we are the Service Provider (App) initiating SSO to find out who the authenticated user is. If the user came from your intranet or Identity Provider (IDP) first, the Identity Provider has initiated SSO and sent an authenticated user with a request to go to O.C. Tanner’s Service Provider (App).

This means that your employees’ login experience will change slightly with the new technology.

Your employees may be prompted to enter their login ID or email address and the name of the company they work for. This identifies the employee and routes them to your Identity Provider via SSO, where they log in as they currently do.

Your employees may go through this experience the first time they visit the site or mobile app and again in the following scenarios:

  • When their previous session has expired
  • If they logged out of their previous session
  • If they have a new computer, device or phone
  • If they’re using a new browser, incognito or a private session to visit the website
  • Or if any of the above applies when they click on a link in the email they receive

Help Desk Guidelines

Basic troubleshooting tips:

  • Culture Cloud powers recognition experiences; it is not phishing.
  • Culture Cloud works in all modern browsers; use Edge rather than Internet Explorer, and be sure users are on the latest browser version.
  • If a user is having issues on the Culture Cloud mobile app, make sure they are on the latest version of the app from the App Store (iOS) or Google Play (Android) and on a current mobile operating system.

How should the help desk respond if colleagues have trouble accessing or using the platform?

  • Ensure the user is not using a bookmarked old link or a link from an old email.
  • Provide the user this link to log in: www.culturecloud.com. If they are still having issues, check whether they have a higher security level than a typical employee and whether the allow list was completed for that security level.
  • Culture Cloud uses the same SSO connection you have in legacy, yet the employee login experience will change slightly. Employees will be asked to identify themselves when they first log in, when they have been logged out of their previous session (every 28 days, subject to change), when they are on a new computer or device or in a new browser, or when they follow a link in an email. If asked which company they work for, they should enter a company tag (company tags are not case sensitive). Company tags are usually the name of the client/company and/or any of the web domains they use for email (e.g., octanner.com is a tag).

Data migration:

  • Legacy catalog favorited items and saved addresses will not migrate
  • Everything else will migrate: History, Orders, Avatar photos if populated before upgrade, Privacy settings, Budget History and current budget data, scheduled eCards and Nominations
