
Authentication & Access

Get quick answers to questions relating to Authentication and Access


Authentication

Q: Does the platform support Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA)?

Yes, Xoxoday enforces a strong multi-layer authentication process using MFA and 2FA. All employees are required to use 2FA, particularly when accessing production environments.

Key security layers include:

  • 2FA-protected bastion server access,

  • VPN authentication followed by 2FA,

  • Use of tools like InstaSafe for secure identity verification.

These controls significantly reduce the risk of unauthorized access and align with enterprise-grade security protocols.

Q: Does the solution allow any SSO integration?

Our solution fully supports Single Sign-On (SSO) integration, ensuring seamless and secure access for users. We are compatible with a wide range of SSO providers, including Okta, OneLogin, Azure AD, and Ping Identity, as well as other standard SSO providers via SAML 2.0. Our management interface also supports SSO integration, providing a unified and efficient identity management experience.

Q: Does the Xoxoday platform support Single Sign-On (SSO), including modern web SSO standards such as SAML 2.0, OIDC, CAS, or others?

The Xoxoday rewards, incentives, and payout platform supports advanced Single Sign-On (SSO) and federation capabilities to deliver secure, seamless authentication across enterprise environments. These integrations ensure centralized identity management, improved security, and a frictionless user experience for both administrators and end-users.

  • Supported SSO Standards and Protocols

    • SAML 2.0 (Redirect Flow): Fully compatible with identity providers such as Azure AD, Okta, OneLogin, Google Workspace, and Ping Identity. Exchanges information using signed XML assertions over HTTPS (TLS 1.2+), with configurable attributes (e.g., NameID, email, roles) for user provisioning and role mapping.

    • OIDC (OpenID Connect): Supported for integration with OIDC-compliant providers. Uses signed JWT tokens via HTTPS, supporting dynamic client registration, token expiry, and refresh logic.

    • OAuth 2.0: Enables secure delegated access for applications, ensuring compliance with modern authorization frameworks.

    • CAS (Central Authentication Service): Not natively supported but can be implemented through SAML or OIDC bridges or middleware if required.

    • Custom Integrations: Available via standardized SSO endpoints and metadata exchange, with Just-In-Time (JIT) provisioning supported for both SAML and OIDC workflows.

  • Security Features for SSO

    • All SSO traffic is encrypted using TLS 1.2 or higher.

    • Session tokens are both encrypted and signed for enhanced integrity.

    • Replay prevention mechanisms, logout URL support, and configurable SSO session timeouts.

  • Business Benefits

    • Supports SSO for both administrative and user-level access, allowing consistent authentication policies across the organization.

    • Simplifies onboarding and offboarding with centralized identity control.

    • Enhances enterprise security posture while improving the user experience across the Xoxoday rewards marketplace and related applications.

Authorization

Q: Does your solution provide administration for access management of the APIs, and what protocols are used for authentication and authorization?

Yes. Xoxoday’s product suite provides centralized administration for API access management, ensuring controlled provisioning, monitoring, and revocation of API access as needed. The platform uses industry-standard authentication, authorization, and security protocols to protect API interactions and maintain data integrity.

  • Key Details:

    • Access Management: API access and administrative changes are managed exclusively through Xoxoday’s technical support team, ensuring secure and controlled provisioning.

    • Authentication & Authorization Protocols:

      • OAuth 2.0 – for secure, delegated access

      • JWT (JSON Web Tokens) – for token-based authentication and secure session handling

    • Access Controls: Role-Based Access Control (RBAC) with fine-grained permissions ensures only authorized users can access specific resources.

    • Data Security:

      • TLS 1.2+ encryption for all API communications

      • API rate limiting to prevent misuse

      • Multi-Factor Authentication (MFA) where required for added security

    • Compliance: All API security measures align with ISO/IEC 27001:2022 and SOC 2 Type 2 standards, providing enterprise-grade protection.

This ensures APIs are both secure and easy to manage while maintaining strict control over who can access what.
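The API controls listed above (a signed JWT bearer token, role-based permissions, and rate limiting) combine into one request-handling path. The following is an added example, not Xoxoday's code or API: it issues and verifies an HS256 JWT with the standard library, applies an RBAC permission table, and enforces a per-client token bucket. HS256 with a shared secret is an assumption made so the block runs without dependencies; an OAuth 2.0 or OIDC deployment would normally verify RS256 signatures against the issuer's published JWKS. The issuer, audience, roles and permissions are constructed for the example.

```python
"""Added example, not Xoxoday's code: JWT verification + RBAC + rate limiting.

HS256 with a shared secret is used only so the example is standard-library
only; production OAuth 2.0 / OIDC tokens are usually RS256 verified via JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"  # constructed
ISSUER = "https://auth.example.test"                    # constructed
AUDIENCE = "rewards-api"                                # constructed

# Constructed RBAC table: role -> permissions granted.
ROLE_PERMISSIONS = {
    "viewer": {"rewards:read"},
    "program_admin": {"rewards:read", "rewards:issue"},
    "integration_admin": {"rewards:read", "rewards:issue", "api_keys:manage"},
}


class TokenRejected(Exception):
    """Raised when a bearer token fails verification."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (the authorization server's job, shown for completeness)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, *, now=None,
                 issuer: str = ISSUER, audience: str = AUDIENCE) -> dict:
    """Verify signature, algorithm, issuer, audience and expiry; return the claims."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never let the token choose (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != audience:
        raise TokenRejected("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("token expired")
    return claims


def authorize(claims: dict, permission: str) -> bool:
    """RBAC: the union of the caller's roles must grant the requested permission."""
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return permission in granted


class TokenBucket:
    """Per-client token bucket: `capacity` burst, refilled at `rate` tokens/second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self._state = {}  # client key -> (tokens, last timestamp)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1.0, now)
        return True


def handle_request(token: str, permission: str, bucket: TokenBucket, *, now: float,
                   issuer: str = ISSUER, audience: str = AUDIENCE):
    """Gateway decision: authenticate, then rate-limit per subject, then authorize."""
    try:
        claims = verify_token(token, now=now, issuer=issuer, audience=audience)
    except TokenRejected as err:
        return 401, str(err)
    if not bucket.allow(claims["sub"], now):
        return 429, "rate limited"
    if not authorize(claims, permission):
        return 403, "forbidden"
    return 200, "ok"
```

Rate limiting is keyed on the verified `sub` claim rather than on the raw token string so that rotating tokens does not reset a client's budget, and it runs before the permission check so denied requests still count against the caller.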

Q: What are the protocols used for authentication of users of the application?

SAML 2.0 and OAuth are the primary protocols used for user authentication in our application. We support single sign-on (SSO) and have pre-built integrations with identity providers such as Azure AD, Google, OneLogin, Okta, and Ping Identity. Our solution supports both web and mobile authentication using OAuth 2.0 and SAML-based tokens.

Q: How are users and roles in your solution manageable by an Identity Management solution?

Xoxoday integrates with Identity and Access Management (IAM) solutions to manage users and roles. Using SAML 2.0 Single Sign-On (SSO) and SCIM provisioning, organizations can automate onboarding, de-provisioning, and role-based access. Admins assign roles with granular permissions. The platform complies with ISO 27001, SOC 2, GDPR, and other global standards.
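SCIM provisioning is what lets the identity provider, rather than a platform admin, drive the user lifecycle described above. The following is an added example and not Xoxoday's code or API: a minimal in-memory SCIM 2.0 user store that handles onboarding (`POST /Users`), maps IdP group membership to platform roles, and de-provisions via `PATCH /Users/{id}`, revoking live sessions immediately rather than at next login. The group-to-role mapping, the session registry and the sample payloads are constructed for the example; the `_as_bool` helper covers identity providers that send the `active` attribute as the string `"False"`.

```python
"""Added example, not Xoxoday's code: a minimal SCIM 2.0 user store.

Shows IdP-driven onboarding, group-to-role mapping and de-provisioning with
immediate session revocation. Mapping and session registry are constructed.
"""
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed mapping from IdP group display names to platform roles.
GROUP_TO_ROLE = {"Rewards Admins": "program_admin", "Rewards Viewers": "viewer"}


class ScimError(Exception):
    """SCIM-style error carrying the HTTP status the endpoint would return."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


def _as_bool(value) -> bool:
    """Some IdPs send 'active' as the strings "True"/"False"; bool("False") is True."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimUserStore:
    def __init__(self):
        self.users = {}     # SCIM id -> user resource
        self.sessions = {}  # SCIM id -> set of live session IDs

    def create_user(self, resource: dict) -> dict:
        """POST /Users: provision a user and derive roles from IdP groups."""
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, "invalidSyntax: not a User resource")
        user_name = resource.get("userName")
        if not user_name:
            raise ScimError(400, "invalidValue: userName is required")
        if any(u["userName"] == user_name for u in self.users.values()):
            raise ScimError(409, "uniqueness: userName already exists")
        roles = sorted({GROUP_TO_ROLE[g["display"]]
                        for g in resource.get("groups", [])
                        if g.get("display") in GROUP_TO_ROLE})
        user = {
            "schemas": [SCIM_USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": user_name,
            "active": _as_bool(resource.get("active", True)),
            "roles": roles,
        }
        self.users[user["id"]] = user
        return user

    def patch_user(self, user_id: str, patch: dict) -> dict:
        """PATCH /Users/{id}: apply replace operations; deactivation revokes sessions."""
        if patch.get("schemas") != [SCIM_PATCH_SCHEMA]:
            raise ScimError(400, "invalidSyntax: not a PatchOp")
        user = self.users.get(user_id)
        if user is None:
            raise ScimError(404, "user not found")
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                raise ScimError(400, "invalidSyntax: only replace is supported here")
            path = op.get("path")
            if path == "active":
                user["active"] = _as_bool(op["value"])
            elif path is None and isinstance(op.get("value"), dict):
                # A replace without a path carries the attributes in the value object.
                if "active" in op["value"]:
                    user["active"] = _as_bool(op["value"]["active"])
            else:
                raise ScimError(400, f"invalidPath: {path}")
        if not user["active"]:
            # De-provisioning must cut off access now, not at the next login.
            self.sessions.pop(user_id, None)
        return user

    def login(self, user_id: str, session_id: str) -> None:
        """Record a session for an active user; inactive accounts cannot log in."""
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            raise PermissionError("account inactive")
        self.sessions.setdefault(user_id, set()).add(session_id)

    def active_sessions(self, user_id: str) -> int:
        return len(self.sessions.get(user_id, ()))
```

Keeping the deactivated record (rather than deleting it) preserves the `userName` uniqueness check and the audit trail, while the session revocation is what makes the IdP's de-provisioning effective against a user who is already logged in.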

Access Rights

Q: Can an organization's IT services team receive administrative rights on the Xoxoday platform?

Xoxoday is a fully managed SaaS solution, retaining core administrative rights—like server access and code modifications—to ensure security and compliance. Client IT teams manage users, roles, SSO, API integrations, and brand customizations within the platform interface.

Q: Does your solution support local authentication protocols for user and administrator authentication?
