Authentication using an Identity Provider (IdP)

Xpress Insight 5 allows authentication to be managed by an Identity Provider to enable Single Sign On (SSO).

Enabling SSO integration delegates user provisioning, identity, and access management tasks to an identity management service, offering the additional capability of multi-factor authentication (MFA), mobile identity management, while complying with your organization's flexible policies for organization security and control.

When using IdP (Identity Provider) authentication, there are two ways user can access Xpress Insight 5:

• Navigating to Insight by, for example, opening a Bookmark in a browser, will forward the user to the IdP. If the user is already logged in to the IdP, the user is forwarded to Xpress Insight and can use the software subject to the permissions granted to them by the IdP administrator (Service Provider initiated authentication).
• Logging into the IdP and clicking on the Xpress Insight tile in their IdP dashboard (IdP initiated authentication).

Both paths use the IdP to verify the user identity and permissions. When a user requests access to Insight 5, the user’s credentials are securely authenticated by the IdP and an assertion is sent using the SAML standard from the IdP to Insight.

Note: Xpress Insight 5 uses SAML version 2.0

The user is given access to the Insight applications and groups that are specified in their IdP profile.

The image shows the subsequent steps that authenticate a user with single sign-on in a typical service provider-initiated authentication flow:

1. Xpress Insight starts the authentication process by redirecting the client to the configured IdP.
2. The IdP requests the user’s username and password from the user. After the user submits valid credentials, the IdP authenticates the user.
3. The IdP returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Insight 5.
4. Xpress Insight verifies that the username in the SAML Response matches a licensed user. If a match is verified, then Insight 5 responds to the client with the requested content.

Xpress Insight 5 can be configured to operate in Development or Production mode-Utilizing an IdP for user management is required when running in Production mode.

Note: The information in this topic uses Okta as the Identity Provider (IdP) to instruct you on how to set up SAML authentication for Xpress Insight 5. These steps reflect a third-party application and are subject to change without our knowledge. If the steps described here do not match the screens you see in your IdP account, you can use the general SAML configuration steps, along with the IdP’s documentation.

© 2001-2021 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.