
Authentication using an Identity Provider (IdP)

Xpress Insight allows authentication to be managed by an Identity Provider to enable Single Sign On (SSO).

Enabling SSO integration delegates user provisioning, identity, and access management tasks to an identity management service. This offers the additional capabilities of multi-factor authentication (MFA) and mobile identity management, while complying with your organization's flexible policies for security and control.

When using IdP (Identity Provider) authentication, there are two ways that the user can access Xpress Insight:
  • Navigating to Insight, for example by opening a bookmark in a browser, forwards the user to the IdP. If the user is already logged in to the IdP, the user is forwarded to Xpress Insight and can use the software subject to the permissions granted to them by the IdP administrator (Service Provider initiated authentication).
  • Logging into the IdP and clicking on the Xpress Insight tile in their IdP dashboard (IdP initiated authentication).
Both paths use the IdP to verify the user identity and permissions. When a user requests access to Insight 5, the user’s credentials are securely authenticated by the IdP and an assertion is sent using the SAML standard from the IdP to Insight.
Note: Xpress Insight uses SAML version 2.0.
The user is given access to the Insight applications and groups that are specified in their IdP profile.
The image shows the subsequent steps that authenticate a user with single sign-on in a typical service provider-initiated authentication flow:
  1. Xpress Insight starts the authentication process by redirecting the client to the configured IdP.
  2. The IdP requests the user’s username and password from the user. After the user submits valid credentials, the IdP authenticates the user.
  3. The IdP returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Insight 5.
  4. Xpress Insight verifies that the username in the SAML Response matches a licensed user. If a match is verified, then Insight 5 responds to the client with the requested content.
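
The check in step 4, as an added example that is not Xpress Insight's own code: a generic SAML 2.0 service-provider check that goes beyond the username match to the status, issuer, validity window and audience tests an SP normally applies first. It assumes the username is carried in the NameID, that a SAML library has already verified the XML signature, and that the hostnames, user and function names are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted input
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; hostnames and user are placeholders. The XML
# signature is omitted: a SAML library must verify it before these checks run.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Version="2.0">
 <p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>
 <a:Assertion Version="2.0">
  <a:Issuer>https://idp.example.test</a:Issuer>
  <a:Subject><a:NameID>alice@example.test</a:NameID></a:Subject>
  <a:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
   <a:AudienceRestriction><a:Audience>https://insight.example.test/sp</a:Audience></a:AudienceRestriction>
  </a:Conditions>
 </a:Assertion>
</p:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, licensed_users, issuer, audience, now):
    """Return (username, None) when accepted, else (None, reason)."""
    root = ET.fromstring(xml_text)
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None, "status is not Success"
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:  # reject zero or multiple assertions
        return None, "expected exactly one assertion"
    asr = assertions[0]
    if asr.findtext("a:Issuer", "", NS).strip() != issuer:
        return None, "unexpected issuer"
    cond = asr.find("a:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "missing validity window"  # this example requires both bounds
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    if audience not in audiences:
        return None, "wrong audience"
    user = asr.findtext("a:Subject/a:NameID", "", NS).strip()
    if user not in licensed_users:  # step 4: username must match a licensed user
        return None, "not a licensed user"
    return user, None
```

Every rejection returns a reason string, which is the value to log when diagnosing failed SSO logins.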

Xpress Insight can be configured to operate in Development or Production mode. Using an IdP for user management is required when running in Production mode. When Xpress Insight is integrated with SSO, all the user account information and authorizations are managed by the IdP.

Note: When SSO is configured for a Development system then it is recommended that app developers be assigned the APP_ALL authority so they are able to access their newly published apps without the user administrator having to grant app membership.

Xpress Insight supports SAML Just-in-Time (JIT) user provisioning. If a user's SAML attributes grant access, Insight automatically creates an account for the user during the first login. For more information about managing SSO users, see Managing Single Sign-on Users.

© 2001-2025 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.