Xoxoday Empuls authenticates external, non-employee users — such as partners, vendors, and dealers — through secure, role-based access mechanisms including Single Sign-On (SSO), OAuth 2.0, and SAML-based federation, with optional multi-factor authentication (MFA) enforcement.
How external user authentication works in Xoxoday Empuls
Organisations often need to extend their engagement and rewards programmes beyond full-time employees. Xoxoday Empuls is built to handle this securely, provisioning external users — such as channel partners, contract workers, or third-party vendors — without compromising internal data integrity.Provisioning external user credentials
When your organisation adds external users to Xoxoday Empuls, each user receives a unique set of credentials scoped to their role. Provisioning can be managed manually by an admin or automated through directory sync, depending on your IT setup. This ensures that every external user has a clearly defined identity within the system before they ever log in.Supported authentication protocols
Xoxoday Empuls supports three primary authentication pathways for external users: Single Sign-On (SSO) lets external users authenticate using credentials from your organisation’s existing identity provider — for example, an Azure Active Directory or Okta-managed directory. This removes the need for separate passwords and keeps access governed by your central IAM policies. OAuth 2.0 enables delegated authentication, allowing users to sign in via an authorised identity source without exposing underlying credentials to Xoxoday Empuls directly. SAML-based federation is available for organisations running enterprise identity stacks. If your organisation uses SAP SuccessFactors or Darwinbox as your HR system of record, Xoxoday Empuls can federate authentication through the same identity assertions your internal employees use, keeping the login experience consistent. Your IT team selects the protocol that best matches your existing infrastructure during the initial configuration phase.Enforcing multi-factor authentication
For organisations with heightened security requirements, Xoxoday Empuls supports mandatory MFA for external users. Admins can require a second verification step — such as a time-based one-time password (TOTP) or push notification — before any external user accesses the platform. This is particularly valuable when partners or vendors are granted access to sensitive programme data or reward budgets.Role-based access and least privilege
Once authenticated, external users see only the modules and data relevant to their assigned role. An external sales partner, for instance, can view their own reward wallet and recognition feed, but cannot access your internal employee directory, payroll integrations, or HR data connected via Workday or SAP SuccessFactors. This principle of least privilege is enforced at both the UI and API layer. Xoxoday Empuls aligns with SOC 2 Type II and ISO 27001 control requirements, meaning access boundaries for external users are auditable and reportable at any time.Notifications and access events
Authentication events for external users are logged within the admin dashboard. Your team can review login activity, flag anomalies, and revoke access instantly — all without involving Xoxoday Empuls support. Automated notifications can also be pushed to Slack or MS Teams when an external user’s access status changes. Learn more: Empuls Help Centre — GeneralSetting up SSO for your organisation
Configure Single Sign-On for employees and external users using your existing identity provider.
Enabling MFA on Xoxoday Empuls
Step-by-step guide to enforcing multi-factor authentication for all user types.
User provisioning and role management
Learn how to add, update, and deactivate users — including external collaborators — through the admin console.
Role-based access control overview
Understand how Xoxoday Empuls applies least-privilege access across modules and data types.