Can Xoxoday access be restricted to specific IP ranges? - Xoxoday

Xoxoday enforces IP-based access restrictions through your configured SSO or identity provider, ensuring only users authenticating from approved network ranges can reach the platform.

Xoxoday is hosted as a cloud-native application accessible over the public internet, making it straightforward to deploy across distributed teams without VPN dependencies. For organisations that need stricter network perimeter controls, Xoxoday supports IP-based access restrictions through your existing SSO or identity provider configuration. Rather than enforcing IP filtering at the Xoxoday application layer, access control happens at the identity layer — the point where authentication occurs. When a user attempts to sign in, the SSO provider evaluates the originating IP address against your approved ranges before granting a session token. If the IP falls outside the allowed list, access is denied before the user ever reaches Xoxoday. How IP restriction works in practice Your organisation configures IP allowlisting rules directly inside your identity provider. If you use Okta, Microsoft Azure Active Directory, or Google Workspace as your SSO provider, each offers built-in conditional access or sign-on policies where you can specify permitted CIDR ranges. For example, an organisation using Azure AD can create a Conditional Access policy that blocks Xoxoday sign-ins from any IP outside the corporate network — whether on-premises or a known set of VPN egress addresses. Once the identity provider enforces those IP restrictions, all Xoxoday access — including the rewards catalogue, recognition flows, and manager dashboards — is automatically gated. Employees on personal devices or unapproved networks are blocked at the SSO step, not at Xoxoday itself. Integration with enterprise identity systems Xoxoday integrates with leading enterprise identity providers including Okta, Microsoft Azure AD, OneLogin, and Ping Identity via SAML 2.0 and OAuth 2.0. IP restriction policies your organisation has already built for tools like Workday, SAP SuccessFactors, or Darwinbox can be extended to Xoxoday without additional configuration overhead. This centralised approach aligns with the principle of least privilege recommended under ISO 27001 and SOC 2 Type II frameworks, so your security team manages one policy layer rather than configuring restrictions tool-by-tool. What to consider before enabling IP rules IP allowlisting is most effective when your workforce accesses Xoxoday from predictable, stable network locations such as corporate offices or fixed VPN endpoints. For fully remote teams with dynamic home IP addresses, routing all traffic through a fixed VPN egress IP is typically more practical than maintaining a rolling list of individual addresses. For global organisations using Slack or MS Teams for Xoxoday notifications, webhook and notification services operate server-to-server and are unaffected by end-user IP restrictions. Those integrations continue functioning regardless of which IP rules are applied at the user authentication layer. Learn more: Xoxoday Help Centre — Application Security (Confidentiality, Integrity)

Single Sign-On (SSO) configuration

Learn how Xoxoday integrates with SAML 2.0 and OAuth 2.0 identity providers to centralise authentication and access control.

Multi-factor authentication support

Understand how Xoxoday supports MFA enforcement through your identity provider to add a second layer of user verification.