Xoxoday supports enterprise Single Sign-On through SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0, with TLS 1.2+ encryption, JIT provisioning, and compatibility with major identity providers including Azure Active Directory, Okta, OneLogin, Google Workspace, and Ping Identity.
Supported SSO Standards
Xoxoday is fully compatible with SAML 2.0 using the Redirect Flow. Authentication exchanges happen over HTTPS with TLS 1.2 or higher, and configurable attributes — including NameID, email, and role mappings — give administrators precise control over how users are provisioned and what access they receive. This works out of the box with Azure Active Directory, Okta, OneLogin, Google Workspace, and Ping Identity.
For organizations running modern cloud-native identity stacks, Xoxoday also supports OpenID Connect (OIDC). The integration uses signed JWT tokens and handles dynamic client registration, token expiry, and refresh logic — making it a natural fit for environments already standardized on OAuth 2.0 authorization frameworks.
CAS (Central Authentication Service) is not natively supported, but organizations relying on CAS can connect to Xoxoday through SAML or OIDC bridges or middleware, preserving existing identity infrastructure without a full migration.
Just-In-Time Provisioning and Custom Integrations
Xoxoday supports Just-In-Time (JIT) provisioning for both SAML and OIDC workflows. When an authenticated user accesses Xoxoday for the first time, their account is automatically created using attributes passed from the identity provider — no pre-provisioning or manual setup required.
For enterprises with non-standard identity configurations — such as those running Workday, SAP SuccessFactors, or Darwinbox as their primary HR platform — Xoxoday offers custom SSO integration through standardized endpoints and metadata exchange. This is particularly useful when workforce identity is tightly coupled with HR data and employee lifecycle events.
Security Architecture
All SSO traffic within Xoxoday is encrypted using TLS 1.2 or higher. Session tokens are both encrypted and signed, replay prevention mechanisms guard against session hijacking, and configurable session timeouts allow organizations to enforce access hygiene in line with internal policy. Logout URL support ensures clean session termination across the identity provider and Xoxoday simultaneously. These controls directly support compliance with security frameworks such as ISO 27001 and SOC 2 Type II, both of which require documented access control and session management practices.
Operational Benefits
SSO in Xoxoday applies equally to administrative access and employee access to the rewards marketplace. IT teams manage a single authentication policy across the organization, and employees sign in to Xoxoday using the same credentials they use for Slack, Microsoft Teams, or their corporate HR portal — no separate password needed.
Onboarding and offboarding become operationally simpler as well. When an employee’s account is deactivated in the identity provider, their access to Xoxoday is revoked immediately, eliminating the risk of orphaned accounts and reducing the manual workload on IT teams during employee exits.
Learn more: Xoxoday Help Centre — Authentication
User Provisioning and SCIM Support
Learn how Xoxoday automates user lifecycle management through SCIM 2.0, JIT provisioning, and directory sync with enterprise identity providers.
Data Security and Compliance
Explore how Xoxoday protects data in transit and at rest, and how its security architecture supports ISO 27001 and SOC 2 Type II compliance requirements.