Xoxoday supports Single Sign-On for both users and administrators using SAML 2.0 and OAuth 2.0, with native integration for enterprise identity providers including Azure Active Directory, Okta, and Google Workspace.
Enterprise Identity Provider Integrations
Xoxoday integrates out of the box with major enterprise identity providers, including Azure Active Directory, Okta, and Google Workspace. If your organisation uses a workforce platform such as Workday or SAP SuccessFactors as the source of truth for employee data, these can be paired with your identity provider to keep provisioning, deprovisioning, and role assignments in sync. This eliminates duplicate account management and reduces the risk of orphaned credentials persisting after an employee exits.
Multi-Factor Authentication
SSO is not the only authentication layer Xoxoday enforces. Xoxoday supports Multi-Factor Authentication through time-based one-time passwords (TOTP), authenticator apps, or policies delegated entirely to the identity provider. Organisations that have already mandated MFA through Azure AD or Okta can carry those policies directly into Xoxoday, ensuring consistent enforcement across all enterprise tools without maintaining separate MFA configurations.
Password Policy and Credential Controls
For organisations authenticating outside of SSO, Xoxoday enforces configurable password policies covering minimum length and complexity, restrictions on commonly breached passwords, rotation schedules, and reuse prevention. These controls align with the credential management requirements of frameworks such as ISO 27001 and SOC 2 Type II, supporting audit readiness without additional tooling.
Session Management and Role-Based Access
Xoxoday applies automatic session expiration and idle timeout rules to reduce exposure from unattended sessions. Access within the platform is governed by Role-Based Access Controls (RBAC), so administrators, programme managers, and end users each operate within a permission boundary appropriate to their function. A finance approver managing reward budgets in Xoxoday, for example, holds a distinct permission set from an HR manager configuring the reward catalogue or an IT administrator provisioning accounts.
Audit Logging for Compliance and Monitoring
Every authentication event in Xoxoday — successful logins, failed attempts, MFA challenges, and session terminations — is written to a structured audit log. These logs support compliance reviews, security incident investigations, and regulatory reporting. For security teams running SIEM pipelines, authentication logs can be exported to feed centralised monitoring and alerting workflows. Taken together, these controls reflect an authentication architecture built for enterprise environments where security, auditability, and ease of access must coexist without friction.
Learn more: Xoxoday Help Centre — Technical requirement
Does Xoxoday support Multi-Factor Authentication (MFA)?
Learn how Xoxoday enforces MFA through TOTP, authenticator apps, and identity provider-delegated policies to protect every account.
How does Xoxoday manage role-based access controls?
Understand how Xoxoday uses RBAC to scope permissions for administrators, managers, and end users based on their responsibilities.