SSO — Agents

Configure SAML 2.0 SSO for agent access to Reach Central.

Set up SAML-based SSO so agents sign in with your IdP.

Overview

Agent SSO lets agents sign in to Reach Central using brand-managed credentials. Reach supports SAML 2.0 and integrates with your Identity Provider (IdP).

Reach never stores passwords. Authentication always happens on your systems.

This page covers agent SSO only. For end-customer SSO, see SSO — End Customers.

Why brands enable agent SSO

  • Remove duplicate Reach Central credentials.

  • Keep MFA, lockouts, and password policy in your IdP.

  • Improve agent productivity with fewer login resets.

  • Increase auditability for agent actions.

Who it applies to

  • Customer support agents

  • Sales agents

  • Brand operational users

How authentication works (SP-initiated SAML 2.0)

Reach uses a Service Provider (SP)-initiated SAML flow.

1. Agent initiates login
   Agent starts login from Reach Central.

2. Redirect to your IdP
   Reach redirects the agent to your IdP login page.

3. Authentication happens on your systems
   Agent enters credentials in your IdP. Reach is not involved in credential validation.

4. IdP sends a signed SAML assertion to Reach
   Your IdP sends a digitally signed SAML response to Reach.

5. Reach validates and establishes a session
   Reach validates the signature and required attributes, then creates a session for Reach Central.

Required identity attributes (agent assertion)

The SAML assertion must include the fields Reach uses to identify the agent. You define the exact attribute names during mapping.

Attribute | Required | What Reach uses it for
Agent email | Yes | Primary identifier to map the agent to a Reach Central user.
Agent name | Yes | Display name in Reach Central. Also used in audit logs and reporting.
Agent ID | No | Reporting attribution and operational analytics.
Agent role / groups | No | Optional input to role mapping if you enable role-based access via SSO.

Sample SAML SSO Attribute Payload (Reach)

These examples show the attributes Reach expects after mapping.

Your IdP attribute names can differ. Reach maps them during setup.
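As an added illustration (not Reach's code, and not the sample payload this section refers to), the following Python shows the checks that step 5 of the flow and the attribute mapping above describe: the validity window and audience of a received assertion, then mapping IdP attribute names onto the agent fields Reach requires. The assertion, issuer, audience URL and IdP attribute names are constructed assumptions, and signature verification is assumed to have already passed.

```python
# Added example, not Reach's code: after signature verification (which needs an
# XML-DSig library and is out of scope here), check the assertion's conditions and
# map IdP attribute names onto the fields Reach requires for an agent.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical mapping agreed during setup: IdP attribute name -> Reach field.
ATTRIBUTE_MAP = {"mail": "agent_email", "displayName": "agent_name",
                 "employeeNumber": "agent_id", "memberOf": "agent_groups"}
REQUIRED = ("agent_email", "agent_name")  # per the attribute table above
# Constructed sample assertion; issuer, audience and agent values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.brand.example/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://reach-central.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@brand.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>support</saml:AttributeValue>
      <saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_agent(assertion_xml, expected_audience, now):
    """Return mapped agent fields or raise ValueError (window, audience, required fields)."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    agent = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # IdP attributes outside the agreed mapping are ignored
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        agent[field] = values if field == "agent_groups" else values[0]
    missing = [f for f in REQUIRED if f not in agent]
    if missing:
        raise ValueError(f"required agent attributes missing: {missing}")
    return agent
```

An assertion that is replayed after NotOnOrAfter, addressed to a different SP, or lacking the email or name attribute is rejected before any session is created.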

Agent SSO (Reach Central) – role parameters

Example (Agent login)

Authorization and attribution

SSO covers authentication only. It does not automatically grant permissions.

  • Authentication: proven by the IdP via SAML.

  • Authorization: controlled by Reach Central roles and permissions.

Agent actions (customer changes, purchases, support operations) are attributed to the authenticated agent. This supports agent-level auditability in reporting.

Session behavior

  • Reach Central access is granted via a session token created after SAML validation.

  • If the session token expires or is invalid, Reach Central requires re-authentication via your IdP.

Security model

Your brand remains the system of record for identity.

  • Your brand controls password policies, MFA requirements, lockouts, and access revocation.

  • Reach trusts only digitally signed SAML assertions.

  • Unsigned or tampered assertions are rejected.

  • Reach does not store or expose agent passwords.

Responsibilities

Your brand provides

  • IdP-side SAML configuration.

  • SSO login endpoint (IdP URL).

  • X.509 certificate for assertion signing.

  • Attribute mappings for agent assertions.

  • Agent lifecycle management (joiners/movers/leavers).

  • MFA, lockouts, and access policy enforcement.

Reach provides

  • SP metadata for IdP configuration.

  • Assertion Consumer Service (ACS) endpoints.

  • Secure session handling post-authentication.

  • Platform-level authorization and role management.

  • Audit logging for authenticated sessions and actions.

  • Support during setup and testing.

Commercial and onboarding considerations

SSO is a paid add-on. It must be contracted explicitly.

  • Selecting SSO adds build time during onboarding.

  • Enabling SSO post-launch typically requires a formal change order.

Scope options (for contracting)

Scope | Who it covers | When to choose this
Agent SSO only | Agents in Reach Central | When agent productivity and centralized access control are the priority.
Customer SSO only | End customers on web/mobile/app | When you want a seamless self-care experience.
Customer + Agent SSO | Both customers and agents | When you want consistent identity across all touchpoints.

Setup checklist

1. Confirm IdP readiness
   Confirm your IdP supports SAML 2.0 SP-initiated flows.

2. Exchange metadata
   Reach provides SP metadata and ACS details. You provide your IdP metadata and signing certificate details.

3. Map required attributes
   Map agent email and agent name at minimum. Add agent ID and role/groups if you want richer reporting or automated role mapping.

4. Test with real agent accounts
   Validate login, session expiry, and access revocation. Confirm audit attribution shows the right agent identity.

5. Sign off for production
   Complete non-production testing before requesting production enablement.

Questions or clarifications? Contact your account manager or email [email protected]