Review & Audit Integration
Integration guide
This page sets out how to integrate the Case Review Portal with single sign-on.
Setup
Access to Fourthline's Case Review Portal uses single sign-on, which can be integrated with any Identity Provider that supports SAML 2.0 and multi-value SAML attributes.
Fourthline supports the following Identity Providers:
- ADFS
- Azure Entra ID
- Okta
- OneLogin
Recommended browser
We recommend using the latest version of Chrome as your browser for the Case Review Portal; it is the browser we use for all testing.
Overview
- Provide Fourthline with the following information:
Configuration | Description |
---|---|
Use case | Case Processing • Escalations • Time-tracking • Case auto-assign • Case Guidance; Case Auditing • View only • Compliance review • Case Guidance |
IdP | Specify which SAML 2.0 identity provider (IdP) you are using. |
IP addresses | Provide the IP addresses that need to access the portal for both the sandbox and production environments. |
- Set up the IP address routing correctly for the two received URLs.
- Set up the app integration in your IdP's configuration section using the SAML information received from Fourthline. Follow your IdP's instructions to configure single sign-on.
- Configure the app roles within your IdP. They are required to grant your users the correct permissions. The required roles will be shared by Fourthline.
- Configure the SAML Attribute mapping correctly within your IdP.
- Share the generated SAML statement with Fourthline.
- After Fourthline has finalized the configuration, the integration can be tested.
App roles
The following app roles can be configured to manage your users' permissions. The role permissions are managed in your organization's IdP. These roles are required and must be sent from your IdP for users to gain the right permissions within the Case Review Portal.
Different roles are required depending on your use case: Case Processing only, Case Auditing only, or both:
Global roles
Role | Permissions | Portal page |
---|---|---|
Access | Can access the portal. Required for all users | |
UserManagement | Can assign agents to process cases for specific business partners. This role is only needed if you need to access multiple partner accounts through your Case Review Portal. | Users |
Case Processing
Role | Permissions | Portal page |
---|---|---|
CaseProcessor | Can process cases. | Processing |
Reviewer | Can perform four-eyes reviews and edit other agents' incomplete cases. Configure your own rules for when four-eyes review is required. | Processing |
Supervisor | Can view and edit completed cases processed by other agents, unassign cases from agents, and view backlog metrics. | Processing |
DailyWatchlistAutomation | Can view and process AML Screening and Monitoring cases. | Processing |
Case Auditing
Role | Permissions | Portal page |
---|---|---|
CaseAuditor | Can view completed cases. | Auditing |
QaAuditor | Can create case samples and confirm compliance reviews. | Auditing |
AfcReporter | Can create and download fraud and AML hit data. | Reports |
Required SAML Attribute mapping
You must configure the following required claims:
SAML Attribute Name | Maps to | Additional Explanation |
---|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | User's email address | This claim is also referred to as Name ID or User Principal Name. It is used as the unique identifier to match the user identity principal from the federated IdP to the shadow account in our system. |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User's email address | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | User's first name | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | User's last name | |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | User's granted roles | This field must return the roles as a multi-valued attribute. See the SAML response below. |
Example SAML response
The following is an example of a SAML response from your IdP:
<samlp:Response>
  <Assertion>
    <AttributeStatement>
      <Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
      <Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
      <Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>John</AttributeValue>
      </Attribute>
      <Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Smith</AttributeValue>
      </Attribute>
      <Attribute
        Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>User</AttributeValue>
        <AttributeValue>Reviewer</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>
Troubleshooting
I see a "Sorry, you have been blocked" page when trying to access the portal
The IP address your request to the portal came from has not been whitelisted by Fourthline. A possible reason is that your requests are not routed correctly through your VPN, and so do not arrive from the allowed IP address(es).
I am able to reach the portal, and click on Login button, but I am getting an error after signing in
The received SAML statement likely doesn't contain the correct attributes and/or the required user roles. Confirm that the correct SAML Attribute mappings have been set up, and make sure that the user who signs in has the required app roles configured.
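A pre-flight check for the required claims, added here as an example (it is not Fourthline's code): it parses a decoded SAML response captured from your IdP and reports missing claims, or roles sent as one delimited string instead of separate AttributeValue elements. The sample responses, the example.com address, the SAML namespace declarations and the assumption that the role value is the literal string Access from the roles table are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
REQUIRED = [CLAIMS + n for n in ("name", "emailaddress", "givenname", "surname")] + [ROLE]

# Constructed sample response (not a real IdP capture); values are placeholders.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeStatement>
<Attribute Name="{c}name"><AttributeValue>agent@example.com</AttributeValue></Attribute>
<Attribute Name="{c}emailaddress"><AttributeValue>agent@example.com</AttributeValue></Attribute>
<Attribute Name="{c}givenname"><AttributeValue>John</AttributeValue></Attribute>
<Attribute Name="{c}surname"><AttributeValue>{surname}</AttributeValue></Attribute>
<Attribute Name="{r}">{roles}</Attribute>
</AttributeStatement></Assertion></samlp:Response>"""
GOOD = TEMPLATE.format(c=CLAIMS, r=ROLE, surname="Smith", roles=(
    "<AttributeValue>Access</AttributeValue><AttributeValue>Reviewer</AttributeValue>"))
BAD = TEMPLATE.format(c=CLAIMS, r=ROLE, surname="", roles=(
    "<AttributeValue>Access,Reviewer</AttributeValue>"))

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def read_attributes(saml_xml):
    """Map each SAML Attribute Name to its list of AttributeValue texts."""
    attrs = {}
    for el in ET.fromstring(saml_xml).iter():
        if local(el.tag) == "Attribute":
            values = [(v.text or "").strip() for v in el if local(v.tag) == "AttributeValue"]
            attrs.setdefault(el.get("Name"), []).extend(values)
    return attrs

def check_response(saml_xml):
    """Return findings (empty list = mapping looks right); does not verify the signature."""
    attrs, findings = read_attributes(saml_xml), []
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            findings.append("missing or empty claim: " + name)
    roles = attrs.get(ROLE, [])
    packed = [v for v in roles if re.search(r"[,;|]", v)]
    if packed:
        findings.append("roles not multi-valued: " + packed[0])
    # Assumption: the role value is the literal string "Access" from the roles table.
    granted = {r.strip() for v in roles for r in re.split(r"[,;|]", v)}
    if roles and "Access" not in granted:
        findings.append("role 'Access' not present")
    return findings
```

Run `check_response` on the XML you get after base64-decoding the SAMLResponse your IdP posts; use the role names Fourthline shares with you if they differ from the table.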