Purpose: Orion provides a Client Portal with a complete suite of features to engage new prospects, onboard those prospects, and serve them as clients. These features include a best-in-class user experience, financial planning, reports (both on screen and PDF), a document vault, account opening and funding, and many more. It is a common request from firms to allow these clients to first come to the firm’s branded website, or even an existing portal, and then single sign on to the Orion portal.
Simple Use Case: An advisor wants to direct clients to first navigate to their branded website, which includes announcements, webinars, and educational material, and then allow the client to log into the Orion Client Portal from there.
Scope and Outputs:
- The Orion Client Portal requires a client level user to exist in the platform for the client to access it. That user is linked to a specific household.
- More than one user can be linked to a specific household.
- The Portal has many setup options that can be customized at the firm or representative or even client level to create the unique experience you need.
Process Overview:
Orion provides three methods of directing end-client users to the Client Portal.
- Embedded Login Screen
- SSO / Authentication
- Impersonation
Process Steps:
1. Embed the Orion login framework into your own website using the URL login.orionadvisor.com or login.orionadvisor.cloud. Simply remove the extra margin or space around the login experience and place it in the best location on the site.
This solution is ideal when the client does not have to log into the website they are being directed from and the client knows their Orion username and password. This solution significantly reduces development time and allows the firm to take advantage of Orion’s password reset and multi-factor authentication frameworks.
2. Build an authentication against Orion’s Basic or SAML 2.0 framework to identify the user, obtain the access token, and then pass the user into the Orion Portal.
This solution is ideal when you want to connect the client’s Orion user to a user or identity that already exists for the initial website. In this case the user in Orion already exists and we simply need to link the two identities.
Basic – You can use the client’s username/password to retrieve a token from the API. These tokens are currently good for 12 hours.
https://api.orionadvisor.com/api/v1/security/token
Redirect the client user using the new token and the optional page path (URL encoded):
https://portal.orionadvisor.com/sso.html?t=[TOKEN]&p=[PAGE]
[TOKEN] = client token
[PAGE] = optional page URL to go to first, e.g. “/portfolio/holdings”
*set the p parameter to the URL-encoded page
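The Basic flow above, as an added example that is not part of Orion’s documentation or code: the helper builds the Basic Authorization header for the token request (the use of HTTP Basic auth against the token endpoint is an assumption; the page only states that the username/password are used to retrieve the token), checks that a token is still inside its stated 12-hour lifetime before it is reused, and builds the sso.html redirect with the page path URL-encoded into the p parameter. The path check rejects anything that is not a portal-relative path so the parameter cannot be used to send the client off the portal domain.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import quote, urlencode

TOKEN_URL = "https://api.orionadvisor.com/api/v1/security/token"
PORTAL_SSO_URL = "https://portal.orionadvisor.com/sso.html"
TOKEN_LIFETIME = timedelta(hours=12)  # lifetime stated for Basic tokens


def token_request_headers(username: str, password: str) -> Dict[str, str]:
    """Headers for the token request. ASSUMPTION: the endpoint accepts
    HTTP Basic auth; the page only says username/password retrieve a token."""
    credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {credentials}"}


def token_is_usable(issued_at: datetime, now: Optional[datetime] = None,
                    margin: timedelta = timedelta(minutes=5)) -> bool:
    """True while a cached token is inside its 12-hour lifetime, minus a
    safety margin so we never redirect a client with a token about to expire."""
    now = now or datetime.now(timezone.utc)
    return now < issued_at + TOKEN_LIFETIME - margin


def build_portal_sso_url(token: str, page: Optional[str] = None) -> str:
    """Return the sso.html redirect URL: t = client token, p = optional page.

    The page must be a portal-relative path such as "/portfolio/holdings".
    Empty values, paths without a leading slash, protocol-relative "//" paths
    and anything carrying a scheme are rejected, so p can only ever select a
    page inside the portal. Both values are percent-encoded ("/" -> "%2F").
    """
    if not token:
        raise ValueError("token is required")
    params = {"t": token}
    if page is not None:
        if not page.startswith("/") or page.startswith("//") or "://" in page:
            raise ValueError(f"page must be a portal-relative path: {page!r}")
        params["p"] = page
    return f"{PORTAL_SSO_URL}?{urlencode(params, quote_via=quote, safe='')}"


if __name__ == "__main__":
    # Constructed sample values; a real token comes from TOKEN_URL.
    print(token_request_headers("client@example.com", "p@ss"))
    print(build_portal_sso_url("sampletoken123", "/portfolio/holdings"))
```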
SAML SSO (IdP Initiated) – POST an unsolicited SAML Response. You will need to provide Orion with the public certificate you wish to use for the SAML SSO.
https://auth.orionadvisor.com/sso/samlconsumer
relay state = /clientportal/
3. Impersonate the client by first authenticating to Orion using a general API service-level account, then passing the client ID, which creates the client user on the fly as needed.
This solution is ideal when you don’t want the user to know about, or have to set up, their Orion user. You will need to link the client’s Household ID (Client ID) from Orion to the initial identity, but then you can create the Orion user for that Household on the fly the first time the client signs on to Orion.
Assertions:
authFlow = “Impersonation”
serviceUser = API service-level account username
servicePassword = API service-level account password
impersonateEntity = The entity level you want to impersonate (5:Client, 4:Rep)
impersonateEntityId = The Id of the entity you want to impersonate (clientId, repId)
firmId = The advisory firm Id provided by Orion (alClientId)
partnerId = Integration partnerId provided by Orion
Process Tips or Controls:
- The Developer Portal has additional guides on Impersonation and SAML which may provide further details helpful in constructing these solutions.