Third Party Link Out Basic Standards
KB0035566 - Latest Version

Introduction:
Use this knowledge base article as a guideline to provide Vendors with the Third Party Link Out Basic Standards for DealerCONNECT.

Instructions:
Stellantis - DealerCONNECT Third Party Link Out Basic Standards

Link Out applications will be expected to meet the following standards prior to the DCQA Functional review meeting. Failure to meet standards will delay your launch.

Security:
· The link from DealerCONNECT needs to be a Single Sign On into your application (i.e. Ping Federate SAML or OIDC).
· All links need to be in HTTPS.
· DealerCONNECT Single Sign On cannot be passed to any other applications. An end user cannot link out to other applications from a DealerCONNECT or DealerCONNECT link out application.
· Users must not be presented with a logon page other than the DealerCONNECT logon page.
· Vendor must adhere to and perform testing to ensure they are in compliance with Stellantis TLS Security requirements.
· Vendor will be required to follow security industry standards to ensure all application code does not include source code vulnerabilities.
· Vendor must remediate all security defects within the application identified by Stellantis.
· Vendor may be required to provide a report from your security scanning tool.

Accessibility:
· DealerCONNECT security functions must be used to determine what access the user has in a Third Party Link Out Application.
· Security functions represent the access allowed to the user. Security functions are created and maintained in DealerCONNECT by the DealerCONNECT security team.
· Third Party Link Out applications are expected to read the list of security function(s) from the SAML assertion to control the user access (authorization) in their application.
· There should be no additional security access rights management in the Third Party Link Out application. DealerCONNECT should be the single point of truth for access within an application.
· User management security (tables/mapping of roles/position codes) is NOT allowed in the vendor application. All security entitlements (user access) will come from DealerCONNECT through SSO. If there are any questions, contact your DCQA project coordinator.

Example 1: All users have the same access rights in the Third Party Link Out Application.
· The DealerCONNECT application team and business owner must complete the Security Matrix for each impacted market(s) and send it to your DealerCONNECT Project Coordinator, who will schedule a Security Matrix Review with the DealerCONNECT Security team.
· The DealerCONNECT Security team will create one security function only.

Example 2: The Third Party Link Out Application requires users to have read only, edit, or approval functionality.
· The DealerCONNECT application team and business owner must complete the Security Matrix for each impacted market(s) and send it to your DealerCONNECT Project Coordinator, who will schedule a Security Matrix Review with the DealerCONNECT Security team.
· Add a separate column for read only, edit, and approval functionality in the Security Matrix.
· Map each position code that can access the application link to the appropriate access (read only, edit, and/or approval).
· The DealerCONNECT Security team will create separate functions for each access type.

Please contact the UMIAD team support group N_USA_XXX_USER MGT INFRASTRUCTURE ADMIN for additional questions.

Navigation / Window Handling:
· All link outs must be functioning 100% in the DC Stage environment one week prior to the scheduled launch date.
· Data for DealerCONNECT test Dealer Codes needs to be set up for testing applicable markets and franchises.
  99970  US Market for all franchises including Chrysler, Jeep, Dodge, Dodge Truck, Ram, Fiat, Alfa
  99981  Fiat and Alfa
  99982  Fiat
  99983  Alfa
  99984  Chrysler, Jeep, Dodge, Ram, Fiat, Alfa
  99985  Chrysler, Jeep, Dodge, Ram
  99986  Fiat, Alfa
  C0554  Canada Market for Chrysler, Jeep, Dodge, Dodge Truck, Ram
  M5000  Mexico Market for Chrysler, Jeep, Dodge, Dodge Truck, Ram, Fiat, Alfa
  76999  Non-Franchise Market
  11700  International (Argentina) Market for all franchises including Chrysler, Jeep, Dodge, Dodge Truck, Ram, Fiat, Alfa
  21939  Puerto Rico
  See attached for additional international test dealer codes if needed.
· If the application generates an error, display that error message with a description or reason why the error message was generated and provide the end user with instructions on what to do next, THEN allow the end user to navigate back into the 3rd party application. Do not abend the application, close the application window or send the end user to another DealerCONNECT screen.
· Link outs should open a new tab when the link is clicked the first time. Subsequent clicks on the same link should revert back to the same open tab.
· When selecting a different link out, it is acceptable to open the link out in a new tab.
· When selecting a different dealer in DealerCONNECT and then clicking the application link again, the 3rd party application should refresh with the revised dealer code.

UI Standards:
· The dealer code should be displayed on the application screen. When a dealer toggles to a different dealer code in DealerCONNECT, the application should also revert to the same dealer code.
· DealerCONNECT reads the end user browser language preference to translate text on screen. A language toggle within the application is also acceptable.
· The user should be allowed to have one link out application session open at a time.
· When a dealer logs out of a link out session, the link out session should be ended. Provide a message screen to the user that the log off was successful.
  Close this window.
· Applications that Dealers use should be accessed through DealerCONNECT. If a Dealer navigates to the 3rd party site directly without clicking on the link in DealerCONNECT, they should be re-directed to the DealerCONNECT logon page.
· DealerCONNECT users must have a separate URL that is accessible from the DealerCONNECT portal.

If the Third Party Application is a retail site that cannot have a DealerCONNECT specific URL, then the following standards will apply.
· When a dealer logs out of a link out session, the link out session should be ended. Direct the user to a page with no additional navigation options. Provide a message screen to the user that the log off was successful. Close this window.
· The link out session should end after 2 hours or sooner if there is no activity in the application. Direct the user to a page with no additional navigation options. Provide a message screen to the user that the current session has ended due to inactivity. Close this window.
· If the user navigates to the Third Party Application directly without going through DealerCONNECT, display a text message to log in through DealerCONNECT.

Inactivity:
· The link out session should end after 2 hours or sooner if there is no activity in the application. Provide a message screen to the user that the current session has ended due to inactivity. Close this window.

Process:
· Vendor must demonstrate the application's functionality (including Single Sign-on in DealerCONNECT Stage) during the DCQA Functional review meeting.
· Vendor must complete the DCQA Third party link out technical Design document highlighting the technology and components used to build the site as part of the DCQA process.
· For new releases the Vendor / Business team will be required to submit a high level description document identifying the changes within the release to the DCQA team.
· Vendor must demonstrate functionality in new releases during the DCQA Functional review meeting.
· Vendor must adhere to the DealerCONNECT release cycle that is scheduled weekly on Thursday mornings. Application must be fully functional, including a completed Functional review, business owner signoff and DCQA signoff, by Noon on the Monday prior to the Thursday DealerCONNECT launch cycle.
· Vendor will be required to upgrade and perform testing on the application to meet new Stellantis browser standards when released.
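
Added example, not part of the KB article and not Stellantis or vendor code: one way a link out application can take its access rights only from the security functions in the SSO assertion (Accessibility, Example 2) and end the session after inactivity (Inactivity). The attribute name, the function identifiers and the reading of the 2 hours as an idle limit are assumptions; the attributes are assumed to come from an assertion the SAML stack has already validated.

```python
import time

# Assumed names: the page gives neither the SAML attribute name nor the
# security function identifiers, so these are placeholders.
FUNCTION_ATTRIBUTE = "securityFunctions"
FUNCTION_TO_ACCESS = {
    "EXAMPLE_APP_READ": "read",
    "EXAMPLE_APP_EDIT": "edit",
    "EXAMPLE_APP_APPROVE": "approve",
}
IDLE_LIMIT_SECONDS = 2 * 60 * 60  # assumption: the 2 hours is an idle limit


class LinkOutSession:
    """Session whose rights come only from the SSO assertion attributes."""

    def __init__(self, attributes, now=None):
        # attributes: name -> list of values from an assertion whose signature,
        # audience and validity window were already checked by the SAML stack.
        functions = attributes.get(FUNCTION_ATTRIBUTE, [])
        # No local role or position-code table: unknown functions grant nothing.
        self.access = frozenset(
            FUNCTION_TO_ACCESS[f] for f in functions if f in FUNCTION_TO_ACCESS
        )
        self.last_activity = time.time() if now is None else now

    def authorize(self, action, now=None):
        """Return 'ok', 'denied' or 'expired'; refresh the idle timer on use."""
        now = time.time() if now is None else now
        if now - self.last_activity >= IDLE_LIMIT_SECONDS:
            return "expired"  # show the inactivity message and end the session
        self.last_activity = now
        return "ok" if action in self.access else "denied"


# Constructed sample: a user mapped to read only and edit, plus a function
# that belongs to some other application and must be ignored here.
SAMPLE_ATTRIBUTES = {
    "securityFunctions": ["EXAMPLE_APP_READ", "EXAMPLE_APP_EDIT", "OTHER_APP_READ"],
}

if __name__ == "__main__":
    session = LinkOutSession(SAMPLE_ATTRIBUTES, now=0)
    print(session.authorize("edit", now=60))
    print(session.authorize("approve", now=120))
    print(session.authorize("read", now=120 + IDLE_LIMIT_SECONDS))
```

An assertion that carries no recognised security function yields an empty access set, so every action is denied by default.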