In this topic
- Introduction
- What is SSO?
- How does SSO work?
- SSO Protocol and Capability
- Employee SSO Login Process
- SSO Set Up Process
Introduction
This topic describes Single Sign On (SSO) and how it works.
What is SSO?
Single sign on (SSO) is a session and user authentication service that permits a user to use one set of login credentials to log into another service. For example, an employee of a client won’t need a separate email address and password to log into Payroll. Instead, they’ll enter their email address (or use a special link) and the system will automatically know who they are based on the fact that they are logged into their employer’s system.
This has several benefits:
- You have more control over which users have access to the system
- If an employee ceases employment, you can automatically revoke their payroll system access at the same time as you revoke the employee’s other accesses
- Employees don’t need to remember a username and password for Payroll
- You don’t need to assist with unlocking accounts or resetting passwords. If an employee has somehow locked their work account, your IT department can unlock it rather than payroll
- You can enforce other security measures on log in, such as only allowing logins from a work computer (these features are controlled through your identity provider, if available).
How does SSO work?
There are two systems involved in an SSO authentication system:
- The Identity Provider (IdP) – The identity provider is the identity management system that can prove that a user is who they say they are (i.e. authenticate the user); some examples are Okta, Active Directory and OneLogin. This is the system you use to manage your employees’ access to your systems.
- The Service Provider (SP) – The service provider is a system which employs the services of an IdP to authenticate its users. Payroll is a service provider.
There are 2 ways that a user can log in using SSO:
- SP Initiated: The user can open our SSO login screen using their web browser. When the user enters their email address, our system will detect that they are SSO-enabled and will redirect them to their employer’s IdP for authentication.
- IdP initiated: The user can follow a link directly from their employer’s system to initiate the SSO authentication without the need to enter their email address.
Either way, after the user successfully authenticates, they are redirected back to Payroll.
SSO Protocol and Capability
There are several protocols which can be used to facilitate the communication between the IdP and SP, including OAuth, OpenID and SAML. Our implementation of SSO uses the SAML2 protocol.
SAML2 can be used for both authentication (i.e. is the user who they say they are) and authorisation (i.e. what is the user allowed to do).
We do not currently implement any of the authorisation mechanisms.
Employee SSO Login Process
This is the process that an employee will need to follow when logging onto Payroll using SSO. This process is for service provider initiated logins. If you would like to follow an IdP initiated login approach, then the details and process would be specific to your identity provider and outside the scope of support we can provide.
Enter email address
To start the SSO login process, the user can go to the SSO login screen and enter the email address that is linked to your identity provider. This must also be the same email address that is stored against their employee record.
Authentication
The employee will be redirected to your identity provider for authentication.
If the user is successfully authenticated, they will be redirected back to Payroll as ‘authenticated’ and allowed to access the system.
If the user is not authenticated, they will be redirected back to Payroll as ‘unauthenticated’ and will be asked to enter their Payroll password.
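The following is an added, stdlib-only Python example of the service provider side of the SP-initiated SAML2 login described above; it is not Payroll's own code, and the entity IDs, endpoint URLs and employee directory are constructed placeholders. It builds the AuthnRequest the SP sends after the user enters an SSO-enabled email, encodes it for the HTTP-Redirect binding, and then applies the checks an SP must make on the IdP's Response (success status, InResponseTo matching the request it issued, expected issuer, validity window, audience) before mapping the asserted email to an employee record; any failure yields the ‘unauthenticated’ outcome, where the user is asked for their Payroll password. XML signature verification against the IdP certificate, which a real SP must perform before trusting anything in the response, is deliberately left out because it needs a library such as xmlsec; the constructed Response is unsigned for that reason.

```python
"""SP-side view of an SP-initiated SAML2 login (constructed example, not product code)."""
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET  # use defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP/IdP identifiers; not the product's real endpoints.
SP_ENTITY_ID = "https://payroll.example/saml/metadata"
SP_ACS_URL = "https://payroll.example/saml/acs"
IDP_SSO_URL = "https://idp.example/sso/saml"
IDP_ENTITY_ID = "https://idp.example/metadata"
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed employee records, keyed by the email stored against the employee.
EMPLOYEES = {"jane.doe@client.example": {"id": 1042, "name": "Jane Doe"}}

def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def window(now, before_min=1, after_min=5):
    """NotBefore/NotOnOrAfter strings around `now` (used to construct responses)."""
    return fmt(now - timedelta(minutes=before_min)), fmt(now + timedelta(minutes=after_min))

def new_request_id():
    """Unpredictable request ID; the SP stores it in the session to match the Response."""
    return "_" + secrets.token_hex(16)

def build_authn_request(request_id, now):
    """Step 1: the SP builds an AuthnRequest after the user enters an SSO-enabled email."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{fmt(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def redirect_url(authn_request_xml, relay_state="/"):
    """Step 2: HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(query)}"

def decode_saml_request(url):
    """Inverse of redirect_url (what the IdP does on receipt); checks the round trip."""
    q = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()

def validate_response(response_xml, expected_request_id, now):
    """Step 3: checks on the IdP's Response; returns the asserted email or None.
    A real SP must verify the XML signature with the IdP certificate before this."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None  # IdP reported the user as unauthenticated
    if root.get("InResponseTo") != expected_request_id:
        return None  # unsolicited or replayed response, not the one we issued
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None  # missing assertion or issued by someone other than the configured IdP
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return None  # outside the validity window
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return None  # assertion was meant for a different service provider
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sso_login_outcome(response_xml, expected_request_id, now):
    """Step 4: map the asserted email (case-insensitively) to an employee record."""
    email = validate_response(response_xml, expected_request_id, now)
    employee = EMPLOYEES.get(email.lower()) if email else None
    if employee is None:
        return "unauthenticated", None  # user is asked for their Payroll password
    return "authenticated", employee

def make_idp_response(in_response_to, email, not_before, not_on_or_after, status=SUCCESS):
    """Constructed, unsigned IdP Response used only to exercise the checks above."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{not_before}" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{email}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
```

The order of the checks matters less than their completeness: skipping the InResponseTo comparison lets a captured response be replayed, skipping the audience check lets an assertion issued for another service be presented to this one, and skipping signature verification makes every other check meaningless because the content can be forged. The employee lookup is what enforces the requirement above that the IdP email matches the address stored against the employee record.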
Multifactor Authentication (MFA)
Currently, users who have a web role which requires them to complete Multifactor Authentication (MFA) will still need to do MFA after logging in via SSO, even if MFA is conducted within your identity provider.
Note: If a user completes MFA using an authenticator app, they will still be able to save their login for 30 days, which means they won’t be prompted to provide a code when logging in on that device.
SSO Set Up Process
To set up SSO on your account, please contact the support team.