This knowledge base article will explain:
- How enableHR SSO has been set up;
- How enableHR SSO allows users to log in automatically to their profile;
- The different access levels with enableHR SSO: Authentication & Authorisation.
How is enableHR SSO set up?
SSO in enableHR is done via the SAML protocol. SAML (Security Assertion Markup Language) is an industry standard for exchanging authentication and authorisation information between an Identity Provider (Active Directory, G-Suite, etc.) and a Service Provider (enableHR).
How does SSO enable users to log in to their profile automatically?
Good question! Basically, once enableHR is configured to authenticate user information via SAML, users attempting to access enableHR will no longer need to re-enter a user name and password. Instead, enableHR will redirect the user to the Identity Provider (IdP), which will confirm whether or not that user can access enableHR. Once a user has logged into the company IdP (if they’ve already logged in, they may not need to do anything), their browser is sent back to enableHR with a signed payload identifying them.
If the user has an enableHR profile already activated, they will be authenticated as a user of enableHR and be delivered to the default landing page of enableHR, logged in to their profile and ready to go!
If the user DOES NOT currently have an enableHR profile, it is possible for enableHR to create one based on the credentials validated from the IdP.
What are the different access levels with enableHR SSO?
Authentication vs Authorisation
In “Authentication Only” mode, when new users are created, their access is granted based on defaults that you can choose. However, users may also require some subsequent configuration to make them fully functional within the system (for example, by assigning branches or additional roles). Existing users are passed straight through without changing their access. Any changes to access are performed within enableHR, as you probably do today.
In “Full Authorisation” mode, our Client Experience and Implementations teams work with your technical staff to define what information your IdP will send us, and how this relates to access within enableHR. Every time a user logs in, we make sure their access is kept in sync based on what your IdP tells us (whether they are new or already exist). Any changes to access are performed within your IdP, which is the source of truth.
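The difference between the two modes, as an added sketch that is not enableHR's code. It assumes the signed payload has already been verified, and the assertion shape, group-to-role mapping, default role and function names are all constructed for illustration.

```python
# Added illustration: a hypothetical model of the two SSO modes, not enableHR's code.
# Assumes the SAML response signature and conditions were already verified upstream.
from dataclasses import dataclass, field

# Constructed sample values: IdP group -> application role, and new-user defaults.
GROUP_TO_ROLE = {"hr-admins": "HR Administrator", "managers": "Manager"}
DEFAULT_ROLES = frozenset({"Employee"})
MODES = ("authentication_only", "full_authorisation")


@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)


def login(mode, assertion, users):
    """Apply one verified assertion to the user store and return the user.

    assertion: {"name_id": str, "groups": [str, ...]} (constructed shape)
    users: dict mapping name_id -> User
    """
    if mode not in MODES:
        raise ValueError(f"unknown SSO mode: {mode!r}")
    name_id = assertion["name_id"]
    user = users.get(name_id)
    if user is None:
        # No profile yet: create one from the identity the IdP vouched for.
        user = users[name_id] = User(name_id, set(DEFAULT_ROLES))
    if mode == "full_authorisation":
        # IdP is the source of truth: recompute roles on every login, for new
        # and existing users alike. Unmapped groups grant nothing.
        groups = assertion.get("groups", [])
        user.roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    # In authentication_only mode existing roles are left untouched; access
    # changes happen inside the application, not via the assertion.
    return user


def compare_modes(assertion, existing_roles=None):
    """Run the same assertion through both modes and return the resulting roles."""
    result = {}
    for mode in MODES:
        users = {}
        if existing_roles is not None:
            users[assertion["name_id"]] = User(assertion["name_id"], set(existing_roles))
        result[mode] = login(mode, assertion, users).roles
    return result
```

For a user whose IdP groups have changed since their roles were set, the two modes diverge: authentication-only keeps the roles held in the application, while full authorisation replaces them with whatever the assertion maps to.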