Overview - Single Sign-On (SSO)

This knowledge base article will explain:

  1. What are the benefits of SSO?
  2. How enableHR SSO has been set up;
  3. How enableHR SSO allows users to log in automatically to their profile;
  4. The different access levels with enableHR SSO: Authentication & Authorisation.

What are the benefits of SSO?

SSO provides an enhanced user experience by making it easier and safer to work across and access multiple online platforms. The key benefits that enableHR users will experience with SSO are:

  • The ability to mitigate security risk for access to 3rd-party sites by centralising the management and control of user passwords to dedicated systems that you control;

  • The ability to reduce password fatigue from having different username and password combinations across different systems;

  • Get back the time usually spent re-entering passwords for the same identity and become more productive in your day-to-day work;

  • If your business already has multi-factor authentication set up, then this will be inherited for accessing enableHR through the configuration of SSO.


How is enableHR SSO set up?

SSO in enableHR is done via the SAML protocol. SAML (Security Assertion Markup Language) is an industry standard for exchanging authentication and authorisation information between an Identity Provider (Active Directory, G-Suite, etc.) and a Service Provider (enableHR).

 

How does SSO enable users to log in to their profile automatically?

Good question! Basically, once enableHR is configured to authenticate user information via SAML, users attempting to access enableHR will no longer need to re-enter a username and password. Instead, enableHR will redirect the user to the Identity Provider (IdP), which will confirm whether or not that user can access enableHR. Once a user has logged into the company IdP (if they’ve already logged in, they may not need to do anything), their browser is sent back to enableHR with a signed payload identifying them.

If the user has an enableHR profile already activated, they will be authenticated as a user of enableHR and be delivered to the default landing page of enableHR, logged in to their profile and ready to go!

If the user DOES NOT currently have an enableHR profile, it is possible for enableHR to create one based on the credentials validated from the IdP.

 

What are the different access levels with enableHR SSO? 

Authentication VS Authorisation

In “Authentication Only” mode when new users are created, their access is granted based on defaults that you can choose. However, users may also require some subsequent configuration to make them fully functional within the system (for example, by assigning branches or additional roles). Existing users are passed straight through without changing their access. Any changes to access are performed within enableHR, as you probably do today.

In “Full Authorisation” mode, our Customer Experience and Implementations teams work with your technical staff to define what information your IdP will send us, and how this relates to access within enableHR. Every time a user logs in, we make sure their access is kept in sync based on what your IdP tells us (whether they are new or already exist). Any changes to access are performed within your IdP; it’s the source of truth.
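
The difference between the two modes, modelled as an added Python example (this is not enableHR's code). It assumes the attributes come from a SAML response whose signature has already been verified; the `email` and `groups` attribute names, the role names and the group-to-role mapping are all hypothetical.

```python
from dataclasses import dataclass, field

AUTHENTICATION_ONLY = "authentication_only"
FULL_AUTHORISATION = "full_authorisation"

# Constructed sample configuration; every name here is hypothetical.
DEFAULT_ROLES = {"Employee"}
GROUP_TO_ROLE = {"hr-admins": "HR Administrator", "managers": "Manager"}


@dataclass
class Profile:
    email: str
    roles: set = field(default_factory=set)


def roles_from_idp(assertion):
    """Map IdP groups to roles; groups with no mapping grant nothing."""
    groups = assertion.get("groups", [])
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def handle_login(mode, profiles, assertion):
    """Apply one SSO login and return the resulting profile.

    `assertion` stands for attributes taken from an already verified
    SAML response; signature checking is out of scope here.
    """
    if mode not in (AUTHENTICATION_ONLY, FULL_AUTHORISATION):
        raise ValueError(f"unknown SSO mode: {mode}")
    email = assertion["email"].strip().lower()
    profile = profiles.get(email)
    is_new = profile is None
    if is_new:
        profile = profiles[email] = Profile(email)
    if mode == FULL_AUTHORISATION:
        # IdP is the source of truth: access is re-synced on every login.
        profile.roles = roles_from_idp(assertion)
    elif is_new:
        # Authentication Only: new users start from the chosen defaults.
        profile.roles = set(DEFAULT_ROLES)
    # Authentication Only, existing user: access is left untouched.
    return profile


if __name__ == "__main__":
    alice = {"email": "alice@example.com", "groups": ["managers"]}
    for mode in (AUTHENTICATION_ONLY, FULL_AUTHORISATION):
        store = {"alice@example.com": Profile("alice@example.com", {"HR Administrator"})}
        print(mode, sorted(handle_login(mode, store, alice).roles))
```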

 

 

Have you read: 

Does Single Sign-on work differently for enableHR and Self Service (eSS) users?

How do I get started with Single Sign-on for enableHR?
