How can we help you?

Single Sign-on (SSO) - How to Set Up


Have you read our Overview - Single Sign-On (SSO)

This Knowledge Base article will explain how to get started and configure SSO for your enableHR account.

Due to the technical nature of the SAML configuration, we are here to help as much as possible to get you started. However, don’t forget that your Identity Provider is your own system, and so there are some things we can do our best to support you with but are out of our hands.

Step 1: Set up enableHR as a service provider

Before you get started, you’ll need to set up enableHR as a Service Provider in your Identity Provider. We have guides to do this for common providers (G-Suite, Active Directory and ADFS or Azure Active Directory), but your own configuration and setup might be different from what we have in those guides. Once you’ve done that, you’ll need to grab the Federation Metadata from your IdP.

Guides for setting up enableHR as a service provider for:

Please Note: For clients planning to use Microsoft Azure for Single Sign On, please be aware that there may be additional costs involved with upgrading your Azure subscription to the Premium offering before SAML Single Sign On is made available for Azure.


Step 2: Switch on SSO within core enableHR

After you have set up enableHR as a Service provider, you can switch on enableHR’s SSO and enhance the experience for all your users. Follow the steps below:

1.  Log into your account as an Account Administrator (this is usually the person who signed up for the enableHR account in the first place, although they may have given access to other users)

2.  Click through Account Settings to the Security -> SSO tab

3.  From this screen you’ll need to do the following in order: 

  • Enable SSO for your account (you can also come back here to turn it off) - this is the flag that determines whether or not Single Sign On is active or inactive on your account. Ticking this box will enable your SSO settings to apply from that point onward.

  • Provide the federation metadata - this is where the third party SAML 2.0 Identity Provider Metadata is provided in XML format. The metadata will always be generated by the client's  Identity Provider and the contents of the .XML file will simply need to be pasted in this text box.

  • Choose how you want to authenticate your users; - this setting determines who the source of truth will be in relation to roles & permissions maintained for individual users. There are two settings available in this box:

    • Access - In this mode, the client's Identity Provider becomes the source of truth in terms of determining what roles & permissions are provisioned to the user on a login-by-login basis. Any existing roles & permissions are wiped and re-determined upon the next login attempt. Please see point below.

    • AuthenticationOnly - In this mode, the enableHR becomes the source of truth in terms of determining what roles & permissions are provisioned to the user as per standard functionality. For new users accessing enableHR for the first time, their roles & permissions are determined by the system's automation rules (accounting for the new user access selection below) with subsequent successful login attempts maintaining their roles & permissions in the system until changed by an Account Admin or someone with access to user permissions.

  • Choose how now user access is provisioned - this setting determines what happens for users logging into the system (from the SSO page) for the very first time. In this setting, there are three options:

    • NONE - This setting determines that any and all new users should be fielded into the enableHR main application first but with no roles, permissions or branches assigned (essentially, authenticated but nothing else). Once the user profile has been created, it is expected that Account Admins manage the users roles, permissions and branches on a user-by-user basis.

    • ENABLEHR - This setting determines that any and all new users should be fielded into the enableHR main application first. The roles & permissions will be determined by the automation settings for a default (non-eSS) user however, as enableHR has no notion of what a "default" set of branch permissions are, we will not be able to automate branch permissions and so, the system will give the user no branch access (which is safer than trying to assume what someone should / shouldn't have)

    • ESS - This is our recommended setting as it is the safest from a data security point of view. New users into the system are immediately fielded into Self Service (provided that we're able to match a record and authenticate them into the system). From there, if a user requires access to the main application, their user permissions will need to be managed and adjusted by an Account Admin before they will be able to gain access.

  • Specify the login URL for your application (in case the user needs to be asked to authenticate again) - This is typically the page that users need to navigate to (from the Identity Provider) in order to see the option for enableHR which allows them to login. The login URL is typically also specified somewhere within the IdP Metadata.

4.  If you want to use full authentication and authorisation with your IdP being the source of truth, you’ll also need to reach out to our Client Experience team who will work with you on mapping access between the two systems.

Related articles: 

Overview - Single Sign-On (SSO)

Does SSO work differently for enableHR and Self Service users?

Have more questions? Submit a request