SSO - Set up enableHR as a service provider on Okta

Step 1. Create Application in Okta

1. Click Add Application

2. Click Create New App (do not use the existing Canned Application in Okta - this is SWA only)

3. As below, select Web and SAML 2.0 and then click Create

mceclip0.png

4. Upload a Logo if desired, name the App "enableHR" and then click Next

mceclip1.png

5. Enter the General settings shown below.

mceclip2.png

Once the above is complete, the fields should read:

  • Single sign on URL: https://login.enablehr.com/app/saml (same for both NZ and AU clients)

  • Use this for Recipient URL and Destination URL: Ticked

  • Allow this app to request other SSO URLs: Unticked

  • Audience URI (SP Entity ID): https://login.enablehr.com/app/saml (same for both NZ and AU clients)

  • Default RelayState: Blank

  • Name ID format: EmailAddress

  • Application username: Email

  • Update application username on: Create and update

6. Create the three Attribute Statements, taking care to include the capitalisation and spaces.

Please note: as with the initial set-up of all our other SSO partners, the Name of each attribute HAS to be identical to how it is displayed below (including case and spaces).

When the SSO request comes in, those attributes (in that exact format) are what our system looks for, and any deviation will cause problems during testing.

First Name has to be spelt "First Name"

Last Name has to be spelt "Last Name"

Email / User ID has to be spelt "Email / User ID"

mceclip3.png

7. Select “I’m an Okta customer adding an internal app”.

mceclip4.png

8. Click Finish.

mceclip5.png

9. Click the View Setup Instructions button.

mceclip6.png

Step 2. Configure EnableHR

1. You will be presented with the settings and the XML IdP metadata required for the next step, which finishes this configuration within EnableHR.

You only need items 1 & 2 plus the Identity Provider (IdP) metadata. The metadata is labelled "Optional" at the end of the page, but it is required here.

mceclip7.png
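As an added example (not enableHR's or Okta's code), the following script does two pre-flight checks on the hand-off described above. First, it parses the IdP metadata XML from the View Setup Instructions page and pulls out the values that matter for the enableHR form (entityID, the HTTP-POST Single Sign-On URL and the signing certificate). Second, it inspects a SAML Response and reports whether the three attribute names from Step 1 are present exactly as enableHR expects them, distinguishing a plain omission from a near miss that differs only in case or spacing, and also checks the NameID format and Audience against the values configured in Step 1. The metadata and response XML below are constructed for the example; the Okta entity ID, tenant URL and certificate body are placeholders, not real values.

```python
"""Pre-flight checks for an Okta -> enableHR SAML configuration (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values the article specifies for the enableHR service provider.
REQUIRED_ATTRIBUTES = ("First Name", "Last Name", "Email / User ID")
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_AUDIENCE = "https://login.enablehr.com/app/saml"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, HTTP-POST SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_url = svc.get("Location")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_b64 = re.sub(r"\s+", "", cert.text) if cert is not None and cert.text else None
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_cert": cert_b64}


def _normalise(name: str) -> str:
    # Collapse whitespace and case so 'Last name' is recognised as a near miss of 'Last Name'.
    return " ".join(name.split()).casefold()


def check_response(xml_text: str, audience: str = EXPECTED_AUDIENCE) -> list:
    """Return a list of problems found in a SAML Response; an empty list means it looks right.

    This checks field naming only; it does not verify the XML signature, which the
    service provider must still do before trusting any of these values.
    """
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EXPECTED_NAMEID_FORMAT:
        problems.append("NameID format is not emailAddress")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:
        problems.append(f"Audience is not {audience}")
    present = {
        a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "")
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for required in REQUIRED_ATTRIBUTES:
        if required in present:
            if not present[required].strip():
                problems.append(f"attribute {required!r} is present but empty")
            continue
        near = [n for n in present if _normalise(n) == _normalise(required)]
        if near:
            problems.append(f"attribute {required!r} missing; found {near[0]!r} (case/spacing differs)")
        else:
            problems.append(f"attribute {required!r} missing")
    return problems


# Constructed IdP metadata shaped like Okta's output; entity ID, URL and cert are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE0000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIICEXAMPLE
        CERTBODY</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/enablehr/exkEXAMPLE0000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/enablehr/exkEXAMPLE0000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def build_response(attributes: dict) -> str:
    """Construct an unsigned sample SAML Response carrying the given attribute statements."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{EXPECTED_NAMEID_FORMAT}">ada@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
    good = {"First Name": "Ada", "Last Name": "Lovelace", "Email / User ID": "ada@example.com"}
    bad = {"FirstName": "Ada", "Last name": "Lovelace", "Email / User ID": "ada@example.com"}
    print(check_response(build_response(good)))   # []
    print(check_response(build_response(bad)))    # two 'missing' problems
```

Run it against the real metadata by replacing `SAMPLE_IDP_METADATA` with the XML copied from Okta; the `sso_url` it returns is the value that goes into the Login URL field in Step 2, and the `signing_cert` is what the service provider uses to verify assertion signatures. To check a live response, capture the base64 `SAMLResponse` form field from a test login with the browser's developer tools, decode it and pass the XML to `check_response`.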

2. Log into the enableHR account as an Account Administrator and click Settings → Account Settings

mceclip8.png

3. Click the Security tab, then the SSO tab.

mceclip9.png

4. Fill in the details on the page as follows:

  • Leave Identity Provider (IdP) blank or on "Please Select...". (This is a hard-coded list of partners we intended to work with during the design phase; it has no bearing on whether SSO works or how it works.)

mceclip10.png

  • Tick the Enable SAML Identity Provider box (This flags / marks an account in our database as using SSO and enables the function)

mceclip11.png

  • Paste the entire XML of the IDP metadata you copied from the View Setup Instructions section into the SAML Identity Provider box

mceclip12.png

  • Select the appropriate Authentication Mode. If you intend to manage users and their roles within EnableHR, set it to "AuthenticationOnly" mode. Otherwise, if you intend to use "Access (Authorisation)" mode, you will need to contact enableHR / HRA Cloud Client Experience to work through the settings, as role configuration with Okta has not previously been tested.

mceclip13.png

  • Set New User Access as desired. Generally, we advise ESS - eSS Employee as that is the safest option.

mceclip14.png

  • Paste the “Identity Provider Single Sign-On URL” from the View Setup Instructions section into the Login URL field

mceclip15.png

5. Click Update

mceclip16.png

Step 3. Test

1. Assign the Application in Okta to an existing static user in EnableHR. If this is the same account as your Admin account, ensure you have another Admin account available in case you need to back out the changes.

2. Have the user access the EnableHR application. You should see their user account switch to SSO (a green SSO icon appears beside the user).

Please Note: If you are going to manage your users and their roles/permissions within EnableHR (AuthenticationOnly mode), you don’t need to access the SSO Role Configuration tab.

If you want to pass roles and permissions data to EnableHR via Okta (Access mode), you will need to contact EnableHR support for assistance, as we have no previous examples or references for testing this and will need to work through it by trial and error.
