This article is for customers rolling out SSO for the first time in Identity. If you are a migrating customer who is already using SSO in People®, check out our migration article here.
If you want further information on Access Identity SSO, check out our introduction article.
Please note: Once SSO is set up for a domain, it is enforced for all users under that domain; there will be no option for manual logins (email and password).
The steps to configure Access Identity SSO
Access Identity SSO is linked directly to a domain rather than to a user. Once a domain is set up for SSO, all users with email addresses that use that domain will be covered by the SSO.
Most companies have only one or very few setup steps, and your users, even those newly added, will not need to perform any steps to utilise the SSO path once the below is completed.
-- Step 1 --
Identify your domains
Your domain is the part of each user's email address to the right of the @ symbol. Usually it is your company name followed by .com or .co.uk; for example, for the email firstname.lastname@example.org, the domain would be "theaccessgroup.com".
Please gather at least one email address from each domain you wish to register, and ensure that you can test email messages with at least 1 user per domain to be registered, in order to complete the following steps.
If in doubt, your IT team should be able to support you with understanding what your domains are.
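One way to build the Step 1 domain list from a user export, as an added example (not Access's code). The consumer-provider list, the function name and the sample addresses are assumptions constructed for illustration; it counts users per domain, because SSO is enforced for every user under a registered domain, and picks one mailbox per domain to test with.

```python
# Constructed list of consumer mail providers (an assumption, extend as needed);
# the article names iCloud and Yahoo as examples that cannot use SSO.
CONSUMER_DOMAINS = {"icloud.com", "yahoo.com", "yahoo.co.uk", "gmail.com",
                    "outlook.com", "hotmail.com"}


def inventory_domains(emails):
    """Group addresses by domain: what to register, what cannot use SSO."""
    by_domain, invalid = {}, []
    for raw in emails:
        addr = raw.strip().lower()
        local, sep, domain = addr.rpartition("@")
        if not (sep and local and "." in domain):
            invalid.append(raw)
            continue
        users = by_domain.setdefault(domain, [])
        if addr not in users:  # ignore duplicate rows in the export
            users.append(addr)
    report = {"register": {}, "no_sso": {}, "invalid": invalid}
    for domain in sorted(by_domain):
        users = by_domain[domain]
        bucket = "no_sso" if domain in CONSUMER_DOMAINS else "register"
        # Users affected once SSO is enforced, plus one mailbox to test with.
        report[bucket][domain] = {"users": len(users), "test_mailbox": users[0]}
    return report


# Constructed sample export; replace with your own user list.
SAMPLE = [
    "Ann.Lee@Example.com", "bob@example.com", "bob@example.com ",
    "carol@example.net", "dave@icloud.com", "not-an-email",
]

if __name__ == "__main__":
    result = inventory_domains(SAMPLE)
    for domain, info in result["register"].items():
        print(f"register {domain}: {info['users']} users, test with {info['test_mailbox']}")
    for domain, info in result["no_sso"].items():
        print(f"cannot use SSO: {domain} ({info['users']} users)")
    print("unparseable rows:", result["invalid"])
```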
-- Step 2 --
Identify who manages your domain
Usually, someone from your IT department will have access to the domain DNS. You will need to locate whoever can add a TXT record to it to verify ownership of the domain.
-- Step 3 --
Identify who manages your authentication
Usually, your IT department will manage your domain, and they will be able to set up an OIDC endpoint to interact with Access Identity.
Common providers are ADFS and Azure AD for which we supply example steps; however, most authentication providers support this protocol. Someone will need to be able to set this up for you.
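A pre-flight check your IT team could run on the identity provider's OpenID Connect discovery document before handing the endpoint over, as an added example (not Access's code and not part of the federation document). It assumes your provider publishes a discovery document as defined by OpenID Connect Discovery 1.0; the function name, URLs and sample documents are constructed.

```python
from urllib.parse import urlsplit

# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED
# (token_endpoint is omitted here: it is optional for implicit-only providers).
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def check_discovery(doc, fetched_from):
    """Return a list of problems found in an OIDC discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # The issuer must be the exact prefix of the URL the document came from.
    expected = issuer.rstrip("/") + "/.well-known/openid-configuration"
    if issuer and fetched_from != expected:
        problems.append("issuer does not match the discovery URL")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens ('none') are advertised")
    return problems


# Constructed sample documents (hypothetical hosts, not a real tenant).
GOOD_URL = "https://idp.example.com/adfs/.well-known/openid-configuration"
GOOD = {
    "issuer": "https://idp.example.com/adfs",
    "authorization_endpoint": "https://idp.example.com/adfs/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/adfs/oauth2/token",
    "jwks_uri": "https://idp.example.com/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD = dict(GOOD, issuer="https://login.example.net",
           jwks_uri="http://idp.example.com/adfs/discovery/keys",
           id_token_signing_alg_values_supported=["RS256", "none"])
del BAD["subject_types_supported"]

if __name__ == "__main__":
    print("good:", check_discovery(GOOD, GOOD_URL))
    for problem in check_discovery(BAD, GOOD_URL):
        print("bad :", problem)
```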
-- Step 4 --
Register for Identity
To register each domain with Access Identity, you need to register at least 1 email address per domain. To do this, go to https://identity.accessacloud.com/ and click the Create New Account button.
Please note: If you have already registered with Access Identity because you use other Access products, go to https://identity.accessacloud.com/ and either enter your password or, if you have forgotten it, reset your password to access your Identity account.
You will need to do this with one email per domain you wish to set up. Ideally, this person should be someone with administration rights in your business in case you need to come back and edit this later.
This is a one-off task with one user per domain. Once setup is complete, all other users will be automatically moved to Access Identity, without any impact on how they log in.
-- Step 5 --
Once you have registered, you will need your IT team or your domain manager to follow and complete the steps in our federation document once per domain. The document details how to configure AD FS 2016 and Azure AD; the steps for other OpenID Connect Identity Providers will be very similar.
The federation document states that you need to contact your account manager to enable user federation. This is not applicable during this domain setup, and you do not need to contact your account manager.
It also shows a pop-up message once you have completed these steps. You can ignore this message, as it means we have to complete the final setup tasks.
**Please note that 2FA and SSO are included in all PeopleHR packages.**
-- Step 6 --
Contact the PeopleHR Support team to activate your licence for SSO.
-- Step 7 --
Run a test
Once you have done this, please sign out of Access Identity. To test your setup, go back to the homepage https://identity.accessacloud.com/ and type your email address in. When you click next, you should be diverted automatically to your internal authentication server and be able to authenticate yourself.
You're good to go 🎉
If you can do this and successfully get back to Access Identity, your domain is set up, and all users with the same email domain will be ready to use SSO when you are migrated to Identity.
What do we do if we don't have a company domain?
If you do not own a domain and user emails use iCloud, Yahoo, etc., the users will be unable to log in via the SSO mechanism.
We do offer social sign-in options for Gmail, Microsoft, and LinkedIn, which will allow users to authenticate through them directly. Users on all other domains will need to log in with a username and password going forward.
Users are getting asked to log in with email and password?
If users are asked to log in manually, please double-check with your IT team that the domains have been registered correctly.
If you have any questions, please contact email@example.com.