This article is for users that currently have SSO enabled in People® and have received the below pop up on their Dashboard:
What is changing?
Users will now login to PeopleHR via Access Identity. This means that you need to register your domains with Access Identity to continue using SSO for your users.
Once you have registered by following the below instructions select 'Mark Compete', this will confirm to us that you have completed the required steps for your domain(s) so that we can complete the setup task for you.
This article describes the steps that you need to complete by the 30th November 2021 to ensure a smooth transition for your users through the SSO login; if these steps are not followed, all users will revert to username and password logins.
If you want further information on Access Identity SSO, check out our introduction article.
Access Identity SSO is linked directly to a domain rather than to a user. Once a domain is set up for SSO, all users with email addresses that use that domain will be covered by the SSO.
Please note: Once SSO is set up for a domain, this will be forced for all users under that domain, there will not be an option for manual logins (email and password).
Most companies have only one or very few setup steps, and your users, even those newly added, will not need to perform any steps to utilise the SSO path once the below is completed.
Optional SSO Features No Longer Available
Now that SSO is provided on a per domain level we will no longer be able to offer individual options for SSO such as; optional SSO for deactivated users and users not in a domain having Access to SSO.
If a user's email address is not part of a registered domain, they will login with username and password. Once we complete the move for Access Identity for you, they will be presented with a new login flow, including the requirement to set an Access Identity password, on their first login. Further detail on that are available here.
Steps to Configure Access Identity SSO
Access Identity SSO is linked directly to a domain rather than to a user. Once a domain is set up for SSO:
· all users with email addresses that use that domain will be covered by the SSO.
· this will be forced for all users under that domain; there will not be an option for manual logins (email and password).
-- Step 1 --
Identify your domains
Your domains will be on the right-hand side of your email addresses after the @ symbol for your users. Usually, it's your company name followed by .com or .co.uk, for example, the email: email@example.com, the domain would be "theaccessgroup.com".
Please gather together at least one email address from each domain you wish to register and ensure that you have the ability to test email messages with at least 1 user per domain that is to be registered, in order to complete the following steps.
If in doubt, your IT team should be able to support you with understanding what your domains are.
One of these checks is to ensure that for all domains that you are going to register, all of the users in that domain have SSO activated on their record.
This is required to ensure that when we migrate, those users will log in using the new SSO login flow.
If a user does not have SSO activated, but their domain is registered for SSO they could lose the ability to login to PeopleHR, depending on how they've logged in as an Optional SSO user.
Steps to Complete Migration
In order to complete this, we now need you to ensure that all users for your registered domains have SSO activated. This will ensure that when we migrate, every user who has an account for the registered domain(s), will log in via the new SSO login flow. This can be done in 1 of 2 ways - Per User or In Bulk.
Option 1: Per User
Update the user record and click Activate SSO in the overview of their Profile.
Option 2: In Bulk
Go to Bulk Actions
Click on the 'Others' tab
Select Update SSO.
Select all employees that should be activated. Important: Only select employees that you know are for a registered domain.
Select Activate SSO
-- Step 2 --
Identify who manages your domain
Usually, someone from your IT department will have access to the domain DNS. You will need to locate whomever can add a TXT record to this to verify ownership of the domain.
-- Step 3 --
Identify who manages your authentication
Usually, your IT department will manage your domain, and they will be able to set up an Open ID Connect (OIDC) endpoint to interact with Access Identity.
Note: OIDC allows clients to confirm an end user's identity using authentication by an authorisation server.
Common providers are ADFS and Azure AD for which we supply example steps; however, most authentication providers support this protocol. Someone will need to be able to set this up for you.
-- Step 4 --
Register for Identity
To register each domain with Access Identity, you need to register at least 1 email address per domain. To do this, go to https://identity.accessacloud.com/ and click the Create New Account button.
Please Note: If you already registered with Access Identity due to using other Access Products, once clicking the link: https://identity.accessacloud.com/ You can either enter your password or reset your password to access your Identity account if you have forgotten this.
You will need to do this with one email per domain you wish to set up. Ideally, this person should be someone with administrative rights in your business in case you need to come back and edit this later.
This is a once-off task with one user per domain. Once set up is complete, all other users will be automatically moved to Access Identity, without any impact to how they login in.
-- Step 5 --
Once you have registered, you will need your IT team or your Domain manager to follow and complete the steps in our federation document once per domain; the document details how to configure AD FS 2016 and Azure AD; for other OpenID Connect Identity Providers, please contact the support team if you are not able to complete this, as the steps will be very similar.
Within the Federation document this states you need to contact your account manager to enable the user federation, this is not applicable during this domain set up and you do not need to contact your account manager.
It also shows the following pop-up once you have completed these steps, you can ignore the pop-up message shown below as this means we have to complete the final setup tasks.
**Please note that 2FA and SSO is included in all PeopleHR packages **
-- Step 6 --
Make sure you select 'Mark complete' on the pop-up message shared at the start of this article, once the above is completed.
We in Access now need to complete some final setup tasks for you. Once done, Support will be in contact to let you know, so that you can proceed with step 7 to test the new setup
-- Step 7 --
Run a test
Once you have done this, please sign out of Access Identity. To test your setup, go back to the homepage https://identity.accessacloud.com/ and type your email address in. When you click next, you should be diverted automatically to your internal authentication server and be able to authenticate yourself.
You're good to go 🎉
If you can do this and successfully get back to Access Identity, your domain is set up, and all users with the same email domain will be ready to use SSO when you are migrated to Identity.
What do we do if we don't have a company domain?
If you do not own a domain and user emails contain iCloud/yahoo etc, the users will be unable to log in via the SSO mechanism.
We do offer social sign-in options for Gmail, Microsoft, and LinkedIn, which will allow users to authenticate through them directly, all other domains will need to login with a username and password going forward.
Users are getting asked to log in with an email and password?
If users are asked to login manually, please double-check with your IT team that the domains have been registered correctly.
If you have any questions, please contact firstname.lastname@example.org.