This guide walks you through how to assign single sign-on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal.
If clients are asking what information they need, they can access Single sign on - a client guide.
What information does RSM need?
- The OpenID Connect Configuration URL
- The Client ID
- The Client Secret
- Optionally, your public key
What authentication methods are supported?
OAuth 2.0
OpenID Connect
Metadata
An SSO provider may expose some of their configuration.
How to set it up
Go to Admin in the top menu heading and select client SSO, then in the client field find the client.
Metadata
In this field, enter the OpenID Connect Configuration URL.
This doesn't exist? Enter the Metadata URL and click Populate Details to populate the screen with all details made available. If any details are missing, populate the missing details and click Populate Details again to use the missing values to fill in the Authorization Endpoint.
The Populate Certificate button will only populate the certificate (if available). This is useful for OAuth 2.0 providers.
Options
Enable SSO: Once this is checked, all client portal users with a matching Email Suffix 1 or 2 will be able to log in by SSO. If this is checked (even if other details are left blank), employees will have a payslip portal user created on commit where they have an email and it's not currently in use as a payslip portal username. The username will be their email address.
Validate Audience: This may be checked if the company wishes to validate the audience. They will need to configure their authentication to provide an audience matching the Payslip Portal URL.
Validate Issuer: This may be checked if the company wishes to validate the issuer. They will need to configure their authentication to provide an issuer matching the Issuer.
...
Once a user is returned from the Authorization Endpoint, the request will be logged showing any issues.
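As an added illustration (not the portal's own code), the example below shows how a relying party typically applies the Validate Audience and Validate Issuer options to the claims of an ID token whose signature has already been verified, and how it reads the UserID claim mentioned in the FAQ. The option names mirror this page; the class, the function, the sample URLs and the exact-domain reading of Email Suffix are assumptions.

```python
# Added illustration: checks on ID token claims AFTER signature verification.
# Every name and sample value below is constructed, not taken from the product.
from dataclasses import dataclass


@dataclass
class SsoOptions:
    enable_sso: bool
    validate_audience: bool
    validate_issuer: bool
    portal_url: str        # expected audience: the Payslip Portal URL
    issuer: str            # expected issuer: the configured Issuer value
    email_suffixes: tuple  # Email Suffix 1 and 2 (assumed to be domains)


def check_claims(claims: dict, opts: SsoOptions) -> list:
    """Return the issues found; an empty list means the login may proceed."""
    if not opts.enable_sso:
        return ["SSO is not enabled for this client"]
    issues = []
    if opts.validate_issuer and claims.get("iss") != opts.issuer:
        issues.append("issuer mismatch")  # exact string comparison
    if opts.validate_audience:
        aud = claims.get("aud")
        # "aud" is either one string or a list of strings (RFC 7519).
        audiences = [aud] if isinstance(aud, str) else (
            aud if isinstance(aud, list) else [])
        if opts.portal_url not in audiences:
            issues.append("audience mismatch")
    user_id = claims.get("UserID")
    if not isinstance(user_id, str) or "@" not in user_id:
        return issues + ["unable to get claims: UserID is not an email"]
    # Compare the whole domain; a bare endswith() would accept look-alikes.
    domain = user_id.rsplit("@", 1)[1].lower()
    allowed = {s.lstrip("@").lower() for s in opts.email_suffixes} - {""}
    if domain not in allowed:
        issues.append("email suffix not enabled for SSO")
    return issues


OPTS = SsoOptions(True, True, True, "https://portal.example.test",
                  "https://idp.example.test/", ("@example.test", ""))
GOOD = {"iss": "https://idp.example.test/",
        "aud": ["https://portal.example.test"], "UserID": "Pat@Example.test"}
BAD = {"iss": "https://idp.example.test", "aud": "other-client",
       "UserID": "pat@notexample.test"}

if __name__ == "__main__":
    print(check_claims(GOOD, OPTS))
    print(check_claims(BAD, OPTS))
```

The issuer comparison is exact, so a trailing slash that differs between the provider's issuer and the configured Issuer value is reported as a mismatch.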
FAQ
Unable to get claims
Ask the client to add a claim named UserID to return the user's email address.
First try checking Validate Issuer. The claims returned are affected by this setting.
User can't log in by SSO
If a user is unable to log in by SSO once enabled, first:
...