
This guide walks you through how to assign single sign-on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal.

...

What information does RSM need? 

  • The OpenID Connect Configuration URL
  • The Client ID
  • The Client Secret
  • Optionally, your public key

What authentication methods are supported?

...

OpenID Connect

How to set it up

Go to Admin in the top menu and select Client SSO, then find the client in the client field.

...

In this field, enter the OpenID Connect configuration URL.

If this isn't available, enter the Metadata URL and click Populate Details to fill the screen with all the details the provider makes available. If any details are missing, fill them in and click Populate Details again so the missing values are used to fill in the Authorization Endpoint.

The Populate Certificate button will only populate the certificate (if available). This is useful for OAuth 2.0 providers.
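The following is an added example, not InPay's own code, showing how a Populate Details step can fill the SSO endpoint fields from an OpenID Connect discovery document, and how a second pass fills only what the first left blank. The screen field names and the discovery document are assumed or constructed for the example; the added issuer check (the document should come from `{issuer}/.well-known/openid-configuration`) and the https requirement are defensive choices, not behaviour the page describes.

```python
"""Added example, not InPay's own code: filling SSO endpoint fields from an
OpenID Connect discovery document in two passes. Field names and the discovery
document are assumed/constructed for this example."""
import json

# Assumed InPay screen fields mapped to the standard OIDC discovery keys.
DISCOVERY_KEYS = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS URI": "jwks_uri",
    "Log Out URL": "end_session_endpoint",
}


def metadata_url_matches_issuer(metadata_url: str, issuer: str) -> bool:
    """Discovery documents live at {issuer}/.well-known/openid-configuration, so a
    document whose issuer does not match the URL it was fetched from should not
    be trusted to fill in endpoints."""
    expected = issuer.rstrip("/") + "/.well-known/openid-configuration"
    return metadata_url.rstrip("/") == expected


def populate_details(metadata_url: str, discovery_json: str, current: dict) -> tuple[dict, list[str]]:
    """Merge discovery values into the current form values.

    Fields already filled in are kept, so an operator can type a missing value
    by hand and run this again. Only https endpoints are accepted; anything else
    is left blank for the operator. Returns the merged form and the list of
    fields still blank afterwards.
    """
    metadata = json.loads(discovery_json)
    if not metadata_url_matches_issuer(metadata_url, metadata.get("issuer", "")):
        raise ValueError("discovery issuer does not match the Metadata URL")
    merged = dict(current)
    for field, key in DISCOVERY_KEYS.items():
        value = metadata.get(key)
        if merged.get(field) or not value or not value.startswith("https://"):
            continue
        merged[field] = value
    missing = [f for f in DISCOVERY_KEYS if not merged.get(f)]
    return merged, missing


# Constructed discovery document for a provider that publishes no logout endpoint.
METADATA_URL = "https://login.example-idp.test/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example-idp.test",
    "authorization_endpoint": "https://login.example-idp.test/oauth2/authorize",
    "token_endpoint": "https://login.example-idp.test/oauth2/token",
    "jwks_uri": "https://login.example-idp.test/.well-known/jwks.json",
})


if __name__ == "__main__":
    form, missing = populate_details(METADATA_URL, SAMPLE_DISCOVERY, {})
    print("after first pass, still missing:", missing)
    form["Log Out URL"] = "https://login.example-idp.test/logout"  # typed in by the operator
    form, missing = populate_details(METADATA_URL, SAMPLE_DISCOVERY, form)
    print("after second pass, still missing:", missing)
```

Keeping operator-entered values on the second pass is what makes "fill in the missing details and click Populate Details again" safe: re-running never overwrites what was typed by hand.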

Options

Enable SSO - Once this is checked, all client portal users with an email matching Email Suffix 1 or 2 will be able to log in by SSO.

Please note: If this is checked (even if other details are left blank), employees will have a client portal user created on commit where they have an email address that is not currently in use as a portal username. The username will be the email address held against their record.

Validate Issuer - This may be checked if the company wishes to validate the issuer. They will need to configure their authentication to provide an issuer matching the Issuer field.

Validation

Issuer - If Validate Issuer is checked, the returned issuer must match this value.

Claims

...

The client portal supports two claims. If none are entered or available, the default identity name will be matched against the user's client portal email address.

Email Claim - The name of the claim that will contain the user's client portal email address. For example, @RSMUK.COM

Unique Id Claim - The name of the claim that will contain a unique identifier for the user. This may contain the user's email or a unique id for the user. After the first login it will be used to verify the user in addition to the email.

Identification

Client Id - This allows the company's authentication provider to identify the client portal and use the correct configuration.

Email Suffix - Users whose email matches one of the provided suffixes will log in by SSO. Users who have left, or users without a company account, can still log in with a password.

Security

Certificate - The public certificate used to validate the returned token if Validate Audience or Validate Issuer is checked. Not required for OpenID Connect.

Payslip Portal URL - This will be pre-populated based on the address used to log in to InPay. It's used to populate the Authorization Endpoint and to match the sent audience if Validate Audience is checked.

Log Out URL - This URL will be called just before a user logs out, to log them out of their company account. Some providers may choose not to support this.

Client Secret - This is the most sensitive piece of data entered on this page. The company must provide it by secure means (e.g. a Client Portal message). Never share it by insecure means. After populating this field and saving, it's not possible to view the value.
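The following is an added example, not InPay's own code, that puts the Validation, Claims, Identification and Security fields above together as the checks applied to the claims of a returned token (signature verification against the certificate or JWKS is assumed to have already happened). The claim names, the choice of "name" as the default identity claim, the portal URL and all sample values are assumptions constructed for the example.

```python
"""Added example, not InPay's own code: the checks implied by the Validate
Issuer, Issuer, Validate Audience, Payslip Portal URL, Email Claim, Unique Id
Claim and Email Suffix fields, applied to already signature-checked claims.
Claim names, the default identity claim and sample values are assumptions."""
from dataclasses import dataclass


@dataclass
class SsoConfig:
    enable_sso: bool = True
    validate_issuer: bool = False
    issuer: str = ""
    validate_audience: bool = False
    portal_url: str = ""            # Payslip Portal URL
    email_claim: str = ""           # Email Claim; blank -> default identity name
    unique_id_claim: str = ""       # Unique Id Claim
    email_suffixes: tuple = ()      # Email Suffix 1 and 2


DEFAULT_IDENTITY_CLAIM = "name"     # assumption for what "default identity name" maps to


def email_matches_suffix(email: str, suffixes) -> bool:
    """Case-insensitive suffix match. Users outside every suffix are left to
    password login, which is how leavers and non-company accounts keep working."""
    lowered = email.lower()
    return any(s and lowered.endswith(s.lower()) for s in suffixes)


def resolve_sso_login(claims: dict, cfg: SsoConfig, known_users: dict) -> dict:
    """Decide whether the returned claims identify an existing portal user.

    known_users maps portal username (the email) to the unique id stored at the
    first SSO login, or None if the user has never logged in by SSO; it is
    updated on that first login. Every outcome carries a reason so the request
    log can show what failed.
    """
    def refuse(reason):
        return {"ok": False, "reason": reason, "user": None}

    if not cfg.enable_sso:
        return refuse("SSO not enabled")
    if cfg.validate_issuer and claims.get("iss") != cfg.issuer:
        return refuse("issuer mismatch")
    if cfg.validate_audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if cfg.portal_url not in aud:
            return refuse("audience mismatch")
    email = claims.get(cfg.email_claim or DEFAULT_IDENTITY_CLAIM)
    if not email:
        return refuse("unable to get claims")
    email = email.lower()
    if not email_matches_suffix(email, cfg.email_suffixes):
        return refuse("email suffix not enabled for SSO")
    if email not in known_users:
        return refuse("no portal user for this email")
    if cfg.unique_id_claim:
        uid = claims.get(cfg.unique_id_claim)
        if not uid:
            return refuse("unique id claim missing")
        if known_users[email] is None:
            known_users[email] = uid              # first login: bind the identifier
        elif known_users[email] != uid:
            return refuse("unique id mismatch")   # same email, different identity
    return {"ok": True, "reason": "ok", "user": email}


# Constructed sample configuration and token claims.
SAMPLE_CONFIG = SsoConfig(
    validate_issuer=True, issuer="https://login.example-idp.test",
    validate_audience=True, portal_url="https://inpay.example.test/payslipportal4/",
    email_claim="email", unique_id_claim="oid",
    email_suffixes=("@example.com", ""),
)
SAMPLE_CLAIMS = {
    "iss": "https://login.example-idp.test",
    "aud": "https://inpay.example.test/payslipportal4/",
    "email": "Alice@Example.com",
    "oid": "3f2c1e0a-example-object-id",
}

if __name__ == "__main__":
    users = {"alice@example.com": None}
    print(resolve_sso_login(SAMPLE_CLAIMS, SAMPLE_CONFIG, users))
    print(resolve_sso_login({**SAMPLE_CLAIMS, "oid": "someone-else"}, SAMPLE_CONFIG, users))
```

The unique id binding is the part worth noticing: once a user has logged in by SSO, a later token carrying the same email but a different identifier is refused, which is what "used to verify the user in addition to the email after the first login" buys you if an email address is ever reassigned at the provider.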

Endpoints

These may be populated from the Metadata URL or entered manually.

...

Once a user is returned from the Authorization Endpoint, the request will be logged showing any issues.

FAQ

Unable to get claims. Ask the client to add a claim named UserID to return the user's email address.

First try checking Validate Issuer. The claims returned are affected by this setting.

User can't log in by SSO

If a user is unable to log in by SSO once it is enabled, first:

...

We don't currently support IdP-initiated SSO. This is where the client would have an address for their SSO provider, e.g. inpay.es.rsmuk.com/payslipportal4/?sso=CompanyName