
This guide walks you through how to assign single sign-on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal.

...

What information does RSM need? 

  • The OpenID Connect Configuration URL
  • The Client ID
  • The Client Secret
  • Optionally, your public key

What authentication methods are supported?

...

Client secret - This is the most sensitive piece of data entered on this page. The company must provide this by secure means (e.g. a Client Portal message). After populating this field and saving, it's not possible to view the value.


Endpoints

These may be populated from the Metadata URL or entered manually.

...

Authorization Endpoint - If a user whose email address has a suffix matching one of the provided suffixes enters their username on the login screen, they will be sent to this address. They will then log in to their company account and be sent back to InPay with a code.


Sharing details with clients and logging

...

Once a user is returned from the Authorization Endpoint, the request will be logged, showing any issues.


FAQ

Unable to get claims. Ask client to add a claim named UserID to return the users email address.

First try checking Validate Issuer. The claims returned are affected by this setting.

User can't log in by SSO

If a user is unable to log in by SSO once enabled, first:

...

Once they've completed these steps, set the Email Claim and Unique Id Claim in InPay to email.

Do you support SAML or SAML 2.0?

No, but most identity providers can support OAuth 2.0 or OpenID Connect.

...

The client would like some instructions

See Single Sign On; this will be useful even if they are using a different provider.

...

First confirm the Payslip Portal user's saved email address is correct. If so, forward the error messages to the company's internal IT department.

Error message showing token response with no email

This may be because the email claim is not being returned. Update the Authorization Endpoint to request the email scope: scope=openid+email

The full Authorization Endpoint would then be similar to https://SSOPROVIDER.COM/oauth2/default/v1/authorize?response_type=code&client_id=000000000000000&scope=openid+email&redirect_uri=https://inpay.es.rsmuk.com/payslipportal4/login.aspx&nonce=&state=
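The following is an added example, not RSM or InPay code: a Python check that an Authorization Endpoint requests the openid and email scopes, and that a returned ID token carries the configured claim. The function names and sample values are hypothetical.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

REQUIRED_SCOPES = {"openid", "email"}  # scopes the FAQ above says to request


def check_authorization_endpoint(url):
    """Return a list of problems found in an Authorization Endpoint URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    issues = []
    if parts.scheme != "https":
        issues.append("endpoint is not https")
    if params.get("response_type") != ["code"]:
        issues.append("response_type is not 'code'")
    if not params.get("client_id", [""])[0]:
        issues.append("client_id is missing")
    # parse_qs decodes '+' as a space, so 'openid+email' becomes 'openid email'
    scopes = set(params.get("scope", [""])[0].split())
    for scope in sorted(REQUIRED_SCOPES - scopes):
        issues.append(f"scope '{scope}' is not requested")
    redirect = params.get("redirect_uri", [""])[0]
    if urlsplit(redirect).scheme != "https":
        issues.append("redirect_uri is missing or not https")
    return issues


def missing_claims(id_token, claim_names):
    """List configured claim names that are absent or empty in an ID token.

    Diagnostic only: the payload is decoded without verifying the signature,
    so the result must never be used to authenticate a user.
    """
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return [name for name in claim_names if not payload.get(name)]


if __name__ == "__main__":
    # Constructed sample: the page's placeholder URL with the email scope left out.
    sample = ("https://SSOPROVIDER.COM/oauth2/default/v1/authorize"
              "?response_type=code&client_id=000000000000000&scope=openid"
              "&redirect_uri=https://inpay.es.rsmuk.com/payslipportal4/login.aspx"
              "&nonce=&state=")
    for issue in check_authorization_endpoint(sample):
        print(issue)
```

An empty list from both functions means the email scope is requested and the claim named in Email Claim is present in the token.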

How do I log in without entering my username?

Once a user has logged in once, their username will be populated on subsequent attempts (it’s stored in a cookie).

...