This guide walks you through how to set up single sign-on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal.

If clients are asking what information they need to provide, point them to Single sign on - a client guide.



What information does RSM need?

  • The OpenID Connect Configuration URL
  • The Client ID
  • The Client Secret
  • Optionally, your public key

What authentication methods are supported?

...

Go to admin in the top menu and select client SSO, then find the client in the client field.

Metadata

Enter the client's OpenID Connect configuration URL in this field. This is the identity provider's discovery document, normally at a path ending in /.well-known/openid-configuration; it publishes the provider's issuer value and the location of its signing keys, so check it loads in a browser before saving.

Options

Enable SSO - Once this is checked, all client portal users whose email address ends with Email Suffix 1 or Email Suffix 2 will be able to log in by SSO.

...

Validate issuer - Check this if the company wishes the issuer of the returned token to be validated. Their identity provider must then return an issuer value that matches the Issuer entered under Validation. Validating the issuer stops a token from a different tenant or provider being accepted, so it should normally be enabled once the correct issuer value is known.

Validation

Issuer - If Validate issuer is checked, the issuer returned in the token must match this value exactly. This is normally the issuer value published in the OpenID Connect configuration document.

Claims

The client portal supports two claims. If neither is entered, or the named claim is not present in the token, the portal falls back to the default identity name and attempts to match it to the user's client portal email address.

Email claim - The name of the claim that will contain the user's client portal email address. For example, @RSMUK.COM

Unique Id claim - The name of the claim that will contain a unique identifier for the user. This may contain the user's email address or a provider-assigned unique id. It is recorded on the user's first SSO login and, on every login after that, must match in addition to the email address.
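The following Python is an added example, not RSM's portal code. It models the behaviour described under Options, Validation and Claims above so that an administrator can see which field drives which check: the issuer is read from a constructed discovery document standing in for what the OpenID Connect configuration URL returns, the Enable SSO email-suffix rule is applied, the Issuer value is enforced only when Validate issuer is set, the user is resolved via the Email claim (falling back to an assumed "name" claim for the "default identity name"), and the Unique Id claim is bound on the first login and required to match afterwards. The discovery document, issuer URL, token contents and the fallback claim name are all assumptions; the token is unsigned so it can be built offline, and verification of the token signature against the provider's jwks_uri is deliberately out of scope.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Constructed discovery document, standing in for what the configuration
# URL entered under Metadata returns (hypothetical issuer).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.example.com/tenant-id/v2.0",
    "jwks_uri": "https://login.example.com/tenant-id/discovery/v2.0/keys",
})

# Assumed claim consulted when no Email claim is configured; the guide calls
# this the "default identity name" without naming the claim.
DEFAULT_NAME_CLAIM = "name"


@dataclass
class SsoConfig:
    email_suffixes: tuple        # Email Suffix 1 / 2 from Options
    validate_issuer: bool        # Options > Validate issuer
    issuer: str = ""             # Validation > Issuer (blank: use discovery value)
    email_claim: str = ""        # Claims > Email claim
    unique_id_claim: str = ""    # Claims > Unique Id claim


@dataclass
class PortalUser:
    email: str
    sso_unique_id: Optional[str] = None   # bound on the user's first SSO login


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: dict) -> str:
    """Constructed id_token in JWT shape with an empty signature part.
    Only for exercising the claim mapping offline; never accept alg=none."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the payload. A real implementation verifies the signature with
    the keys at jwks_uri before trusting any claim; that is out of scope."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def sso_enabled_for(email: str, config: SsoConfig) -> bool:
    """Enable SSO covers users whose email ends with Email Suffix 1 or 2."""
    suffixes = tuple(s.lower() for s in config.email_suffixes if s)
    return bool(suffixes) and email.lower().endswith(suffixes)


def check_issuer(claims: dict, config: SsoConfig, discovery_doc: str) -> None:
    """With Validate issuer checked, iss must equal the configured Issuer
    (or, if that is blank, the issuer from the discovery document)."""
    if not config.validate_issuer:
        return
    expected = config.issuer or json.loads(discovery_doc)["issuer"]
    if claims.get("iss") != expected:
        raise PermissionError(f"issuer mismatch: {claims.get('iss')!r} != {expected!r}")


def sso_login(token: str, config: SsoConfig, users: list,
              discovery_doc: str = DISCOVERY_DOC) -> PortalUser:
    claims = token_claims(token)
    check_issuer(claims, config, discovery_doc)
    # Email claim if configured and present, otherwise the default name claim.
    email = claims.get(config.email_claim) if config.email_claim else None
    email = email or claims.get(DEFAULT_NAME_CLAIM)
    if not email:
        raise LookupError("Unable to get claims: no email claim in token")
    if not sso_enabled_for(email, config):
        raise PermissionError(f"{email} does not match an enabled email suffix")
    user = next((u for u in users if u.email.lower() == email.lower()), None)
    if user is None:
        raise LookupError(f"no client portal user with email {email}")
    # Unique Id claim: recorded on first login, then required to match.
    uid = claims.get(config.unique_id_claim) if config.unique_id_claim else None
    if uid is not None:
        if user.sso_unique_id is None:
            user.sso_unique_id = uid
        elif user.sso_unique_id != uid:
            raise PermissionError("unique id claim does not match the stored value")
    return user
```

The useful thing to take from this is the order of the checks: issuer first, then suffix, then the email and unique id mapping. A token that fails the issuer check never reaches the claim mapping, which is why the troubleshooting advice further down suggests toggling Validate Issuer when claims appear to be missing.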

...

Certificate - The public certificate used to validate the returned token if Validate Audience or Validate Issuer are checked. Not required for OpenID Connect.

...

Client secret - This is the most sensitive piece of data entered on this page. The company must provide it by secure means (e.g. a client portal message), never by plain email. After populating this field and saving, it is not possible to view the value. If the secret is ever exposed, have the company generate a new one in their identity provider and re-enter it here.

...

Unable to get claims. Ask client to add a claim named UserID to return the user's email address.

First try checking Validate Issuer. The claims returned are affected by this setting.


User can't log in by SSO

If a user is unable to log in by SSO once it is enabled, first:

  1. Check the log for any error messages to forward to support
  2. Check that the user's email address is correct and ends with the text in Email Suffix 1 or Email Suffix 2
  3. Advise the user to register

...

The client would like some instructions

...

Message: AADSTS50020: User account 'employeename@company.co.uk' from identity provider 
'live.com' does not exist in tenant 'company name' and cannot access the application 
'identifier'(Payslip Portal) in that tenant. 
The account needs to be added as an external user in the tenant first. 
Sign out and sign in again with a different Azure Active Directory user account.

First confirm that the Payslip Portal user's saved email address is correct. If it is, forward the error message to the company's internal IT department, since the account needs to be added to their tenant.


Error message showing token response with no email

...

The closest we can get to pre-populating the username on the first attempt is to put it in the address, e.g. https://inpay.es.rsmuk.com/payslipportal4clientportal/?username=support@in-time.co.uk

We don't currently support IdP-initiated SSO, where the company's SSO provider would link directly to an address such as inpay.es.rsmuk.com/payslipportal4clientportal/?sso=CompanyName. Users must start from the portal sign-in page.