
This guide walks you through how to assign single sign on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal. 

...

What information does RSM need? 

The OpenID Connect Configuration URL

The Client ID (This may show as Application ID in your identity provider)

The Client Secret

Optionally, your public key

What authentication methods are supported?

OAuth 2.0

OpenID Connect

How to set it up

...

Enable SSO - Once this is checked, all client portal users with a matching email suffix will be able to log in by SSO.

Please note: If this is checked (even if other details are left blank) employees will have a client portal user created using their email address against their record.

Validate issuer - This may be checked if the company wishes to validate the issuer. They will need to configure their authentication provider to send an issuer value that matches the configured issuer.

...

The client portal supports two claims. If none are entered or available, the default identity name will be matched against the user's client portal email address. Check the log after a failed SSO login attempt to see the available claims.

Email claim - The name of the claim that will contain the user's client portal email address. For most setups, this will be email

Unique Id claim - The name of the claim that will contain a unique identifier for the user. This may also contain the user's email or a unique id for the user. It will be used to verify the user in addition to the email after the first login. For most setups, this will be email

Identification

Client id - This allows the company's authentication provider to identify the client portal and use the correct configuration.

...

Authorization Endpoint - If a username is entered on the login screen of a user that has an email with a suffix matching one of the provided suffixes, they will be sent to this address. They will then log in to their company account and be sent back to InPay with a code. After saving the setup for the first time, ensure that this URL loads showing a login page. If not, there will be an issue with the setup on the client's side.
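The following is an added example, not InPay or RSM code, that models the rules described above: the email-suffix check that decides whether a username is routed to SSO, the redirect to the Authorization Endpoint that brings the user back with a code, issuer validation, and matching the Email claim and Unique Id claim (with the default identity name as a fallback) against a client portal user. The discovery document, the idp.example.test and portal.example.test hosts, the "name" claim used as the default identity name, and all function names are assumptions made for the example; the sample claims are constructed.

```python
# Added example, not InPay or RSM code: models the SSO rules described on this
# page (email-suffix routing, the authorization-code redirect, issuer
# validation, and email / unique-id claim matching) on constructed sample data.
import secrets
from urllib.parse import urlencode

# Constructed sample of the JSON an OpenID Connect configuration URL returns.
# The idp.example.test host is a placeholder, not a real identity provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
}


def matches_suffix(username, suffixes):
    """True if the login-screen username ends with one of the configured suffixes."""
    name = username.strip().lower()
    return any(name.endswith(s.lower()) for s in suffixes)


def build_authorization_url(discovery, client_id, redirect_uri):
    """Build the redirect to the company's Authorization Endpoint.

    Returns (url, state, nonce). The portal must remember state and nonce for
    the session and check them when the user comes back with the code.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",      # authorization-code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def match_portal_user(claims, portal_users, email_claim="", unique_id_claim="",
                      validate_issuer=False, expected_issuer=""):
    """Resolve ID-token claims to a client portal user.

    portal_users maps a lower-cased portal email to a dict holding the
    unique id stored after the first SSO login (None before that).
    Returns {"ok": True, "email": ...} or {"ok": False, "error": ...,
    "available_claims": [...]} so a failed attempt shows which claims arrived.
    """
    def failure(reason):
        # Log claim names only; claim values may hold personal data.
        return {"ok": False, "error": reason, "available_claims": sorted(claims)}

    if validate_issuer and claims.get("iss") != expected_issuer:
        return failure("issuer mismatch")

    # Email claim: use the configured claim, else fall back to the default
    # identity name (assumed here to be the "name" claim).
    email = claims.get(email_claim) if email_claim else claims.get("name")
    if not email:
        return failure("no usable email claim")
    email = email.lower()
    user = portal_users.get(email)
    if user is None:
        return failure("no client portal user with that email address")

    # Unique id claim: remembered on the first login, then verified in
    # addition to the email on every later login.
    if unique_id_claim:
        presented = claims.get(unique_id_claim)
        if presented is None:
            return failure("unique id claim missing")
        if user.get("unique_id") is None:
            user["unique_id"] = presented
        elif user["unique_id"] != presented:
            return failure("unique id does not match the value stored at first login")

    return {"ok": True, "email": email}


if __name__ == "__main__":
    users = {"jane.doe@client.example": {"unique_id": None}}   # constructed
    url, state, nonce = build_authorization_url(SAMPLE_DISCOVERY, "portal-client-id",
                                                "https://portal.example.test/signin-oidc")
    print(url)
    claims = {"iss": SAMPLE_DISCOVERY["issuer"], "email": "Jane.Doe@client.example",
              "oid": "idp-user-0001"}   # constructed token claims
    print(match_portal_user(claims, users, email_claim="email", unique_id_claim="oid",
                            validate_issuer=True, expected_issuer=SAMPLE_DISCOVERY["issuer"]))
```

The failure dictionary lists only the names of the claims that arrived, which is what you need when reading the log after a failed attempt to decide which claim to enter as the Email claim or Unique Id claim.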

Sharing details with clients and logging

...

FAQ

Unable to get claims. Ask the client to add a claim named UserID that returns the user's email address.

First try checking Validate Issuer. The claims returned are affected by this setting.


User can't log in by SSO

If a user is unable to log in by SSO once enabled, first:

  1. Check the log for any error messages to forward to support
  2. Check that the user's email address is correct and ends with the text in email suffix
  3. Advise the user to register

If they're using Azure (the metadata URL will start with login.microsoft...), are still having issues, and you're seeing large amounts of text in the log, ensure the client has added the email claim by sending them these instructions:

...

Once they've completed these steps, set the Email Claim and Unique Id Claim in InPay to email.


Do you support SAML or SAML 2.0?

...

Once a user has logged in once, their username will be populated on subsequent attempts (it's stored in a cookie). The closest we can get to populating it on the first attempt is to put the username into the address, e.g. https://inpay.es.rsmuk.com/clientportal/?username=support@in-time.co.uk

We don't currently support IdP-Initiated SSO. This is where they would have an address for their SSO provider, e.g. inpay.es.rsmuk.com/clientportal/?sso=CompanyName