Description
...
The following authentication methods are supported:
OAuth 2.0
OpenID Connect
Usage
SSO removes the need for Payslip Portal users to use a password. Once set up and enabled, users can log in with their company account.
...
Validate Issuer: Check this if the company wishes to validate the issuer. When it is checked, the issuer returned by the identity provider (the iss claim of the ID token) must match the Issuer setting, so the company will need to configure their identity provider to return a matching issuer. When it is unchecked, the returned issuer is not checked.
...
Issuer: If Validate Issuer is checked, the returned issuer must match this value.
...
Once the user is returned from the Authorization Endpoint, the request is logged, including any issues found.
Instructions For IdP Initiated SSO Login
Prerequisite:
The provider details must include the SSO details described above as well as the value of the IdP Code.
The username and email address associated with the user must match (see IdP Users).
Steps to Login:
Navigate to the company's designated IdP login URL, or to: siteURL/idpsso?p={{UniqueIdPCode}}
Click on the respective login type:
IdP Login lets users access the application by starting the authentication process from their Identity Provider (IdP). In our case this is “Portal IdP Login”.
“Use Default login” lets users access the application by redirecting them to the default login page.
FAQ
Unable to get claims
Ask the client to add a claim named UserID that returns the user's email address. First try checking Validate Issuer; the claims returned are affected by this setting.
User can't log in by SSO
If a user is unable to log in by SSO once it is enabled, first:
Check the log for any error messages and forward them to support
Check that the user's email address is correct and ends with the text in Email Suffix 1 or Email Suffix 2
Advise the user to register
If they're using Azure (the metadata URL will start with login.microsoft...), are still having issues, and you're seeing large amounts of text in the log, ensure the client has added the email claim by sending them these instructions:
Sign in to the Azure portal.
After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.
Search for and select Azure Active Directory.
Under Manage, select App registrations.
Find the application you want to configure optional claims for in the list and select it.
Under Manage, select Token configuration.
Select Add optional claim, select the ID token type, select email from the list of claims, and then select Add.
...
No, but most identity providers support OAuth 2.0 or OpenID Connect.
A search for the name of the identity provider together with "OpenID Connect" will usually give the instructions as the first result, e.g.:
"google openId Connect": https://developers.google.com/identity/protocols/oauth2/openid-connect
"oracle idcs openid connect": https://blogs.oracle.com/developers/authenticating-users-with-oracle-idcs-via-openid-connect-and-micronaut
The client would like some instructions
...
The full Authorization Endpoint would then be similar to https://SSOPROVIDER.COM/oauth2/default/v1/authorize?response_type=code&client_id=000000000000000&scope=openid+email&redirect_uri=https://inpay.es.rsmuk.com/payslipportal4/login.aspx&nonce=&state= (the nonce and state parameters are shown empty here; in a real request each carries a fresh random value, which ties the response back to the browser session (state) and the ID token to the request (nonce)).
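The following is an added example, not the portal's own code, that ties together the settings and FAQ entries above: it builds the authorization request shown in the URL above with proper nonce and state values, checks the state on the redirect back to login.aspx, and then applies the checks behind the Validate Issuer / Issuer settings and the "Unable to get claims" and "User can't log in by SSO" entries to an ID token. SSOPROVIDER.COM, the client_id and the redirect_uri are the placeholder values from this page; the issuer value, the email suffixes, the shared secret and the constructed ID tokens are assumptions made for the example. Real identity providers sign ID tokens with RS256 using the keys published at the jwks_uri in their metadata document, which needs a JWT library; HS256 is used here only so the example runs offline.

```python
"""Added example: OpenID Connect request building and ID token checks for the
Payslip Portal SSO settings. Issuer, email suffixes, secret and tokens are
assumed values, not taken from the page."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Settings as they would be entered on the SSO page. The endpoint host,
# client_id and redirect_uri are the page's placeholders; the rest are assumed.
CONFIG = {
    "authorization_endpoint": "https://SSOPROVIDER.COM/oauth2/default/v1/authorize",
    "client_id": "000000000000000",
    "redirect_uri": "https://inpay.es.rsmuk.com/payslipportal4/login.aspx",
    "issuer": "https://SSOPROVIDER.COM/oauth2/default",     # Issuer setting (assumed)
    "validate_issuer": True,                                # Validate Issuer checkbox
    "email_suffixes": ["@example.com", "@example.co.uk"],    # Email Suffix 1 / 2 (assumed)
}

def build_authorize_url(cfg, state=None, nonce=None):
    """Return (url, state, nonce). The page's example URL leaves nonce= and state=
    empty; each real request needs fresh random values for both."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "scope": "openid email",    # urlencode renders this as openid+email
        "redirect_uri": cfg["redirect_uri"],
        "nonce": nonce,
        "state": state,
    }
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}", state, nonce

def code_from_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to login.aspx,
    refusing it unless the state echoes the one we sent (CSRF protection)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims, secret):
    """Constructed ID token for this example only (real IdPs use RS256 keys
    from their jwks_uri; verify those with a JWT library, not this helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token, secret, cfg, expected_nonce):
    """Return (ok, problems, claims). Nothing in the payload is trusted until
    the signature verifies; then issuer, audience, nonce and the email claim
    are checked the way the settings and FAQ on this page describe."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, ["token is not a three-part JWT"], {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return False, ["unexpected alg in token header"], {}   # no alg confusion
        expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return False, ["signature does not verify"], {}
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, ["token is not valid base64url/JSON"], {}
    problems = []
    if cfg["validate_issuer"] and claims.get("iss") != cfg["issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} does not match the Issuer setting")
    if claims.get("aud") != cfg["client_id"]:
        problems.append("aud does not match client_id")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the authorization request")
    # FAQ "Unable to get claims": the IdP must return the user's email address,
    # either as the standard email claim or as a claim named UserID.
    email = claims.get("email") or claims.get("UserID")
    if not email:
        problems.append("unable to get claims: no email or UserID claim")
    elif not any(email.lower().endswith(s.lower()) for s in cfg["email_suffixes"]):
        problems.append(f"email {email!r} does not end with Email Suffix 1 or 2")
    return not problems, problems, claims
```

The problems list is what the log entry described under "Once the user is returned from the Authorization Endpoint" would need to contain to be useful to support: a wrong issuer, a missing email/UserID claim and a non-matching email suffix each produce a distinct message, while a signature or alg failure stops processing before any claim is read.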
How do I log in without entering my username?
...