Single sign on - RSM Admin guide

This guide walks you through how to assign single sign on (SSO) for a client and enter their authentication details. This works in the same way as SSO for the payslip portal. 

If clients are asking what information they need, they can access Single sign on - a client guide.

What information does RSM need?

What authentication methods are supported?

How to set it up

FAQ

What information does RSM need? 

The OpenID Connect Configuration URL

The Client ID (This may show as Application ID in your identity provider)

The Client Secret

Optionally, your public key

What authentication methods are supported?

OAuth 2.0

OpenID Connect

How to set it up

Go to Admin in the top menu and select Client SSO, then find the client in the Client field.

Metadata

You will need to enter the OpenID Connect configuration URL.

Options

Enable SSO - Once this is checked, all client portal users with a matching email suffix will be able to log in by SSO.

Validate issuer - Check this if the company wishes to validate the issuer. Their identity provider must then return an issuer value matching the issuer entered under Validation.

Validation

If Validate issuer is checked, the issuer returned in the token must match this value.

Claims

The client portal supports two claims. If none are entered or available, the default identity name is matched against the user's client portal email address. Check the log after a failed SSO login attempt to see which claims were available.

Email claim - The name of the claim that will contain the user's client portal email address. For most setups, this will be email.

Unique Id claim - The name of the claim that will contain a unique identifier for the user. This may contain the user's email or a unique id for the user. After the first login it is used to verify the user in addition to the email. For most setups, this will be email.
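The matching rules above (email claim, optional unique id claim bound at first login and checked on later logins, and the list of available claims on failure) are shown here as an added Python example. It is not the portal's own code: the claim names, the sample users and the choice of the "name" claim as the default identity name are assumptions made for illustration, and the claims passed in are taken to come from an id_token whose signature has already been verified.

```python
import logging
from dataclasses import dataclass
from typing import List, Optional, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("client-portal-sso")

# Assumption: when no Email claim is configured, the page says the "default
# identity name" is matched; this example treats the "name" claim as that default.
DEFAULT_IDENTITY_CLAIM = "name"


@dataclass
class ClaimsConfig:
    """The two Claims fields from the admin page; blank means not configured."""
    email_claim: str = ""
    unique_id_claim: str = ""


@dataclass
class PortalUser:
    email: str
    sso_unique_id: Optional[str] = None  # bound on the user's first SSO login


class SsoMatchError(Exception):
    pass


def match_user(claims: dict, cfg: ClaimsConfig, users: List[PortalUser]) -> PortalUser:
    """Map the claims of an already signature-verified id_token to a portal user.

    Raises SsoMatchError carrying the names of the claims that were present, so a
    failed attempt leaves the admin the same information the log is meant to show.
    """
    email_claim = cfg.email_claim or DEFAULT_IDENTITY_CLAIM
    email = claims.get(email_claim)
    if not email:
        raise SsoMatchError(
            f"claim {email_claim!r} not returned; available claims: {sorted(claims)}")

    # Email comparison is case-insensitive; the provider may return mixed case.
    user = next((u for u in users if u.email.lower() == str(email).lower()), None)
    if user is None:
        raise SsoMatchError(f"no client portal user has the email {email!r}")

    if cfg.unique_id_claim:
        uid = claims.get(cfg.unique_id_claim)
        if uid is None:
            raise SsoMatchError(
                f"claim {cfg.unique_id_claim!r} not returned; available claims: {sorted(claims)}")
        if user.sso_unique_id is None:
            user.sso_unique_id = str(uid)  # first login: remember the provider's id
        elif user.sso_unique_id != str(uid):
            # Same email address but a different identity than the one bound at first login
            raise SsoMatchError("unique id does not match the value bound at first login")
    return user


def attempt_login(claims: dict, cfg: ClaimsConfig, users: List[PortalUser]) -> Tuple[bool, str]:
    """Wrapper returning (success, message) and logging failures."""
    try:
        user = match_user(claims, cfg, users)
    except SsoMatchError as exc:
        log.warning("SSO login failed: %s", exc)
        return False, str(exc)
    return True, f"logged in as {user.email}"


if __name__ == "__main__":
    # Constructed sample claims, as they might appear in the log after a login.
    directory = [PortalUser("jane@client.example")]
    cfg = ClaimsConfig(email_claim="email", unique_id_claim="oid")
    print(attempt_login({"email": "jane@client.example", "oid": "abc-123"}, cfg, directory))
    print(attempt_login({"sub": "1", "oid": "abc-123"}, cfg, directory))
```

The second call in the usage block fails because no email claim was returned, and the message lists the claims that were present, which is the first thing to check in the log when a user cannot log in.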

Identification

Client id - This allows the company's authentication provider to identify the client portal and use the correct configuration.

Email suffix - Users whose email matches the provided suffix will log in by SSO. This allows users who have left the company, or users without a company account, to log in with a password.

Security

Certificate - The public certificate used to validate the returned token if Validate Audience or Validate Issuer are checked. Not required for OpenID Connect.

Log out URL - This URL will be called just before a user logs out to log them out of their company account. Some providers may choose not to support this.

Client secret - This is the most sensitive piece of data entered on this page. The company must provide it by secure means (e.g., a client portal message). After populating this field and saving, it is not possible to view the value.

Endpoints

These may be populated from the Metadata URL or entered manually.

Token Endpoint - This will be called with the code returned from the Authorization Endpoint to get the access_token and id_token for the user. If the details match those of the requested user, they will be logged in.

Authorization Endpoint - If a username is entered on the login screen for a user whose email has a suffix matching one of the provided suffixes, they will be sent to this address. They will then log in to their company account and be sent back to InPay with a code. After saving the setup for the first time, ensure that this URL loads and shows a login page. If not, there is an issue with the setup on the client's side.

Sharing details with clients and logging

To easily confirm with a client that the correct configuration has been entered, click the Show Plain Details button.

Once a user is returned from the Authorization Endpoint, the request will be logged showing any issues.

FAQ

Unable to get claims

First try checking Validate Issuer. The claims returned are affected by this setting.


User can't login by SSO

If a user is unable to log in by SSO once it is enabled, first:

  1. Check the log for any error messages to forward to support
  2. Check that the user's email address is correct and ends with the text in Email suffix

If they're using Azure (the metadata URL will start with login.microsoft...), are still having issues, and you're seeing large amounts of text in the log, ensure the client has added the email claim by sending these instructions:

  • Sign in to the Azure portal.

  • After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.

  • Search for and select Azure Active Directory.

  • Under Manage, select App registrations.

  • Find the application you want to configure optional claims for in the list and select it.

  • Under Manage, select Token configuration.

  • Select Add optional claim, select the ID token type, select email from the list of claims, and then select Add.

Once they've completed these steps, set the Email Claim and Unique Id Claim in InPay to email.


Do you support SAML or SAML 2.0?

No, but most identity providers can support OAuth 2.0 or OpenId Connect.

A search for the name of the identity provider together with "OpenId Connect" will usually give instructions as the first result.


Error message showing token response with no email

This may be because the claim is not being returned. Update the Authorization Endpoint to request the email scope: scope=openid+email

The full Authorization Endpoint would then be similar to https://SSOPROVIDER.COM/oauth2/default/v1/authorize?response_type=code&client_id=000000000000000&scope=openid+email&redirect_uri=https://inpay.es.rsmuk.com/payslipportal4/login.aspx&nonce=&state=
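The pieces described under Endpoints and in this FAQ entry (populating the endpoints from the metadata document, building the authorization URL with the email scope, and checking what came back in the id_token, including the issuer and audience checks controlled by the Validate settings) are shown together here as an added Python example. It is not the portal's own code: the discovery document is a constructed sample, the client id and redirect URI are the ones from the example URL above, and the sample id_token is built unsigned purely as input. The claim checks assume the token's signature has already been verified against the provider's keys; the decoding function below does not do that.

```python
import base64
import json
import time
from typing import List, Optional
from urllib.parse import urlencode

# Constructed sample of an OpenID Connect discovery document, i.e. what the
# OpenID Connect Configuration URL serves; real documents carry many more fields.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://SSOPROVIDER.COM/oauth2/default",
    "authorization_endpoint": "https://SSOPROVIDER.COM/oauth2/default/v1/authorize",
    "token_endpoint": "https://SSOPROVIDER.COM/oauth2/default/v1/token",
})

# Redirect URI taken from the page's example authorization URL.
REDIRECT_URI = "https://inpay.es.rsmuk.com/payslipportal4/login.aspx"


def endpoints_from_metadata(discovery_json: str) -> dict:
    """Populate the Endpoints fields (and the expected issuer) from the metadata document."""
    doc = json.loads(discovery_json)
    return {key: doc[key] for key in ("issuer", "authorization_endpoint", "token_endpoint")}


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            state: str, nonce: str, scope: str = "openid email") -> str:
    """Build the URL the user is sent to; urlencode renders the scope as openid+email."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "nonce": nonce,
        "state": state,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a JWT id_token for inspection (as a log would show it).
    This does NOT verify the signature; treat the result as untrusted until it has."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: dict, *, client_id: str, nonce: str,
                          expected_issuer: Optional[str], validate_issuer: bool,
                          validate_audience: bool, email_claim: str = "email",
                          now: Optional[float] = None) -> List[str]:
    """Return the problems found (an empty list means the claims are acceptable)."""
    problems = []
    now = time.time() if now is None else now
    if validate_issuer and claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} does not match {expected_issuer!r}")
    if validate_audience:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if client_id not in audiences:
            problems.append(f"client id {client_id!r} not in audience {audiences!r}")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the authorization request")
    if "exp" not in claims or now >= float(claims["exp"]):
        problems.append("id_token is expired or has no exp claim")
    if email_claim not in claims:
        problems.append(f"no {email_claim!r} claim returned; request scope=openid+email")
    return problems


def sample_id_token(payload: dict) -> str:
    """Construct an unsigned JWT purely as sample input; a real provider's token is signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    eps = endpoints_from_metadata(SAMPLE_DISCOVERY)
    print(build_authorization_url(eps["authorization_endpoint"], "000000000000000",
                                  state="s1", nonce="n1"))
    token = sample_id_token({"iss": eps["issuer"], "aud": "000000000000000",
                             "nonce": "n1", "exp": 2000000000})  # no email claim
    print(check_id_token_claims(id_token_claims(token), client_id="000000000000000",
                                nonce="n1", expected_issuer=eps["issuer"],
                                validate_issuer=True, validate_audience=True))
```

The redirect_uri in the generated URL is percent-encoded, which is the correct wire form of the literal URL shown above. The usage block reproduces this FAQ's situation: every check passes except the missing email claim, and the returned problem names the scope change to make.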


How do I login without entering my username?

Once a user has logged in once, their username will be populated on subsequent attempts (it's stored in a cookie).

We don't currently support IdP-initiated SSO.

