Single Sign On

You can link your PeopleLog system, or our Payslip Portal, with your Microsoft Active Directory system so that your users will not need a separate username and password.  You can then put a link on your Intranet that will take your employees directly into the system.  This provides a better experience for your employees.

Configuration

To use this feature, your IT team needs to configure an application in your Active Directory.  If you use Azure, you would do this by creating an application with the details shown below.

Please note that we cannot offer assistance with the configuration.  Please contact your IT Team or Services provider if you have any problems.

First, log in to your Azure portal and click "Active Directory".

Then click "App registrations" and then click the "New registration" link.

On the next page, enter a name (e.g. RSM) and enter one of the following into the Redirect URL box

Click the Register button and you will see a screen similar to the one shown below.

From the next page, copy the "Application (client) ID".  We'll need you to send that to us later.

Now click the "End Points" tab and copy the value from the "OpenID Connect metadata document" field.  We'll need you to send that to us later.

Make sure the "ID Tokens" tab is ticked


Now set up a client secret.  Click the "Certificates and secrets" link, then click "New client secret".  In the popup, enter a description.  We recommend that you choose Never in the expires field.  Then click Add.

When the page refreshes, copy the value immediately.  If you move away from this screen you will not be able to copy this value again and you'll have to repeat the process.  You need to send that value to us later.


Add an email claim (Payslip Portal only if not using openid+email scope):

  • Under Manage, select Token configuration.

  • Select Add optional claim, select the ID token type, select email from the list of claims, and then select Add.


You now have all the information you need for us to configure your single sign-on.  Please provide the following details to your support team.

  • The OpenID Connect Configuration URL
  • The Client ID
  • The Client Secret
  • Optionally, your public key

Once our support team have received these details, they will perform the configuration and invite you to test your access. 
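Before sending these details, your IT team can sanity-check the metadata document and a decoded test ID token. The sketch below is an added example, not part of the vendor's software: it checks for the "code" response type, the "openid email" scopes and the email claim described on this page. The function names and sample values are constructed, and it assumes the token's signature has already been verified against the `jwks_uri` keys.

```python
import time

REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_metadata(meta):
    """Return a list of problems found in an OpenID Connect metadata document."""
    problems = []
    for key in REQUIRED_URLS:
        if not str(meta.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    # scopes_supported is optional in the discovery spec; only check it if present.
    scopes = meta.get("scopes_supported")
    if scopes is not None:
        for scope in ("openid", "email"):
            if scope not in scopes:
                problems.append(f"scope '{scope}' not advertised")
    return problems

def check_id_token_claims(claims, meta, client_id, now=None):
    """Check decoded ID token claims; signature verification is assumed done elsewhere."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != meta.get("issuer"):
        problems.append("iss does not match metadata issuer")
    aud = claims.get("aud")  # may be a single string or a list of audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("email"):
        problems.append("email claim missing (add the optional claim)")
    return problems

# Constructed sample values, not taken from a real tenant.
BASE = "https://login.example.test/TENANT-PLACEHOLDER"
SAMPLE_META = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
}
SAMPLE_CLAIMS = {"iss": f"{BASE}/v2.0", "aud": "CLIENT-ID-PLACEHOLDER", "exp": 2_000_000_000}

if __name__ == "__main__":
    print(check_metadata(SAMPLE_META),
          check_id_token_claims(SAMPLE_CLAIMS, SAMPLE_META, "CLIENT-ID-PLACEHOLDER", now=1_700_000_000))
```

An empty list means no problems were found; the sample token above reports only the missing email claim, which is the case the optional-claim step fixes.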


InTIME

In InTIME an administrator can configure this themselves, using the process below.

  1. Navigate to Administration (Cog) → Security Settings Menu
  2. Add the "OpenID Connect metadata document" (collected above) to the "Metadata URL" field and click the "Load Configuration" button
  3. Add "code" to the "Response Type" field.
  4. Add "openid email" to the "Requested Scopes" field.
  5. Add the "Client ID" (collected above) to the "Client ID" field.
  6. Add the "Client Secret" (collected above) to the "Client Secret" field.
  7. Click "Save" at the bottom.
  8. Optionally, you can use "Require Single-Sign-On Authentication for user types" to require SSO for ALL users of a specific type, OR you can enable it individually with the "Requires SSO" tick box on the user. Remember you can ONLY do SSO for users who are in your Azure.
  9. On the login page, enter the email on the first page; when you click OK, it should connect to your Azure for authentication.
  10. On the Login page add your email to the