
Set up Access Identity single sign on (SSO)

Setting up Access Identity SSO.

Written by Joshua Shooter
Updated over 3 months ago

Access Identity SSO is linked directly to a domain rather than to a user. Once a domain is set up for SSO, all users with email addresses that use that domain will be covered by the SSO.

Once SSO is set up for a domain, all users under that domain can no longer manually log in.

📌 Note: All users under a certain domain will need to be supported by your authentication provider.

The SSO certificate doesn't need to be uploaded anymore.

To configure Access Identity SSO, follow the steps as described in the table below:

Step

Details

Identify your domains

Typically, the domain is your company name followed by .com or .co.uk. For example, in the email address test.test@theaccessgroup.com, the domain is theaccessgroup.com. If in doubt, contact your IT team.

Identify who manages your domain

Typically, someone from your IT department has access to the domain DNS. Get in touch with them and ask them to add a TXT record to verify ownership of the domain.

Identify who manages your authentication

Usually, your IT department manages your domain, and they're able to set up an OpenID Connect (OIDC) endpoint to interact with Access Identity.

Common providers are ADFS and Azure AD, for which we supply example steps. However, most authentication providers support this protocol.

Register for identity

To register each domain with Access Identity, you need to register at least one email address per domain. To do this, go to https://identity.accessacloud.com/ and click Create New Account.

Note: If you have already registered with Access Identity because you use other Access products, go to https://identity.accessacloud.com/ and either enter your password or, if you have forgotten it, reset it to access your Identity account.

Do this with one email address per domain you wish to set up. Ideally, this person should be your administrator in case you need to come back and edit this later.

This is a one-off task with one user per domain. Once the setup is complete, all other users automatically move to Access Identity, without any impact on how they log in.

Repeat this step and further steps once per domain.

Set up SSO

Once you've registered, your IT team or your domain manager needs to complete the Access Identity Federation configuration.

You do not need to contact your account manager at this stage.

Note: 2FA and SSO are included in all PeopleHR packages.

Activate SSO

To enable the Federation settings within the Security Policy and apply these settings to your users, you need to assign the security policy to your verified Domain and ensure that the Enable federation option is enabled.

Run a test

Sign out of Access Identity. To test your setup, go back to https://identity.accessacloud.com/ and type in your email address. When you click Next, you should be redirected automatically to your internal authentication server and be able to authenticate yourself.

If you can do this and successfully get back to Access Identity, your domain is set up, and all users with the same email domain are ready to use SSO when they next log in.

📌 Note: If you do not own a domain, for example where user email addresses are on iCloud or Yahoo, those users are unable to log in via SSO. We do offer social sign-in options for Gmail, Microsoft, and LinkedIn, which allow users to authenticate through them directly. All other domains need to log in with a username and password going forward.

If users are asked to log in manually, double-check with your IT team that the domains have been registered correctly.

📌 Note: IT won't need any extra permissions in PeopleHR to action SSO. They would only need to have access to the Identity account they created.

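Because enabling federation removes manual login for every user on the domain, it is worth checking before the Activate SSO step that each of those users has an account in your authentication provider. The following is an added example, not Access Identity or PeopleHR code: it assumes both user lists are exported as email addresses, that accounts are matched by email address and exact domain, and all function names and sample addresses are constructed.

```python
from collections import defaultdict


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def sso_lockout_report(app_users, idp_users, sso_domains):
    """Group application users by what enabling SSO does to them.

    app_users   -- email addresses of the application's users
    idp_users   -- email addresses the authentication provider can sign in
    sso_domains -- domains about to have federation enabled
    Assumption: matching is by email address and exact domain, case-insensitive.
    """
    known = {u.strip().lower() for u in idp_users}
    federated = {d.strip().lower() for d in sso_domains}
    report = {name: defaultdict(list)
              for name in ("covered", "locked_out", "password_login")}
    for user in app_users:
        user = user.strip()
        domain = email_domain(user)
        if domain not in federated:
            bucket = "password_login"   # domain not federated: login unchanged
        elif user.lower() in known:
            bucket = "covered"          # provider can authenticate this user
        else:
            bucket = "locked_out"       # federated domain, no provider account
        report[bucket][domain].append(user)
    return {name: dict(groups) for name, groups in report.items()}


# Constructed sample data (not real accounts).
APP_USERS = ["amy@example.com", "Bob@Example.com", "carol@example.com",
             "dan@example.co.uk", "erin@icloud.com"]
IDP_USERS = ["amy@example.com", "bob@example.com", "dan@example.co.uk"]
SSO_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for bucket, groups in sso_lockout_report(
            APP_USERS, IDP_USERS, SSO_DOMAINS).items():
        for domain, users in sorted(groups.items()):
            print(f"{bucket:15} {domain:15} {', '.join(users)}")
```

Any address listed under `locked_out` should be added to the authentication provider, or moved to a different email domain, before federation is enabled for that domain.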