
Configure Access Identity single sign-on

Set up Access Identity single sign-on (SSO).

Written by Debs
Updated over 4 months ago

Access Identity SSO links directly to a domain rather than a user. Once you set a domain up for SSO, all users with email addresses using that domain are covered by the SSO.

Once you set up SSO for a domain, all users under the domain can no longer manually log in.

When configuring SSO or 2FA, make sure your business allows emails from noreply@accessacloud.com so that you receive the verification emails.

Note: Your authentication provider needs to support all users under a given domain. You no longer need to upload the SSO certificate.

There are two phases to enable SSO:

  • Phase one: Configure SSO. You need to do this before the date we provide for Access Identity enablement.

  • Phase two: Complete this as soon as possible after you enable Access Identity. We recommend you let your users know and schedule time the following day to complete phase two.

Phase 1: Configure SSO

To configure Access Identity SSO, follow the steps in each section below.

Identify your domains

Your domain is the part of an email address after the @ symbol. Usually, it's your company name followed by .com or .co.uk. For example, if the email address is test.test@theaccessgroup.com, the domain is theaccessgroup.com.

We recommend you use at least one email address from each domain you need to register, and ensure you can test emails with at least one user per domain.

If you're unsure, we recommend you contact your IT team.


Identify who manages your domain

Usually, someone from your IT department or HR team has access to the DNS records for your domain. You need to identify who can add a TXT record to those records, because that is how you verify ownership of the domain.


Identify who manages your authentication

Usually, your IT department manages your domain, and they can set up an OpenID Connect (OIDC) endpoint to interact with Access Identity.

Common providers are ADFS and Azure AD, for which we supply example steps; however, most authentication providers support this protocol.
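Before handing a provider over for federation, it is worth confirming that it publishes standard OpenID Connect Discovery metadata, since that is what any OIDC relying party needs. The following is an added example and is not part of this article or of Access Identity; it checks the fields that the OpenID Connect Discovery 1.0 specification marks as required, plus a few defender-side sanity checks (HTTPS-only endpoints, the code response type, asymmetric ID-token signing). The discovery document and issuer URL below are constructed placeholders, not a real tenant's metadata, and Access Identity's own requirements may differ.

```python
"""Pre-check an OpenID Connect provider's discovery document.

Added example (not from the Access Identity article). The required-field
list comes from OpenID Connect Discovery 1.0; the sample document below is
constructed for illustration and uses a placeholder issuer.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample document (placeholder issuer, not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/adfs",
    "authorization_endpoint": "https://idp.example.test/adfs/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/adfs/oauth2/token",
    "jwks_uri": "https://idp.example.test/adfs/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def check_discovery(document: str, expected_issuer: str) -> list[str]:
    """Return a list of problems found in a discovery document (empty = OK)."""
    problems = []
    try:
        meta = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if field not in meta:
            problems.append(f"missing required field: {field}")

    # The issuer must match exactly what the relying party will be configured
    # with; a mismatch makes ID token validation fail later.
    issuer = meta.get("issuer")
    if issuer is not None and issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")

    # Every endpoint a browser or server will be sent to must use HTTPS.
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = meta.get(field)
        if isinstance(value, str) and urlparse(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")

    # A code-flow relying party needs the "code" response type; if the provider
    # lists its scopes, "openid" must be among them.
    if "code" not in meta.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    scopes = meta.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("provider does not advertise the 'openid' scope")

    # Only asymmetric ID-token signing (RSA / RSA-PSS / ECDSA) is acceptable.
    algs = meta.get("id_token_signing_alg_values_supported", [])
    if algs and not any(alg.startswith(("RS", "PS", "ES")) for alg in algs):
        problems.append(f"no asymmetric id_token signing algorithm: {algs}")
    return problems


def fetch_discovery(issuer: str, timeout: float = 10.0) -> str:
    """Download the discovery document for a live issuer (network required)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    report = check_discovery(SAMPLE_DISCOVERY, "https://idp.example.test/adfs")
    for line in report or ["OK: discovery document looks usable for OIDC federation"]:
        print(line)
```

To check a real provider, pass `fetch_discovery(issuer)` to `check_discovery` with the issuer URL your IT team gives you; an empty result means the document has everything a standard OIDC relying party expects, which is a reasonable gate before the federation configuration itself.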


Register for Access Identity

If you haven't already, you need to register each domain with Access Identity, and register at least one email address per domain. To do this, go to https://identity.accessacloud.com/ and click Create New Account.

Once you've done this, all other users automatically move to Access Identity, without any impact on how they log in.


Set up SSO

Once you register, your IT team or domain manager needs to complete the Access Identity Federation configuration for each domain. The document details how to configure AD FS 2016 and Azure AD; the steps for other OpenID Connect identity providers will be similar.

You don't need to contact your account manager at this stage.

Note: 2FA and SSO are included in all Paycircle packages.

Activate SSO

To enable the federation settings within the security policy and apply them to your users, assign the security policy to your verified domain and select the Enable federation option.


Run a test

Sign out of Access Identity. Then, to test your setup, go back to https://identity.accessacloud.com/ and type in your email address. When you click Next, you should be redirected automatically to your internal authentication server and be able to authenticate yourself.

If you can do this and successfully get back to Access Identity, your domain is set up, and all users with the same email domain are ready to use SSO when they next log in.

Phase 2: Disable SSO in Paycircle and invite admins

Once you've configured SSO, you need to disable it in Paycircle and invite admins. To do this, follow the steps in each section below.


Turn off SSO in Paycircle

In the Access area of your bureau settings, turn off Single sign-on. This changes all bureau admins from SSO to standard admins.


Invite bureau admins to register

Some bureau admins may never have registered for Paycircle in the standard way, having previously been set up with their email address and SSO authentication ID. Because of this, you need to send their invitation to register for Paycircle.

Note: Registration links expire after 24 hours. You can resend their invitation if this happens.

Register for Paycircle

Each admin needs to register for Paycircle using an email with the correct domain. As part of their registration, their accounts migrate to Access Identity. Once signed in, their accounts use the new SSO policy you set up.

Note: If an admin registered for Paycircle before you enabled SSO, they can sign in using their original username and password, and their account also migrates to Access Identity.

Sign into Paycircle

When users next log into Paycircle, rather than clicking Use single sign-on, they simply enter their username or email address and click Next, and they are redirected to Access Identity.
