This guide details configuring SSO in Inova UKG, including exporting Service Provider metadata, setting up the IDP application, matching usernames, importing IDP metadata, testing SSO, and activating the configuration. It notes that additional IDP setup is required and advises contacting the IDP's support team for help. The guide also covers bypass login URLs, mobile app considerations, and disabling SSO safely.
- Step 1 - Export Service Provider Metadata XML from Inova UKG and record Inova UKG username format
- Step 2 - Create and configure a new application and claim on the Identity Provider site and export an Identity Provider (IDP) metadata file
- Step 3 - Make sure the Username in Inova UKG matches the unique identifier specified in the Identity Provider configuration
- Step 4 - Import the Metadata from Identity Provider (IDP) into Inova UKG
- Step 5 – Test the SSO setup
- Step 6 – Activating the SSO configuration
Overview
Clients may elect to utilize Single Sign-On (SSO) in Inova UKG to enhance user accessibility and streamline login processes.
SSO is an authentication process that allows users to access multiple applications with a single set of login credentials, usually their system email. SSO simplifies user access by connecting to a third-party service, typically an Identity Provider (IDP), which manages the authentication. When SSO is enabled, users are redirected to the IDP's authentication page instead of the standard Inova UKG login screen. Setup involves obtaining a metadata file from the IDP and ensuring that the usernames in Inova UKG align with the username from the IDP.
This guide provides step-by-step instructions for configuring SSO within the Inova UKG platform. Additional setup must be performed within the IDP product as well. As a convenience, guidance on the IDP setup is included in this document, but it is not intended to be used as a resource for the IDP product, and Inova does not provide support for third-party applications.
If additional information or assistance is needed regarding the setup in the IDP, it is recommended that you reach out to the IDP support team.
Client Instructions
Step 1 - Export Service Provider Metadata XML from Inova UKG and record the Inova UKG username format
- Log in to Inova UKG.
- Go to the Team > My Team > Employee Information screen.
- Note the username format: whether it is the full email, first initial and last name, a number, etc.
- Go to the Global Setup > Company Setup screen.
- Select the Login Config tab.
- Enable the checkbox next to Enable Single Sign-On (SAML 2.0).
- Copy and paste the Bypass Redirect URL that appears into a Word document or bookmark it in your web browser. This Bypass URL will allow you to bypass single sign-on and access the Inova UKG login if the IDP is down or the certificate expires.
- Select Export Service Provider Metadata and save the sp-metadata.xml file.
Step 2 - Create and configure a new application and claim on the Identity Provider site and export an Identity Provider (IDP) metadata file
You may configure your SSO application on the IDP side by importing the service provider metadata XML file downloaded in Step 1 above. If the metadata upload is not available, you can manually assign the Audience URL from Inova UKG as the Entity ID and the Endpoint URL from Inova UKG as the ACS (Reply) URL in the new SSO configuration. You will also need to specify the unique user identifier that will match the Username in Inova UKG and grant users permission to use your IDP's SSO application.
For further help with the SSO configuration in the IDP, contact a member of their support team.
Once the SSO Configuration is completed on the IDP side, obtain the IDP Metadata XML file (also referred to as the Federation metadata file) and note the Login URL for the steps below.
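When the IDP cannot import the metadata file, the two values described above can be read out of sp-metadata.xml directly. The following is an added example, not part of the Inova UKG product or documentation; it assumes the exported file is standard SAML 2.0 metadata, and the URLs in the sample are constructed.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; a real sp-metadata.xml will carry different values.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/audience">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs-artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def is_true(value):
    # xs:boolean allows both "true" and "1".
    return value in ("true", "1")


def sp_settings(xml_text):
    """Return the Entity ID and ACS URL to enter in the IDP, plus warnings."""
    # Refuse DTDs so a tampered file cannot trigger entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    acs = [e for e in sp.findall(MD + "AssertionConsumerService")
           if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint flagged isDefault, then the lowest index.
    acs.sort(key=lambda e: (not is_true(e.get("isDefault")), int(e.get("index", "0"))))
    out = {"entity_id": root.get("entityID"), "acs_url": acs[0].get("Location"),
           "warnings": []}
    if not out["acs_url"].lower().startswith("https://"):
        out["warnings"].append("ACS URL is not HTTPS")
    if not is_true(sp.get("WantAssertionsSigned")):
        out["warnings"].append("SP does not request signed assertions")
    return out
```

Enter `entity_id` as the Entity ID and `acs_url` as the ACS (Reply) URL, and resolve any warning before continuing.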
Step 3 - Make sure the Username in Inova UKG matches the unique identifier specified in the Identity Provider configuration
- Update the Inova UKG username field for all employees with the unique identifier from the IDP. This may be the IDP username, mail nickname, or other field specified in Step 2. You may update the username field in Inova UKG by importing an employee file containing the new usernames. Consult your Inova Account Manager if assistance is needed with this step.
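Before activating SSO, the username list can be reconciled against the IDP's identifiers so that mismatches surface ahead of the first failed login. The following is an added example, not an Inova UKG or IDP tool; the CSV column names and sample rows are constructed assumptions. Whether usernames are compared case-sensitively is not stated in this guide, so case-only differences are flagged for review.

```python
import csv
import io
from collections import Counter

# Constructed sample exports; column names are assumptions, not vendor formats.
UKG_EXPORT = """employee_id,username
1001,asmith@example.test
1002,BJones@example.test
1003,cdoe
1004,dlee@example.test
1005,asmith@example.test
"""
IDP_EXPORT = """name_id
asmith@example.test
bjones@example.test
cdoe@example.test
dlee@example.test
"""


def reconcile(ukg_csv, idp_csv):
    """Classify each Inova UKG username against the IDP's unique identifiers."""
    idp_ids = {row["name_id"] for row in csv.DictReader(io.StringIO(idp_csv))}
    idp_folded = {i.strip().casefold() for i in idp_ids}
    rows = list(csv.DictReader(io.StringIO(ukg_csv)))
    counts = Counter(r["username"].strip().casefold() for r in rows)
    report = {"ok": [], "case_or_space": [], "missing": [], "duplicate": []}
    for r in rows:
        emp, user = r["employee_id"], r["username"]
        key = user.strip().casefold()
        if counts[key] > 1:
            # Two employees sharing one identifier cannot be told apart
            # by the IDP claim, so one could land in the other's account.
            report["duplicate"].append(emp)
        elif user in idp_ids:
            report["ok"].append(emp)
        elif key in idp_folded:
            # Differs only by case or surrounding whitespace.
            report["case_or_space"].append(emp)
        else:
            report["missing"].append(emp)
    return report
```

Every employee outside the `ok` list should be corrected in the import file before Step 6.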
Step 4 - Import the Metadata from Identity Provider (IDP) into Inova UKG
- Go to the Hamburger Menu > Global Setup > Company Setup.
- Select the Login Config tab.
- Check the box next to Enable Single Sign-On (SAML 2.0) if not enabled already.
- Select Import Metadata from Identity Provider.
- Browse to find the metadata XML file you obtained in Step 2 above. To test SSO before enabling it, do not check the box for “Set Redirect URL For SP-Initiated SSO and SLO” on the Import pop-up window, since this will set the redirect to the IDP only.
- Select the desired XML file and click OK.
- Save changes.
Step 5 – Test the SSO setup
It is recommended that you test the SSO configuration before setting the redirect URL in Inova UKG. You may follow the steps below or use another method for testing. If testing is not needed or has already been performed, skip to Step 6.
- Instruct a test employee to navigate to the office.com website.
- The test employee logs in with their Microsoft credentials.
- Select All applications on the left-hand pane.
- Locate the application that was created in Step 2.
- Selecting the new SSO application should trigger the Inova UKG window to appear with the test employee successfully logged in.
Step 6 – Activating the SSO configuration
- Once testing is completed, repeat Step 4 and select the checkbox for “Set Redirect URL For SP-Initiated SSO and SLO” when importing the metadata XML file this time. This will direct employees to the IDP site for logging in.
- If you are utilizing the HCMToGo mobile app and would like to enable SSO for mobile login, check the appropriate box under the Mobile Login section.
- If you would like to permit employees to log in without using SSO, enable the checkbox to Disable Only Login Using SSO.
- Update other options as needed.
- Save changes.
Additional Resources
- Applicants and new hires may need to use the Bypass Redirect URL to log in, since they may not have an IDP account yet.
- The HCMToGo mobile app will not prompt for biometrics if using SSO. Additionally, SSO may not be supported on some Android phones.
- If you need to disable SSO for any reason, it is important to clear out the IDP information URLs before disabling the SSO checkbox to prevent getting locked out of Inova UKG.
- Questions or issues regarding SSO should be directed to your dedicated Account Manager at support@inovapayroll.com.