Single sign-on

Single sign-on (SSO) is an authentication scheme that allows a user to log in securely to multiple related applications with a single set of credentials. In this setup, SSO both authenticates users for the applications and synchronizes their user attributes.

Benefits of SSO & why your company needs it

It improves security capabilities

Through your centralized identity and access management system, you can manage user access privileges, and thus define who is allowed to access smartPeople.

It allows data synchronization

Through SSO, you can ensure that the user's master data (e.g. first name, last name, department) is kept synchronized between your identity provider and smartPeople.

It streamlines user experience

For authentication, users do not have to enter a separate username and password; they can simply use their corporate credentials.

There is also no need to maintain their master data in multiple applications.

SSO setup and integration process

Customer side

You need to provide the following details about your enterprise application to the HRForecast Customer success team:

1. IdP endpoint

This is the identity provider's login endpoint, also called the Login URL.

2. Metadata URL

It is also called Application federation metadata URL.

If you have a special request regarding the email claim, or need separate SSO configurations for different sub-environments, inform the HRForecast Customer success team about it as well.

HRForecast side

We set up SSO on our side and send you the following metadata:

1. Callback URL

It is also called Reply URL.

2. Issuer

It is also called IdP issuer or Identifier (Entity ID).

Customer side

You receive the Callback URL and Issuer from the HRForecast customer success team and add them to your identity provider configuration. Once done, test the setup by logging in to smartApps via SSO.

SSO setup

The process of setting up SSO on your side can vary depending on the application you use. From the example below, you can learn how it is done for Azure Active Directory.

If you use another application, the process may look different for you than the one illustrated by the example.

Here is a list of steps you need to take to set up SSO on your side:

  1. Create access tokens
  2. Synchronize user attributes
  3. Manage user access

smartPeople has two environments:

  • staging (dev-CLIENT.hrforecast.de/smartpeople)
  • production (CLIENT.hrforecast.de/smartpeople)

So, two separate access tokens shall be created, one per environment. This means that specific users or groups of users can be granted access to each of these environments separately.

Create access tokens

First, you need to log in to the Microsoft Azure portal.

Once logged in, navigate to Azure Active Directory > Enterprise applications to create a new enterprise application (on the screenshot below, it is smartapps-hrforecast-3).

Your Enterprise applications in Azure Active Directory

Now that you have a new enterprise application, open it, and then click Get started in the 2. Set up single sign on box.

Click Get started under Set up single sign on

Once the Set up Single Sign-On with SAML* page opens, copy the following data and send it to the HRForecast customer success manager:

  • The App Federation Metadata Url value. You can find it under SAML Signing Certificate.
  • The Login Url value. You can find it under Setup [enterprise application name].

* SAML stands for Security Assertion Markup Language. It is an open standard for exchanging authentication and authorization data between an identity provider and a service provider, and is one of the standard ways of providing single sign-on.

Copy values from the page

Synchronize user attributes

If you have a special request regarding the email claim, you need to inform the HRForecast customer success manager about it and provide the Unique User Identifier (Name ID) claim. You can find this value under Required claim on the User Attributes & Claims page in Azure Active Directory.

In addition to the email claim, the following claims should be transferred, at minimum: firstname and lastname.

Manage user access

On your side, you need to assign access to your application for specific users or groups of users. To this end, follow the steps listed below:

  1. In the Microsoft Azure portal, navigate to Azure Active Directory > Enterprise applications > your application > Properties.
  2. On the Properties page, manage the User assignment required? setting as needed:
      • Either enable the setting by switching the toggle to Yes. As a result, a user or a group of users must first be assigned to the application before they can access it. This assignment is done manually; a description of how to do it follows below.
      • Or disable the setting by switching the toggle to No. In this case, any user who navigates to the application is granted access to it.

It is recommended to enable this setting when your application is configured for the SAML-based SSO mode.

Manage the User assignment required? setting

To manually assign access to the application for a user or a group, navigate to Azure Active Directory > Enterprise applications > your application > Users and groups.

Assign a user or a group

Callback URL and Issuer

Once you get Callback URL and Issuer from the HRForecast customer success manager, in Azure Active Directory, navigate to your enterprise application and then open the Set up Single Sign-On with SAML page by clicking Get started in the 2. Set up single sign on box. Afterwards, paste the Callback URL value to the Reply URL (Assertion Consumer Service URL) field and the Issuer value to the Identifier (Entity ID) field. You can find these fields under Basic SAML Configuration.

Copy values from the page

Please be aware that FusionAuth does not support request signing.
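As an added example (not HRForecast's or FusionAuth's code) tying together the Callback URL and Issuer mapping above and the required claims under Synchronize user attributes: these are the checks a service provider performs on an incoming assertion after its XML signature has been verified by the SAML library. The callback path, SP entity ID, tenant id and user in the constructed sample are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical stand-ins for the Callback URL and Issuer HRForecast sends you.
CALLBACK_URL = "https://CLIENT.hrforecast.de/smartpeople/saml/callback"
SP_ENTITY_ID = "urn:hrforecast:smartpeople:CLIENT"
REQUIRED_CLAIMS = ("firstname", "lastname")

# Constructed sample assertion; the issuer tenant id and user are placeholders.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject><NameID>jane.doe@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData Recipient="https://CLIENT.hrforecast.de/smartpeople/saml/callback"/>
    </SubjectConfirmation></Subject>
  <Conditions><AudienceRestriction><Audience>urn:hrforecast:smartpeople:CLIENT</Audience></AudienceRestriction></Conditions>
  <AttributeStatement>
    <Attribute Name="firstname"><AttributeValue>Jane</AttributeValue></Attribute>
    <Attribute Name="lastname"><AttributeValue>Doe</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def check_assertion(xml_text, callback_url=CALLBACK_URL, sp_entity_id=SP_ENTITY_ID):
    """Return NameID and claims, or raise ValueError naming the failed check."""
    a = ET.fromstring(xml_text)
    # Audience must be the Issuer (Entity ID) registered for this SP, so an
    # assertion minted for another application is rejected.
    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {sp_entity_id}")
    # Recipient must be the Callback URL (Reply URL) of this SP.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != callback_url:
        raise ValueError("Recipient is missing or is not the registered Callback URL")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("NameID (Unique User Identifier) is missing")
    claims = {attr.get("Name"): attr.findtext("saml:AttributeValue", default="", namespaces=NS)
              for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    return {"name_id": name_id, "claims": claims}
```

Each mismatch raises with the name of the failed check, which is the detail you want in the SP's log when a login fails right after the Callback URL or Issuer has been pasted into Azure AD with a typo.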

Next step

Well done! Next up, focus on integration processes.