Single Sign-On (SSO) Integration Guide
This document aims to provide a step-by-step guide for your operational and technical teams to set up SSO with AIHR using Auth0 as our identity management platform. The guide covers the configuration process, the exchange of connection files, and the benefits of using SSO.
Jump to:
- Introduction
- Benefits
- Limitations
- Prerequisites
- Configuration Steps
- Testing the SSO Integration
- Team Management (Authorization)
Introduction to SSO
Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. AIHR uses Auth0 to provide SSO, ensuring a seamless and secure login experience for users from our customers' domains.
To offer a uniform experience to all AIHR members across the web and mobile, AIHR uses an identifier-first login approach: the user enters their email address first, and the domain of that address decides whether the login continues at the customer's IdP. More info about the identifier-first approach.
Benefits of SSO
- Improved Security: Reduces the need for multiple passwords, minimizing the risk of password fatigue and security breaches.
- User Convenience: Users can log in once and gain access to multiple applications, improving their experience and productivity.
Limitations
While AIHR strives to provide a seamless and efficient SSO experience, there are certain limitations to be aware of:
- No Tenancy Support: AIHR does not support tenancy. This means that customers will not receive a dedicated subdomain (e.g., clientx.aihr.com) as AIHR operates as one global community.
- No White-Label Landing Pages: AIHR does not provide customized, white-labeled landing pages. Given the diverse entry points into the AIHR ecosystem (including multiple applications, emails, and notifications), it is not feasible to ensure users consistently land on a specific client's landing page.
These limitations are in place to maintain a unified and cohesive user experience across our global platform.
Prerequisites
Before setting up SSO, ensure the following:
- You have an active license with AIHR.
  - It is also possible to set up the test environment without an active license.
- Your organization uses a supported identity provider (IdP).
- You have administrative access to your IdP.
- Your IdP supports SAML or another protocol supported by Auth0.
Configuration Steps
Exchange of XML Connection Files
- Generate Metadata XML File:
  - From your identity provider, generate the SAML metadata XML file. This file contains the configuration details needed to set up SSO.
  - A separate file is usually generated for each of two environments: test and production.
- Provide AIHR with Your Metadata XML File:
  - Email the generated XML file to your AIHR account representative. Our team will use this file to configure the SSO on our end.
- Receive AIHR Metadata XML File:
  - AIHR will provide you with our SAML metadata XML file, which contains our configuration details.
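Before emailing a metadata file, it is worth checking that it actually contains what the other side needs: an entity ID, HTTPS single sign-on endpoints, a signing certificate, and a validUntil date that has not passed. The following script is an added example (not AIHR's or Auth0's code); the entity ID, URLs and certificate text in the embedded sample are constructed placeholders, and the `now` argument can be a datetime or an ISO-8601 string so the check is reproducible.

```python
# Added example (not AIHR's or Auth0's code): sanity-check a SAML IdP metadata
# file before exchanging it. Entity ID, URLs and the certificate text in the
# sample below are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata in the shape most IdPs export.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder-base64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_timestamp(value):
    """Parse a SAML dateTime such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_idp_metadata(xml_text, now=None):
    """Extract the fields the other party needs and list obvious problems."""
    if isinstance(now, str):
        now = _parse_timestamp(now)
    now = now or datetime.now(timezone.utc)

    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID missing")

    # validUntil is optional; when present, expired metadata must not be installed.
    valid_until = root.get("validUntil")
    if valid_until and _parse_timestamp(valid_until) <= now:
        problems.append("metadata expired on %s" % valid_until)

    endpoints = [
        (e.get("Binding"), e.get("Location"))
        for e in idp.findall("md:SingleSignOnService", NS)
    ]
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for _binding, location in endpoints:
        if not (location or "").startswith("https://"):
            problems.append("non-HTTPS SSO endpoint: %s" % location)

    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")

    return {
        "entity_id": entity_id,
        "sso_endpoints": endpoints,
        "signing_certs": certs,
        "valid_until": valid_until,
        "problems": problems,
    }


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(report["entity_id"], report["sso_endpoints"])
    print("problems:", report["problems"] or "none")
```

Run the same check on the file you receive from AIHR, and on a metadata file obtained from an untrusted channel parse it with a hardened parser (for example the defusedxml package) rather than the standard library one.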
Configuring SSO on Your Side
- Import AIHR Metadata:
  - Import the AIHR metadata XML file into your IdP. This typically involves creating a new application or connection in your IdP and uploading the XML file.
- Configure Attribute Mapping:
  - Map the required user attributes (e.g., email, first name, last name) between your IdP and AIHR. Ensure that the email attribute is correctly mapped, as it will be used for user identification.
    // AIHR desired mapping
    // Please sanitise and lowercase all email addresses
    // "user_id" needs to be a unique identifier. Any format is accepted.
    {
      "email": "example.user@aihr.com",
      "family_name": "User",
      "given_name": "Example",
      "user_id": "fbdbf23f-80f9-4cd0-bd21-c24cebfd5dbd"
    }
- Set Up SSO Policies:
  - Define the SSO policies and user access controls within your IdP to ensure only authorized users can access AIHR services.
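To show what the attribute mapping above amounts to in practice, the following added example (not AIHR's or Auth0's code) takes the attribute statement of a SAML assertion as a toolkit typically delivers it (every attribute a list of strings), sanitises and lowercases the email, and fails closed when any of the four required fields is missing or the email is malformed. The urn:oid attribute names, the attribute map and the sample values are constructed for the example; your IdP may emit different claim names.

```python
# Added example (not AIHR's or Auth0's code): turn the attributes in a SAML
# assertion into the profile shape AIHR asks for. The claim names, the
# attribute map and the sample values are constructed for the example.
import re

REQUIRED_FIELDS = ("email", "family_name", "given_name", "user_id")

# Syntax-only check: exactly one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed map from AIHR field names to the attribute names one IdP emits
# (urn:oid names for mail, sn, givenName and uid).
ATTRIBUTE_MAP = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "family_name": "urn:oid:2.5.4.4",
    "given_name": "urn:oid:2.5.4.42",
    "user_id": "urn:oid:0.9.2342.19200300.100.1.1",
}

# Constructed attribute statement: mixed case and stray whitespace in the
# email are exactly what the sanitising step is there to remove.
SAMPLE_ASSERTION_ATTRIBUTES = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["  Example.User@AIHR.com "],
    "urn:oid:2.5.4.4": ["User"],
    "urn:oid:2.5.4.42": ["Example"],
    "urn:oid:0.9.2342.19200300.100.1.1": ["fbdbf23f-80f9-4cd0-bd21-c24cebfd5dbd"],
}


def sanitise_email(value):
    """Trim and lowercase; reject anything that is not a single plausible address."""
    email = value.strip().lower()
    if not EMAIL_RE.match(email):
        raise ValueError("malformed email attribute: %r" % value)
    return email


def first_value(value):
    """Collapse the list-valued form to its first string; empty list -> ''."""
    if isinstance(value, (list, tuple)):
        value = value[0] if value else ""
    return "" if value is None else str(value)


def build_aihr_profile(assertion_attributes, attribute_map=ATTRIBUTE_MAP):
    """Return {"email", "family_name", "given_name", "user_id"} or raise ValueError."""
    profile, missing = {}, []
    for field in REQUIRED_FIELDS:
        raw = first_value(assertion_attributes.get(attribute_map[field])).strip()
        if not raw:
            missing.append(field)
            continue
        profile[field] = sanitise_email(raw) if field == "email" else raw
    if missing:
        # Fail closed: without a stable user_id and an email the profile cannot
        # be matched to a member and must not be provisioned.
        raise ValueError("assertion is missing required attributes: %s" % ", ".join(missing))
    return profile


if __name__ == "__main__":
    print(build_aihr_profile(SAMPLE_ASSERTION_ATTRIBUTES))
```

The same normalisation belongs wherever the email is used as an identifier: if the IdP sends a mixed-case address for the same person on two logins, a consumer that does not lowercase it will treat them as two users.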
Adding Customer Email Domains to Universal Login
- Provide Your Email Domain(s):
  - Send the list of your organization's email domains to your AIHR account representative.
- Configure Domain in AIHR:
  - AIHR will add your email domain(s) to our Universal Login settings. This allows users with email addresses from these domains to be redirected to your IdP for authentication.
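The identifier-first decision that the domain list feeds is small but has edge cases worth seeing: the identifier must be normalised before the domain is compared, and only domains that were actually registered should route to the IdP. The following is an added example (not AIHR's or Auth0's code); the domain registry, the connection name and the identifiers are constructed, and "default" stands in for whatever login flow a non-SSO address gets, which this page does not describe.

```python
# Added example (not AIHR's or Auth0's code): the identifier-first routing
# decision made once a customer's email domains are registered. The registry,
# connection name and identifiers below are constructed.

# Constructed registry: registered email domain -> the customer's SAML connection.
SSO_DOMAINS = {
    "customer.example": "customer-saml",
    "eu.customer.example": "customer-saml",
}


def extract_domain(identifier):
    """Return the domain part of an email identifier, lowercased and trimmed."""
    ident = identifier.strip().lower()
    local, at, domain = ident.partition("@")
    if not at or not local or not domain or "@" in domain or any(c.isspace() for c in ident):
        raise ValueError("identifier is not a single email address: %r" % identifier)
    return domain


def route_login(identifier, sso_domains=SSO_DOMAINS):
    """Decide where the login continues for this identifier.

    Only exact, registered domains are routed to the IdP. A subdomain that was
    never sent to AIHR (e.g. 'intern.customer.example') falls back to the
    default flow instead of silently inheriting the parent domain's connection;
    if it should use SSO, it has to be registered explicitly.
    """
    domain = extract_domain(identifier)
    connection = sso_domains.get(domain)
    if connection is None:
        return {"domain": domain, "method": "default", "connection": None}
    return {"domain": domain, "method": "saml", "connection": connection}


if __name__ == "__main__":
    for ident in (" Jane.Doe@Customer.Example ", "jane@eu.customer.example",
                  "jane@intern.customer.example"):
        print(ident.strip(), "->", route_login(ident))
```

When you send your domain list, include every domain and subdomain that appears in your users' addresses; an address whose domain is not on the list will not reach your IdP.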
Testing the SSO Integration
- Initiate a Test Login:
  - Attempt to log in to AIHR at app.aihr.com using an email address from your configured domain.
- Verify Redirection:
  - Confirm that the login attempt redirects to your IdP's login page.
- Complete Authentication:
  - Log in using your IdP credentials and verify that you are successfully redirected back to AIHR and granted access.
- Check User Attributes:
  - Ensure that user attributes are correctly passed and displayed in AIHR.
Team Management (Authorization)
Although we use SSO for user authentication, access management still occurs within the AIHR platform. This means that even after setting up the SSO connection, users might not immediately have access to AIHR tools and content upon their initial login. To grant access, there are two methods:
- Inviting Members to the License:
  - License holders and managers can invite members to the license. Once an invited member logs in to AIHR using SSO, no further confirmation from the license holder or managers is required, and the member will automatically be part of the license, gaining access to tools and content on AIHR.
  - For large lists of members, AIHR learning consultants can assist with the initial invitation process. To invite members in bulk, please send the list of emails to your account representative.
- Requesting Access After Login:
  - After a successful login with SSO, if there is an active license on AIHR for your organization, users can request to join that license. The license holder or managers must then confirm the request on app.aihr.com for the user to be granted access to AIHR tools and content.
Any issues or questions? Please contact your AIHR account representative or the Support Team below.