What is Single Sign-On (SSO) Mode?
SSO Mode is an alternate configuration for Sprout HR and Payroll login that gives users a single set of credentials to access all of the Sprout applications. Additionally, a user who is already logged in to one application will not be asked to log in again when accessing other Sprout apps that are part of SSO. This feature also enhances user authentication across Sprout’s core applications in terms of security features, configurability, integration capability and user experience.
SSO Mode also enables SSO Integration with external identity providers such as Azure Active Directory, Keycloak, Okta, PingOne and many others that support the required open standards (SAML 2.0 or OpenID Connect/OAuth 2.0). Under SSO Integration Mode, user identity and access management is delegated to the external identity provider system.
New apps that are part of the Sprout Ecosystem such as the HR Onboarding Module, Ecosystem Dashboard and other mini apps to be released in the future are by default SSO Enabled.
What are the supported configurations?
For the first release of 2023-Q1, SSO Mode is supported under the following configurations (both SSO Standalone Mode and SSO Integration Mode) for a given tenant/client:
- Sprout HR only
- Sprout HR and Payroll with Full Sync Mode
- Sprout Mobile (with SSO Standalone only)
- Sprout Payroll only
Having both Sprout HR and Payroll in SSO but full sync turned off is not a supported configuration because we only need to have one place to manage users. HR and Payroll Full Sync configuration enables User Management within Sprout HR for both applications. To know more about HR and Payroll Full Sync, kindly refer to this article: Employee Profile Syncing on Sprout HR and Payroll
All the embedded apps such as Sprout Insight, Pulse, Performance+ SSO, and InstaCash shall still work under Single Sign-On mode as long as they are accessed through the Sprout HR Dashboard.
For Sprout Mobile, SSO redirection to the Web App is not supported due to security risks. However, under SSO mode the user credentials will be the same as for Sprout Mobile. Another important note is that SSO Integration mode is not yet supported on Sprout Mobile as of the 2023-Q1 release, because new screens in Mobile are required to facilitate the OIDC/OAuth 2.0 flow of delegated login and access.
Finally, when SSO is activated, it is activated for the whole tenant/client (e.g. the whole Sprout HR URL). It is not possible to activate SSO login only for specific users.
How does this work?
SSO Mode is not yet activated by default for all of Sprout’s clients, and it cannot be enabled from within the existing web applications.
To turn this on, a request must be submitted to Sprout Experts or your Customer Success Manager. Turning this feature on will involve resetting all of the existing Employees/Users’ credentials.
It is recommended that the primary email address is configured correctly for each user as the invitation link will be sent there during account activation for SSO. Sprout will take care of all the backend activation for this feature aside from an action needed for each Employee/User to activate their respective SSO Accounts.
Related Articles:
- Single Sign-On (SSO): SSO Integration Mode
- Single Sign On (SSO): Tech Specifications
- Single Sign-On (SSO): Common Issues and Resolutions
- Single Sign-On (SSO): Key Features for HR and Payroll
- Single Sign-On: Additional Features