Below are the notable changes in Sprout Core Applications when Single Sign-On Mode is activated.
Unified Login
Whether it is Sprout HR (same URL) or Sprout Payroll (different URL), if the user is not logged in they will see a new login screen. If SSO Integration is enabled, other options for logging in will be available. Configuring the system to auto-redirect to the external Identity Provider during login is also possible.
Payroll Access
Under SSO Mode, Sprout Payroll will have a new URL.
Currently, all payroll users log in with their company code as the prefix of the user name.
After SSO, payroll users will need to log in to a new URL dedicated to their tenant. (e.g. https://<tenant/client name> Then the user will no longer need the company code as a prefix and will use the same credentials they have for Sprout HR.
Employee Profile Management
HR Only & HR-Payroll Full Sync Configuration
In this configuration, the management of User accounts for SSO sits inside Sprout HR.
Sprout HR 201 Profile (Single Add & Edits)
For HR Only Mode, creation of new Employees also creates the SSO User Account automatically behind the scenes.
The HR Admin may no longer specify the temporary password of the user. The user has to set the password themselves via the Email Invitation link. This is why an email address is a requirement for SSO mode, as it will also be used for account recovery.
IMPORTANT: Users must have unique email addresses configured. If several Employee Profiles share an email address, we can only select 1 profile to grant SSO Access, and the other Profiles must be modified to have different primary email addresses if they need to access HR and/or Payroll.
When a new employee is created with an already existing email address, the creation of the User will fail internally in the system and changes would have to be made via a change request form.
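A pre-migration check for the uniqueness rule above, as an added example that is not part of Sprout's tooling: it scans an employee export for missing or shared primary email addresses and shared usernames before SSO Mode is turned on. The column names, the sample rows, and the case-insensitive comparison are assumptions made for this illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are hypothetical, not Sprout's
# actual bulk template headers.
SAMPLE_EXPORT = """EmployeeID,Username,PrimaryEmail
E001,jdelacruz,juan.delacruz@example.com
E002,msantos,maria.santos@example.com
E003,jdc-payroll, Juan.DelaCruz@example.com
E004,rreyes,
E005,msantos,m.santos@example.com
"""


def load_rows(text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize(value):
    # Assumption: compare addresses and usernames case-insensitively and
    # ignore surrounding whitespace, so near-duplicates are flagged too.
    return (value or "").strip().lower()


def find_sso_conflicts(rows, id_col="EmployeeID", user_col="Username",
                       email_col="PrimaryEmail"):
    """Return profiles that would block or break SSO account creation."""
    by_email, by_user, missing = defaultdict(list), defaultdict(list), []
    for row in rows:
        emp_id = row[id_col].strip()
        email = normalize(row.get(email_col))
        user = normalize(row.get(user_col))
        if email:
            by_email[email].append(emp_id)
        else:
            missing.append(emp_id)  # no address for invitation or recovery
        if user:
            by_user[user].append(emp_id)
    return {
        "missing_email": missing,
        "shared_email": {e: ids for e, ids in by_email.items() if len(ids) > 1},
        "shared_username": {u: ids for u, ids in by_user.items() if len(ids) > 1},
    }


if __name__ == "__main__":
    for kind, found in find_sso_conflicts(load_rows(SAMPLE_EXPORT)).items():
        print(kind, found)
```

Every profile listed under `shared_email` except the one chosen for SSO Access needs a different primary email address before it can log in.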
For HR-Payroll Full Sync Companies, the behavior is the same as for HR Only Companies, with the addition of a new section under Current Payroll Information to specify the Payroll User Access.
When the HR Admin provides a Payroll User Access for this Employee, a Payroll User will be created for this Employee as well. This Employee will therefore have Payroll User access to Sprout Payroll depending on the role given.
Payroll User Access has 2 elements:
- Payroll Company
  - This is the configured Payroll Company that is in sync with your Sprout HR Company
- Payroll Role
  - This is the role of the Payroll User in that Payroll Company
  - To know more about Payroll Roles, refer to the following article: What is Role-Based Access Control (RBAC)?
Payroll Users can be seen in the Users tab in Sprout Payroll:
If the HR Admin leaves this section blank, the Employee will only have Employee Access in Sprout Payroll.
Under HR-Payroll Sync mode, if the person has both Employee and Payroll User Access, this person can only access the Payroll User features and would have to refer to Sprout HR My Stuff for Payroll related Employee Access (e.g. Payslip, 2316, YTD).
Modification of Payroll User Access is also supported by the system. When Payroll User Access is revoked, the corresponding Payroll User is deleted in Sprout Payroll. An Employee in Sprout HR can have more than one Payroll User Access; these Employees/Users will be able to select the Payroll Company in Sprout Payroll. To know more about Adding an Employee via HR Administration Tools: How Do I Add a New Employee via Administration Tools?
Changing the Login Name / User Name
Changing the username is still supported in SSO Mode, but the change might take a few seconds to fully synchronize to Sprout Payroll.
Changing the Email Address (Primary)
Changing the primary email address of the Employee triggers a VERIFY EMAIL address step.
The system can be configured to require an email address to be verified before allowing login, but by default this is turned off.
Changing the HR email via 201 form or bulk edit will reset all prior 3rd party IDP account linking.
Sprout HR 201 Profile (Bulk Add & Edit)
Under SSO mode, the bulk template is updated to accommodate the assignment of the Payroll Role. To know more about Bulk upload in Sprout HR, kindly refer to this article: A Comprehensive Guide on the Bulk Upload (Employee Information)
In SSO Mode, when a PayrollRole is specified, the system will create a User in Sprout Payroll with the provided PayrollRole if this Payroll User does not exist yet or update the Payroll Role if this user already exists in Sprout Payroll.
In Edit Bulk Template, the user will be asked to re-authenticate using SSO credentials before being able to download the bulk template file. If a person from Company A needs to have Payroll User Access in Company B (e.g. Approver role in Payroll), the HR Admin will not be able to specify that in the Bulk Template; this must be done via the 201 form under Current Payroll Information (Refer to C.1.1).
The same rule applies to Bulk Upload as to Single Add or Edit, particularly the requirement of a unique email address.
Payroll Users Tab
Under HR-Payroll Full Sync Configuration, the Payroll Users Tab is disabled.
As with Employee Full Sync, the HR Admin can only manage Payroll Users within Sprout HR - Current Payroll Information (See Sprout HR 201 Profile (Single Add & Edits)).
HR API for Employee 201 Management
By the end of 2023 Q1, the APIs will also partially support SSO-related scenarios.
When the tenant/client has turned on SSO Mode and creates an Employee via the Public API, the new Employee will automatically have an SSO account and will receive a new User Invitation.
When the system calling the Employee API also provides a Payroll User Access under Current Payroll Information in the API payload, the Payroll User will also be created in Sprout Payroll.
Due to capacity constraints and a lack of use cases in the short term, Edit Payroll User Access might not be supported in API in 2023 Q1. To learn more about Sprout’s Public APIs, refer to the following link:
Payroll Only Configuration
Payroll Add and Edit User
As with Sprout HR 201 management, there is no notable difference in creating and editing Users in Sprout Payroll as long as the rule of having a unique username and primary email address is followed per Employee and Payroll User. The system will automatically manage the SSO accounts behind the scenes.
To know more about Payroll User management, refer to the following link: How Do I Add Another Admin User on Sprout Payroll?
Payroll Add and Edit Employee Record (single and bulk)
As with Sprout HR 201 management, there is no notable difference in creating and editing Employees in Sprout Payroll.
To know more about managing employee profiles in Sprout Payroll, refer to the following links:
- How to Update Employee Profile in Sprout Payroll
- Separate Bulk Upload Template for Adding New Employees and Updating Existing Employees
The same rules apply when managing users in Sprout Payroll vs. Sprout HR.
Payroll Employee vs. Payroll User
If a person is both an Employee and User in Sprout Payroll under SSO mode and this person needs to have access to both, 2 accounts need to be created with different credentials and primary email addresses: one for the Employee Access and one for the Payroll User access. The system performs a pre-validation when the User tries to create either an Employee or User with an already existing email address.