Aside from the key features of Single Sign-On (SSO) discussed here, there are additional notable features affected once SSO is enabled. Keep reading to learn more!
Employee Resignation or Termination
When an employee resigns or is terminated, the employee will not be able to access Sprout HR or Payroll. If they are still able to get past the login page, they will see an “Access Denied” or “Unauthorized” page when they get to Sprout HR or Payroll.
Payroll User Access is still different from Employee 201 status in Sprout HR. For Employee Resignation or Termination, please make sure that the corresponding Payroll User Access is also deleted.
Sprout Mobile
There is no notable change in Sprout Mobile, except that a user who has migrated to SSO needs to provide the SSO credentials, as the old ones will no longer work.
To reiterate, Sprout Mobile does not support login via SSO Integration in 2023-Q2 as additional implementation is needed to facilitate the OAuth 2.0 flow. However, when the tenant is under SSO Integration mode, Sprout Mobile can still be accessed with the User’s Sprout credentials (not the external identity provider credentials).
New User Invitation
However a User is created (Web App Admin Tools, API), the user will receive an email to set the password for their account. If the Employee can’t see the email, kindly check whether it’s in the spam folder.
The validity of the link can be configured by Sprout on our end.
If the link has already expired:
- The admin can retrigger the sending of the invitation link under Access Levels. See Password Management per User.
- The employee can set their password via the Forgot Password button on the login page.
Password Policy
Since in SSO mode passwords are no longer managed by Sprout HR and Payroll but managed within another service in Sprout, the existing password policy in legacy login will no longer apply. However, there will be a default password policy set for your client/tenant during SSO activation and this password policy can be configured by Sprout on our end.
To know more about what configuration on the Password Policy would be possible, refer here.
Password Management per User
For Admins:
- Admins or HR Users that typically have access to the “Access Levels” section in the Employee 201 file may no longer set a temporary password for the Employee and can only trigger a reset password email under Access Levels. If there is a need to set up a temporary password, this can be done by Sprout on our end via a change request form.
For all Users:
- Users can reset their password on the login page. This flow requires an email so that the password change link can be accessed.
- Users can also trigger a password change in the HR menu under User Profile.
For obvious security reasons, this requires the user to authenticate first before being allowed to change the password.
Multi-Factor Authentication
Existing MFAs (e.g., SMS and Email-based OTPs) in legacy Sprout HR can still be activated; however, they will be triggered after successful login to SSO and will only apply to Sprout HR. Under SSO Mode, there is already support for Google integration instead.
Current Limitations:
- The Clock In Home page is not supported under SSO mode. There are other existing alternatives for achieving the same outcome that the Clock In Home page intended.
- More of a rule than a limitation: SSO Accounts need to have unique usernames and email addresses. Email is used for password management in SSO.
- There is no UI where admins could freely set temporary passwords for Users. This UI will come with the User Manager module in the Sprout Ecosystem Dashboard in the future.
- Sprout Mobile can’t support SSO Integration mode at least in Q1 of 2023, but Sprout Mobile shall be usable in SSO Standalone mode.
- For resigned and terminated employees, their profile will be deactivated in Sprout HR and Payroll. However, internally on Sprout’s system, their Users can still be active in the SSO Service until clean up. This means they can technically still log in to Sprout, but since they are already an inactive employee, they will not have access to Sprout HR or Payroll.
- SSO for both HR and Payroll can only be supported for the same tenant/client if HR-Payroll Sync is activated.
- If admins would like to edit Payroll User Access by changing the existing Company parameter, they should delete the existing records first and add Payroll User Access from scratch to ensure that it works. This will be addressed in a UI enhancement.