What is Single Sign-On?
Single Sign-On (SSO) simplifies the user authentication process by allowing users to access multiple applications without the need to repeatedly enter login credentials. This streamlined access is facilitated through an Identity Provider using the Security Assertion Markup Language (SAML) standard, ensuring secure communication of user identities between applications.
SSO integration is available across all areas of the Humanforce software, including the Back Office, Humanforce Web, and Mobile App. This guide focuses on configuring SSO specifically for the Humanforce Web application. For instructions on configuring SSO for other Humanforce WFM applications, refer to the following links:
Identity Providers
To implement SSO, Humanforce must be linked to an Identity Provider. An Identity Provider serves as a platform for securely communicating credentials between applications within the organization.
Popular Identity Providers
Humanforce SAML/SSO Admin Settings
Access the SAML/SSO Admin section in Humanforce by navigating to: Admin > Security Configuration > SAML/SSO Admin. Here, you'll find three tabs:
- Web – Service Provider: Contains Humanforce SAML details for desktop browsers.
- Web – Identity Provider: Contains third-party Identity Provider (IdP) SAML details for desktop browsers.
- Settings: Configures how SSO is handled by Humanforce.
Setting up SSO
For detailed instructions on setting up SSO with specific Identity Providers, refer to the following articles:
Steps to Configure SSO
- 1. Enter the Service Provider Details
- 2. Configure the Identity Provider
- 3. Upload the Metadata file
- 4. Update Humanforce SAML/SSO Settings
- 5. Test Single Sign-On
1. Enter the Service Provider Details
Complete the relevant Service Provider tab in the SAML/SSO Admin section of Humanforce.
Field | Explanation |
Service Provider Name | A customisable string used to identify the service provider (also referred to as Entity ID). This string must be entered identically in both the service provider and the identity provider. Use a value that uniquely identifies the current website. The root URL of the current website is a good choice (this is the default value). |
Humanforce Website Url (this website) | Enter the URL of the Humanforce installation, including only the main domain (e.g. http://client.humanforce.com). In most cases the pre-populated default value will be correct. |
Assertion Consumer Service Url | This will automatically update once the Humanforce Website URL has been entered. |
Certificate Filename (.pfx) | Uploading a certificate is not required in the majority of cases. This is only necessary if your Identity Provider requires Authentication Requests to be signed. This is a very niche scenario with minimal security advantage. |
Upload Certificate | |
Certificate Password | |
2. Configure the Identity Provider
Typically Identity Providers will have a management console where applications may be configured. Humanforce should be added as an application in this management console. Using the information identified in the previous step, create a new SAML application in the management console. Refer to the table below to identify what data in Humanforce corresponds to fields often required by the Identity Provider.
Field | Explanation |
SP Entity ID and/or Audience URI and/or Audience Restriction | Enter Service Provider Name as defined in step 1. |
Destination URL | Enter the Humanforce Website Url defined in step 1. |
Sign-on URL and/or Recipient URL and/or Assertion Consumer Service | Enter the Assertion Consumer Service Url defined in step 1. |
Application Username and/or Verification Type | Select which data from the identity provider should be used to log in to Humanforce (e.g. email address, employee code, active directory username, etc.). |
Name ID format and/or Verification Type Alias | System name of the application username being passed to Humanforce. This will be required in step 4. |
Once setup is complete, an XML file should be available to download with metadata for the new SAML application from the Identity Provider. This file will be required in step 3.
Downloading the metadata file from popular Identity Providers
Okta | Go to Application Settings then Sign On and click Identity Provider metadata. |
OneLogin | Go to the More Actions menu and click the down arrow > SAML Metadata. |
Centrify | In Admin Portal, click Trust, then under Identity Provider Configuration click Download Metadata file. |
Microsoft Entra ID | In the configuration page for the SAML app, click the SAML XML Metadata link. |
Ensure access has been assigned to the people or groups who require access to Humanforce through the identity provider for the new SAML application.
Each identity provider is different, but they all follow a similar process. See below for detailed instructions on setting up a custom SAML app with popular identity providers.
3. Upload the Metadata file
Complete the relevant Identity Provider tab in the SAML/SSO Admin section of Humanforce by importing the XML metadata file downloaded in step 2. If changes to any fields are required, make these changes in the identity provider and import a new metadata file. It is not possible to successfully configure the Identity Provider in Humanforce without a valid metadata file.
Field | Explanation |
Identity Provider Name | no action required |
Single Sign-On Url | no action required |
Single Logout Url | no action required – some metadata files may not provide this. This is the URL users are directed to after logging out of Humanforce. |
Validate SAML Assertion Signatures | no action required. This setting is enabled by default and should not be disabled. It may be removed in future versions. |
Use Signed Authentication Requests | Enable this if your Identity Provider requires authentication requests to be signed. This is typically not required. As outlined above, if you are using this feature a PFX certificate file and its password must be provided on the Service Provider tab. |
Import Metadata Button | This will open a prompt to upload the XML file downloaded in the previous step. Locate and upload this file, then select Save Changes. |
4. Update Humanforce SAML/SSO Settings
Complete the Settings tab in the SAML/SSO Admin section of Humanforce as necessary.
Field | Explanation |
SSO Mode | Select the desired SSO Mode. Note: ONLY use "SSO Only" mode if SSO has been tested and confirmed to be working. |
Verification Type | Select the verification type defined in step 2 when setting up the SAML application in the identity provider (e.g. Email Address 1). This is the Humanforce field aligning with the SSO ID being used for authentication. |
Verification Type Alias | Type the alias as defined in step 2 when setting up the SAML application in the identity provider (e.g. Email Address). |
5. Test Single Sign-On
Once all changes have been saved, Single Sign-On will be operational.
6. Reimport Metadata (maintenance over time)
If any details in your Identity Provider change, you will need to export a new metadata file and import it into Humanforce (step 3). This includes whenever the identity provider signing certificate changes or expires. Humanforce does not automatically fetch updated certificates or other metadata from your identity provider.
If you are using SSO Only mode, it is recommended that you change Humanforce to Dual Mode before making changes in your Identity Provider. If you do not do this and SSO verification fails, you will be unable to access your system until you log a support ticket to have the system put in Dual Mode by the Humanforce Support Team.
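Because Humanforce does not fetch updated metadata itself, the comparison in steps 3 and 6 can be scripted. The following Python is an added example, not Humanforce code: it reads two SAML 2.0 IdP metadata documents (the one last imported and the one currently published by the identity provider) and reports what has changed. The `idp.example.com` URLs and the placeholder certificate bytes are constructed, and it assumes the fields on the Identity Provider tab correspond to the standard metadata elements (`entityID`, `SingleSignOnService`, `SingleLogoutService`, `KeyDescriptor`).

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_idp_metadata(xml_data):
    """Pull endpoints and signing-certificate fingerprints from IdP metadata."""
    root = ET.fromstring(xml_data)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    prints = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute: key serves both purposes
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.add(hashlib.sha256(der).hexdigest())
    locations = lambda tag: [e.get("Location") for e in idp.findall(tag, NS)]
    return {"entity_id": root.get("entityID"),
            "sso_urls": locations("md:SingleSignOnService"),
            "slo_urls": locations("md:SingleLogoutService"),  # some IdPs publish none
            "signing_cert_sha256": prints}

def reimport_reasons(imported_xml, current_xml):
    """List the differences that mean the metadata must be imported again."""
    old, new = summarize_idp_metadata(imported_xml), summarize_idp_metadata(current_xml)
    reasons = []
    if not new["signing_cert_sha256"]:
        reasons.append("current metadata has no signing certificate")
    elif old["signing_cert_sha256"] != new["signing_cert_sha256"]:
        reasons.append("signing certificate changed")
    for key, label in (("sso_urls", "Single Sign-On URL"),
                       ("slo_urls", "Single Logout URL"), ("entity_id", "entityID")):
        if old[key] != new[key]:
            reasons.append(label + " changed")
    return reasons

def sample_metadata(cert_bytes, with_slo=True):
    """Constructed metadata; cert_bytes are placeholder bytes, not a real certificate."""
    slo = ('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
           ' Location="https://idp.example.com/slo"/>') if with_slo else ""
    b64 = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    {slo}<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

When checking real files, open them in binary mode and pass the bytes so the parser honours the encoding named in the XML declaration.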