1. Employment Hero Help Centre (AU)
  2. HR Platform
  3. Account Management and Security
  4. Security

Select your platform and then browse by platform category

Who are you and what section are you in?

Set up single sign-on (SSO) using Okta

Dominic Beckham
Updated
EH Content Team

Available for the following HR plan: Platinum
Available for the following user access level: Admin

With SAML-based single sign-on (SSO), employees can access Employment Hero through an identity provider (IdP) of their choice. Single Sign-on (SSO) allows users to use one set of login credentials to access multiple applications. With SSO, employees can sign in to Employment Hero using their existing credentials from an identity provider (IdP) like Microsoft Entra, Google, or Okta.

This article shows how to set up SSO using Okta. You can also learn how to set up SSO using Google or Microsoft.

  Interactive learning

Interactive demo: Connect your IdP to Employment Hero
This interactive demo shows how to connect your IdP to Employment Hero. You will first need to set up your IdP using Okta. Instructions on how to do this are in Step 1 below.

How to set up SSO SAML on Okta

Step 1: Set up your IdP
To begin, you should establish a connection between Employment Hero and Okta. To do this you will need to log in to the Okta Admin console and create a new app integration using the credentials below. For more information see this link. 
  1. Within the Okta Admin console, click the Applications menu.
  2. Click Create App integration.
  3. For the sign-in method, select SAML 2.0.
  4. Click Next. 
  5. Set up the SAML SSO general settings, including:
    • App name.
    • App logo (optional)
    • App visibility.
      Create SAML screen 1.jpg
  6. Click Next.
  7. Configure your SAML using the following credentials:
    • Audience URI (SP Entity ID): EmploymentHero
    • Single sign-on URL: https://secure.employmenthero.com/sso/saml/consume
    • Audience URI (SP Entity ID): EmploymentHero
    • Default RelayState: Leave blank
    • Name ID format: Unspecified
    • Application username: Okta username
    • Update application username on: Create and update
    • Tick the checkbox called "Use this for Recipient URL and Destination URL.
    • Complete setup.
      SAML set up (1).jpg
  8. After you have set up the Okta SAML SSO App, you will need to click on "View SAML setup instructions" and use the Identity Provider Single Sign-On URL, Identity Provider Issuer and X.509 certificate in the next step of your setup.
    SAML instructions.jpg

Important

Your provider may ask for the following information to configure ‌the IdP:

Please note that the above URL is not an active URL and just needs to be input for the SSO setup process.

Step 2: Connect your IdP to Employment Hero
  1. Click the Settings button in the menu on the left-hand side of your homepage.
  2. Click the Single Sign-on button under the General Settings heading.
    Screenshot of homepage with Single Sign on settings button highlighted
  3. Enter your SAML Sign-on URL. (You can find this in the View SAML set-up instructions screen in step 1.)
  4. Enter your Issuer URL. (You can find this in the View SAML set-up instructions screen in ‌step 1.)
  5. Enter your Key x509 Certificate. (You can find this in the View SAML set-up instructions screen in ‌step 1.)
  6. Click Test Configuration & Save.
    Screenshot of the Manage SSO page with the input fields and Test configuration button highlighted
  7. You will be taken to Okta's login page.
    Screenshot of sign in screen with Next button highlighted
  8. Enter your username and password, along with any additional security measures required by Okta.
  9. Once complete, you will be taken back to your Manage SSO page, where you will see a green Verified tick next to the SSO/SAML Configuration header.
    Screenshot of the Manage SSO page with verification tick highlighted
Step 3: Turn on Single Sign-on for employees
  1. Scroll down on the Manage SSO page, to the section titled SSO/SAML.
  2. Press the Not Enabled toggle on the right-hand side.Screenshot of SSO oage with Not enabled toggle highlighted
  3. An email will automatically be sent to all employees with a company email address linked to their account. They will now be able to use Single Sign-on.

 

General information about Single Sign-on

Can I use any other identity providers?
Currently, you can use Okta, Google and Microsoft.
Will my employees be able to Single Sign-on to the Employment Hero platform via the app dashboard of our IDP provider (Okta, Google, Microsoft)?
Yes, once you’ve created the Employment Hero SSO application on your chosen IDP and assigned it to your employees, they will be able to sign in directly from the app dashboard of your preferred IDP.
What happens when my organisation is no longer on a Single Sign-on supported plan?

The SSO feature will be automatically turned off, and those with administrative or ownership privileges will be informed of this automatic process. Additionally, impacted users will be notified of the changes to how they log in.

Troubleshooting issues during setup

Why is my Key X-509 Certificate not working?
Check that you have included the entire certificate, including the "----BEGIN CERTIFICATE----" and "-----END CERTIFICATE----" sections. 
Why does a user need to complete 2FA through ‌IdP and Employment Hero?
We cannot determine when a user finishes 2FA using the IdP or what 2FA regulations the client follows with their IdP. Therefore, we will still insist on users completing 2FA through Employment Hero to meet our high-security standards for 2FA.

Troubleshooting issues after setup

What should I do if no one in my organisation can log in once SSO is enabled?
Contact Employment Hero. With the permission of your organisation's Admin or Owner, we can disable Single Sign-on for your organisation.
Why have I lost the ability to edit my/other member’s company email?
As login is now associated with a member’s company email, we have restricted the ability to update this value to Admins and Owners only. This is to reduce the risk of a malicious update, which may result in a member being unable to log in or another user gaining unauthorised access.
What happens when an employee leaves the business if Single Sign-on is enforced on their account?
Once an employee is terminated in the Employment Hero platform, SSO will no longer apply to their account. The terminated employee can still access their profile using their personal email and password, which they set up during onboarding.

Handling errors and multiple accounts

Where does Employment Hero log in users with multiple accounts across various organisations, all using the same SSO-enabled email?
The organisation with the lowest ID. The user will be able to switch between organisations upon successful authentication for that organisation.
Where does Employment Hero log multiple user accounts with the same SSO-enabled email, but in different organisations, when they need Single Sign-on into all?

The organisation with the lowest ID. Only one user will be able to log in via SSO, other users will have to:

  • Have SSO disabled in their other organisation, so they can login via account email and password
  • Have no company email in their other organisation, so then can login via account email and password
  • Have a different company email address in their other organisation so they can login via SSO using a different email address

Related to:

Was this article helpful?
1 out of 2 found this helpful