1. Employment Hero Help Centre (AU)
  2. HR Platform
  3. Account Management and Security
  4. Security

Select your platform and then browse by platform category

Who are you and what section are you in?

Manage and sign in to your account using single sign-on (SSO)

Paula Mercado
Updated

Available for the following plans: Standard, Premium 
Available for the following User Access levels: Employee, Contractor, Restricted Access User, Full Access User

Single sign-on (SSO) allows you to access your payroll business using a single set of login credentials from an identity provider (IdP) of your choice, such as Microsoft Entra, Google, or Okta. This establishes a Federated Identity Management (FIM) connection, allowing an external service to handle authentication for a more central and seamless experience for end users.

This article shows you how to manage the following:

Set up your SSO connection

Before connecting to the payroll platform, you must configure your chosen Identity Provider (IdP) with the correct credentials. The platform also automatically audits every time SSO is enabled or disabled.

Configure Okta for SAML SSO
  1. Log in to your Okta Admin console and navigate to Applications.
  2. Click Create App integration and select SAML 2.0.
  3. Enter your App name and click Next.

Okta App name setup

  1. Under SAML Settings, use these credentials:
    • Single sign-on URL: Enter the URL that matches your payroll platform. E.g. if your payroll platform URL is https://example.yourpayroll.com.au/ then use https://example.yourpayroll.com.au/Security/SamlSsoConsumer.
    • Audience URI (SP Entity ID): Enter your preferred value (e.g. YourPayroll).
    • Assertional Consumer Service URL: Enter the URL that matches your payroll platform. E.g. https://example.yourpayroll.com.au/Security/SamlSsoConsumer.
    • Default RelayState: Leave this field blank.
    • Name ID format: Set to Unspecified.
    • Application username: Set to Okta username.
    • Update application username on: Set to Create and update.

Okta SAML settings

  1. Tick Use this for Recipient URL and Destination URL and click Finish.
  2. Click View SAML setup instructions to find your Sign-on URL, Issuer URL, Entity ID, and Key x509 Certificate.

Okta SAML instructions

Configure Google for SAML SSO
  1. Log in to your Google Admin Portal and go to Web and mobile apps.
  2. Click Add custom SAML app from the Add App menu.
  3. Enter an App name and click Continue.

Google SAML setup

  1. Copy the SSO URL, Entity ID, and Certificate provided by Google, then click Continue.

Google SSO details

  1. Under Service provider details, enter:
    • ACS URL: Enter the URL that matches your payroll platform. E.g. if your payroll platform URL is https://example.yourpayroll.com.au/ then use https://example.yourpayroll.com.au/Security/SamlSsoConsumer.
    • Entity ID: Enter your preferred value (e.g. YourPayroll).
  2. Click Continue then Finish.

Google Service provider details

Google configuration finish

Configure Microsoft Entra for SAML SSO
  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to the Applications menu, then Enterprise Applications, and then All Applications.
  3. Click New Application.

Entra New Application

  1. If you are redirected to Browse Microsoft Entra Gallery, select Create your own Application.

Entra Create own app

  1. Enter a name for your application and choose the checkbox Integrate any other application you don't find in the gallery (Non-gallery).
  2. Click Create.

Entra creation finish

  1. Once the application is created, select Single sign-on from the side menu and click SAML.

Entra SAML selection

  1. Click Edit on the Basic SAML Configuration and enter:
    • Identifier (EntityID): Enter your preferred value (e.g., YourPayroll).
    • Reply URL (Assertion Consumer Service URL): Enter the URL that matches your payroll platform (e.g., https://example.yourpayroll.com.au/sso/saml/consume).
    • Sign-on URL: Ensure this field is removed.

Entra configuration details

Entra configuration save

  1. Save the configuration and copy the Login URL, Microsoft Entra Identifier, and Certificate provided by Microsoft Entra to complete the connection within the payroll platform.

Entra endpoints copy

Enable SSO for your employees

Step 1: Connect your IdP to your account
  1. Navigate to Payroll Settings Security Dashboard Single Sign-on (SSO) Settings.

Payroll SSO Setting location

  1. Enter your SAML Sign-on URL, Issue URL, Entity ID, and Key x509 Certificate.
  2. Click Test Configuration & Save.
  3. You will be taken to your IdP's login page (Google, Microsoft, or Okta).
  4. Enter your username and password, along with any additional security measures required by your provider (e.g. MFA).
  5. Once completed, you will be taken back to the Single Sign-On (SSO) Settings page.
Step 2: Activate SSO for specific users
  1. Navigate to the SSO Access tab.

SSO Access Tab view

  1. For users with an SSO email, select the checkbox corresponding to them.
  2. Click Enable SSO.
  3. An email will automatically be sent to all selected users letting them know they can now use Single Sign-on.

Pro Tip

You can also use the "Ability to import SSO emails" or manually update them for faster setup.

Sign in using SSO

Sign in from the login page
  1. Go to the login page. If you do not have an account saved, enter your email address. If you already have a saved account, click Sign in with a new account and enter your email address.
  2. A Sign in with Single Sign-On option will appear; click it.
  3. Enter your workspace email (refer to the email you received if unsure).
  4. Enter your account password for Google, Microsoft, or Okta to verify your identity.
  5. Depending on your IdP's security settings, you may need to complete additional measures such as two-factor authentication (2FA).
  6. Once successfully logged in, you will be redirected back to your payroll’s dashboard.
Sign in using an IdP Dashboard tile

Users can sign in directly from their IdP app dashboard. Note that the application name depends on your specific business setup.

  • Google SSO tile: Select the tile from your Google Workspace Dashboard.
  • Microsoft SSO tile: Select the tile from your Microsoft 365 Apps page.
  • Okta SSO tile: Select the tile from your Okta "My Apps" dashboard.

Manage SSO certificates

Add a secondary certificate

Dual certificate support ensures zero downtime during certificate rotation.

  1. Navigate to Payroll Settings Security Dashboard Single Sign-On (SSO) Settings.
  2. Click Add another certificate.
  3. Upload your secondary certificate and click Test Configuration & Save.
Safe certificate deletion

To prevent accidental lockouts, the system re-verifies the remaining certificate before allowing a deletion. If the remaining certificate is invalid or expired, the platform will explicitly notify the user that a valid certificate must remain in place and block the deletion.

  • Green badge: More than 60 days to expiry.
  • Yellow badge: 14 to 60 days to expiry.
  • Red badge: Less than 14 days to expiry or expired.

Troubleshoot login issues

Recover access after certificate expiry

If the SSO certificate has expired and everyone is locked out, Full Access Users can use the Self-Service Recovery path:

  1. Navigate to the standard login page.
  2. Use your payroll credentials (email, password and 2FA) to log in.
  3. You will be redirected to the SSO Enforcement page where you can temporarily disable SSO to upload a new certificate to restore access immediately.
General Troubleshooting
  • Cannot log in: Ensure you are using the correct SSO email address linked to your payroll account.
  • Persistent issues: Contact your business' admin for further assistance.
  • Error code 403 (app_not_enabled_for_user): Ensure the Payroll app is correctly assigned to the user in your IdP admin settings.
  • Key x509 Certificate not working: Verify that you have copied the entire certificate text, including the "BEGIN" and "END" headers.

SSO FAQs

Why do I need to complete 2FA through both my IdP and Payroll?

Payroll handles 2FA independently to remain compliant with ATO regulations. Authentication with your IdP does not bypass the platform's independent security requirements.

What happens if the business is no longer on an SSO-supported plan?

The SSO feature will be automatically turned off. Full Access Users will be informed of this automatic process, and impacted users will be notified of the changes to how they log in.

What happens when an employee with enforced SSO leaves the business?

Once terminated in the Payroll platform, SSO will no longer apply to their account.

Onboarding and SSO

Single Sign On will be enforced when it has been enabled for the employee; it is not required during the onboarding phase until that point.

Managing multiple accounts with the same SSO email

If you have accounts across various businesses using the same SSO-enabled email, you can switch between businesses after logging in. Alternatively, you can have SSO disabled in your other business so you can login via account email and password.

Access to SSO Settings

SSO Settings are only accessible to Full Access Users.

How do I sign in to EH Work after Single Sign-on is applied?

Users continue to login to the EH Work app via Email + Password + 2FA. Employees will be prompted to SSO when required after login.

Who is exempt from SSO enforcement?

Brand Level Users, Partner Level Users, and Admins are not required to SSO into an SSO-enabled business if they are not also a direct business user or employee/contractor.

Was this article helpful?
0 out of 0 found this helpful