1. Employment Hero Help Centre (UK)
  2. HR Platform
  3. Account Management and Security
  4. Security

Select your platform and then browse by platform category

Who are you and what section are you in?

Set up single sign-on (SSO) using Microsoft

Dominic Beckham
Updated
EH Content Team

Available for the following plan: Employment Unlimited
Available for the following HR classic plan: Platinum
Available for the following user access level: Admin

With SAML-based single sign-on (SSO), employees can access Employment Hero through an identity provider (IdP) of their choice. Single Sign-on (SSO) allows users to use one set of login credentials to access multiple applications. With SSO, employees can sign in to Employment Hero using their existing credentials from an identity provider (IdP) like Microsoft Entra, Google, or Okta.

This article shows how to set up SSO using Microsoft. You can also learn how to set up SSO using Google or Okta.

  Interactive learning

Interactive demo: Connect your IdP to Employment Hero
This interactive demo shows how to connect your IdP to Employment Hero. You will first need to set up your IdP using Microsoft Entra. Instructions on how to do this are in Step 1 below.

How to set up SSO SAML using Microsoft

Step 1: Create a new application

To begin, you should establish a connection between Employment Hero and Microsoft. To do this you will need to log in to the Microsoft Entra admin center and create a new app integration using the credentials below.

  1. Sign in to the Microsoft Entra admin center.
  2. Click the Applications menu, then Enterprise Applications, then All Applications.
  3. Click New Application.
    Microsoft Entra admin 1.jpg
  4. If you are redirected to Browse Microsoft Entra Gallery, select Create your own Application.
    Create new application.jpg
  5. Enter a name for your Employment Hero SSO Application.
  6. Select the checkbox: Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.
    Create new application (1).jpg

    Important

    Do not select any app suggested by Microsoft, such as "Employment Hero", even if it matches your entry. Since you are creating your own application for your specific requirements, it's important to avoid selecting these suggestions.
Step 2: Configure the application
You will now configure your newly created app for SSO. To do this:
  1. Select Single sign-on from the sidebar.
  2. Select SAML.
    Select SAML
  3. Click Edit next to the application you created.
    Basic SAML configuration.jpg
  4. Configure your SAML configurations with the following Identifier(EntityID): EmploymentHero 

    Reply URL ( Assertion Consumer Service URL): https://secure.employmenthero.com/sso/saml/consume

    Sign-on URL: https://secure.employmenthero.com/sso/saml/initBasic SAML Config.jpg

  5. Once completed, copy the following information provided by Microsoft Entra to set up your SSO on Employment Hero:
    - Login URL
    - Microsoft Entra Identifier
    - Logout URL
    Copy information

Step 3: Connect the application to Employment Hero
  1. Click the Settings button in the menu on the left-hand side of your homepage.
  2. Click the Single Sign-on button under the General Settings heading.
    Screenshot of homepage with Single Sign on settings button highlighted
  3. Enter your SAML Sign-on URL. (You can find this in the View SAML set-up instructions screen in step 1.)
  4. Enter your Issuer URL. (You can find this in the View SAML set-up instructions screen in ‌step 1.)
  5. Enter your Key x509 Certificate. (You can find this in the View SAML set-up instructions screen in ‌step 1.)
  6. Click Test Configuration & Save.
    Screenshot of the Manage SSO page with the input fields and Test configuration button highlighted
  7. You will be taken to Microsoft's login page.
    Screenshot of sign in screen with Next button highlighted
  8. Enter your username and password, along with any additional security measures required by Microsoft.
  9. Once complete, you will be taken back to your Manage SSO page, where you will see a green Verified tick next to the SSO/SAML Configuration header.
    Screenshot of the Manage SSO page with verification tick highlighted
Step 4: Turn on Single Sign-on for employees
  1. Scroll down on the Manage SSO page, to the section titled SSO/SAML.
  2. Press the Not Enabled toggle on the right-hand side.Screenshot of SSO oage with Not enabled toggle highlighted
  3. An email will automatically be sent to all employees with a company email address linked to their account. They will now be able to use Single Sign-on.

General information about Single Sign-on

Can I use any other identity providers?
Currently, you can use Okta, Google and Microsoft.
Will my employees be able to Single Sign-on to the Employment Hero HR platform via the app dashboard of our IDP provider (Okta, Google, Microsoft)?
Yes, once you’ve created the Employment Hero SSO application on your chosen IDP and assigned it to your employees, they will be able to sign in directly from the app dashboard of your preferred IDP.
What happens when my organisation is no longer on a Single Sign-on supported plan?

The SSO feature will be automatically turned off, and those with administrative or ownership privileges will be informed of this automatic process. Additionally, impacted users will be notified of the changes to how they log in.

Troubleshooting issues during setup

Why is my Key X-509 Certificate not working?
Check that you have included the entire certificate, including the "----BEGIN CERTIFICATE----" and "-----END CERTIFICATE----" sections. 
Why does a user need to complete 2FA through ‌IdP and Employment Hero?
We cannot determine when a user finishes 2FA using the IdP or what 2FA regulations the client follows with their IdP. Therefore, we will still insist on users completing 2FA through Employment Hero to meet our high-security standards for 2FA.

Troubleshooting issues after setup

What should I do if no one in my organisation can log in once SSO is enabled?
Contact Employment Hero. With the permission of your organisation's Admin or Owner, we can disable Single Sign-on for your organisation.
Why have I lost the ability to edit my/other member’s company email?
As login is now associated with a member’s company email, we have restricted the ability to update this value to Admins and Owners only. This is to reduce the risk of a malicious update, which may result in a member being unable to log in or another user gaining unauthorised access.
What happens when an employee leaves the business if Single Sign-on is enforced on their account?
Once an employee is terminated in the HR platform, SSO will no longer apply to their account. The terminated employee can still access their profile using their personal email and password, which they set up during onboarding.

Handling errors and multiple accounts

Where does Employment Hero log in users with multiple accounts across various organisations, all using the same SSO-enabled email?
The organisation with the lowest ID. The user will be able to switch between organisations upon successful authentication for that organisation.
Where does Employment Hero log multiple user accounts with the same SSO-enabled email, but in different organisations, when they need Single Sign-on into all?

The organisation with the lowest ID. Only one user will be able to log in via SSO, other users will have to:

  • Have SSO disabled in their other organisation, so they can login via account email and password
  • Have no company email in their other organisation, so then can login via account email and password
  • Have a different company email address in their other organisation so they can login via SSO using a different email address

Related to:

Was this article helpful?
1 out of 6 found this helpful