Available for the following plan: Employment Unlimited
Available for the following HR classic plan: Platinum
Available for the following user access level: Admin
With SAML-based single sign-on (SSO), employees can access Employment Hero through an identity provider (IdP) of their choice. You can set this up through Microsoft Entra, Google, or Okta.
Interactive learning
How to set up SSO SAML on Okta
- Within the Okta Admin console, click the Applications menu.
- Click Create App integration.
- For the sign-in method, select SAML 2.0.
- Click Next.
- Set up the SAML SSO general settings, including:
- Click Next.
- Configure your SAML using the following credentials:
- Single sign-on URL: https://secure.employmenthero.com/sso/saml/consume
- Audience URI (SP Entity ID): EmploymentHero
- Default RelayState: Leave blank
- Name ID format: Unspecified
- Application username: Okta username
- Update application username on: Create and update
- Tick the checkbox called "Use this for Recipient URL and Destination URL.
- Complete set up.
- After you have set up the Okta SAML SSO App, you will need to click on "View SAML setup instructions" and use the Identity Provider Single Sign-On URL, Identity Provider Issuer and X.509 certificate in the next step of your set up.
Important
Your provider may ask for the following information to configure the IdP:- Entity ID = EmploymentHero
- Assertional Consumer Service URL = https://secure.employmenthero.com/sso/saml/consume
Please note that the above URL is not an active URL and just needs to be input for the SSO set up process.
- Click the Settings button in the menu on the left-hand side of your homepage.
- Click the Single Sign-on button under the General Settings heading.
- Enter your SAML Sign-on URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Issuer URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Key x509 Certificate (you can find this in the View SAML set-up instructions screen in step 1).
- Click Test Configuration & Save.
- You will be taken to Okta's login page.
- Enter your username and password, along with any additional security measures required by Okta.
- Once complete, you will be taken back to your Manage SSO page, where you will see a green Verified tick next to the SSO/SAML Configuration header.
How to set up SSO SAML using Google
To begin, you should establish a connection between Employment Hero and Google. To do this you will need to log in to the Google Admin Portal and create a new app integration using the credentials below. For more information see this link.
- Navigate to the Google Admin Portal.
- Click Web and mobile apps on the side menu.
- Click Add custom SAML app from the drop-down Add App menu.
- Type in your preferred App name for Employment Hero SAML SSO and click Continue.
- Following Option 2, copy the SSO URL, Entity ID and Certificate to be used later. Click Continue.
- Under the Service provider details, input the following details:
ACS URL:https://secure.employmenthero.com/sso/saml/consume
Entity ID:EmploymentHero
- Click Continue.
- You will not be required to do attribute mapping. You can finish the setup process by clicking Finish.
- Click the Settings button in the menu on the left-hand side of your homepage.
- Click the Single Sign-on button under the General Settings heading.
- Enter your SAML Sign-on URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Issuer URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Key x509 Certificate (you can find this in the View SAML set-up instructions screen in step 1).
- Click Test Configuration & Save.
- You will be taken to Google's login page.
- Enter your username and password, along with any additional security measures required by Google.
- Once complete, you will be taken back to your Manage SSO page, where you will see a green Verified tick next to the SSO/SAML Configuration header.
How to set up SSO SAML using Microsoft
To begin, you should establish a connection between Employment Hero and Microsoft. To do this you will need to log in to the Microsoft Entra admin center and create a new app integration using the credentials below.
- Sign in to the Microsoft Entra admin center.
- Click the Applications menu, then Enterprise Applications, then All Applications.
- Click New Application.
- If you are redirected to Browse Microsoft Entra Gallery, select Create your own Application.
- Enter a name for your Employment Hero SSO Application.
- Click on the checkbox: Integrate any other application you don't find in the gallery (Non-gallery).
-
Click Create.
Important
Do not select any app suggested by Microsoft, such as "Employment Hero", even if it matches your entry. Since you are creating your own application for your specific requirements, it's important to avoid selecting these suggestions.
- Select Single sign-on from the side bar.
- Select SAML.
- Click Edit next to the application you created.
- Configure your SAML configurations with the following Identifier(EntityID):
EmploymentHero
Reply URL ( Assertion Consumer Service URL):https://secure.employmenthero.com/sso/saml/consume
Sign-on URL:https://secure.employmenthero.com/sso/saml/init
-
Once completed, copy the following information provided by Microsoft Entra to set up your SSO on Employment Hero:
- Login URL
- Microsoft Entra Identifier
- Logout URL
- Click the Settings button in the menu on the left-hand side of your homepage.
- Click the Single Sign-on button under the General Settings heading.
- Enter your SAML Sign-on URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Issuer URL (you can find this in the View SAML set-up instructions screen in step 1).
- Enter your Key x509 Certificate (you can find this in the View SAML set-up instructions screen in step 1).
- Click Test Configuration & Save.
- You will be taken to Microsoft's login page.
- Enter your username and password, along with any additional security measures required by Microsoft.
- Once complete, you will be taken back to your Manage SSO page, where you will see a green Verified tick next to the SSO/SAML Configuration header.
General information about Single Sign-on
The SSO feature will be automatically turned off, and those with administrative or ownership privileges will be informed of this automatic process. Additionally, impacted users will be notified of the changes to how they log in.
Troubleshooting issues during setup
Troubleshooting issues after setup
Handling errors and multiple accounts
The organisation with the lowest ID. Only one user will be able to log in via SSO, other users will have to:
- Have SSO disabled in their other organisation, so they can login via account email and password
- Have no company email in their other organisation, so then can login via account email and password
- Have a different company email address in their other organisation so they can login via SSO using a different email address
If some employees encounter an error saying the app is not enabled for user, please ensure the Employment Hero app is assigned to the user in Google Workspace. You can manage which Google Groups/Organisational Units the app is enabled for by navigating to Google Workspace Admin -> Apps -> Web and mobile apps -> Employment Hero -> User access. For more information on how to set up Google SSO, see Google's support page.
Comments
Article is closed for comments.