Authentication
Authentication is the action of verifying the identity of a user or process. ADP Workforce Manager supports two types of authentication: Basic and Federated.
With Basic Authentication, the user’s password is stored within ADP Workforce Manager, and the user authenticates using the built-in authentication service. Basic Authentication is the easiest authentication to use, but it provides the least flexibility and integration with other products. With Basic Authentication, you can access only the core ADP Workforce Manager workforce management (WFM) components.
Multi-Factor Authentication (MFA) improves account security by requiring a one-time passcode in addition to the username and password for any login to a user account. The one-time passcode (OTP) is required once every seven days for each device, and can be received by email, SMS message, or an app-based token. MFA is strongly recommended for all user accounts.
Caution: MFA is required for manager-role user accounts. You cannot turn off MFA for these accounts.
Note: For instructions, see the Multi-Factor Authentication (MFA) topic.
With Federated Authentication, the user’s password is stored in another system (called an Identity Provider or IDP). The identity provider delivers authentication credentials to the service provider (SP) at the user's request. The user is authenticated by the IDP, which in turn delivers confirmation of that user’s identity to ADP Workforce Manager by way of federation. Federated Authentication requires additional configuration and maintenance, but it comes with more flexibility and integration with other products.
Key features of Federated Authentication include:
- Single Sign-On (SSO) — Use single sign-on to log in one time and access multiple service providers.
- (Recommended) Multi-Factor Authentication (MFA) works the same way as for Basic Authentication.
The authentication method (basic or federated) is set for each employee in the Employee section in the People Information component. You can use both authentication methods within the same tenant; users simply use different URLs to access the system. For federated authentication, you can also have multiple identity providers within the same tenant.
If your organization has some employees who use Basic Authentication and some who use Federated Authentication, the Basic Authentication page contains links to the federated URLs. Because multiple IDPs are supported within the same tenant, multiple links can be included. Link text is customizable.
The following table outlines the capabilities available for each set of client requirements.
Client Requirements | MFA Available | Authentication Type | DIDP*** | DIDP Proxy |
---|---|---|---|---|
WFM access only with their own IDP | Yes* | Federated | No | No |
WFM access only without their own IDP | No | Basic | No | No |
WFM access only without their own IDP for all users | Yes** | Federated | Yes | No |
Full suite access with their own IDP(s) | Yes* | Federated | No | Yes |
Full suite access without their own IDP | Yes** | Federated | Yes | No |
Full suite access without their own IDP for all users | Yes** | Federated | Yes | Yes |

\* If needed, MFA must be addressed by the client’s own IDP.

\*\* If needed, MFA must be addressed by the client’s own IDP and/or DIDP.

\*\*\* DIDP supports email, text, and token-based MFA.