Upgrade SSO Configuration
How to upgrade your SSO configuration for the UKG Authentication upgrade.
UKG Authentication can support a maximum of 7 SSO connections.
Important: If you see the Configure your Single Sign-On (SSO) connection (Required) section in the upgrade checklist, the tenant has an SSO URL. (Optional) You can choose to skip SSO configuration if SSO is configured but not being used. If SSO is being used, do not skip this procedure.
Note: The following people are required to complete this configuration: An IT Member who has access to the IDP, and an HR Administrator who has access to the SSO tool for the UKG Pro suite or UKG Pro Workforce Management. Each of the following steps indicates which person completes that step. Alternatively, a single administrator who has access to both systems can complete this configuration.
- (HR Administrator role) Do one of the following:
- If you are configuring SSO before the upgrade, expand Configure your Single Sign-On (SSO) connection (Required) from the Authentication Upgrade checklist (select Administration > Authentication Upgrade).
- If you are configuring SSO after the upgrade, select System Management > Security > Authentication > SSO Configuration.
- If you are configuring SSO after the upgrade, select Main > Administration > Identity SSO Config.
- (HR Administrator role) Do one of the following:
- (If the tenant uses SSO, do not skip this step.) Select the Configure SSO button and click Configure SSO. The Configure SSO tab opens.
- (Recommended for production tenants only if you want to skip SSO configuration) If SSO is configured but not used, and this is a production tenant, click Switch to direct login.
- (Not available in production tenants) If SSO is not configured, and this is a non-production tenant, click Skip SSO. This is recommended for non-production tenants. You can skip all of the following steps.
- (HR Administrator role) If you selected Configure SSO, the SSO Connections tab opened. Click Add SSO.
- If you use any of the following IDPs, click the appropriate link below. Otherwise, go to the next step.
- (IT Member role) Create a new SSO connection in your IDP; do not edit the existing SSO connection that is currently in use. Generate the Metadata URL in the application for the identity provider (IDP). You must have the Entity ID and Assertion URL to generate the Metadata URL, so use placeholder values for these fields until you can get the real values from the HR Administrator in the next step.
Note: The values of the UKG Pro or UKG Pro Workforce Management Username and the SAML unique response from the identity provider must be identical because these are used to grant access. Verify the Username with the other administrator. Example: If the Username is name@company.com, the SAML response from the IDP must also be name@company.com.
- (HR Administrator role) Configure the following:
- Enter the Configuration name in the Button label field. This name identifies the SSO configuration to the employees. It must be unique, contain no spaces, and should include "SSO" and "UAT" or "PROD". Examples: UKGSSOUAT for the UAT, NPR, or Test environment and UKGSSOPROD for the Production environment.
- In Current IdP Information, select Metadata and enter the Metadata URL that you got from the IT Member.
- In Security settings, select both Notify IdP about callbacks and Sign SAML request to establish the most secure connection.
- In Bindings, select HTTP POST (recommended) to send data securely in the body of the request.
- Keep the default NameId for the SAML assertion attribute. Normally, you do not change this value.
- Click Next.
- Copy the Metadata URL and give it to the IT Member.
- (IT Member role) Configure the new IDP as follows:
- Enter or paste the Metadata URL in the Address bar of a browser.
- From the XML file that opens, copy the Entity ID and Assertion Location attributes for your IDP fields.
- Replace the placeholder values that you entered earlier with these values.
- (IT Member role) Add the user accounts that need to access UKG Pro or UKG Pro Workforce Management. Otherwise, the users will be able to enter their SSO credentials but will be denied access by the IDP.
- (HR Administrator role) Test the connection from UKG Pro or UKG Pro Workforce Management as follows:
- Click Test connection to open the tab.
- In the IDP login page, log in with your user credentials.
- If the login failed, close this tab and verify with the IT Member whether they added the user account for the account that you are testing. If the user account was added, but the error persists, for the moment you can select I tested the SSO connection successfully and click Next.
- If the login succeeded, select I tested the SSO connection successfully and click Next.
- (HR Administrator role) Map the vanity URL to the SSO connection as follows:
- Select the vanity URL to use for this SSO connection. All available URLs are listed.
- Click All Done!
- (HR Administrator role) (Optional) To test, edit, or delete a connection, click the three vertical dots button for that SSO connection and select Test connection, Edit, or Delete.
- (HR Administrator role) (Optional) If Test Connection failed earlier, the IT Member added the user account, but the error persists, click the three dots and select Edit.
- Remove the Metadata URL value that the IT Member provided, copy the URL again, and paste the same value again in Metadata URL.
- Click Next.
- If Test Connection continues to fail, make sure that the Entity ID and Assertion Location values are entered correctly in the IDP.
- If the error persists, contact UKG for support.
- (HR Administrator role) To add another SSO connection, click Add SSO and repeat the previous steps.
- (HR Administrator role) When all SSO connections are tested successfully, return to the Authentication Upgrade tool and expand Configure your Single Sign-On (SSO) connection (Required) to refresh and check the settings.
- Select Administration > Authentication Upgrade.
- Expand Configure your Single Sign-On (SSO) connection (Required).
- Click Refresh. Make sure that the check mark turns green.
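
For the IT Member step that copies the Entity ID and Assertion Location from the metadata XML, and for the Username note, the following added example (not UKG code) reads those values from a saved copy of the metadata and checks them against the HTTP POST and Sign SAML request settings chosen above. It assumes the standard SAML 2.0 service-provider metadata layout; the sample document, its host name, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the standard SAML 2.0 SP metadata shape (placeholder values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp:UKGSSOUAT">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/saml/acs/UKGSSOUAT"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return the values to paste into the IDP plus any review findings."""
    if "<!DOCTYPE" in xml_text.upper():
        # SAML metadata never needs a DTD; refuse it instead of expanding entities.
        raise ValueError("DTD found in metadata, refusing to parse")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{" + MD + "}EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 service-provider metadata")
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    post = [e for e in endpoints if e.get("Binding") == POST]
    if not post:
        raise ValueError("no HTTP-POST assertion endpoint in metadata")
    location = post[0].get("Location", "")
    findings = []
    if not location.startswith("https://"):
        findings.append("assertion URL is not HTTPS")
    if sp.get("AuthnRequestsSigned", "false").lower() not in ("true", "1"):
        findings.append("metadata does not advertise signed AuthnRequests")
    return {"entity_id": root.get("entityID"), "acs_url": location,
            "findings": findings}


def compare_username(ukg_username, saml_name_id):
    """The page requires identical values, so near-matches are reported, not accepted."""
    if ukg_username == saml_name_id:
        return "identical"
    if ukg_username.strip().lower() == saml_name_id.strip().lower():
        return "differs only by case or whitespace"
    return "different"
```

Run `read_sp_metadata` on the XML saved from the Metadata URL before replacing the placeholder values in the IDP, and resolve any entry in `findings` with the HR Administrator first.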
