Authentication
Authentication is the action of verifying the identity of a user or process.
UKG Pro Workforce Management supports two types of authentication: Basic and Federated.
Basic Authentication
With Basic Authentication, the user’s password is stored within UKG Pro Workforce Management, and the user authenticates using the built-in authentication service. Basic Authentication is the easiest authentication to use, but it provides the least flexibility and basic integration with other products. With Basic Authentication, you can access only the core UKG Pro Workforce Management workforce management (WFM) components.
Multi-Factor Authentication (MFA) improves account security by requiring a one-time passcode in addition to the username and password for any login to a user account. The one-time passcode (OTP) is required once every seven days for each device and can be received by email, SMS message, or an app-based token. MFA is strongly recommended for all user accounts and is required for manager and administrator roles.
Federated Authentication
With Federated Authentication, the user’s password is stored in another system (called an Identity Provider or IDP). The identity provider delivers authentication credentials to the service provider (SP) at the user's request. The user is authenticated by the IDP, which in turn delivers confirmation of that user’s identity to UKG Pro Workforce Management by way of federation. Federated Authentication requires additional configuration and maintenance, but it comes with more flexibility and integration with other products.
Key features of Federated Authentication include:
- Single Sign-On (SSO) — Use single sign-on to authenticate when logging in one time to access multiple service providers.
- Full-Suite Access — With Federated Authentication, you can use HCM, Workforce Planner, or Telestaff in addition to the core Workforce Management (WFM) suite of products.
UKG offers the following for customers who do not have their own IDP but could benefit from using one, either because they are a full suite customer or because they require MFA:
- An identity provider hosted in the Dimensions Cloud called Dimensions IDP (DIDP)
- The Dimensions IDP Proxy (DIDP Proxy) service that acts as an IDP to an SP but then redirects to one or more IDPs. This allows full suite customers to use multiple IDPs or to work around any configuration issues with their own IDP. Note: UKG Authentication does not support DIDP or DIDP Proxy, and systems are being migrated from DIDP to UKG Authentication.
- SSO Username: UKG Authentication adds the SSO Username field which is populated with the Username by default. If you need SSO Username to be different from the Username, you can update it in People Information or by an API.
Assign authentication type to people
The authentication method (basic or federated) is set for each employee in the Employee section in the People Information component. You can use both authentication methods within the same tenant. Users would simply use different URLs to access the system. For federated authentication, you can also have multiple identity providers within the same tenant.
If your organization has some employees who use Basic Authentication and some who use Federated Authentication, the Basic Authentication page contains links to the federated URLs. Because multiple IDPs are supported within the same tenant, multiple links can be included. Link text is customizable.
Summary
The following table outlines the capabilities available for the various customer requirements.
Customer Requirements | MFA Available | Authentication Type | DIDP*** | DIDP Proxy |
---|---|---|---|---|
WFM access only with their own IDP | Yes* | Federated | No | No |
WFM access only without their own IDP | No | Basic | No | No |
WFM access only without their own IDP for all users | Yes** | Federated | Yes | No |
Full suite access with their own IDP(s) | Yes* | Federated | No | Yes |
Full suite access without their own IDP | Yes** | Federated | Yes | No |
Full suite access without their own IDP for all users | Yes** | Federated | Yes | Yes |

\* If needed, MFA must be addressed by the customer’s own IDP.

\*\* If needed, MFA must be addressed by the customer’s own IDP and/or DIDP.

\*\*\* DIDP supports email, text, and token-based MFA.