Configure SSO for Okta
How to configure SSO for UKG Authentication and Okta™.
UKG Authentication can support a maximum of 7 SSO connections.
Note: The following people are required to complete this configuration: an IT Member who has access to Okta, and an HR Administrator who has access to the SSO tool for the UKG Pro suite or UKG Pro Workforce Management. Each of the following steps indicates which person completes that step. Alternatively, a single administrator who has access to both systems can complete this configuration.
- (IT Member role) Log in to Okta.
- (IT Member role) Create a new Enterprise Application instance; do not select an existing instance.
- (IT Member role) Create the Metadata URL as follows:
  - Single Sign On URL: Enter a placeholder value. Example: https://fsso.placeholder.com
  - Select Use this for Recipient URL and Destination URL.
  - Do not select Allow this app to request other SSO URLs.
  - Audience URI (Entity ID): Enter a placeholder value. Example: https://fsso.placeholder.com
- (IT Member role) The remaining Claims and Attributes are the same as for the existing applications.
- (IT Member role) Click Next and Next.
- (IT Member role) In the Sign On tab, in , click Copy and give the Metadata URL to the HR Administrator.
- (HR Administrator role) Log in to the UKG Pro suite or UKG Pro Workforce Management.
- (HR Administrator role) Do either of the following:
  - If you are configuring SSO before the upgrade, select , Then, select Configure your Single Sign-On (SSO) connection and click Configure SSO.
  - If you are configuring SSO after the upgrade, select System Management > Security > Authentication > SSO Configuration. Then, select and click Configure SSO.
  - If you are configuring SSO after the upgrade, select Main > Administration > Identity SSO Config. Then, select and click Configure SSO.
- (HR Administrator role) Configure the following:
  - Enter the Configuration name in the Button label field. This name identifies the SSO configuration to the employees. It must be unique, contain no spaces, and should include "SSO" and "UAT" or "PROD". Examples: UKGSSOUAT for the UAT, NPR, or Test environment and UKGSSOPROD for the Production environment.
  - In Current IdP information, select Metadata and enter or paste the Metadata URL for Okta.
  - In Security settings, select both Notify IdP about callbacks and Sign SAML request to establish the most secure connection.
  - In Bindings, select HTTP POST (recommended) to send data securely in the body of the request.
  - Keep the default NameId for the SAML assertion attribute. Normally, you do not change this value.
  - Click Next.
- (HR Administrator role) Copy the Metadata URL and give it to the IT Member.
- (IT Member role) Paste the Metadata URL in the Address bar of a browser.
- (IT Member role) From the XML file that opens, copy the entityID and ASC Locations for your IDP fields.
- (IT Member role) Return to Okta and do the following:
  - Replace the Audience URI (Entity ID) with the entityID from the XML file.
  - Replace the Single Sign On URL (Assertion Consumer Service URL) with the ASC Locations from the XML file.
  - Assign the appropriate Users and Groups to the application.
- (HR Administrator role) In the UKG Pro suite or UKG Pro Workforce Management, do the following:
  - Click Test Connection to open the tab.
  - Log in with your user credentials.
  - If the login failed because of an incorrect configuration in Okta, the error shows Okta's or your organization's logo. Ask the IT Member to check that the User, Group, Entity ID, Assertion URL, and Sign-on URL are correct in Okta. Close the tab.
  - Select I configured the IdP by entering the metadata URL in the settings and click Next.
  - Map the vanity URL to the SSO connection as follows: Select the vanity URL to use for this SSO connection. All available URLs are listed. Click All Done! If the IT Member needs the SSO URL, copy this URL and give it to the IT Member.
- (HR Administrator role) (Optional) To test, edit, or delete a connection, click the three vertical dots button for that SSO connection and select Test Connection, Edit, or Delete.
- (HR Administrator role) To add another SSO connection, click Add SSO and repeat the previous steps.
- (HR Administrator role) (Optional) If Test Connection failed earlier and the error persists after the IT Member added the user account, click the three dots and select Edit.
  - Remove the Metadata URL value that the IT Member provided, copy the URL again, and paste the same value again in Metadata URL.
  - Click Next.
  - If Test Connection continues to fail, make sure that the Entity ID and Assertion Location values are entered correctly in the IDP.
  - If the error persists, contact UKG for support.
- (HR Administrator role) When all SSO connections are tested successfully, return to the Authentication Upgrade tool and expand Configure your Single Sign-On (SSO) connection (Required) to refresh and check the settings.
  - Select Administration > Authentication Upgrade.
  - Expand Configure your Single Sign-On (SSO) connection (Required).
  - Click Refresh. Make sure that the check mark turns green.
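
For the steps where the IT Member copies the entityID and ASC Locations from the metadata XML into Okta, the values can be extracted and cross-checked with a script instead of by eye, which also catches placeholder values left in place. This Python code is an added example, not UKG or Okta code; the sample metadata, the host sp.example.test, and the function names are constructed for illustration, and it assumes the metadata is a standard SAML 2.0 EntityDescriptor containing an SPSSODescriptor.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (hypothetical host), not real UKG output.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{POST}" Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/acs-redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml):
    """Return the entityID and ACS endpoints from SAML SP metadata."""
    root = ET.fromstring(metadata_xml)  # input is your own tenant's metadata
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [
        {"index": e.get("index"), "binding": e.get("Binding"),
         "location": e.get("Location"), "default": e.get("isDefault") == "true"}
        for e in sp.findall(f"{{{MD}}}AssertionConsumerService")
    ]
    return {"entity_id": root.get("entityID"), "acs": acs,
            "signs_requests": sp.get("AuthnRequestsSigned") == "true"}


def check_okta_values(sp, audience_uri, sso_url):
    """Compare values entered in Okta with the metadata; return problems found."""
    problems = []
    if audience_uri != sp["entity_id"]:
        problems.append("Audience URI does not match entityID")
    post_locations = [a["location"] for a in sp["acs"] if a["binding"] == POST]
    if sso_url not in post_locations:
        problems.append("Single Sign On URL is not an HTTP-POST ACS Location")
    if urlparse(sso_url).scheme != "https":
        problems.append("Single Sign On URL is not HTTPS")
    return problems
```

An empty list from `check_okta_values` means the Audience URI and Single Sign On URL entered in Okta match the metadata; any remaining placeholder value is reported as a mismatch.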
