Signing In¶
Employees and Administrators can sign in to paiyroll® using a paiyroll® username and password. Employees can also sign in using a Sign in service such as an account on one of several social networking sites or your Company’s Single Sign On (SSO) system. This eliminates the need to set and remember a password for paiyroll®.
Note
If you have forgotten your password, you can reset it. If you have forgotten your username, your support contact should be able to verify the value in paiyroll®.
Sign in using an alternate Sign in service¶
Once you have signed in using your social networking account or SSO, you will have streamlined access to paiyroll®, but ongoing access and security procedures vary from site to site, and from time to time. You can typically manage these using the “Apps” or “Security” sections of your social networking account or by contacting your Company’s SSO support team.
Note
If you cannot sign in using a Sign in service, check for these possible reasons:
The Sign in service account must have an associated email address. This can be missing if your account is set up with just a phone number.
The email address must match the one in paiyroll®. Your support contact should be able to verify the value in paiyroll®.
The email address must have been verified, often involving a check using your phone. This must have been successfully completed.
If the social networking site has initiated a re-verification, this must have been successfully completed.
The email address must be reachable.
If the Sign in service account has multiple email addresses, only one marked as the primary will be used.
If you have multiple accounts in paiyroll® which share the email address, you cannot use an alternate Sign in service. You can only sign in using a paiyroll® username and password.
Using your Company’s Single Sign On (SSO) service¶
paiyroll® supports both OIDC-based and SAML 2.0-based SSO. To use it with your Company’s SSO service requires configuration by your Company’s SSO team, and then on paiyroll® to set up an Identity Provider:
for each SSO service needed. This will allow your employees to access paiyroll® using a browser either manually or directly using bookmarked link(s).
Configuring an OIDC SSO service¶
Overview¶
Your Company’s SSO team will need to configure their OIDC SSO service with paiyroll® metadata. Depending on the system they may have to:
Identify or configure the name of the email address “claim”.
Create a Client ID/Client Secret pair.
Configure the Client Authentication <https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication> method.
Enter the paiyroll® redirect URI.
The following sections give details on configuring specific OIDC SSO services.
First Option FranchiseEZE¶
To configure your Company’s service:
Generate the Client ID/Client Secret pair. This can be done using any standard tool. For example, using the node.js crypto library:
const crypto = require('crypto'); const idToken = crypto.randomBytes(32).toString('hex'); const secretToken = crypto.randomBytes(32).toString('hex'); console.log('CLIENT ID: ' + `id_${idToken}`); console.log('CLIENT SECRET: ' + `secret_${secretToken});Configure the Client Authentication <https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication> method to client_secret_basic.
You may need to disable the requirement for PKCE.
Enter the paiyroll® redirect URI:
https://login.paiyroll.com/social/complete/oidc/
To configure paiyroll® using :
Select Template OIDC.
Set the Name.
Enter the URL of your Company’s logo.
Enter the Metadata URL obtained for the “well-known” endpoint. This is the URL that ends with “.well-known/openid-configuration”:
https://wwwww.xxxxx.com/aaaaa/bbbbb/.well-known/openid-configuration
Enter the Email attribute using email as the email address claim’s name.
Enter the Client ID.
Enter the Client secret.
Configuring a SAML SSO service¶
Overview¶
Your Company’s SSO team will need to configure their SAML SSO service with paiyroll® metadata. Depending on the system they may either have to:
Enter the link to the paiyroll® SAML metadata.
Or, alternatively they may have to:
Download the paiyroll® SAML metadata.
Install the downloaded metadata in their SAML SSO service.
(For convenience, this link is also available at the foot of the SSO login page). You will then need information from the SSO team to configure paiyroll® to use your Company’s SSO service as an Identity Provider.
The following sections give details on configuring specific SAML SSO services.
Entering the Email attribute¶
Particular care is needed when entering the Email attribute for the Identity Provider as this is highly dependent on your Company’s SAML SSO service. If your Company’s SAML SSO service is not described below, one of these values will typically be used:
email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Locate and use the auth:ClaimType’s Uri attribute for Email address of the user in your SAML SSO service’s metadata.
Microsoft Azure Active Directory (AD)¶
To configure your Company’s service:
Create an Azure AD SaaS “app”.
Enter the Identifier (Entity ID) from the md:EntityDescriptor line’s entityID attribute from paiyroll® SAML metadata, for example:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="P10D" entityID="https://login.paiyroll.com/social/social/sso/metadata"> <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:Extensions> ...
Enter the Reply URL from the md:AssertionConsumerService line’s Location attribute from paiyroll® SAML metadata, for example:
... <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.paiyroll.com/social/complete/saml/" index="1"/> </md:SPSSODescriptor> ...
To configure paiyroll® using :
Select Template SAML -> Microsoft Azure AD.
Set the Name.
Enter the URL of your Company’s logo.
Enter the Metadata URL obtained from your app’s App Federation Metadata URL:
https://login.microsoftonline.com/xxxxxxxx-yyyy-zzzz-aaaa-bbbbbbbbbbbb/federationmetadata/2007-06/federationmetadata.xml?appid=ssssssss-tttt-uuuu-vvvv-wwwwwwwwwwww
Enter the Email attribute:
Download and view the app’s Federation Metadata XML.
Locate and use the auth:ClaimType’s Uri attribute for Email address of the user:
<auth:ClaimType ...> ... </auth:ClaimType> <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"> <auth:DisplayName>Email</auth:DisplayName> <auth:Description>Email address of the user.</auth:Description> </auth:ClaimType> <auth:ClaimType ...> ... </auth:ClaimType>
In this example, the value to use is “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”.
There is no need to enter an Entity Id. Since Azure only uses one, this will be filled in for you.
Limiting alternate Sign in services¶
Implicit in the use of both social networking sites and SSO is the idea that granting the ability to login to paiyroll® is delegated to the processes and people of the alternate Sign in service. In an age of security awareness, the question of trust in these processes and people must be addressed.
So, what happens when an alternate Sign in service grants access to paiyroll®? The basic concept is that the alternate Sign in service asserts that the person (or evil bot) requesting access is truly allowed the use of a given email address, say “famous.person@hollywood.com”.
In a conventional implementation, the application being accessed would accept this assertion, and access to the account with email address “famous.person@hollywood.com” would be allowed. For SSO, but not for social networking sites, paiyroll® goes beyond this norm and further checks that the account with email “famous.person@hollywood.com” belongs to an Employee under the same Client as the SSO Identity Provider involved.
This “sandboxing” ensures that even if the SSO administrators for some other paiyroll® Client erroneously allow “evil.hacker@bad.place.com” to pretend to have the email address of one of your Employees “our.ceo@best.company.com”, the sign in attempt would fail.
Disabling alternate Sign in services¶
Alternate Sign in using social networking sites is enabled by default. To disable it, simply go to Client setup and tick .
Note
This action will result in all existing “cached” logins to be deleted and (when re-enabled) the affected Employees will need to sign in again.
Alternatively, you can completely disable login for a single user from Employee setup and un-tick .
Administrators enable access via SSO by configuring SSO Identity Providers. To disable SSO access using a given Identity Provider, simply un-tick the setting.