You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Set Up SSO with UltiPro
The EmpowerID SSO framework allows you to integrate UltiPro with EmpowerID, making EmpowerID the identity provider for your organization's UltiPro account. In this way, users can access their corporate UltiPro accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins, or those of another trusted (third-party) identity provider that has been integrated with EmpowerID.
As a prerequisite to creating an SSO Connection for UltiPro as a service provider in EmpowerID, you must have an UltiPro account. Additionally, UltiPro uses ADFS2 to federate with third-party applications, therefore you must send UltiPro the certificate you are using in your EmpowerID configuration so they can configure ADFS2 appropriately.
Create an UltiPro SSO application and connection
On the navbar, expand Apps and Authentication and click Applications.
From the Actions pane, click the Create Application action.
This opens the Application Details form, which contains various tabs and fields for creating the application.
Name – Enter a name for the application
Display Name – Enter a display name for the application
Description – Enter a description for the application
Instructions – Optional
Full URL (Exact Match Path) – Leave empty
Create a Tracking Only Account Store – Leave unselected (Although you have the option to create a tracking-only account store for UltiPro, the best practice is to connect EmpowerID to UltiPro so you can inventory and synchronize the user data in your UltiPro account with EmpowerID. This lets you create new UltiPro accounts in EmpowerID and have them appear in UltiPro and vice-versa.)
Select Existing Account Store (Directory) – Search for and select your UltiPro account store
Select a Location – Click the link and then search for and select an EmpowerID location in which to create the application
Publish in IT Shop – Select this option if you want eligible users to be able to request an account in the application from the IT Shop
Allow Claim Account – Select this option to let users claim application
Login is Email Address (Receive OTP to Claim) – Select this option if the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in to it from EmpowerID.
Allow Request Account – Select this option to let users to request or claim an account in the application from the IT Shop
Make Me the Owner – Select this option if you want to be the application owner
Icon – Enter ~ Images/AppLogos/UltiPro.png to use the UltiPro image provided by EmpowerID. This image appears in the Personal Applications page of the EmpowerID Web application for users with access to UltiPro.
Select SAML as the Single Sign-On Connection Type.
Select Create a New SAML Connection.
Display Name – Enter the name for the UltiPro SSO connection that you want to appear to users in the EmpowerID user interfaces. By default EmpowerID populates the value of this field with the name you gave to the application above.
SAML Name Identifier Format – Value should be Unspecified
Issuer – Value should be EmpowerID
Initiating URL – Enter /WebIdPForms/Generic/AuthenticationRequest
Tile Image URL – Leave the value as is
Description – Enter a description for the SAML connection
Click the Add button and fill in the following:
Assertion Consumer URL – Enter https://efs.ultipro.com/adfs/ls/
Priority – Optionally, enter a number to indicate the priority for the URL when more than one ACS URL is specified (the lower the number the higher the priority)
SAML Submission Method – Select HTTPPost
Click Save.
Select Enable Assertion Signature.
Signing Certificate – Search for and select the appropriate certificate to sign the SAML assertions sent to UltiPro.