Single Sign-On (SSO)

Introduction

Easy Employer now supports Single Sign-On (SSO) for organisations that wish to integrate authentication with their identity provider. This capability is built on AWS Cognito and can be enabled on a per-client basis.

SSO is currently available for organisations using Azure Active Directory (Azure AD) via OAuth 2 / OpenID Connect. If your organisation is interested in enabling SSO, please log a support ticket to discuss implementation requirements.

Overview

Single Sign-On allows users to securely authenticate to Easy Employer using their corporate credentials, simplifying access and improving security.

This is ideal for organisations that manage users through Azure Active Directory and wish to centralise login control.

What is SSO (Single Sign-On)?

Single Sign-On (SSO) is a secure login method that allows users to access multiple systems or applications using a single set of credentials—usually their work email and password managed by their organisation’s identity provider (e.g. Microsoft Azure Active Directory).

Benefits of SSO:

  • Improved security: Access to organisation applications is managed centrally

Example:

If your organisation uses Microsoft Azure Active Directory (Azure AD), and SSO is enabled for Easy Employer, you can log in using your Microsoft 365 credentials—no separate Easy Employer password required.

How It Works

NOTE: Group Policy–based configuration is not supported. Integration must be completed through SSO setup and metadata exchange only.
  • Easy Employer uses AWS Cognito to handle the SSO authentication process.
  • SSO is configured individually for each client organisation that opts in.
  • Once enabled, users will log in to the Easy Employer web platform using their Azure AD credentials.
  • The communication email listed in the user's profile is used for this service.
  • When SSO is enabled in Easy Employer, please note the following changes:
    • Login email address may change
      • The email address that users currently log in with may be different from the email they use for Microsoft login.
      • If a user is currently using a personal email address, their login email will change to their work email once SSO is enabled.
    • Mobile app login
      • SSO is not currently supported on the Easy Employer mobile app.
      • The mobile app will use the Microsoft login email address (work email) for authentication.
      • Users must log in to the mobile app using their PIN code (guide here); passwords will not work.
    • Access reset when SSO is enabled
      • All existing login access to Easy Employer will be reset once SSO is enabled. Users will no longer be able to log in with their previously set login email (e.g. their personal email) on the mobile app or the website (they have to use the SSO login).
    • User profile email address requirements
      • The communication email address listed in each user’s profile is the address used for the SSO connection.
      • Action required before SSO is enabled: Ensure all users’ profiles are updated so their work email address is listed as the communication email (organisation -> users -> click the user -> email, located under personal details).
      • Email forwarding: employees who want Easy Employer emails sent to their personal email may need to set up a forward from their work email.
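
The pre-enablement check described above can be scripted. The following is an added example, not Easy Employer code: it assumes a CSV export of user profiles with hypothetical columns name, login_email and communication_email, and a list of your organisation's work email domains. The sample rows are constructed, and the shared-address check is an extra assumption (one work address per user).

```python
import csv
import io
from collections import Counter

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """name,login_email,communication_email
Ana Lee,ana.lee@example.com,ana.lee@example.com
Ben Ong,ben.ong@gmail.example,ben.ong@gmail.example
Cy Roy,cy@home.example,Cy.Roy@Example.com
Di Fox,di.fox@example.com,
Ed Kim,ed.kim@example.com,shared@example.com
Flo Ray,flo.ray@example.com,shared@example.com
"""

def normalise(address):
    """Trim and lower-case an address so comparisons ignore case and spacing."""
    return (address or "").strip().lower()

def audit_communication_emails(export_text, work_domains):
    """Return (name, issue) pairs for profiles to fix or warn before SSO."""
    domains = {d.lower() for d in work_domains}
    rows = list(csv.DictReader(io.StringIO(export_text)))
    counts = Counter(normalise(r["communication_email"]) for r in rows)
    findings = []
    for row in rows:
        name = row["name"]
        comm = normalise(row["communication_email"])
        login = normalise(row["login_email"])
        local, sep, domain = comm.rpartition("@")
        if not (local and sep and domain):
            findings.append((name, "missing-or-invalid-communication-email"))
            continue
        if domain not in domains:
            # Personal address: must be replaced with the work email first.
            findings.append((name, "communication-email-not-work-address"))
            continue
        if counts[comm] > 1:
            # Assumption: one work address should map to exactly one user.
            findings.append((name, "communication-email-shared"))
        if login != comm:
            # Informational: this user's login email changes once SSO is on.
            findings.append((name, "login-email-will-change"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_communication_emails(SAMPLE_EXPORT, ["example.com"]):
        print(f"{name}: {issue}")
```

Users flagged as login-email-will-change are the ones to notify in advance, since their previous login email stops working when SSO is enabled.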

How do you control access?

  • Access control is managed in your SSO identity provider (IdP) (e.g., Azure Active Directory)
    • If a user is disabled, removed, or not assigned to the Easy Employer application in your SSO system, they will not be able to log in.
    • You can grant or revoke access centrally without making changes in Easy Employer.
  • Easy Employer defers authentication to your SSO system:
    • When a user attempts to log in, Easy Employer redirects them to your SSO provider for authentication.
    • If the IdP validates them successfully and confirms they’re assigned the Easy Employer app, access is granted.
  • Permissions within Easy Employer are still managed separately:
    • While SSO controls whether the user can log in, the roles and permissions (what they can do once logged in) are still configured in Easy Employer.

Limitations

  • SSO access is limited to the Easy Employer web platform only.
  • The Easy Employer mobile app does not support SSO. Users must continue to log in using their PIN code on mobile devices; passwords will not work.
  • Currently, only Azure AD is supported. If you are using a different SSO provider, please let us know as we can look at supporting this.
  • SAML (Security Assertion Markup Language) is not currently supported

Getting Started

To explore enabling SSO for your organisation, please submit a support request. Our team will guide you through the setup process, including exchanging identity provider details and configuring AWS Cognito for your account.

Submit a support ticket to discuss enabling SSO