OneAdvanced Identity guidance

  1. Introduction

In T&A version 8.40.0.0 or higher we have provided a new login method for the T&A Web and Mobile application, which ensures secure access to your software applications as well as easier access to the applications you use.

This guidance is to assist Time and Attendance customers to enable OneAdvanced Identity authentication in their T&A Web and mobile applications. Specifically, this guidance is geared towards systems administrators.

Please note this guide will take you through the T&A onboarding process for OneAdvanced Identity and so may not provide like-for-like guidance for other applications.

  2. What is OneAdvanced Identity?

OneAdvanced Identity (OAI) is a platform that centralises user authentication from across products and services provided by OneAdvanced, so users have a more secure and seamless authentication process between their different applications. It also allows users to access their OneAdvanced applications using a single set of credentials, rather than having to rely on multiple usernames and passwords across products.

For administrators, there is a single location where you can control the authentication process into your OneAdvanced systems, allowing for easier user management as well as access to OneAdvanced’s most secure authentication tools, such as Multi-Factor Authentication (MFA) and integrating with existing Active Directory (AD) instances.

  3. Getting started

You can contact either your Account Manager or Customer Success Manager to register your interest in enabling OneAdvanced Identity in your T&A system.

Before enabling OneAdvanced Identity, the following checklist should be considered to ensure that you and your users are prepared for the changes this will have on your system, and that your employee/user data is appropriate for syncing with Identity.

Check required data

  • A pre-requisite for using OAI is that all Employee and User records in the system must have a unique email address. Where an employee and user are linked, they will share the same email address. The email address does not have to be an organisational email address.
  • There is a new Email for SSO field on the User record, which is mandatory when Identity is enabled. This field must be populated for existing Users to be successfully migrated.
  • Employees/Users cannot have duplicate email addresses, unless they are linked, as this will impact the synchronisation between OAI and T&A.
  • An employee should not be linked to more than one user, as this will prevent all the users from being synced.
  • Email addresses should be in a valid format and should not be fully upper-case or contain spaces. Otherwise, errors can occur during the synchronisation process, which will mean the user will not be able to access the web/mobile app.

Don't worry though, as the Identity Onboarding function in T&A will perform these email checks for you and let you know which employee/user records are affected. Details are covered in the Identity Onboarding in T&A section below.

Understanding the changes

  • Review the dedicated OneAdvanced Identity Service guidance available here, to understand more about the authentication features and functionality available.
  • Users will be directed to the OneAdvanced Identity login page for your organisation, instead of a T&A login page.
  • If you are upgrading then all current users will have a change in credentials when accessing the T&A web/mobile app.
  • There is no change in the way employees/users are created in T&A. The integration between OAI and T&A works in the background, to sync them to their SSO accounts in Identity. Supervisors should review the User Management guidance notes available here.
  • Switching between an employee and linked supervisor user will be much quicker and easier with Identity enabled, as you will be taken directly to the dashboard view and will no longer be required to log in again.

Managing your Identity Service

  • As part of OAI you will have access to a centralised application platform that is used by system administrators to manage your Identity service.
  • You will need to nominate a System Administrator for OAI within your organisation. The administrator is required for onboarding to take place as they will be the first person to get access to your Identity Service platform and the administrator controls for your OneAdvanced Identity service.
  • It is advisable to create additional administrators who will also be given access to your Identity Service platform and OAI administrator controls.
  • Having reviewed the OneAdvanced Identity features, you should also consider how you want to configure your OAI Organisation as this will determine your security and login flow for T&A web/mobile app. You may find this Admins section helpful.

  4. Enabling OneAdvanced Identity

This next section provides you with detailed information on how you can adopt Identity in T&A.

Requesting your Identity Service

Once you and your Customer Success/Account Manager are happy that you have covered the checklist and are ready to enable Identity in your new system or as part of your T&A upgrade to 8.40.0.0 or higher, you can request that your organisation's OneAdvanced Identity Service be created. You will need to provide the following information:

Customer Name

This is the name of your Organisation.

System Administrator Name

Provide the first name and surname of the admin who will be overseeing the onboarding process

System Administrators Email

Provide the email address of the admin who will be overseeing the onboarding process

If an implementation consultant will be working with you to enable OAI, then the above System Administrator will be requested to create an OAI user account for this person. Details on creating and managing users in your Identity Service are available here.

Configuring your Identity Organisation

Before enabling OAI in the T&A system you must ensure that you have configured your Organisation within your Identity Service to reflect how you would like T&A web/mobile app login authentication to work. This may involve setting up Federated authentication, setting your Password Policy and turning on Multi-factor authentication, all of which will impact the login flow for users.

Identity onboarding in T&A

You can access the Identity onboarding function in the T&A WINTMS app, using the following steps.

Wintms.exe -> System -> Maintain Users -> Login Options -> OneAdvanced Identity

If the OneAdvanced Identity tab is not available, then the feature will need to be switched on. This can be done through INIEDIT, by navigating to ADVSSO>ENABLEIDENTITY and setting the preference to true.

  • Identity onboarding is a simple process of configuring your Identity settings and then enabling Identity.
  • We have included an optional step, to start the sync process before enabling the Identity login page, to give customers flexibility to sync employees/users before enabling the Identity login page.

Email summary

We have provided Email summary stats to give customers the assurance their email data meets the unique email address pre-requisite and will therefore be synchronised successfully once the sync process has started in step 2 or 3.

  • The email checks exclude employees with a leave date in the past.
  • The View Details link provides a list of the employees/users that do not have a unique email address.
  • In the View Details screen, there is a right-click option to copy the grid data to the Clipboard.
  • The Start Synchronisation/Enable Identity steps can still be performed even if the Email summary shows there are employees/users without a unique email address.
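A pre-flight version of the checks described in the "Check required data" checklist and the Email summary, as an added example (not OneAdvanced code and not how T&A implements its own checks). The record shape, field names, loose format regex and case-insensitive duplicate comparison are assumptions made for illustration.

```python
import re
from collections import defaultdict, namedtuple
from datetime import date

# Hypothetical record shape (not a T&A export format); SAMPLE below is constructed.
Rec = namedtuple("Rec", "id kind email employee_id leave_date", defaults=(None, None))
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose format check

def linked_pair(group):  # email shared only by an employee and its one linked user
    emps = [r for r in group if r.kind == "employee"]
    users = [r for r in group if r.kind == "user"]
    return len(emps) == 1 and len(users) == 1 and users[0].employee_id == emps[0].id

def check_records(records, today):
    """Return {record id: [problems]} for records that break the checklist."""
    problems, by_email, users_of = defaultdict(list), defaultdict(list), defaultdict(list)
    for r in records:
        if r.kind == "employee" and r.leave_date and r.leave_date < today:
            continue  # leavers are excluded from the email checks
        if not r.email:
            problems[r.id].append("missing email")
        elif re.search(r"\s", r.email):
            problems[r.id].append("contains spaces")
        elif not EMAIL_RE.match(r.email):
            problems[r.id].append("invalid format")
        elif r.email.isupper():
            problems[r.id].append("fully upper-case")
        if r.email:
            by_email[r.email.lower()].append(r)  # assumption: compared case-insensitively
        if r.kind == "user" and r.employee_id:
            users_of[r.employee_id].append(r.id)
    for group in by_email.values():
        if len(group) > 1 and not linked_pair(group):
            for r in group:
                problems[r.id].append("duplicate email")
    for user_ids in users_of.values():
        if len(user_ids) > 1:
            for uid in user_ids:
                problems[uid].append("employee linked to more than one user")
    return dict(problems)

SAMPLE = [
    Rec("E1", "employee", "alice@example.com"), Rec("U1", "user", "alice@example.com", "E1"),
    Rec("E2", "employee", "BOB@EXAMPLE.COM"), Rec("E3", "employee", "carol @example.com"),
    Rec("E4", "employee", "dave@example.com"), Rec("U4", "user", "dave@example.com"),
    Rec("U6", "user", "erin@example.com", "E6"), Rec("U7", "user", "erin.admin@example.com", "E6"),
    Rec("E5", "employee", "", None, date(2020, 1, 31)),
]
print(check_records(SAMPLE, date(2024, 1, 1)))
```

The linked pair E1/U1 passes despite sharing an address, while the unlinked pair E4/U4 is reported as a duplicate, and the leaver E5 is skipped even though its email is empty.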

Configure your Identity details

Once your Identity service has been set up you will receive your Identity Organisation Reference and a set of secure Client Credentials. This information, plus the additional settings, should be entered in the screen shown.

Synchronise employees and users

As mentioned above, this step is optional. Once the Start synchronisation button is selected, the background integration process will be kicked off. This process will sync any existing employees/users with an email address, as well as new records created once it's running, to their Identity SSO account.

This means you have the option of completing your upgrade and switching over to the Identity login page, at a later date, once you are happy that your employees/users have their SSO accounts ready for login to T&A.

Enable Identity

Once the Enable Identity option is checked/true:

  • the T&A web/mobile app login method will be switched from the current login method to using the Identity login page
  • additionally, if the background synchronisation process is not already running then it will be started

Disabling Identity

Should you need to stop using the Identity login page on the web app, you can unset the Enable Identity option. The system will then use the login option configured.

Synchronisation Status

The synchronisation stats provide customers with an overview of employees/users that have been successfully synced to their SSO account and those that have failed.

  • Once the Enable Identity flag has been set to true, any employees/users that have failed synchronisation will not be able to log in to the web/mobile app.
  • You can use the View Details link to see why they failed to sync to Identity. The sync process will attempt to sync the employee/user again after the record is updated to correct the issue.

Identity Welcome email

When Identity is enabled (Step 3) in T&A and a new SSO account is created, the Identity service will automatically send a Welcome email to the user, which provides details on how they can set a password for their new SSO account. Once the user has completed this step they will be able to log in to the T&A web/mobile app.

Note: Welcome emails are not sent out if you use the optional Synchronisation process (Step 2) to sync all employees/users before enabling Identity (Step 3). However, once you are happy that all the employees/users are synced, you can still send Identity Welcome emails by using the 'Sending welcome emails to multiple users' feature; use this link to access the help page for more instructions.

Logging into T&A using Identity

Once you have enabled Identity the login flow for T&A will be dictated by the authentication settings set in your Identity Organisation.

Find more information on the different login flows here.

Master user access to T&A web app

Windows apps do not use Identity and therefore you can use existing T&A passwords or set new passwords on the User record. However, once Identity is enabled the Master user can only be used by one SSO email account on the T&A web app. This is in line with your choice to enable Identity so that you have more secure access to your data via the web and better auditing, as multiple people cannot use one account to make changes.

Should you need to use the Master user in the web app, follow the steps below:

  • In the WINTMS app, go to System -> Maintain Users -> Users
  • Select Master User and click modify
  • Update the Email for SSO field with a valid email address. Once the record is synced to Identity, you will be able to log in.