Enabling SSO (Single Sign-On) is a great way to improve security and eliminate the need to manage multiple sets of credentials. Collage HR seamlessly and securely integrates with different SSO providers, including Okta, Microsoft, and Google.
To learn more about how to enable SSO with a specific provider, visit one of the following links:
The rest of this article explains what happens after you enable SSO in Collage and describes the experience of your users and employees.
I've enabled SSO. Now what?
Once you enable SSO, users (including yourself) will no longer be able to login using their username and password and will need to authenticate through your IdP (Identity Provider).
IdPs (Identity Providers) supported by Collage include Okta, Microsoft, and Google.
Only one IdP can be active at a time. For example, if you choose to enable SSO through Google, you will need to disable it before switching to Microsoft or Okta.
All users in your company will receive an email with a link that allows them to connect their IdP account to Collage.
Note: disabled users and terminated employees will not receive this email and will not be able to connect their IdP account to Collage, even if it exists.
Before a user can access Collage through their IdP account, they will need to click on the link in the email first. Otherwise, they will see an error when trying to connect their account.
The email of their IdP account must match the email to which the "Connect" link was sent. Otherwise, they will see an error when trying to connect their account. Once an account has been successfully connected, users can login normally. (There's no need to click on the link in the email.)
For example, suppose you as an admin have enabled Google SSO in Collage. Consider the following two scenarios involving one of your employees, Bob:
Scenario 1: Bob receives a "Set up SSO for Collage" email but never clicks the "Connect" link. His Collage login email is bob@yourcompany.com, and his Google email is bob@yourcompany.com. Bob tries to authenticate through his Google account but receives an error and is unable to login, because he never authenticated through the link sent to him in the email. Bob then clicks on the link in the email, authenticates through Google, and is now logged in. From this point on, he can login with his Google account.
Scenario 2: Bob receives a "Set up SSO for Collage" email and clicks on the "Connect" link. The email he is currently using to log into Collage is his personal email, bob1234@google.com, and this is the email to which the link has been sent. However, the corporate Google account set up for him has a different email address: bob@yourcompany.com. Bob tries to authenticate through his Google account but receives an error and is unable to login, because his login email and the IdP email do not match. He reaches out to you and asks you to change his Collage login email to bob@yourcompany.com. Once this is done, another "Set up SSO for Collage" email is sent to bob@yourcompany.com automatically. Bob clicks on the link in that email and is able to connect his account. From this point on, he can login with his bob@yourcompany.com Google account.
To ensure smooth experience for your employees, make sure that their emails match the IdP-issued emails, and that they click on the link in the SSO setup email before connecting their account.
While SSO is active
As long as SSO is enabled in Collage, your users will be forced to use their IdP account to log in. They won't be able to use their username and password. Similarly, if they had set up a Google sign-in through their personal account previously, they wouldn't be able to use it anymore.
Password resets are not available while SSO is enabled.
Resolving SSO related issues
If one of your employees is having trouble connecting their account, the issue is most likely that their Collage login email does not match the email they're using to authenticate through the IdP. This situation can be resolved by navigating to Company Settings -> Users and changing the user's login email. This will automatically send them the SSO setup email at the new address.
You can also resend the SSO setup email at any point (see picture below).
Disabling SSO
Should you choose to disable SSO, your users will be able to use their username and password again. This change takes effect immediately. If a user doesn't have a password, they can reset it.