Authentication Guide

Page timestamp: 2020-11-16T13:21:58+10:00

Release Date: 09 November 2020
Version: 1.0

Introduction

Aurion offers a number of ways to authenticate users, depending on your deployment type (cloud or on-premise) and the Aurion user interface you are authenticating to (Core, Self Service, or the Aurion Mobile App).

Authentication Methods

The methods available to customers to authenticate users, based on their deployment type, are:

Deployment Type / Application | Username & Password | Single Sign-On (LDAP/LDAPS) | Same Sign-On (LDAP/LDAPS) | SAML | OpenID Connect
On-Premise - Core             | Yes                 | Yes                         | No                        | No   | No
On-Premise - Self Service     | Yes                 | No                          | Yes                       | Yes  | Yes
Aurion Cloud - Core*          | Yes                 | No                          | No                        | No   | No
Aurion Cloud - Self Service   | Yes                 | No                          | No                        | Yes  | Yes

* After logging in to the Aurion Cloud Portal.

Username and Password

Your Aurion solution can authenticate users with Aurion application credentials (username and password). However, one of the alternative authentication methods, which can offer stronger controls such as multi-factor authentication, is recommended.

Note: In Self Service, a user can also use their email address (assuming it has been defined against the user’s Aurion security record) as a Username. See the Core online help topic Single Sign-On and Authentication (login required) for a step-by-step guide to configuring Self Service email address sign-on.

Passwords are securely stored in your Aurion solution in accordance with our ISO27001-certified Information Security Standard. Password security can also be increased by configuring password complexity rules; see the guide to configuring password requirements (login required).

Single/Same Sign-On

Aurion can authenticate a user against a directory over LDAP or LDAPS (Lightweight Directory Access Protocol; LDAPS is LDAP over TLS), in either Single Sign-On or Same Sign-On mode. Directories are specialised databases used to keep track of information distributed on a network; a common directory service is Microsoft Active Directory.

Note: LDAPS (normally TCP port 636) encrypts the directory traffic in transit. Plain LDAP provides no encryption, so a user's bind credentials cross the network in clear text; use LDAPS, and make sure the Aurion server trusts the certificate presented by the directory server.

See the Core online help topic Single Sign-On and Authentication (login required) for a step-by-step guide to configuring Core Single sign-on and Self Service same sign-on.
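The bind operation that Same Sign-On relies on, as an added example written for this guide rather than code from Aurion: it encodes an LDAP simple BindRequest by hand, parses the BindResponse, and sends the request over LDAPS with certificate and hostname verification. The host, bind DN, password and the sample failed-bind response are constructed values; port 636 and the BER layout come from RFC 4511. Run it stand-alone to see that the password sits verbatim inside the encoded request, which is exactly what plain LDAP would put on the wire.

```python
import socket
import ssl

# BER tags for an LDAP simple bind (RFC 4511 section 4.2, X.690 encoding).
SEQUENCE = 0x30
INTEGER = 0x02
ENUMERATED = 0x0A
OCTET_STRING = 0x04
SIMPLE_AUTH = 0x80      # AuthenticationChoice "simple" [0], context-specific
BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
BIND_RESPONSE = 0x61    # [APPLICATION 1], constructed
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n):
    """INTEGER with minimal two's-complement content (non-negative values only)."""
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    op = _int(3) + _tlv(OCTET_STRING, bind_dn.encode()) + _tlv(SIMPLE_AUTH, password.encode())
    return _tlv(SEQUENCE, _int(message_id) + _tlv(BIND_REQUEST, op))


def _read_tlv(buf, pos=0):
    """Decode one BER element: returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, body, _ = _read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op)              # resultCode (ENUMERATED)
    _, _matched_dn, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)           # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("directory server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read one BER-framed LDAPMessage: tag, length, then exactly that many bytes."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host, bind_dn, password, port=636, cafile=None, timeout=10):
    """Same sign-on check: simple bind over TLS; True only on resultCode success."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            _, code, _diag = parse_bind_response(_recv_message(tls))
    return code == RESULT_SUCCESS


# Constructed sample: the bytes a directory returns for a failed bind
# (resultCode 49 invalidCredentials); not captured from a real Aurion deployment.
SAMPLE_BIND_FAILURE = _tlv(SEQUENCE, _int(1) + _tlv(BIND_RESPONSE,
    _tlv(ENUMERATED, b"\x31") + _tlv(OCTET_STRING, b"")
    + _tlv(OCTET_STRING, b"invalid credentials (constructed sample)")))

if __name__ == "__main__":
    req = bind_request(1, "cn=alice,dc=example,dc=com", "s3cret")
    # Over plain LDAP (port 389) these bytes, password included, cross the network as-is.
    print("password visible in BindRequest:", b"s3cret" in req)
    print(parse_bind_response(SAMPLE_BIND_FAILURE))
```

Against a real directory, call ldaps_bind("dc01.example.com", "cn=alice,dc=example,dc=com", password, cafile="corp-ca.pem") (hostname and CA file are placeholders). A resultCode of 49 means the directory rejected the credentials; a TLS handshake failure before any bind usually means the directory's certificate is not trusted by the host running Aurion, which is the fix to make rather than disabling verification.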

Security Assertion Markup Language (SAML)

Federated authentication support is provided using Security Assertion Markup Language (SAML). To use SAML, you configure Self Service as a SAML Service Provider (SP); it redirects unauthenticated users to your SAML 2.0-compliant Identity Provider (IdP), for example Active Directory Federation Services (ADFS), when they access Self Service.

Depending on the capabilities of your Identity Provider (IdP), you can also configure different sign-in options with SAML, including:

  • Same Sign-On, where the user is prompted for their directory credentials;
  • Single Sign-On, where the user is not prompted for credentials because an existing IdP session is used; and/or
  • Multi-Factor Authentication (MFA), enforced by the IdP.

See the Core online help topic Self Service SAML SSO Implementation Guide (login required) for more information and a detailed configuration guide.

Prerequisites

Before selecting SAML as your preferred authentication method, check the following requirements:

  • Your chosen IdP must support SAML 2.0 and must be configured by you before setting up Aurion.
  • If your IdP is Active Directory Federation Services (ADFS), ADFS 2.0 or later is required for the IdP role.
  • Your IdP and Service Provider clocks must be in sync. SAML assertions carry a short validity window (NotBefore / NotOnOrAfter), so if the two clocks drift by more than the SP's tolerated skew, valid logins are rejected. This is best achieved by synchronising both servers with a reliable NTP source.
  • If you're using a self-signed certificate for signing SAML requests / responses, the IdP and/or SP need to be configured to trust this certificate explicitly, since it will not chain to a public CA.

Responsibilities

If your Self Service environment is deployed in the Aurion Cloud, the Aurion Cloud Services Team will configure the appropriate SAML settings in the Self Service configuration file. You will need to provide the IdP entry point and IdP certificate. Aurion will provide the issuer, SP certificate and callback URL for you to configure the IdP. You will also need to complete setup tasks in your Aurion application. To request assistance with configuring your SAML Service Provider, contact the Customer Support Team (login required).

If Self Service is deployed on your own on-premise infrastructure, you are responsible for installing, configuring, and maintaining your IdP software (e.g. ADFS). To request assistance with configuring your SAML Service Provider (at additional cost), contact the Customer Support Team.
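An added example, not Aurion's code, showing the checks the Self Service SP must apply to an IdP's SAML Response once its XML signature has been verified against the IdP certificate: Destination and Recipient against the callback URL, Issuer against the IdP, Audience against the SP issuer, and the Conditions validity window against the SP clock with a bounded skew. The entity IDs, callback URL and the Response XML are constructed for the example. Running it with the SP clock set behind the IdP shows why the clock-sync prerequisite above matters: an otherwise good assertion is rejected as not yet valid.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_time(value):
    """SAML xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    value = re.sub(r"\.\d+", "", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id, now, skew_seconds=120):
    """Return (True, NameID) or (False, reason).

    Assumes the XML signature has ALREADY been verified against the IdP certificate
    by the SAML library; only the post-signature checks are applied here."""
    if isinstance(now, str):
        now = parse_time(now)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the SP callback URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text.strip() != idp_entity_id:
            return False, "Issuer does not match the configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew:
        return False, f"assertion not yet valid (SP clock behind IdP by more than {skew_seconds}s?)"
    if now >= not_on_or_after + skew:
        return False, "assertion expired (replayed, or SP clock ahead of IdP?)"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "Audience does not match the SP issuer / entity ID"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "SubjectConfirmationData Recipient does not match the callback URL"
    if now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        return False, "bearer confirmation expired"
    return True, assertion.find("saml:Subject/saml:NameID", NS).text.strip()


# Constructed values standing in for the issuer / callback URL Aurion supplies and
# the IdP identity you supply; none of these are real Aurion or customer endpoints.
SP_ENTITY_ID = "https://selfservice.example.com/saml/metadata"
ACS_URL = "https://selfservice.example.com/saml/callback"
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"

# Constructed Response with a six-minute validity window (signature element omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-11-09T03:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-09T03:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2020-11-09T03:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-11-09T02:59:00Z" NotOnOrAfter="2020-11-09T03:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    # SP clock in sync, ten minutes behind the IdP, and well after expiry.
    for when in ("2020-11-09T03:02:00Z", "2020-11-09T02:50:00Z", "2020-11-09T03:30:00Z"):
        print(when, validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID, when))
```

The skew tolerance is deliberately small (two minutes by default); widening it to paper over unsynchronised clocks also widens the window in which a captured assertion can be replayed, so fix the clocks rather than the tolerance.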

OpenID Connect

Aurion offers OpenID Connect for authenticating Self Service users. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines how to obtain and use access tokens for protected resources, but it does not define a standard way to convey who the user is. OpenID Connect adds authentication as an extension of the OAuth 2.0 authorisation flow: it returns an id_token (a signed JWT) that asserts the identity of the end user and carries basic profile information about them.

OpenID Connect can be configured by customers whether or not they use Belt, and by customers who wish to use OpenID Connect with Azure™. For a list of OpenID Connect providers, see the certified implementations at https://openid.net/developers/certified/

Prerequisites

To configure OpenID Connect, you will need the following:

  • Basic Configuration (for most OpenID providers):
    • application_id (also known as a client_id): specific to the application being signed into; there may be many of these within your tenant_id.
    • tenant_id
  • Azure™ Configuration:

See the Core online help topic OpenID Configuration Guide (login required) for more information and a step-by-step configuration guide.
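An added example (not Aurion's or Microsoft's code) of validating the id_token that the OpenID Connect flow returns, using the tenant_id and application_id values listed above: the issuer must be our tenant, the audience must be our client_id, the token must be inside its iat/exp window, and the nonce must match the one the SP sent in its authorisation request. The tenant_id, application_id, nonce, key and claims are constructed; the issuer format https://login.microsoftonline.com/{tenant_id}/v2.0 is the Azure AD v2.0 one. make_id_token stands in for the IdP and signs with HS256 so the example runs offline with the standard library; a real Azure AD token is RS256-signed and must be verified against the keys published at the tenant's jwks_uri, with the algorithm pinned to RS256 in the same way this code pins HS256.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key, alg="HS256"):
    """Constructed IdP stand-in that mints a JWT. alg='none' produces an unsigned
    token so the validator's algorithm pinning can be exercised."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, client_id, tenant_id, expected_nonce, key, now, skew=60):
    """Return (True, claims) or (False, reason): the OpenID Connect Core 3.1.3.7
    checks that matter for sign-in, with the issuer bound to our tenant_id."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                      # covers bad base64, bad JSON, bad split
        return False, "malformed token"
    if header.get("alg") != "HS256":        # pin the algorithm; never accept 'none'
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        return False, "issuer is not our tenant"
    aud = claims.get("aud")                 # a list with other audiences would need azp checks
    if aud != client_id and aud != [client_id]:
        return False, "token was issued to a different application_id"
    if now >= claims.get("exp", 0) + skew:
        return False, "token expired"
    if claims.get("iat", 0) > now + skew:
        return False, "token issued in the future (clock skew?)"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    return True, claims


# Constructed identifiers; not a real tenant, application or secret.
TENANT_ID = "f0e1d2c3-0000-4000-8000-000000000001"
CLIENT_ID = "9a8b7c6d-0000-4000-8000-000000000002"
NONCE = "n-0S6_WzA2Mj"            # value the SP placed in its authorisation request
SAMPLE_KEY = b"constructed-shared-secret"
NOW = 1_604_890_060               # epoch seconds at validation time


def sample_claims(**overrides):
    """Baseline claims the tenant IdP would issue for the SP (constructed)."""
    claims = {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID,
        "sub": "user-sub-0001",
        "preferred_username": "alice@example.com",
        "iat": NOW - 60,
        "exp": NOW + 3540,
        "nonce": NONCE,
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    good = make_id_token(sample_claims(), SAMPLE_KEY)
    print(validate_id_token(good, CLIENT_ID, TENANT_ID, NONCE, SAMPLE_KEY, NOW))
    # Same claims, but addressed to another application in the same tenant.
    other_app = make_id_token(sample_claims(aud="some-other-app"), SAMPLE_KEY)
    print(validate_id_token(other_app, CLIENT_ID, TENANT_ID, NONCE, SAMPLE_KEY, NOW))
```

The audience check is the one that maps directly onto the prerequisites: many application_ids can exist under one tenant_id, and a token minted for a different application in your tenant carries a valid signature and your issuer, so only the aud comparison against your own client_id keeps it out.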

Configuring Multiple Self-Service Authentication Methods

If required, you can configure multiple authentication methods for Self Service. See the Core online help topic Configure Multiple Self Service Authentication Methods (login required) for more information.

Mobile App Authentication

Your employees can download and use the Aurion Mobile App to view their key payroll information. After downloading the app from the appropriate vendor for their device (either Apple or Android), an employee must first authenticate to Self Service and generate a QR Code token to activate the app. When authenticating to Self Service, the user will need to authenticate using the method you’ve chosen from the options earlier in this document.

Once activated, the app can be configured to use the security features of the device to authenticate, such as PIN code or biometric ID.

Please note: The Aurion Mobile App is only available to your employees to use if you’ve enabled access for your workforce. Check out the guide to configuring the Aurion Mobile App for more information and a step-by-step guide to enabling the app for your team (login required). 

Aurion Cloud Portal Authentication

Registered Aurion Cloud users can access the Aurion Cloud Portal (ACP) using their account username and password. Additionally, multi-factor authentication (MFA) protects our ACP environment by using a second source of validation to verify user identity before granting access to your Aurion Core application. More information about accessing the ACP, including MFA, is available here (login required).

Your ACP account information is managed in accordance with our ISO27001 Information Security Standard, including the password policy we enforce for ACP accounts to ensure maximum security.

Updating your password

You can update your password for the ACP or Aurion Core at any time using the Change Password option in each application.

It is your responsibility to protect your account credentials and to update your ACP and Aurion Core passwords to a new password that complies with complexity rules when prompted at 90-day intervals. You will receive reminders to update your account password at regular intervals before your password expiry date. If you don’t update your password before the expiry date, you’ll need to reactivate your user account by following the instructions in the email you receive from us on the day your account expires.