Azure Authentication for ESS

This article describes how to set up Azure Authentication for the Employee Self Service module.

Prerequisites

First, check the ‘Azure Authentication Enabled for ESS’ checkbox in the Self Service tab of System Options for ESS.

Employee Self-Service Maintenance; standard Treeview path: HCM > File Maintenance > Employee Maintenance

Next, check the ‘Access To Self Service’ box for the employee in Employee Self-Service Maintenance. This checkbox, shown above, determines the workflow when an employee is invited to ESS.

Pgm: PYEMPLOY – Employee Profile; standard Treeview path: US Payroll > Setup > Employees > Employee Profile – Address tab

Set the employee email address in the Address tab of the Employee Profile. The selection in the Email to Use for ESS Notification field determines which email address from the screen above is used.

ESS Validation Process

If the ‘Azure Authentication Enabled for ESS’ box is checked, the Employee Maintenance screen will validate the information below before it allows users to register for ESS. The normal registration process is described in ESS Registration. The validation process is as follows.

  1. The Employee Maintenance screen will check whether an email address is set up on the Employee Profile.

  2. If an email address is found, the system searches for that email address in the LDAP directory to see if it corresponds to a USERID. If multiple USERIDs are found for the same email address, the program will display an error message, shown below, prompting the user to clean up their AD account setup.

    Please note that if emails are set up with multiple USERIDs, then AD may fail. If the email address is not found in the LDAP directory, then an error appears stating that an AD account is not set up for this employee and email address.

  3. The program will then search the portal sec user in CMIC for the same USERID found in the LDAP directory. If the USERID already exists in the portal sec table for another employee, the program will display an error.

    If the USERID already exists in the portal sec table without an employee, then the program will sync the employee number in the SYSCONTACT table.

    If the information is not found, the program will create a portal sec user and contact for the USERID and sync with the employee number.

  4. If all the above conditions are met, the program will display the USERID on the screen and allow the user to check the ESS box. The registration email containing the ESS link and USERID is then sent to the employee.
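
The decision flow in steps 1 to 4, sketched in Python as an added example (not CMiC code). The in-memory `Stores` object, the function names, the sample records, the case-insensitive email comparison and the "already linked" outcome for a USERID that already belongs to the same employee are all assumptions made for illustration.

```python
# Added illustration, not CMiC code: in-memory stand-ins replace the LDAP
# directory and the portal sec table; all names and records are constructed.
from dataclasses import dataclass, field

class ValidationError(Exception):
    """Raised when an employee cannot be registered for ESS."""

@dataclass
class Stores:
    ldap: list                                      # (email, USERID) pairs
    portal_sec: dict = field(default_factory=dict)  # USERID -> employee no. or None

def validate_ess_registration(emp_no, email, stores):
    """Return (userid, action) or raise ValidationError, following steps 1-4."""
    # Step 1: an email address must be set up on the Employee Profile.
    if not email or not email.strip():
        raise ValidationError("no email address on the Employee Profile")
    # Step 2: the email must map to exactly one USERID in the directory.
    wanted = email.strip().lower()  # assumption: case-insensitive comparison
    userids = sorted({u for e, u in stores.ldap if e.lower() == wanted})
    if not userids:
        raise ValidationError("AD account is not set up for this employee and email")
    if len(userids) > 1:
        raise ValidationError(f"multiple USERIDs for one email: {userids}")
    userid = userids[0]
    # Step 3: reconcile the USERID with the portal sec table.
    if userid not in stores.portal_sec:
        stores.portal_sec[userid] = emp_no  # create user and contact, then sync
        return userid, "created"
    owner = stores.portal_sec[userid]
    if owner is None:
        stores.portal_sec[userid] = emp_no  # user exists without an employee: sync
        return userid, "synced"
    if owner != emp_no:
        raise ValidationError(f"USERID {userid} already belongs to another employee")
    # Step 4: the caller may now display the USERID and enable the ESS box.
    return userid, "already linked"  # assumption: re-validation is a no-op

# Constructed sample data: one clean account, one duplicated email, and one
# portal sec user that has no employee attached yet.
SAMPLE = Stores(
    ldap=[("ana@example.com", "ANA"), ("bo@example.com", "BO1"),
          ("bo@example.com", "BO2"), ("cy@example.com", "CY")],
    portal_sec={"CY": None},
)
```

Rejecting the duplicate-email and already-owned cases before any record is written is what keeps one directory identity from being bound to two employees.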