Benefit from some great new features on edays whilst still taking advantage of your existing Cornerstone edays integration, by simply updating your SSO integration to use a third-party authentication provider such as Azure or OKTA.
Why do we recommend changing your SSO integration to a third party with edays?
What do I need to do to get started?
- Speak to your internal IT team, and feel free to share the technical documentation below with whoever manages Single-Sign-On within your business.
- Please contact your Customer Success Manager, who will need to discuss next steps with your IT team. If you introduce us to the right contacts from your IT team, we’ll advise on next steps here at edays.
Will this impact my existing integration with Cornerstone?
- Your integration with CSOD will work the exact same way as before. You can still access edays via the CSOD application.
- Authorising absence requests via email and the mobile app will now be more seamless using the third party SSO.
The Technical Bit
Enabling third-party SSO Identity providers for clients using the Cornerstone integration
When clients enable the Edge Marketplace integration between Cornerstone On Demand and edays, by default the SSO integration between the two systems is enabled with CSOD acting as the identity provider (IdP). This means edays requests a user’s identity from CSOD in order to log them in to edays.
Unfortunately, there is a limitation with this setup: authentication requests initiated by the Service Provider (SP), in this case edays, are not supported. Only Identity Provider initiated SSO is supported, which means the user must follow a special link to edays from within Cornerstone. The downside of this is that deep-links (links from within emails to specific parts of edays, or to specific actions within edays) will not work correctly. This includes one-click leave authorisation links from emails.
Using a third-party identity provider
It is possible for clients to use a third-party authentication provider whilst still taking advantage of the CSOD edays integration. To do this, the following steps should be followed:
- Configure edays in the third-party IdP. edays will send over updated SAML metadata. A service provider record should be created in the third-party IdP using the supplied metadata. This is just like setting up any new service provider.
- Send the new IdP metadata to edays. edays support will configure the client edays system to match the metadata of the identity provider.
- Configure the CSOD – edays Integration settings in Edge. In the integration’s settings page in the Edge marketplace, the client should enable “Third party IdP” and set “If third-party IdP is enabled, ID to use for SSO UserID” to “Email”. This will tell the CSOD – edays integration to pass the user’s email address over as the SSO identifier in edays.
- Configure the new IdP to use “Email” as the identifier. In the service provider record for edays in the client’s chosen identity provider, the SAML response should be set to use “Email” as the “Name Id”. This tells the IdP to use the user’s email address as the identifier in edays. For example, in Azure AD, the configuration would look like this:
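The steps above all hinge on one thing: the SAML assertion the third-party IdP sends to edays must carry the user’s email address as the Name ID, and the same value must be what CSOD passes as the SSO identifier. The following Python check, added here as an illustration and not part of edays’, Cornerstone’s or any IdP vendor’s code, parses a SAML response and reports whether the Subject’s NameID uses the emailAddress format, holds an email-shaped value, and is addressed to the expected service provider entity ID. The two embedded responses are constructed samples (no real signatures, endpoints or users); the entity ID `https://sp.example.com/saml` is a placeholder. It can be pointed at a response captured during the IdP setup to confirm the “Name Id = Email” setting took effect before the IT team hands over to edays support.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the response and assertion elements.
SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The NameID format an IdP emits when "Name Id" is set to the user's email.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Permissive email shape check; the IdP is the source of truth for the address.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample: what a correctly configured third-party IdP would send.
# Signature and timestamps are omitted; this is not a real edays/CSOD message.
SAMPLE_EMAIL_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: an IdP still sending an opaque persistent identifier,
# which would not match the email CSOD passes as the SSO UserID.
SAMPLE_PERSISTENT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3d4</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_name_id(response_xml: str, expected_audience: str) -> list[str]:
    """Return a list of configuration problems found in a SAML response.

    An empty list means the NameID is an email address in the emailAddress
    format and the assertion is addressed to the expected SP entity ID.
    Signature validation is deliberately out of scope; the SP's SAML library
    must do that before any of these values are trusted.
    """
    problems = []
    root = ET.fromstring(response_xml)

    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]

    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}")

    value = (name_id.text or "").strip()
    if not EMAIL_RE.fullmatch(value):
        problems.append(f"NameID value {value!r} is not an email address")

    audiences = [
        (a.text or "").strip()
        for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
    ]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include {expected_audience!r}")

    return problems


if __name__ == "__main__":
    for label, sample in (("email", SAMPLE_EMAIL_RESPONSE),
                          ("persistent", SAMPLE_PERSISTENT_RESPONSE)):
        found = check_name_id(sample, "https://sp.example.com/saml")
        print(label, "OK" if not found else found)
```

Running it reports the email-format sample as OK and lists two problems for the persistent-format sample: the wrong Format and a value that is not an email. Either problem means edays would receive an identifier that does not match the email CSOD sends as the SSO UserID, so the user would not be matched to their account.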