NOTICE: You are in the old ClientSpace Help system. Please link to the new ClientSpace Help here https://extranet.clientspace.net/helpdoc/home/ClientSpace.htm

Implementing SSO from PrismHR to ClientSpace

Summary

The ClientSpace TSSO link in PrismHR allows you to move seamlessly from the Payroll application into ClientSpace without the need to log in. Making this magic happen, however, requires some advanced configuration. This document describes that configuration and what to do if you hit errors along the way.

  • The process utilizes the PrismHR User's PeoID to inform ClientSpace which PrismHR Server to use to validate the connection. 
  • Since ClientSpace can be configured with multiple PrismHR servers, the API Configuration form for the appropriate PeoID is used for API service endpoints.
  • Allows a logged-in PrismHR user to access ClientSpace without the need to log in to ClientSpace.   



PrismHR settings may require system administration rights. Additionally, this document describes only the portion of the PrismHR configuration that relates to ClientSpace. The additional PrismHR configuration needed to create the link to ClientSpace is outside the scope of this document; for help with it, refer to your Prism Administration documentation.

  

ClientSpace Configuration
API Configuration Form

The PrismHR API configuration form must have a Secondary ID (the PeoID) that matches the PrismHR User's PeoID.

  • The API configuration record is located by matching the PrismHR User's PeoID to the API Configuration Secondary ID

Third Party Application Form (TPA)

          

TPA Name: The TPA Name MUST BE 'PrismHRTSSO' plus the PeoID with no spaces, as in 'PrismHRTSSO1*DEMO' (1*DEMO is the PeoID). This allows multiple PrismHR Servers and Users to access ClientSpace.

API Configuration: You must select the appropriate PrismHR API configuration and then Save the record. This will generate the Application Key.

Adding TPA users to the Application

Once the TPA Entry has been saved, you will need to add Third Party users. These act as translation records, essentially mapping a PrismHR account to a matching ClientSpace account.

  • Edit the TPA record
  • Click Add to begin Adding users to the Third Party Application record 
  • The TPA 3rd Party LoginID must match the PrismHR User's User ID
  • The 3rd Party LoginID must be mapped to a valid ClientSpace User.  This will be the User that will be logged into ClientSpace
  • Each PrismHR user that will log into ClientSpace via SSO will need one of these TPA user records

PrismHR Configuration

Specifying the ClientSpace TSSO Url:

Back Office System | Change, System Parameters

Tool Menu | SSO Services

Service Url: https://extranet.clientspace.net/Next/Netwise/PrismHR/SSO

Additional PrismHR configuration is necessary; consult PrismHR for details (beyond the scope of this document).

Operation Overview:

PrismHR User clicks the 'ClientSpace' link (configured in PrismHR)

  • PrismHR sends the PrismHR User's PeoID and a secret token to the SSO Services Service Url that has been configured on the PrismHR server
  • ClientSpace locates an API Configuration record matching that PeoID 
    • If not found, display message "Unable to validate User in ClientSpace for PeoID 'x'.  Please contact your ClientSpace Administrator."
  • ClientSpace attempts to connect to the API using the credentials on the API Configuration record 
    • If unable to connect, display message  "Unable to connect to PrismHR for validation.  Please contact your ClientSpace Administrator." 
    • If able to connect but no session returned from PrismHR, display message "Unable to obtain a valid Session from PrismHR.  Please contact your ClientSpace Administrator."
  • ClientSpace sends the secret token back to PrismHR for validation   
    • If a validation response is not returned, display message "Unable to validate this User's Authentication Key, no response from PrismHR.  Please contact the System Administrator of the system from which you are trying to log in."
    • If validation is refused, display message "Unable to validate User in PrismHR, Error = 'error info'.  Please contact your ClientSpace Administrator and report this error."
  • If PrismHR validates the secret key, it returns the PrismHR User information to ClientSpace
  • ClientSpace attempts to locate the Third Party Application by name 'PrismHRTSSO' + 'PeoId' and the PrismHR User ID
    • If unable to locate a TPA record for that user, display message "This User or your Server is not configured for Single Sign On in ClientSpace.  Please contact your ClientSpace Administrator"
  • If the TPA User is located, the ClientSpace User associated with that PrismHR UserID is logged into ClientSpace 
    • If login is unsuccessful, display message "Unable to log in to ClientSpace.  Please contact your ClientSpace Administrator."
  • When logged in, the ClientSpace User is redirected to the ClientSpace home page (honors the Default to Next User setting)
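
The decision order above, modelled as an added troubleshooting sketch (not ClientSpace or PrismHR code): given a PeoID and token it returns either the mapped ClientSpace User or the message the user would see, which shows which configuration record to check. The FakePrism class, tokens, endpoint, user names and the 'invalid token' error text are constructed assumptions.

```python
# Added illustration of the documented decision order. Nothing here calls
# ClientSpace or PrismHR; every record, token and class below is constructed.
ADMIN = " Please contact your ClientSpace Administrator."

class FakePrism:
    """Constructed stand-in for the PrismHR server behind one API Configuration."""
    def __init__(self, tokens, reachable=True):
        self.tokens, self.reachable = tokens, reachable
    def connect(self, config):
        if not self.reachable:
            raise ConnectionError("constructed outage")
        return "session-1"
    def validate(self, session, token):
        user_id = self.tokens.get(token)
        return {"user_id": user_id} if user_id else {"error": "invalid token"}

def tsso_login(peo_id, token, api_configs, tpa_users, prism):
    """Return (clientspace_user, None) or (None, message shown to the user)."""
    config = api_configs.get(peo_id)  # matched on the API Configuration Secondary ID
    if config is None:
        return None, f"Unable to validate User in ClientSpace for PeoID '{peo_id}'." + ADMIN
    try:
        session = prism.connect(config)
    except ConnectionError:
        return None, "Unable to connect to PrismHR for validation." + ADMIN
    if not session:
        return None, "Unable to obtain a valid Session from PrismHR." + ADMIN
    reply = prism.validate(session, token)  # the secret token goes back to PrismHR
    if reply is None:
        return None, ("Unable to validate this User's Authentication Key, no response "
                      "from PrismHR. Please contact the System Administrator of the "
                      "system from which you are trying to log in.")
    if "error" in reply:
        return None, (f"Unable to validate User in PrismHR, Error = '{reply['error']}'."
                      + ADMIN[:-1] + " and report this error.")
    # The User ID used for the TPA lookup is the one PrismHR returned.
    cs_user = tpa_users.get(("PrismHRTSSO" + peo_id, reply["user_id"]))
    if cs_user is None:
        return None, ("This User or your Server is not configured for Single Sign On "
                      "in ClientSpace. Please contact your ClientSpace Administrator")
    return cs_user, None  # the final ClientSpace login step is not modelled

API_CONFIGS = {"1*DEMO": {"endpoint": "https://prismhr.example.invalid"}}
TPA_USERS = {("PrismHRTSSO1*DEMO", "jdoe"): "jane.doe"}
PRISM = FakePrism({"tok-a": "jdoe", "tok-b": "unmapped"})

if __name__ == "__main__":
    for peo, tok in [("1*DEMO", "tok-a"), ("2*TEST", "tok-a"), ("1*DEMO", "bad")]:
        print(peo, tok, "->", tsso_login(peo, tok, API_CONFIGS, TPA_USERS, PRISM))
```
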


 ClientSpace to PrismHR SSO

SSO connectivity to PrismHR can also be configured using a custom link. Configure the link as follows:


Link Configuration: 

  • Available on PEO Landing Pages (Workspace Landing) and Client Service Case Forms
  • Configure a custom link:
    • TableName: Workspace Landing or Client Service Case
    • Link Group: Link 1 or Link 2
    • Display Value: ‘Connect To PrismHR’
    • Display Action: Custom Function
    • Custom Function: fnConnectToPrismHR() (NOTE: this process will not function in Classic; this is only a placeholder value)
    • Custom Function (next): peoLanding.connectToPrismHR
    • Link Display Conditions:
      • Source: Header Proc 1
      • Trigger Field: ShowPrismHR
      • Trigger Value: True
