NOTICE: You are in the old ClientSpace Help system. Please link to the new ClientSpace Help here https://extranet.clientspace.net/helpdoc/home/ClientSpace.htm
Implementing SSO from PrismHR to ClientSpace
PrismHR settings may require system administration rights. This document describes only the portion of PrismHR configuration that relates to ClientSpace. Additional PrismHR configuration needed to create the link to ClientSpace is outside the scope of this document; for help with this, refer to your Prism Administration documentation.
ClientSpace Configuration
API Configuration Form
The PrismHR API configuration form must have a Secondary ID (the PeoID) that matches the PrismHR User's PeoID.
- The API configuration record is located by matching the PrismHR User's PeoID to the API Configuration Secondary ID
Third Party Application Form (TPA)
TPA Name: The TPA Name MUST BE 'PrismHRTSSO' plus the PeoID with no spaces, as in 'PrismHRTSSO1*DEMO' (1*DEMO is the PeoID). This allows multiple PrismHR Servers and Users to access ClientSpace.
API Configuration: You must select the appropriate PrismHR API configuration and then Save the record. This will generate the Application Key.
Adding TPA users to the Application
Once the TPA Entry has been saved, you will need to add third-party users. These act as translation records, essentially mapping a PrismHR account to a matching ClientSpace account.
- Edit the TPA record
- Click Add to begin Adding users to the Third Party Application record
- The TPA 3rd Party LoginID must match the PrismHR User's User ID
- The 3rd Party LoginID must be mapped to a valid ClientSpace User. This will be the User that will be logged into ClientSpace
- Each PrismHR user that will log into ClientSpace via SSO will need one of these TPA user records
PrismHR Configuration
Specifying the ClientSpace TSSO Url:
Back Office System | Change, System Parameters
Tool Menu | SSO Services
Service Url: https://extranet.clientspace.net/Next/Netwise/PrismHR/SSO
Additional PrismHR configuration is necessary; consult PrismHR for details (beyond the scope of this document).
Operation Overview:
PrismHR User clicks the 'ClientSpace' link (configured in PrismHR)
- PrismHR sends the PrismHR User's PeoID and a secret token to the SSO Services Service Url that has been configured on the PrismHR server
- ClientSpace locates an API Configuration record matching that PeoID
- If not found, display message "Unable to validate User in ClientSpace for PeoID 'x'. Please contact your ClientSpace Administrator."
- ClientSpace attempts to connect to the API using the credentials on the API Configuration record
- If unable to connect, display message "Unable to connect to PrismHR for validation. Please contact your ClientSpace Administrator."
- If able to connect but no session returned from PrismHR, display message "Unable to obtain a valid Session from PrismHR. Please contact your ClientSpace Administrator."
- ClientSpace sends the secret token back to PrismHR for validation
- If a validation response is not returned, display message "Unable to validate this User's Authentication Key, no response from PrismHR. Please contact the System Administrator of the system from which you are trying to log in."
- If validation is refused, display message "Unable to validate User in PrismHR, Error = 'error info'. Please contact your ClientSpace Administrator and report this error."
- If PrismHR validates the secret key, it returns the PrismHR User information to ClientSpace
- ClientSpace attempts to locate the Third Party Application by name 'PrismHRTSSO' + 'PeoId' and the PrismHR User ID
- If unable to locate a TPA record for that user, display message "This User or your Server is not configured for Single Sign On in ClientSpace. Please contact your ClientSpace Administrator"
- If the TPA User is located, the ClientSpace User associated with that PrismHR UserID is logged into ClientSpace
- If login is unsuccessful, display message "Unable to log in to ClientSpace. Please contact your ClientSpace Administrator."
- When logged in, the ClientSpace User is redirected to the ClientSpace home page (honors the Default to Next User setting)
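The ClientSpace-side lookups in the overview above (API Configuration by PeoID, TPA by name, TPA user by LoginID) can be checked offline before rollout. The following is an added example, not ClientSpace or PrismHR code: the record shapes, field names, exact-string matching and the "active" flag are assumptions, and the PrismHR connection and token validation steps are not modelled.

```python
# Added example: offline model of the lookup steps in the Operation Overview.
# Record shapes and field names are assumptions, not ClientSpace's schema.
TPA_PREFIX = "PrismHRTSSO"

# Messages copied from the Operation Overview.
MSG_NO_API_CONFIG = ("Unable to validate User in ClientSpace for PeoID '{peo}'. "
                     "Please contact your ClientSpace Administrator.")
MSG_NO_TPA = ("This User or your Server is not configured for Single Sign On "
              "in ClientSpace. Please contact your ClientSpace Administrator")
MSG_LOGIN_FAILED = ("Unable to log in to ClientSpace. "
                    "Please contact your ClientSpace Administrator.")


def tpa_name(peo_id):
    """TPA Name is 'PrismHRTSSO' plus the PeoID with no spaces."""
    return TPA_PREFIX + peo_id


def predict_sso(peo_id, prism_user_id, api_configs, tpas, cs_users):
    """Return (ok, detail): the ClientSpace user that would be logged in,
    or the message from the first lookup step that fails."""
    # Step 1: API Configuration is located by Secondary ID == PeoID.
    if not any(c["secondary_id"] == peo_id for c in api_configs):
        return False, MSG_NO_API_CONFIG.format(peo=peo_id)
    # Step 2: TPA is located by name, then the user by 3rd Party LoginID.
    tpa = next((t for t in tpas if t["name"] == tpa_name(peo_id)), None)
    mapped = tpa["users"].get(prism_user_id) if tpa else None
    if mapped is None:
        return False, MSG_NO_TPA
    # Step 3 (assumption): a missing or inactive mapped user fails the login.
    if not cs_users.get(mapped, {}).get("active", False):
        return False, MSG_LOGIN_FAILED
    return True, mapped


# Constructed sample configuration (not real data).
API_CONFIGS = [{"secondary_id": "1*DEMO"}, {"secondary_id": "2*TEST"}]
TPAS = [{"name": "PrismHRTSSO1*DEMO",
         "users": {"jsmith": "john.smith", "mlee": "mary.lee"}},
        {"name": "PrismHRTSSO 2*TEST", "users": {"akhan": "a.khan"}}]  # stray space
CS_USERS = {"john.smith": {"active": True}, "mary.lee": {"active": False},
            "a.khan": {"active": True}}

if __name__ == "__main__":
    for peo, uid in [("1*DEMO", "jsmith"), ("1*DEMO", "mlee"),
                     ("1*DEMO", "bob"), ("2*TEST", "akhan")]:
        print(peo, uid, predict_sso(peo, uid, API_CONFIGS, TPAS, CS_USERS))
```

The constructed "2*TEST" case shows why the no-spaces rule matters: the TPA exists, but its name does not equal 'PrismHRTSSO' + PeoID, so the user sees the "not configured for Single Sign On" message.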