
UKG Pro SSO Provisioning – Quick Setup Guide

The SSO Provisioning tool automatically adds your users to the SSO Users list based on an
attribute such as email address. The email address in UKG Pro must match the email (NameID) sent by
your SSO Provider.

If you do not see ‘Provisioning’ under System Configuration > Federated SSO > Provisioning, you will
need to add this access to your role within System Configuration > security > role administration > find
your admin role > click on it > click web access rights > expand System Configuration > expand Federated
SSO > checkmark all 4 boxes for Provisioning > save. Refresh your page so that the permissions will

• Navigate to System Configuration > Federated SSO > Provisioning > Configurations > add
• The description can be anything you prefer, such as ‘Add SSO Users’.
• The Type will be Add+Update, so that any changes to the UKG Pro account or
clientUsername will automatically update.
• Schedule should be set to Realtime so that the tool will add/update the SSO user entry
whenever a change is made, such as an email address update.
• Client user name (UPN) should be set to the NameID that is being passed from your SSO
Provider. For example, if your SSO Provider is sending an email as the NameID (unique
identifier), then set the option here to be employee email. This email is pulled from
your user’s UKG profile and must match the email from your SSO Provider.
• The Driver configuration is where you set the ‘criteria’ for the employees that the
tool will add. The most common setting is to add by ‘employee status > active’, but you can add
more drivers to be more specific. These drivers work with an ‘and’ clause, meaning that the tool will
only add users that meet all the drivers that you set.

• Once satisfied with the drivers, click ‘validate’ at the top middle of the screen to show how
many new employees will be added by this run. Then click ‘close’.
• Click ‘save’ and let the tool start the sync within a few seconds to add the users to the SSO users
list. Afterwards, you can test the SSO connection.
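
A pre-flight check for the matching requirement in the steps above, as an added example that is not part of the original guide or of UKG's tooling: it reconciles an HR export against the NameIDs your SSO Provider sends, selecting rows with the same ‘and’ logic as the drivers. The CSV column names, sample rows and category names are assumptions constructed for illustration; the guide does not say how case differences are treated, so those are flagged for review rather than counted as matches.

```python
import csv
import io
from collections import Counter

# Constructed sample data. Column names are hypothetical, not a real export format.
HR_EXPORT = """employee_id,email,status,company
1001,ana.ruiz@example.com,Active,ACME
1002,Ben.Cole@example.com,Active,ACME
1003,cy.dunn@example.com,Terminated,ACME
1004,dee.fox@example.com,Active,ACME
1005,dee.fox@example.com,Active,ACME
1006,eli.gray@example.com,Active,OTHER
1007,fay.hill@example.com,Active,ACME
"""
IDP_NAMEIDS = ["ana.ruiz@example.com", "ben.cole@example.com",
               "cy.dunn@example.com", "dee.fox@example.com"]

def fold(value):
    return value.strip().lower()

def reconcile(hr_csv, idp_nameids, drivers):
    """Sort employee ids into categories to review before the first sync."""
    rows = list(csv.DictReader(io.StringIO(hr_csv)))
    # Drivers combine with 'and': a row is selected only if every driver matches.
    selected = [r for r in rows if all(r[k] == v for k, v in drivers.items())]
    selected_ids = {r["employee_id"] for r in selected}
    exact, folded = set(idp_nameids), {fold(n) for n in idp_nameids}
    counts = Counter(fold(r["email"]) for r in selected)
    report = {"ok": [], "near_match": [], "no_nameid": [],
              "shared_email": [], "not_selected_but_in_idp": []}
    for r in rows:
        email, emp = r["email"], r["employee_id"]
        if emp not in selected_ids:
            # e.g. terminated staff whose NameID still exists at the IdP
            if fold(email) in folded:
                report["not_selected_but_in_idp"].append(emp)
        elif counts[fold(email)] > 1:
            report["shared_email"].append(emp)   # two accounts, one NameID
        elif email in exact:
            report["ok"].append(emp)
        elif fold(email) in folded:
            report["near_match"].append(emp)     # differs by case or whitespace
        else:
            report["no_nameid"].append(emp)      # IdP never sends this value
    return report

if __name__ == "__main__":
    for name, ids in reconcile(HR_EXPORT, IDP_NAMEIDS,
                               {"status": "Active", "company": "ACME"}).items():
        print(f"{name}: {ids}")
```

Anything outside `ok` is worth resolving before you click ‘save’, and `not_selected_but_in_idp` is the list to compare against the removal rule under Additional Settings.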

How to manually add users to the SSO Users list one by one:

This is for initial testing where you may want to only add a few pilot test users to the SSO users list
without adding the rest of your employees with the SSO Provisioning tool.

• Navigate to the SSO users list (System Configuration > Federated SSO > SSO Users).
• Click add (+).
• Click the magnifying glass to search for the user.
• Input their NameID from your SSO Provider in the Client user name field, such as their email
address.
• Leave all other fields default and click save. The user will now appear in the SSO Users list.

Additional Settings:

How to remove users from the SSO Users list automatically when terminated:

• Within System Configuration > Federated SSO > Provisioning > Settings, you can set up a rule to
automatically remove the SSO Users entry by employment or account status.
