UKG - SSO configuration

UKG - SSO configuration

Alert
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
Quote
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for UKG using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization
Warning
To set up Multi-Pass with UKG, ensure you meet the following requirements:
- Administrator access to UKG
- MPAS Admin rights
- Make sure that all users intended to use SSO in UKG are registered in your IdP and have the necessary permissions to access UKG.
Important: The SAML values shown in Microsoft’s tutorial (Sign‑On URL, Identifier/Entity ID, Reply URL/ACS) are examples. You must obtain your organization’s actual values from the UKG Pro Client Support team.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.




UKG - SSO configuration




Step 1 — Configure Multi‑Pass as the Identity Provider (IdP)

    1. Open Multi-Pass Dashboard
    2. Select the correct tenant and go to Integrations, click on Applications

    1. Select in the custom integration section SAML.
    2. Collect the Service Provider (SP) details from UKG Pro Client Support
    3. In Multi‑Pass, fill in the UKG values:
      1. SP Entity ID = https://<company>.ultipro.com/adfs/services/trust
      2. Assertion Consumer Service (ACS) URL = https://<company>.ultipro.com/<instancename>
      3. Sign‑On URL = https://<company>.ultipro.com/ (Optional)
      4. NameID Format = Email
    4. Download the IdP metadata (Entity ID, SSO URL, x.509 certificate) for UKG.
    5. Click add integration
    6. Now we need to verify that everything is well completed in the advanced console and add mapping in the client scope.
    7. On the left side, click on "advanced console" 
    1. Click on Client and use the search bar to find UKG you just created : 
    2. Verify the next fields :
    General settings
    FieldValue
    Client ID / SP Entity IDIdentifier (Entity ID) provided by UKG - https://<company>.ultipro.com/adfs/services/trust
    Nameukg / ukg-pro / ukg-hrsd
    DescriptionSSO integration (SAML 2.0)
    Always Display in UION

    Access settings
    FieldValue
    Home URLhttps://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/<APP_NAME>
    Valid Redirect URIs (ACS)https://<company>.ultipro.com/<instance> (exact ACS from UKG)
    IdP‑Initiated SSO URL Name<APP_NAME>

    SAML Capabilities
    SettingValue
    NameID Formatemail
    Force NameID FormatON
    Force POST BindingON
    Include AuthnStatementON

    Signature and Encryption
    SettingValue
    Sign DocumentsON
    Sign AssertionsON
    Encrypt AssertionsOFF (unless UKG requires)
    1. Go to the tab called "Keys" and make sure both parameters are switched to OFF
    2. Go to the "advanced" tab
      1. Assertion Consumer Service POST Binding URL = Valid Redirect URIs (ACS) = https://<company>.ultipro.com/<instance> (exact ACS from UKG)
    3. Go to "client scope" tab
    4. Click on the assigned client and click on "configure a new mapper" then select user attribute 

    1. Complete the different fields for : firstname : 
    FieldValue
    Mapper TypeUser Attribute
    Namefirstname
    User AttributefirstName
    Friendly Namefirstname
    SAML Attribute Namefirstname

    Lastname : 
    FieldValue
    Mapper TypeUser Attribute
    Namelastname
    User Attributelastname
    Friendly Namelastname
    SAML Attribute Namelastname

    Step 2 — Configure UKG as the Service Provider (SP) & Exchange Metadata

    1. Provide the Multi‑Pass IdP metadata to UKG (or enter it in the UKG admin if self‑service is available):
      1. IdP Entity ID
      2. IdP Single Sign‑On URL
      3. IdP x.509 certificate
    2. Ensure NameID is set to EmailAddress (Multi‑Pass will send the user’s email as NameID).
    Notes
    Save changes in UKG and complete the SAML setup. Keep a local UKG admin account as a fallback.

      • Related Articles

      • SAML SSO Integration Guide

        This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...

      • Notion - SSO configuration

        Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...

      • Vanta - SSO configuration

        This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Vanta using MPAS. SSO simplifies user authentication by allowing access to multiple ...

      • Dynatrace - SSO configuration

        This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Dynatrace using MPAS. SSO simplifies user authentication by allowing access to multiple ...

      • Addigy - SSO configuration

        This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Addigy using MPAS. SSO simplifies user authentication by allowing access to multiple ...