Authentication is the action of verifying the identity of a user or process. UKG Dimensions supports two types of authentication: Basic and Federated.
With Basic Authentication, the user’s password is stored within UKG Dimensions, and the user authenticates using the UKG Dimensions built-in authentication service. Basic Authentication is the easiest authentication type to use, but it provides the least flexibility and integration with other products.
With Basic Authentication, users can only access the core UKG Dimensions workforce management (WFM) components.
With Federated Authentication, the user’s password is stored in another system, called an Identity Provider (IDP). The identity provider delivers authentication credentials to the service provider (SP) at the user's request. The user is authenticated by the IDP, which in turn delivers confirmation of that user’s identity to UKG Dimensions via federation. Federated Authentication requires additional configuration and maintenance, but it offers more flexibility and integration with other products.
Key features of Federated Authentication include:
- Single Sign-On (SSO) — With single sign-on, you log in one time and can then access multiple service providers.
- Multi-Factor Authentication (MFA) — With MFA, users are authenticated/logged in with more than a single factor, where the single factor is typically a password. Additional “factors” used when logging in might be a one-time code delivered to your phone via text or email, or a piece of hardware that only you possess (like a key).
- Full-Suite Access — With Federated Authentication, you can use HCM, Planner, and/or Telestaff in addition to the core Workforce Management (WFM) suite of products.
UKG offers the following for customers who do not have their own IDP but could benefit from using one, either because they are a full suite customer or because they require MFA:
- An identity provider hosted in the Dimensions Cloud called Dimensions IDP (DIDP)
- The Dimensions IDP Proxy (DIDP Proxy) service, which acts as an IDP to an SP but then redirects to one or more IDPs. This allows full suite customers to use multiple IDPs or to work around any configuration issues with their own IDP.
The authentication method (basic or federated) is set for each employee in the Employee section in the People Information component. You can use both authentication methods within the same tenant. Users would simply use different URLs to access the system. For federated authentication, you can also have multiple identity providers within the same tenant.
If your organization has some employees who use Basic Authentication and some who use Federated Authentication, the Basic Authentication page contains links to the federated URLs. Because multiple IDPs are supported within the same tenant, multiple links can be included. Link text is customizable.
The following table outlines the capabilities available for each set of customer requirements.
| Customer Requirements | MFA Available | Authentication Type | DIDP*** | DIDP Proxy |
|---|---|---|---|---|
| WFM access only with their own IDP | Yes* | Federated | No | No |
| WFM access only without their own IDP | No | Basic | No | No |
| WFM access only without their own IDP for all users | Yes** | Federated | Yes | No |
| Full suite access with their own IDP(s) | Yes* | Federated | No | Yes |
| Full suite access without their own IDP | Yes** | Federated | Yes | No |
| Full suite access without their own IDP for all users | Yes** | Federated | Yes | Yes |

\* If needed, MFA must be addressed by the customer’s own IDP.

\*\* If needed, MFA must be addressed by the customer’s own IDP and/or DIDP.

\*\*\* DIDP supports email, text, and token-based MFA.