Authentication

With Basic Authentication, the user’s password is stored within UKG Pro Workforce Management™, and the user authenticates using the built-in authentication service. Basic Authentication is the easiest authentication to use, but it provides the least flexibility and integration with other products. With Basic Authentication, you can access only the core UKG Pro Workforce Management™ workforce management (WFM) components.

Multi-Factor Authentication (MFA) improves account security in that any login to a user account requires a one-time passcode in addition to the username and password. The one-time passcode (OTP) is required once every seven days for each device, and can be received by email, SMS message, or an app-based token. MFA is strongly recommended for all user accounts, and is required for manager and administrator roles.

Caution: MFA is required for manager-role user accounts. You cannot turn off MFA for these accounts.

Note: For instructions, see the Multi-Factor Authentication and Passwords topic.

With Federated Authentication, the user’s password is stored in another system (called an Identity Provider or IDP). The identity provider delivers authentication credentials to the service provider (SP) at the user's request. The user is authenticated via IDP, which in turn delivers confirmation of that user’s identity to UKG Pro Workforce Management™ by way of federation. Federated Authentication requires additional configuration and maintenance, but it comes with more flexibility and integration with other products.

Key features of Federated Authentication include:

• Single Sign-On (SSO) — Use single sign-on to authenticate when logging in one time to access multiple service providers.
• (Recommended) Multi-Factor Authentication (MFA) works the same way as for Basic Authentication.
• Full-Suite Access — With Federated Authentication, you can use HCM, Workforce Planner, or Telestaff in addition to the core Workforce Management (WFM) suite of products.

UKG offers the following for customers who do not have their own IDP but could benefit from using one, either because they are a full suite customer or because they require MFA:

• An identity provider hosted in the Dimensions Cloud called Dimensions IDP (DIDP)
• The Dimensions IDP Proxy (DIDP Proxy) service that acts as an IDP to an SP, but then redirects to one or more IDPs. This allows full suite customers to use multiple IDPs or to workaround any configuration issues with their own IDP.

The authentication method (basic or federated) is set for each employee in the Employee section in the People Information component. You can use both authentication methods within the same tenant. Users would simply use different URLs to access the system. For federated authentication, you can also have multiple identity providers within the same tenant.

If your organization has some employees who use Basic Authentication and some who use Federated Authentication, the Basic Authentication page contains links to the federated URLs. Because multiple IDPs are supported within the same tenant, multiple links can be included. Link text is customizable.

The following table outlines the capabilities of the various customer requirements.

Customer Requirements	MFA Available	Authentication Type	DIDP***	DIDP Proxy
WFM access only with their own IDP	Yes*	Federated	No	No
WFM access only without their own IDP	No	Basic	No	No
WFM access only without their own IDP for all users	Yes**	Federated	Yes	No
Full suite access with their own IDP(s)	Yes*	Federated	No	Yes
Full suite access without their own IDP	Yes**	Federated	Yes	No
Full suite access without their own IDP for all users	Yes**	Federated	Yes	Yes

*	If needed, MFA must be addressed by the customer’s own IDP.
**	If needed, MFA must be addressed by the customer’s own IDP and/or DIDP.
***	DIDP supports email, text, and token-based MFA.