
ADP

ADP is a cloud-based HR solution for payroll, benefits, and tax management. You can configure ADP for single sign-on (SSO) through Entrust Identity as a Service (Entrust IDaaS).

note
  • This guide was tested with previous versions of Entrust IDaaS and ADP. For newer versions, use this as a starting point and contact support@entrust.com if issues occur.
  • ADP uses PersonImmutableID to match each SAML assertion to exactly one employee record. Every user must have their own value; never assign one user's value to another user, or two accounts will resolve to the same employee in ADP.

Prerequisites

  • Create a PersonImmutableID attribute in Active Directory for each user.
  • Ensure the ADP Employee ID/Associate ID is populated for all users.

Step 1: Create and map the custom user attribute

  1. Sign in to Entrust IDaaS.
  2. Open the main menu and click Members > Attributes to open the User Attributes List page.
  3. Under Custom User Attributes, click the add icon.
  4. Enter PersonImmutableID as the User Attribute Name and select Required.
  5. Click Add.
  6. Open the main menu, click Directories, and open your directory.
  7. Under Custom User Attributes, map PersonImmutableID to the directory attribute that holds the ADP Employee ID/ADP WFN Associate ID.
  8. Click Save, then click the synchronize icon to synchronize with Active Directory.
  9. Verify the value on a user profile: open the main menu, click Users, open a user, and confirm that PersonImmutableID is populated with that user's ID.
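Checking one profile confirms the mapping works, but it does not catch the two failures the note above warns about: users whose ID is blank (they cannot sign in) and users who share an ID (they resolve to the same ADP employee). The script below is an added example, not part of the Entrust or ADP documentation. It assumes a CSV export from Active Directory with the columns sAMAccountName and PersonImmutableID (the column names and the sample rows are constructed for illustration); run it over the export before the synchronize step.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Column names are an assumption:
# sAMAccountName plus the custom PersonImmutableID attribute from the
# Prerequisites section. Row "bwong" is blank and "asmith"/"dlee" share an ID;
# both conditions must be fixed before synchronizing to Entrust IDaaS.
SAMPLE_EXPORT = """sAMAccountName,PersonImmutableID
jdoe,G3ABC12345
asmith,G3XYZ00001
bwong,
ckhan,G3LMN55555
dlee, G3XYZ00001
"""


def audit_person_immutable_ids(csv_text):
    """Return (blank_users, duplicates) for an AD export.

    blank_users: account names with no PersonImmutableID.
    duplicates:  {PersonImmutableID: [account names]} for IDs used more than once.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    blank_users = []
    users_by_id = defaultdict(list)
    for row in reader:
        user = (row.get("sAMAccountName") or "").strip()
        # Strip whitespace: a leading/trailing space is a common export
        # artefact and would otherwise hide a duplicate from this check.
        pid = (row.get("PersonImmutableID") or "").strip()
        if not pid:
            blank_users.append(user)
        else:
            users_by_id[pid].append(user)
    duplicates = {pid: users for pid, users in users_by_id.items() if len(users) > 1}
    return blank_users, duplicates


def export_is_ready(csv_text):
    """True only if every user has an ID and no ID is shared."""
    blank_users, duplicates = audit_person_immutable_ids(csv_text)
    return not blank_users and not duplicates


if __name__ == "__main__":
    blank, dupes = audit_person_immutable_ids(SAMPLE_EXPORT)
    print("users with no PersonImmutableID:", blank)
    print("PersonImmutableID values shared by several users:", dupes)
    print("ready to synchronize:", export_is_ready(SAMPLE_EXPORT))
```

Only a clean export (no blanks, no duplicates) should be synchronized; fix the source records in Active Directory rather than editing values in Entrust IDaaS, because the next synchronization would overwrite them.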

Step 2: Add ADP to Entrust IDaaS

  1. Sign in to your Entrust IDaaS administrator account.
  2. Open the main menu, click Security > Applications, and select Add.
  3. Under SAML Cloud Integrations, choose ADP.
  4. Enter an Application Name and Application Description.
  5. (Optional) Add a logo: click the edit icon next to Application Logo, upload an image, and click OK.
  6. Choose the Authentication Flow and click Next to open General.
  7. If ADP has provided a metadata file, click Upload Metadata XML, optionally select Merge with existing values, and click Save.
  8. If configuring manually, enter:
    • Default Assertion Consumer Service URL: value provided by ADP.
    • Service Provider Entity ID (Issuer): value provided by ADP.
    • Single Logout Service URL: provided by ADP if SP-initiated logout is supported; otherwise leave blank.
  9. From SAML Name ID Attribute, select User ID.
  10. Set SAML NameID Encoding Format to UNSPECIFIED and SAML Response Signature Algorithm to SHA256.
  11. Select the SAML Signing Certificate and (optional) Sign complete SAML response.
  12. (Optional) Configure:
    • SAML Username Parameter Name if ADP expects a custom username field.
    • Respond Immediately for Unsuccessful Responses to send the user back to ADP after a failed login.
    • Deselect Enable Go Back Button to prevent users from returning to the ADP login page.
    • Select Show Default Assertion Consumer Service URL in My Profile to display it in user profiles.
    • Add Alternative Assertion Consumer Service URLs as needed (Name and Value, optionally show in My Profile).
  13. Under SAML Attribute(s), add an attribute named PersonImmutableID and set its value to the PersonImmutableID user attribute created in Step 1. This is the attribute ADP uses to identify the employee.
  14. Click Submit.
note

Entrust IDaaS ends sessions according to the Authentication Session Lifetime (default 15 minutes). If ADP supports SP-initiated logout, enter its Single Logout Service URL in step 8; IdP-initiated logout is not supported.
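After Step 2 it is worth capturing one real SAML response (for example with a browser SAML tracing extension, base64-decoded) and confirming it carries what ADP expects: a NameID with the unspecified format, a PersonImmutableID attribute with exactly one non-empty value, an audience equal to the ADP entity ID, a Destination equal to the ACS URL, and an RSA-SHA256 signature. The checker below is an added example, not Entrust or ADP code. The sample response, the hostnames and the entity ID in it are constructed placeholders, and the signature value is a dummy: the script checks the structure of the response, not the cryptographic validity of the signature, which needs the IdP certificate and an XML-DSig library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTR = "PersonImmutableID"

# Constructed sample (not a real capture). Hostnames, IDs and the
# SignatureValue are placeholders; the signature is not cryptographically valid.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://adp-sp.example.invalid/acs">
  <saml:Issuer>https://idaas.example.invalid/</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idaas.example.invalid/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>adp-sp-entity-id</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="PersonImmutableID">
        <saml:AttributeValue>G3ABC12345</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, expected_acs, expected_audience):
    """Return {check_name: bool} for a decoded (plain XML) SAML Response."""
    root = ET.fromstring(xml_text)
    results = {}
    results["is_response"] = root.tag == f"{{{NS['samlp']}}}Response"
    results["destination_matches_acs"] = root.get("Destination") == expected_acs
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Missing or encrypted assertion: the remaining checks cannot run here.
        results["assertion_present"] = False
        return results
    results["assertion_present"] = True

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    results["nameid_format_unspecified"] = (
        nameid is not None and nameid.get("Format") == NAMEID_UNSPECIFIED
    )
    results["nameid_non_empty"] = nameid is not None and bool((nameid.text or "").strip())

    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    results["audience_matches_entity_id"] = (
        audience is not None and (audience.text or "").strip() == expected_audience
    )

    # Collect every attribute so a misnamed or duplicated one is visible.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    pid_values = attrs.get(REQUIRED_ATTR, [])
    results["person_immutable_id_present"] = len(pid_values) == 1 and bool(pid_values[0].strip())

    # A signature may sit on the Response, on the Assertion, or on both.
    methods = [s.get("Algorithm") for s in root.iter(f"{{{NS['ds']}}}SignatureMethod")]
    results["signed"] = bool(methods)
    results["all_signatures_rsa_sha256"] = bool(methods) and all(m == RSA_SHA256 for m in methods)
    return results


def failed_checks(results):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    r = check_saml_response(SAMPLE_RESPONSE, "https://adp-sp.example.invalid/acs", "adp-sp-entity-id")
    print("failed checks:", failed_checks(r) or "none")
```

Replace the sample with the captured response and pass the real ACS URL and entity ID from ADP. An empty list of failed checks means the Entrust IDaaS side matches what the steps above configure; a failure in `person_immutable_id_present` usually means the attribute in step 13 was not mapped to the user attribute from Step 1, and a failure in `all_signatures_rsa_sha256` means the signature algorithm in step 10 is not SHA256.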

Step 3: Add a resource rule

Create the required resource rule. See Create resource rules.

Step 4: Download the metadata file from Entrust IDaaS

  1. In Entrust IDaaS, open the main menu and click Security > Applications.
  2. Do one of the following:
    • Click the metadata icon next to the ADP application.
    • Click the menu icon and select SAML IDP Metadata.
  3. In SAML Application Metadata, select the certificate (and the domain, if applicable) to include in the metadata file.
  4. Enter the Lifetime, in days, of the metadata file (2 to 730). The lifetime determines how long the file is valid, so download and hand over a fresh file before it expires.
  5. Copy the Public Endpoint for your SAML application, or click Download to save the metadata file and provide it to ADP.
note

If you use multiple domains, download a metadata file for each domain, because the values in the file differ per domain.