It would be amazing if Paylocity was added to the Marketplace! They currently have documentation available below:
CAUTION: Paylocity does not support configuration for SSO on the Company Set level. An SSO Integration must be set up for each individual company ID.
- Confirm the following items:
  - A subscription with one of the below supported vendors:
    - Microsoft Entra ID (formerly Azure AD)
    - Okta
    - OneLogin
    - PingIdentity
    - JumpCloud
  - Permission to HR & Payroll > User Access > SSO Configuration Menu Item in Paylocity Security Role.
  - All employees have a Paylocity username if using the SSO Provider’s credentials; Self-Registration is not necessary if using SSO, but the user account must be active.
  - Users must have a username in HR & Payroll to log in via SSO.
  - If email address is the PaylocityUser value set in the Identity Provider, all employees must have a work email in Paylocity.
  - To accurately authenticate the user, the company ID and a unique value for each employee (either the full work email address or the Employee ID) must match between the SSO Provider user account and the Paylocity user account.
  - Contact a [Paylocity Representative] for assistance if the company’s identity provider is not one of the supported vendors to verify if Single Sign On (SSO) is still a possibility as a custom integration. Paylocity supports SAML 2.0.
- Add Paylocity from the Gallery / Marketplace.
  - Search for Paylocity in the chosen Identity Provider’s application marketplace.
  - Locate the Paylocity app and Add.
  - View the application configuration:
    - Enter Paylocity Company ID for PaylocityEntity. This element is present in the attributes of the SAML response.
    - Use either the user’s Email Address or Employee ID for the PaylocityUser value. Email Address must match the Work Email in Paylocity.
    - Confirm the PartnerID prefills with the necessary value that corresponds with each Identity Provider. If not, locate this within the Paylocity SSO Configuration. It is the dropdown value in the parentheses starting with “P” with the selected Provider under SSO Integrations.
    - Locate the Metadata file to download. This is optional but recommended for faster integration.
- Add SSO Integration in Paylocity.
  - Navigate to HR & Payroll > User Access > SSO Configuration.
  - Select Add SSO Integration under SSO Integrations. A new drawer opens.
  - Select SSO Provider from dropdown.
  - Select Status from dropdown.
  - Complete one of the following:
    - Drag and drop metadata file in drop area. Paylocity attempts to parse Issuer, Post Redirect and Binding URLs and Security Certificate(s). The file requires at least one of the fields.
    - Enter information manually into the available fields.
  - If Non-Employee user accounts should have the ability to log in via SSO, then toggle Allow Non-Employee Accounts to Yes.
  - Select Save, confirming changes. The integration should display under SSO Integrations.
- Complete Integration in Identity Provider.
- Test the integration once all required fields are entered in both the Identity Provider and Paylocity SSO Configuration.
  - Paylocity supports both IdP and SP Initiated flows.
  - If an error occurs, copy the provided identity number in the error message.
  - Review SSO error message to locate the Troubleshooting logs.
  - Review SSO configuration errors for specific troubleshooting steps based on the error.
ADDITIONAL INFORMATION: If users are not currently separated into different buckets in the SSO Provider, Paylocity recommends creating a dynamic custom variable to populate the required PaylocityEntity (Company ID) value, like email address.
- Companies can then use the same Metadata file for each individual Company ID SSO Integration.
- For additional guidance, view Single Sign-On SAML setup and Single Sign-On user permissions.
Single Sign On (SSO) uses Security Assertion Markup Language (SAML) for configuration.
- In the supported SSO Provider, the Paylocity application requires three custom attributes to be included in order to successfully complete the SSO integration:
  - PartnerID: The SSO Provider selected in the SSO Integration; the value in the parentheses next to the Provider name in the dropdown menu.
    Example: Microsoft Azure (P8000010)/Microsoft Entra (P7111111), Okta (P800002), OneLogin (P800001), PingIdentity (P800007), and JumpCloud (P800041).
  - PaylocityEntity: The CompanyID.
  - PaylocityUser: Can be either the email address or the Employee ID; use a dynamic variable to change per each employee.
- Multiple active SSO Integrations are acceptable for a single company. Each SSO Integration requires its own unique Issuer.
- Paylocity supports up to three security certificates to be stored with each SSO Integration to allow users the ability to easily switch for any reason. Use the Default toggle to select which one is active.
- If the SSO Provider is not one specifically listed by name in the dropdown menu:
  - It is not on the list of supported vendors.
  - Paylocity supports most SAML 2.0 integrations.
  - Contact a [Paylocity Representative] for assistance in submitting a request.
- If the SAML setup in the vendor is correct, but error messages of “The SAML response isn’t signed” or “The SAML assertion isn’t signed” are still received:
  - Paylocity recommends changing to a different configuration such as Sign Response Only.
  - Then, save and switch back to Sign Assertion and Response and re-save.
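
An added example, not code from Paylocity or any identity provider: a pre-flight check over a decoded SAML response captured during testing, reporting whether the three custom attributes described above each carry one value and whether the response and the assertion each have a signature element, the condition behind the two "isn’t signed" errors. It assumes the IdP emits the attributes with exactly those `Name` values; the sample XML and its values are constructed placeholders, and the check only looks for the presence of `ds:Signature`, it does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED = ("PartnerID", "PaylocityEntity", "PaylocityUser")

# Constructed sample with placeholder values. The Response carries a
# ds:Signature element, the Assertion does not, and PaylocityUser is blank.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="PartnerID"><saml:AttributeValue>P-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PaylocityEntity"><saml:AttributeValue>COMPANY-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PaylocityUser"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def preflight(xml_text):
    """Return a list of findings for a decoded SAML Response captured in testing."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only a direct child signs this element; a nested one signs something else.
    if root.find("ds:Signature", NS) is None:
        findings.append("response has no ds:Signature element")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + [f"expected exactly 1 assertion, found {len(assertions)}"]
    assertion = assertions[0]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion has no ds:Signature element")
    values = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values.setdefault(attr.get("Name"), []).extend(
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    for name in REQUIRED:
        got = [v for v in values.get(name, []) if v]
        if len(got) != 1:
            findings.append(f"{name}: expected 1 non-empty value, found {len(got)}")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE) or ["no findings"]))
```

Run it against a response captured from a test login with a browser SAML tracer; a missing signature finding points at the IdP signing option rather than at the attribute mapping.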