Skip to main content

Sign-In Admin

Shirley Bousfield
  • Updated

HR

Step-by-step guide

 

This guide will show you how to manage user sign-in accounts and overall configuration in the Sign-In Admin area.

A Sign-In Global/Group Admin licence is required to access this area.

 

Contents

 

Introduction

You can view your own sign-in account in the profile page in the updated HR experience (formerly Account Settings in the old interface) and users with a Global/Group Admin licence in Sign-in will also see the Ciphr Sign in Admin page.

 

 

The configuration in the Admin area is managed across four tabs:

 

Users

The Users tab is where you can:

  • View all users centrally and use the multi-select feature to update in bulk
  • Search, filter and multi-select plus Subset (funnel button) for more advanced options
  • Manage admin users, reset user passwords, adjust 2FA settings, and enable/disable accounts
  • Download a list of users into Excel
  • Click on the three dots under actions to see details or modify each user’s profile

 

 

User Fields

To be able sign in to HR, a user must be included in the list and important information is detailed in the columns which can help troubleshoot if a user is experiencing sign-in issues:

  • Username: must be a unique email address from contact/work email address field from Personal Details in HR

  • First/Last name: linked to Personal Details in HR

  • Status: whether the account is Active or Blocked

  • User role: there are three types of role:
    • Global Admin has access to all users and features and functionality in Sign-In Admin
    • Group Admin has access to the Users tab only and not the three configuration tabs, and can only see users within Record Groups they have access to in HR
    • Employee (default) doesn’t have access to CSI Admin. They can only access their Profile page

  • Group: shows which groups the person is in.  Everyone is in the CSI.General group by default as this is Ciphr Sign-In. Then it will show the Record Group that the person is in from HR, and groups linked to any other applications the person has access to

  • Enabled from: when an account becomes active. Ie a future starter will be blocked until the date is reached

  • Enabled to: when an account expires and will be populated by the date left when someone is made a leaver

  • Locked until: this relates to blocked accounts and will show an end date if an account has been manually locked with a specified end date
  • Actions: click ... to view the options:
    • View details: where you can also Edit information (note personal details should be edited in HR and then synced)
    • Change role: to change the Sign-in user role
    • Force basic auth: this can be applied to force basic authentication (login with email and password) for users who can't use SSO that you've configured
    • Reset password: for non-SSO users.  Users logging in with a password can also request a reset themselves from the login screen as long as their email is recognised in Sign-In Admin
    • 2FA disabled/Reset 2FA: once a user has set up their two factor authentication (mandatory for non-SSO users), you can reset it here
    • Block/unblock: Users can be manually blocked without amending the enabled dates.  The unblock will only apply to manually blocked accounts, so check the enabled dates to unblock an account if this option is greyed out
    • Delete: to remove the account from Sign-in

Note: If an account synced from HR is deleted, the user details will display in the Not Assigned tab in HR > Data Management > Login Account Status, and can be synced again if the person needs access again.

Deleted accounts that were created via Sign-in Admin will be removed completely.

 

  • Bulk Actions: there is a multi-select option on the left to tick several employees or Select all on page which then enables the bulk actions button at the top of the right hand column, which has some additional options you can apply the same action to several records at once:

 

Note: If a user is not listed or their account has been blocked, they will see this message when trying to login:

 

 

Adding a new user in Sign-In Admin

Typically employees should be added from the HR system (see the Managing starter and leaver Sign-in accounts in HR guide for more details) so should only be added here if they will not be added to your HR system (such as an external IT company user who supports your SSO) then follow these steps:

  • Select Add new user, complete the required information, and click Create user

  • Within a few minutes, the user will receive an account activation email (subject to email notifications being enabled in Settings tab) with a link to set their password and access the system

 

  • Once the user is created, you’ll need to change their sign-in user role:
    1. Select Actions > Change User Role
    2. Change the role from Employee to Global Admin if they should have full access to all users
    3. Change the role from Employee to Group Admin if they should only have access to the Users tab and then select which Record Groups in HR they should see, from the dropdown
  • They will now have admin access to the sign-in admin panel

 

Settings

  • You can amend settings as needed by selecting the Edit button to the right of each section.


  • On this screen, you can configure:

    • Password policy strength

    • Password expiration period

    • 2FA settings – select which 2FA method(s) you want your users to be able to use (mandatory for non-SSO users).  Options are authentication app (recommended), SMS or email

    • Whether to send an account activation email to email and password login users (not applicable to SSO users) when they are set up.  This has replaced the 'send welcome email?' slider in System Settings in HR)

    • System timeout period – default recommended setting is 20 minutes but can be changed to a maximum of 480 minutes (8 hours)

 

Single sign-on

You can set up your SSO by following the steps related to your configuration type.  This is essential if you use SSO, so your users can access your HR system.

 

Once you’ve configured your Single sign-on (SSO) settings, you're ready to test:

  • Sign out by clicking your profile in the bottom left and selecting Log out

 

  • Sign back in using SSO. The system will identify that you are signing in with a domain requiring SSO and will prompt you to follow your organisation’s authentication process

Note: Depending on your Azure setup, an Azure system administrator may need to sign in and approve before you can sign in with SSO.

 

 

 

Once you have successfully signed in using SSO, your set up is complete.

 

Branding configuration

You can configure the look and feel of your HR system in the Branding configuration tab.

Follow the steps listed on the left-hand side of the page to:

  • Assign a name to your system that will appear in the new interface navigation
  • Upload your company logo
  • Upload a favicon (the small icon that represents your system in the browser tab)
  • Select a colour scheme that aligns with your company branding
  • Choose a font
  • Add a sign-in screen image

There are a number of tooltips on the page to give you extra guidance as needed.

You can play around with the settings, and preview how it will look, which won’t update until you click Save at the bottom to confirm.  Branding will then be applied to your HR system.

 

Note: Branding configuration will apply to the latest navigation only. If you are using the pre-2025 interface (new experience slider is not enabled) then the branding style configured by Ciphr will apply.

 

Multi entity branding

If you have Multi entity configuration and wish to apply different branding per entity, this can be completed in the HR system via System Configuration > Branding configuration.

Please see the Multi entity branding guide for more details.

 

Footer

Related articles

Comments

0 comments

Article is closed for comments.