Integrate Paylocity with Conditional Access

In this topic, you will find general instructions on how to integrate Paylocity with Portnox™ Conditional Access for Applications.

Note: Your Paylocity account may not have SAML integration enabled by default. If so, you must ask Paylocity support to enable SAML 2.0 for your account, which may take a few days. Continue this task only after SAML support is active.

Open your Paylocity SSO integrations page

In this section, you will access your Paylocity administrative interface and find the SSO integrations page.

  1. In another tab of your browser, open your Paylocity web interface by accessing the following URL: https://app.paylocity.com/ and logging in with your administrative credentials.

    From now on, we will call this tab the Paylocity tab.

  2. In the top menu, click on the User Access menu and then click on the SSO Configuration option.

  3. In the Single Sign On Configuration pane, click on the SSO Integrations option on the left-hand side, and then click on the Add SSO Integration button.

  4. Note down the values of Company ID and Provider. You will need them later.
    Note: If your configuration screen does not let you select a Provider, note down P8000010 as its value.

Modify your identity provider configuration to support Paylocity

Paylocity SAML integration requires your identity provider to send additional values that identify your Paylocity account. You must either change your existing identity provider configuration or create a copy of the identity provider configuration specifically for Paylocity.

Note: You can use the same identity provider configuration for multiple applications. However, be aware that in that case the other applications will also receive your Paylocity identifier values (Company ID and Provider). This will not cause any technical issues, but you must decide whether you want this information to be shared with those applications.
  • If you use Entra ID, open your Conditional Access application configuration and do the following steps.
    1. Open the Attributes & Claims pane (Single Sign-on > Attributes & Claims > Edit) and click on the Add new claim button.

    2. In the Name field, type PartnerID, and in the Source attribute field, type the Provider identifier that you noted down earlier. Then, click on the Save button.

      Note: In Entra ID, a constant (static) claim value is entered in the Source attribute field in double quotes, for example "P8000010". Without the quotes, Entra ID treats the text as the name of a user attribute.

    3. Click on the Add new claim button again to create another claim. In the Name field, type PaylocityEntity, and in the Source attribute field, type the Company ID identifier that you noted down earlier. Then, click on the Save button.

    4. Click on the Add new claim button again to create another claim. In the Name field, type PaylocityUser, and in the Source attribute field, select user.mail from the list. Then, click on the Save button.

    5. Double-check that your claims include all of the above and that the Unique User Identifier (Name ID) claim still has its default value, user.userprincipalname.

      Note: You may have additional attribute mappings in this configuration. They will not influence the integration with Paylocity.
  • If you use Google Workspace, open your configuration and do the following steps.
    Note: Google Workspace does not support static attributes. To send the same values for every user, you have to add a custom field to your user directory and set the same value for every user.
    1. In Google Admin Console, go to Directory > Users. Then, click on the More options button, and select the Manage custom attributes option.

    2. Click on the ADD CUSTOM ATTRIBUTE link.

    3. In the Add custom fields pane, enter a Category (for example, Paylocity) and add two attributes: PartnerID and PaylocityEntity. In both cases, select Info type as Text, Visibility as Visible to user and admin, and No. of values to Single Value. Then, click on the ADD button.

    4. Go back to the list of users. Then, open a user that needs access to Paylocity, click on the ADD ALTERNATE EMAILS option, and scroll down to the category you added in the previous step. Then, click on the ✎ icon to edit the values.

    5. In the PaylocityEntity field, enter the value of Company ID noted down earlier, and in the PartnerID field, enter the value of Provider noted down earlier. Then, click on the Save button.

    6. Repeat the above two steps manually for every user that requires access to Paylocity.
    7. Open the SAML attribute mapping pane (Apps > Web and mobile apps > your Conditional Access application > Configure SAML attribute mapping).

    8. Click on the ADD MAPPING button four times and add the following mappings: Paylocity > PaylocityEntity to PaylocityEntity, Paylocity > PartnerID to PartnerID, Primary email to PaylocityUser, and Primary email to NameID. Then, click on the Save button.

      Note: You may have additional claims in this configuration. They will not influence the integration with Paylocity.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with Paylocity.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Applications option.

  3. On the Applications screen, click on the Add application button, and select the Add new SAML application option.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this application section.
  5. In the Application details section, enter an Application name and optionally a Description.

    In this example, we used the name Paylocity for the new application configuration but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Export metadata from the Portnox tab and upload it in the Paylocity tab

In this section, you will export the metadata from Portnox Cloud into a file and upload that file in the Paylocity SAML configuration section.

  1. In the Portnox tab, in the SAML metadata section, click on the Download metadata XML file link to download the XML file and save it to your local drive.

  2. In the Paylocity tab, click on the Select File to Upload button in the Upload Metadata section, and then upload the XML file downloaded from Portnox Cloud.

Enter configuration values in the Portnox tab

In this section, you will enter configuration values in the relevant fields in Portnox Cloud.

  1. In the Application properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and enter the following value: https://auth.paylocity.com.

  2. In the Application properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and enter the following value: https://access.paylocity.com/SAML/AssertionConsumerService.

  3. Click on the OPTIONAL SETTINGS link to open optional settings. Click on the empty field under the Application Login URI (Optional) heading and enter the following value: https://access.paylocity.com/.

  4. Click on the empty field under the Allowed Logout URIs (Optional) heading and enter the following value: https://access.paylocity.com/.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and Paylocity.

  1. Finalize the configuration in the Portnox tab.
    1. In the OPTIONAL SETTINGS section, in the Certificate signing option field, select the Sign SAML assertion and response option.

    2. Optional: In the POLICY ASSIGNMENTS section, change the setting to Application-based and then select an access control policy and a risk assessment policy if you want to control access to this application without using groups.
    3. Scroll all the way down to the end of the page, and then click on the Save button.

  2. Finalize the SAML configuration in the Paylocity tab.
    1. Click on the Save button.

Result: You have configured Paylocity to be accessible using Portnox Conditional Access for Applications.

Important: Paylocity login will fail if your Paylocity user names do not match the user names in your identity provider’s directory.

If the user ID in Paylocity is the same as the user name in the identity provider directory, but your users still cannot log in, add the user's company email to their Paylocity profile as Work Email or, if that is not possible, as Personal Email.
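When a login fails, the quickest way to tell an identity provider claim problem from a Paylocity user-matching problem is to capture the SAML Response with a browser SAML tracer and compare it with the values configured above. The following script is an added example, not part of the Portnox or Paylocity documentation: it checks a captured Response for the Destination and Recipient (the ACS URL), the Audience (the Entity ID), the three claims added in the identity provider section (PartnerID, PaylocityEntity, PaylocityUser), a non-empty NameID, and the presence of a Signature element on both the Response and the Assertion, which is what the Sign SAML assertion and response option produces. It does not verify the signatures themselves. The sample Response is constructed; the issuer https://idp.example.com/saml, the user jane.doe@example.com and the Company ID 123456 are placeholders, and P8000010 is the fallback Provider value named on this page.

```python
"""Sanity-check a captured SAML Response against the Paylocity integration values.

Added example, not code from Portnox or Paylocity. Signature elements are only
checked for presence; the script does not validate XML signatures.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Service-provider values from the Portnox application properties on this page.
EXPECTED_AUDIENCE = "https://auth.paylocity.com"
EXPECTED_ACS = "https://access.paylocity.com/SAML/AssertionConsumerService"
# Claims the identity provider must send for Paylocity.
REQUIRED_ATTRIBUTES = ("PartnerID", "PaylocityEntity", "PaylocityUser")


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field of an HTTP-POST binding."""
    return base64.b64decode(form_value).decode("utf-8")


def check_paylocity_response(xml_text: str) -> dict:
    """Return {"ok", "problems", "name_id", "attributes"} for a SAML Response document."""
    root = ET.fromstring(xml_text)
    problems = []
    empty = {"ok": False, "problems": problems, "name_id": None, "attributes": {}}

    if root.tag != "{%s}Response" % NS["samlp"]:
        problems.append("root element is not samlp:Response")
        return empty

    destination = root.get("Destination")
    if destination != EXPECTED_ACS:
        problems.append(f"Destination is {destination!r}, expected {EXPECTED_ACS!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (no ds:Signature on samlp:Response)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain saml:Assertion (an EncryptedAssertion cannot be inspected here)")
        return empty
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (no ds:Signature on saml:Assertion)")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience is {audiences}, expected {EXPECTED_AUDIENCE!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS:
        problems.append(f"Recipient is {recipient!r}, expected {EXPECTED_ACS!r}")

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    if not name_id:
        problems.append("NameID is missing or empty")

    # Collect every attribute so the caller can compare them with the Paylocity user record.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if not attributes.get(name):
            problems.append(f"required attribute {name!r} is missing or empty")
    if attributes.get("PaylocityUser") and "@" not in attributes["PaylocityUser"][0]:
        problems.append("PaylocityUser does not look like an e-mail address")

    return {"ok": not problems, "problems": problems, "name_id": name_id, "attributes": attributes}


# Constructed sample shaped like a decoded SAML tracer capture. The empty
# ds:Signature elements stand in for real signatures; issuer, user and Company ID are placeholders.
SAMPLE_GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://access.paylocity.com/SAML/AssertionConsumerService">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://access.paylocity.com/SAML/AssertionConsumerService"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://auth.paylocity.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="PartnerID"><saml:AttributeValue>P8000010</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PaylocityEntity"><saml:AttributeValue>123456</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="PaylocityUser"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same Response with the PartnerID claim dropped: what a forgotten claim mapping looks like.
SAMPLE_MISSING_PARTNER = SAMPLE_GOOD.replace(
    '<saml:Attribute Name="PartnerID"><saml:AttributeValue>P8000010</saml:AttributeValue></saml:Attribute>', "")

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("missing PartnerID", SAMPLE_MISSING_PARTNER)):
        result = check_paylocity_response(sample)
        print(label, "OK" if result["ok"] else "PROBLEMS", result["problems"])
```

For a real capture, pass the value of the SAMLResponse form field through decode_saml_response first. If the script reports no problems but the login still fails, the cause is on the Paylocity side (user name or email mismatch, as described above) rather than in the identity provider configuration. If the Assertion is encrypted, decrypt it with the service-provider key before running the check, since the script only inspects a plain saml:Assertion.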