What happens when user logins to MyPay with SSO
a) if user does not exist in MyPay new user record will be created (email, first and last name will be taken from SSO)
b) new MyPay session is created. The session behaves the same way as if user logins directly to MyPay without SSO
c) note that Employee record must exists before loginIs MyPay user signed-out of MyPay when the SSO user is signed-out of SSO?
No. In that sense SSO is not full SSO for MyPay. MyPay only uses SSO to authenticate the user.Can user coming from SSO also login to MyPay using the standard MyPay login form?
...
Only if the user has already an existing password. The pasword is created after an invitation to MyPay is sent to the user and the user clicks the link in the invitation email.
But the invitation can not be sent after the user has already logged in using SSO.Can one company have more than one authentication providers?
Yes
...
, one company can have more then one authentication provider. But it is not recommended,
because email notification links to MyPay may redirect user to a wrong authentication provider.Currently MyPay supports Okta, Azure and OneLogin. Can we add more 3rd party authentication providers?
Yes. The implementation is based on OpenID protocol, so any identity provider supporting this protocol should be configurable as MyPay authentication provider. Well, it need to be tested, for now it's just a theory.What about Salesforce as authentication provider?
Currently Salesforce authentication is in experimental mode.Which URL link should I use in MyPay email notification templates for users authenticated by SSO?
Use the "Login URL" of the External Authentication Provider.
Note that this URL will redirect users to their MyPay home page (no deep links supported now)