SOW for GE PDI and SSO
Cornerstone OnDemand Growth Edition Subscription Agreement Order
DEFINITION OF SERVICES: SINGLE SIGN ON ("SSO")
GE is fully compliant with the SAML 2.0 POST Profile only, to exchange authentication and authorization data between security domains. All SSO implementations are based on IdP-initiated SSO requests. The Client is expected to provide the details of the third party identity management provider ("Service Provider") to be used for SSO. The Service Provider has to be compliant with SAML 2.0.
To implement SSO, GE must liaise with the Client's Service Provider as follows:
1. Client's identity management provider will give GE:
1.1 The URL to which the authentication request should be sent. Some vendors may create a SAML request object and post it, so it may not always be a simple redirect; and
1.2 The certificate used to authenticate the request.
2. GE will provide the client's identity management provider with:
The URL at which the SAML assertion should be received.
Note: Some clients may use this in their SAML request/response to validate that the intended service provider URL matches what they have on record. Some may use this in a SAML request to know where to redirect the SAML response once the user authenticates.
A trust relationship is established between the IdP and the Service Provider. Essentially, the Service Provider has a certificate that the IdP has generated and any communication from the IdP to the Service Provider has to be 'signed' with this certificate.
- A user signs into the IdP with their credentials.
- The user selects the Cornerstone OnDemand SaaS application.
- The IdP returns a SAML response (that is digitally signed by the IdP with its certificate).
- The browser takes this SAML response and posts it to the Service Provider. The Service Provider confirms that the SAML response is properly signed, and if so, gives the user access to the resource -- typically the welcome page of the SaaS application.
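The following is an added example, not part of the original agreement and not Cornerstone's code. It sketches the checks a receiving party makes on an IdP-initiated SAML response besides the signature: the receiving URL matches the one on record, the audience is correct, the assertion has not expired, and no InResponseTo is present because no request was sent. The URLs, the entity ID and the trimmed sample message are constructed assumptions; verification of the XML signature against the IdP certificate requires an XML signature library and must succeed before these checks are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, trimmed sample (no ID, Issuer or Signature); not a real message.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="{exp}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

def _expired(value, now):
    try:
        t = datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return True  # missing or unparseable timestamp: fail closed
    return t.replace(tzinfo=timezone.utc) <= now

def check_unsolicited_response(xml_text, acs_url, sp_entity_id, now):
    """Return a list of problems; an empty list means these checks pass.
    Assumes the signature was already verified by the caller."""
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["p"]:
        return ["root element is not a SAML Response"]
    problems = []
    if resp.get("InResponseTo"):  # IdP-initiated: no request to answer
        problems.append("InResponseTo present on an IdP-initiated response")
    if resp.get("Destination") != acs_url:
        problems.append("Destination does not match the URL on record")
    assertions = resp.findall("a:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    scd = assertions[0].find(
        "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the URL on record")
    if scd is None or _expired(scd.get("NotOnOrAfter"), now):
        problems.append("assertion missing a valid NotOnOrAfter or expired")
    audiences = [(e.text or "").strip() for e in assertions[0].findall(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not name this service")
    return problems
```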
People Data Integration (PDI) Services
Through People Data Integration (PDI), Cornerstone automatically updates the Client's people data in GE by interfacing with the Client's HRIS, payroll (or other 3rd party staff administration) system, hereafter referred to as the Third Party System. PDI imports updated basic employee profile information for the Client on an agreed time schedule.
GE offers two distinct methods of providing PDI: Flat Feed and API.
A. PDI through Flat File Feed
The Flat File Feed option imports bulk people data via a flat file feed from the Third Party System into GE. A flat file feed is a singular scheduled export file from the Third Party System that will contain updated people data that needs to be imported by GE.
In order for a Flat File Feed to be successful the Third Party System must be able to:
- Provide the information, to be routinely extracted, in the format and file type prescribed by Cornerstone.
- Accommodate client definable fields.
- Place the extracted information, in the format required, on an SFTP server of Cornerstone.
Outcome of PDI through Flat File Feed
- Export and import are scheduled on a daily or weekly basis. Schedule determined by the Client.
- The export file is sent to Cornerstone's SFTP-server.
- If the file does not conform to the correct standard Cornerstone prescribes, or the data sent is not recognized by GE, the whole importation will fail for that scheduled occurrence.
- Allows for regular global changes to be made to people data in GE. These changes are retrieved from the changes made in the Third Party System such as adding new employees, terminating employees, reassigning managers, updating role categories and role types, updating custom created filters (tags) (i.e. location, department, pay scale, etc.), updating names and positions, updating start dates with company and in role.
Cornerstone OnDemand, Inc. is committed to having the PDI through Flat File Feed fully completed within two weeks after completion of the implementation project of the Client's GE system. However, this will also depend on the availability of the Third Party System provider and the Client's internal resources assigned to assist Cornerstone in completing the Flat File Feed Integration.
B. PDI through API
Cornerstone provides the Client with a public API to synchronize the Client's people data from the Third Party System to the GE system. The Client is able to build the connection to the API as a self-service. Cornerstone provides written documentation on how to connect to the API.
In order for an API connection to be successful, the Third Party System must also be able to connect to an API. Cornerstone does not assist with creating/building the connection between the Third Party System, the API and GE, other than the aforementioned written documentation.
Outcome of PDI through API
Your people data will be synchronized between the Third Party System and GE on a real time basis, for every individual person's record that is updated in the Third Party System.
This is a self service in that the Client is fully in charge of the timeframe and has the onus to deliver.