Why does PeopleSense not support Single Sign On (SSO) for EAP and similar programs?

We occasionally are asked by customers whether we support Single Sign On (SSO) using a company or organisational login with PeopleSense Online, our booking system. This article explains why we do not.

What is PeopleSense Online?

PeopleSense Online is our booking and client care system. Your employees, or members, and their family have access to it for confidential booking of psychology appointments, management of personal profile data, and help to understand your program offerings, entitlements, and available services.

Clients are free to register with their choice of contact details. Many choose to use personal contact details so that, for example, appointment reminders for their confidential psychology appointments are not sent to a work address.

What is Single Sign On, or SSO?

Many companies have a facility whereby a user's company login (username and password) can be used to not only access company resources but also those from other systems. This is called Single Sign On, or SSO.

Examples include accessing payroll and leave management systems (ADP, Workday, SAP, etc), internal company software (PowerBI, or custom applications), and other third party applications.

With SSO, the company's IT systems control who can access an application, and detailed logging is in place to manage and record that access.

The reasons for using SSO in a corporate context are often to:

  • control or limit system access to eligible users, so that only active employees can access a system, or only approved users can access a specialised system;
  • make login easier for users by maintaining only a single set of credentials.

New customers periodically ask us whether we can implement their SSO for PeopleSense Online, as it is perceived as ensuring legitimate access to a company-funded program. This article explains why we do not support SSO.

Confidentiality

PeopleSense EAP is a confidential psychology health service. There are many controls in place to ensure that EAP clients remain anonymous to their employer including: de-identifying clients on invoices via anonymous IDs, protection of smaller groups of clients in reporting such as masking groups smaller than 10, and restrictions on reporting user groups for organisational divisions with fewer than 20 members.
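The de-identification and small-group masking described above can be illustrated in code. The following is an added example written for this article, not PeopleSense's own code: it assumes a secret pseudonym key held only by the EAP provider, uses the masking threshold of 10 and the division-size threshold of 20 given in the paragraph, and runs on constructed sample data.

```python
import hashlib
import hmac

# Hypothetical, constructed key: in practice it would be held only by the EAP
# provider, so an employer cannot recompute pseudonyms from a staff list.
PSEUDONYM_KEY = b"constructed-example-key-not-real"

# Thresholds as described in the article's reporting controls.
MIN_GROUP_FOR_DETAIL = 10   # client groups smaller than this are masked
MIN_DIVISION_SIZE = 20      # divisions with fewer members are not reported on


def anonymous_id(client_email: str) -> str:
    """Stable pseudonym for an invoice line.

    A keyed hash (HMAC) is used rather than a plain hash so that the pseudonym
    cannot be reproduced without the provider's key, while the provider can
    still recognise a returning client.
    """
    normalised = client_email.strip().lower().encode()
    digest = hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()
    return "EAP-" + digest[:10].upper()


def utilisation_report(division_sizes: dict, sessions: list) -> dict:
    """Aggregate utilisation per division with small-cell suppression.

    division_sizes: {division name: number of members}
    sessions: list of (division name, client email) for each appointment
    Returns {division: distinct client count, or "<10" when masked}; divisions
    with fewer than MIN_DIVISION_SIZE members are omitted entirely.
    """
    clients_by_division = {}
    for division, email in sessions:
        clients_by_division.setdefault(division, set()).add(email.strip().lower())

    report = {}
    for division, size in division_sizes.items():
        if size < MIN_DIVISION_SIZE:
            continue  # too small a division: any figure could identify someone
        count = len(clients_by_division.get(division, set()))
        if count >= MIN_GROUP_FOR_DETAIL:
            report[division] = count
        else:
            report[division] = f"<{MIN_GROUP_FOR_DETAIL}"
    return report


# Constructed sample data (not real organisations or people).
SAMPLE_DIVISIONS = {"Operations": 120, "Finance": 25, "Executive": 6}
SAMPLE_SESSIONS = (
    [("Operations", f"ops{i}@example.net") for i in range(12)]
    + [("Finance", "fin1@example.net"), ("Finance", "fin2@example.net"),
       ("Finance", "FIN2@example.net")]          # same client, different case
    + [("Executive", "exec1@example.net"), ("Executive", "exec2@example.net")]
)


def demo_report() -> dict:
    """Run the report over the constructed sample data."""
    return utilisation_report(SAMPLE_DIVISIONS, SAMPLE_SESSIONS)


if __name__ == "__main__":
    print("invoice id for a client:", anonymous_id("fin1@example.net"))
    print("utilisation report:", demo_report())
```

The report shows a count for Operations (12 distinct clients), masks Finance as "<10" (only two distinct clients), and omits Executive altogether because the division has fewer than 20 members.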

SSO would break the clinical confidentiality of service access and would:

  • Identify clients of the EAP service to the IT team, and potentially elsewhere, through SSO logs,
  • Inhibit access to care as users would immediately be aware that their EAP access was being recorded and monitored. Many would decline to access care, or the perception of monitoring could exacerbate symptoms.

This is the first reason why we do not support SSO connections to our EAP service.

Allowing Access to Family and More

Another characteristic of SSO is that it requires a client to have an active work-issued login to access the service, and many eligible program participants do not have one. These often include family members and those in non-corporate roles such as volunteers and contractors.

But it can also include employees who have been terminated or made redundant and whose company login access is necessarily shut off. In many cases organisations want to ensure these clients can still receive EAP care at what can be a very difficult time, and often they are referred to the EAP service. If we were to implement SSO, these clients would not have access to make and manage their EAP appointments.

Potentially a secondary login system could be created for these users, but inevitably this would bypass SSO, removing any perceived benefits SSO might offer to the organisation. Nor can we allow, for example, adult family members' access to be controlled by an eligible employee, as this may inhibit legitimate and approved access to care. Notably, adults may not make EAP bookings for other adults, so it is reasonable that adult family members should not need employee permission to access EAP where eligible.

The redundancy of SSO given our many ways to access care

We have a large and highly trained team working with clients every day to find the right psychologist for them and support their care journey. They can be reached via phone, email, and now online chat via our website.

SSO limits or restricts only online access, a channel many clients find to be of great convenience, as well as one used by those who find talking to a team member on the phone to cause stress or anxiety. As all eligible users can access our team to make bookings, SSO is easily circumvented by those not wishing to use it, further amplifying why it does not have a purpose in the context of an EAP program.

How can service access be secured if we can't use SSO?

We take program access security very seriously and have in place a number of controls to ensure that only eligible clients access care. We’ve written an article that outlines the mechanisms that we have in place to ensure program security given that SSO is not supported. You can read more here.

Furthermore, you can be assured that our online system is inherently secure and is tested for vulnerabilities. As an ISO 27001 Certified Organisation, information security is at our core.

In Summary

SSO is intentionally not supported in order to leave the confidential psychology service available to a) employee users who choose to register with a non-work address and receive, e.g., SMS and email appointment confirmations at personal destinations, and b) family members and others who do not use the SSO platform but have legitimate access to the Employee Assistance Program.
 
We believe that use of SSO would hinder legitimate access to the service by giving the real impression that service use was being monitored by the organisation in such a way as to identify EAP clients. We strive to protect client confidentiality with a range of measures, and our restriction on the use of SSO is part of this.