UKG is rolling out a mandatory upgrade to UKG Authentication across UKG Pro and UKG Pro WFM environments. This is a required platform migration that introduces a unified authentication service with enhanced security and improved user experience. No immediate action is required until you receive access to the upgrade tool, but preparation will be necessary once enabled.
Quick Overview
Timeline: Provided via direct UKG communication
Who’s affected: All UKG Pro and UKG Pro WFM customers (SSO and Direct Login)
Action required: Yes – HRIS (with IT support for SSO) must complete upgrade
Rollback: Available for 7 days post-upgrade
If regional applicability is unclear, the documentation does not specify regional exclusions. Unless advised otherwise in your UKG communication, ANZ customers should assume this applies.
What's Changing
This upgrade moves all customers to a single, unified authentication platform that will power the full UKG Pro suite going forward. It introduces security improvements, modern session handling, and self-service enhancements.
Security & Access
The new authentication framework strengthens security controls while reducing login friction for trusted users.
- Mandatory password rotation removed
- Adaptive Multi-Factor Authentication (MFA) enabled for direct login environments
- Six failed login attempts trigger account block on the seventh
- Enhanced session management across the UKG suite
- IDP Single Logout (SLO) support for SAML configurations
User Experience
The upgrade simplifies navigation and reduces login interruptions.
- Unified login experience across UKG products
- Deep linking to specific features (e.g. time-off, add-on modules)
- Frictionless cross-product navigation without re-authentication
- Self-service password reset and forgot-username functionality
API & Integration Controls
There are expanded capabilities for administrators managing integrations and security.
- Self-service API client management interface
- Support for webhooks to receive real-time notifications
- Continued SAML support (OIDC planned)
Key Impacts for ANZ Customers
While this is primarily a security and authentication upgrade, it has operational implications for HRIS and IT teams.
Direct Login Environments
Direct login users will see a new login interface but will retain existing credentials and MFA settings.
- Password policies remain unchanged
- Adaptive MFA applies automatically where MFA is enabled
- No MFA prompts added if MFA is not currently configured
Responsibility: HRIS
SSO Environments
SSO configurations must be re-established to create two-way trust with the new authentication platform.
- Metadata file download and upload to IDP
- Firewall/IP exceptions if required
- Connectivity testing in Test and Production environments
- Repeat testing immediately before executing upgrad
Prerequisites & Preparation
Preparation is critical to avoid user disruption.
Pre-Upgrade Checklist
The upgrade tool includes required validation steps that should be completed in advance.
- Review duplicate or invalid email addresses
- Validate phone numbers
- Confirm username compliance (restricted character set)
- Ensure Sign-On Email field accuracy
Email addresses are not mandatory but strongly recommended for self-service capabilities.
Mobile App Transition
Legacy mobile apps are no longer supported under UKG Authentication.
- All users must download the new UKG Pro mobile app
- Administrators should communicate this change ahead of upgrade
Environment Strategy
If you have multiple environments, sequencing matters.
- Upgrade all Test environments first
- Allow several days for validation testing
- Minimise time between Test and Production upgrades
- Avoid logging into upgraded and non-upgraded environments in the same browser session
If no Test environment exists, upgrade can be executed directly in Production with rollback available.
During the Upgrade
The technical cutover is short but should be managed through internal change control.
- Upgrade tool execution completes in under 30 minutes
- Users receive in-product save notifications
- All users are logged out at completion
- Time clocks and punch data continue processing
Access to UKG Pro remains available during the upgrade.
After the Upgrade
The technical cutover is short but should be managed through internal change control.
Validation Testing
Administrators should test core workflows before announcing completion.
- Direct login and SSO login scenarios
- Cross-product navigation
- API integrations and payroll exports
- Multiple user role testing
Administrator Changes
Some configuration areas shift location or behaviour.
- Password expiration removed (compromised password alerts only)
- Updated MFA configuration behaviour
- Modified security audit reporting
- API management interface changes
User Experience
Most users will see minimal disruption, with some exceptions.
- MFA authenticator app users must re-enrol
- Direct login passwords remain the same
- Blocked accounts can be self-unblocked via email
- New UKG Pro mobile app required
Rollback is available for up to 7 days if required.
Action Required
Now
- Review upgrade communications from UKG
- Validate email and username data quality
- Confirm mobile app communication plan
- Coordinate HRIS and IT ownership
When Upgrade Tool Is Enabled
Administrators should test core workflows before announcing completion.
- Complete pre-upgrade checklist
- Configure and test SSO connectivity (if applicable)
- Execute upgrade in Test
- Validate integrations and workflows
- Execute upgrade in Production
- Communicate completion to users
Responsibility: HRIS leads upgrade execution; IT supports SSO configuration.
Original Source: UKG Authentication Questions and Answers
