Identity Provider Configuration
ACS (Assertion Consumer Service) URL (sign-on/redirect URL):
https://recruit.hirebridge.com/v3/SAML/Login.aspx
Target (a.k.a. audience):
https://recruit.hirebridge.com/SAML2
NameID
Should match the user's Hirebridge login ID (e-mail address). By default this is typically the e-mail address used to log in to the identity provider, but it is usually configurable there.
If the e-mail address in the identity provider differs from the user's e-mail address in Hirebridge, the SSO ID field in the Hirebridge user details can hold the value sent in the NameID. On first try we assume the identifier sent is the e-mail address (user login ID); if that lookup fails we attempt to validate using the SSO ID.
Notes:
- Once we’re in an identity provider’s marketplace (app store), the above information should be unnecessary; it is only required if you are configuring a custom application with an identity provider.
- In the settings for the signing certificate, select SHA-256 as the signing algorithm if possible. SHA-1 is also supported, but it is a weaker, deprecated algorithm; use it only if the identity provider cannot sign with SHA-256.
- DOWNLOAD THE CERTIFICATE PROVIDED BY THE IDENTITY PROVIDER (BASE 64 ENCODED). This is ALWAYS required whether we’re in the app store or not.
To make setup easier, we also provide our metadata for download on our SSO configuration page. Most SSO identity providers allow you to upload a metadata file when configuring a new service provider.
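As an added example (not Hirebridge's actual metadata file, which you should download from the SSO configuration page), the Python below builds a minimal SAML 2.0 SP metadata document from the two values above and reads the same fields back out of any SP metadata file, so you can confirm a downloaded file matches the ACS URL and audience before uploading it to the identity provider. The function names are this example's own, and the document it produces is a constructed minimal one with no signing keys, organization or contact details.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)

# Values from this page: the entityID is the audience (Target), the ACS
# Location is the sign-on URL the IdP posts the SAMLResponse to.
ENTITY_ID = "https://recruit.hirebridge.com/SAML2"
ACS_URL = "https://recruit.hirebridge.com/v3/SAML/Login.aspx"


def build_sp_metadata(entity_id, acs_url):
    """Return a minimal SP metadata document (constructed example, unsigned)."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        AuthnRequestsSigned="false", WantAssertionsSigned="true")
    # NameID should be the user's e-mail address, as described above.
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=POST_BINDING, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def read_sp_metadata(xml_text):
    """Extract entityID (audience) and the HTTP-POST ACS URLs from SP metadata."""
    root = ET.fromstring(xml_text)
    ns = {"md": MD_NS}
    acs_urls = [
        e.get("Location")
        for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", ns)
        if e.get("Binding") == POST_BINDING
    ]
    return {"entity_id": root.get("entityID"), "acs_urls": acs_urls}


def metadata_matches(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """True if the metadata advertises exactly the audience and ACS URL expected."""
    parsed = read_sp_metadata(xml_text)
    return parsed["entity_id"] == entity_id and acs_url in parsed["acs_urls"]
```

WantAssertionsSigned="true" is set deliberately: the issuer and certificate checks described later on this page only mean something if the identity provider signs what it sends.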
Hirebridge Configuration
In SSO Settings:
- Set the certificate issuer (if known, see notes below)
- Paste the Base64-encoded certificate downloaded from the identity provider
Certificate Issuers
It is not necessary to configure the certificate issuer in Hirebridge, but doing so adds an additional level of validation: the Issuer value in each SAML response must match the configured value, which ensures the response came from the identity provider we expected.
Example issuer values, for the Hirebridge configuration. These are examples only; the value is different for each customer. To find yours, capture a SAML response from your identity provider (see the SAML_LOG note below) and read the issuer, which appears at the top of each response.
Alternatively, use a browser extension such as SAML DevTools extension for Chrome to watch the SAML exchange in the Chrome developer tools: open a new tab, open developer tools, then paste the identity provider’s sign-on URL into the address bar.
OneLogin: https://app.onelogin.com/saml/metadata/703661
Okta: http://www.okta.com/exk2eyttwaqpeRQXo2p6
Azure AD: https://sts.windows.net/44fbc026-e8da-487f-aaa4-5f1bb38bc66a/
Ping: https://pingone.com/idp/hirebridge
Note: Adding a SAML_LOG setting to the appSettings section of web.config in IIS (the value is the log file name) logs the SAML information received and identifies the certificate issuer at the top of each request.
Employee Referral Portal SSO
You will need to create a custom connector (app) in your identity provider’s administration portal. Most, if not all, should allow this.
The URL (login URL, sometimes referred to as Consumer URL) for the SAML assertion is:
https://recruit.hirebridge.com/v3/CareerCenter/EmployeePortal/Login.aspx?cid=###
where ### is your company ID. Note that this URL differs from the one used for our recruiter pages and is the same URL used for interactive logins.
When creating the custom application, use the same certificate as the one assigned to the Hirebridge ATS app, as we have only a single certificate for both. Pay attention to the certificate issuer ID: if it differs from the one used by the Hirebridge ATS app, make sure the SSO certificate configuration in Hirebridge does not specify the issuer.
Some identity providers may ask for an ACS (Consumer) URL Validator. If so, enter the following (the field takes a regular expression, which is why the slashes and dots are escaped):
https:\/\/recruit\.hirebridge\.com
Additionally, if there is a place to enter an audience, enter:
https://recruit.hirebridge.com/SAML2
If the provider has a place to enter a recipient, enter the login URL from above.
NOTES:
- OneLogin allows a custom application by adding the application called “SAML Test Connector (IdP)” from its application catalog. Once added, you can configure it with the SAML information above.
SSO Login Error Messages
Each message shown to the user is listed with its cause.
- Unable to log you in! Invalid request from your identity provider.
  Cause: the request from the identity provider did not contain an e-mail address (NameID).
- Unable to log you in! Your e-mail address does not seem to have a Hirebridge account.
  Cause: the e-mail address provided by the identity provider was not found as a user in our system (neither as a login ID nor as an SSO ID).
- Unable to log you in! Please have your system administration upload your SSO signing certificate to Hirebridge.
  Cause: the identity provider's public certificate has not been entered on our SSO settings page.
- Unable to log you in! The request issuer does not match your SSO settings.
  Cause: the issuer configured on our SSO settings page does not match the issuer in the SAML request from the identity provider.
- Unable to log you in! Have your computer administrator verify your identity provider's settings.
  Cause: we were unable to validate the request using the public certificate in our SSO settings. This usually means the certificate is incorrect, but it can also mean the server time is skewed and the request falls outside the validity window (NotBefore/NotOnOrAfter) set by the identity provider.
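To make the checks described on this page concrete (issuer validation, audience and recipient, the NameID-then-SSO-ID user lookup, and the causes behind the error messages above), here is an added Python example. It is illustrative code, not Hirebridge's implementation: the function names, the settings dictionary, the user directory, the clock-skew allowance and the SAML response are all constructed for the example. It deliberately omits XML signature verification, which a real service provider must perform against the identity provider's certificate before trusting anything in the response. The parse_response helper is also what you would run over a SAMLResponse captured via SAML_LOG or the browser extension to read the issuer value; for the Employee Referral Portal, the same checks apply with the recipient set to that portal's login URL.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP settings using this page's values; the issuer is the Okta
# example above, the certificate is a placeholder string (assumption).
SP_SETTINGS = {
    "audience": "https://recruit.hirebridge.com/SAML2",
    "recipient": "https://recruit.hirebridge.com/v3/SAML/Login.aspx",
    "issuer": "http://www.okta.com/exk2eyttwaqpeRQXo2p6",  # optional; None skips the check
    "certificate": "<Base64 certificate downloaded from the IdP>",
    "clock_skew": timedelta(minutes=5)}

# Hypothetical Hirebridge user directory: login id (e-mail) -> optional SSO ID.
USERS = {"alice@example.com": {"sso_id": None},
         "bob@example.com": {"sso_id": "bob.smith@corp.example"}}

# Constructed, unsigned sample response; the IdP e-mail differs from the
# Hirebridge login id, so the SSO ID fallback is exercised.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exk2eyttwaqpeRQXo2p6</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Subject>
      <saml:NameID>bob.smith@corp.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://recruit.hirebridge.com/v3/SAML/Login.aspx"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://recruit.hirebridge.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
T_OK = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # inside the window
T_LATE = T_OK + timedelta(minutes=30)                     # skewed clock / replay

# The five messages listed above, keyed by the reason code sso_login returns.
MESSAGES = {
    "missing_email": "Unable to log you in! Invalid request from your identity provider.",
    "unknown_user": "Unable to log you in! Your e-mail address does not seem to have a Hirebridge account.",
    "no_certificate": "Unable to log you in! Please have your system administration upload your SSO signing certificate to Hirebridge.",
    "issuer_mismatch": "Unable to log you in! The request issuer does not match your SSO settings.",
    "not_validated": "Unable to log you in! Have your computer administrator verify your identity provider's settings."}


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2024-05-01T12:05:00Z (no fractional seconds)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def parse_response(saml_response_b64):
    """Decode a SAMLResponse form value and extract the fields the SP checks.
    The top-level Issuer is the value to configure as the certificate issuer."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS).strip(),
        "not_before": _ts(cond.get("NotBefore")) if cond is not None else None,
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")) if cond is not None else None}


def resolve_user(name_id, users):
    """Lookup order described above: login id (e-mail) first, then the SSO ID
    field. Case-insensitive matching is this example's own choice."""
    key = name_id.strip().lower()
    if key in users:
        return key
    for login_id, rec in users.items():
        if rec.get("sso_id") and rec["sso_id"].lower() == key:
            return login_id
    return None


def sso_login(saml_response_b64, settings=SP_SETTINGS, users=USERS, now=None):
    """Return (reason, login_id); reason is "ok" or a key of MESSAGES. Audience and
    recipient mismatches get their own codes because the page lists no message for them."""
    now = now or datetime.now(timezone.utc)
    if not settings.get("certificate"):
        return "no_certificate", None
    f = parse_response(saml_response_b64)
    # A real SP verifies the XML signature with settings["certificate"] here and
    # returns "not_validated" on failure; omitted in this example.
    if settings.get("issuer") and f["issuer"] != settings["issuer"]:
        return "issuer_mismatch", None
    if f["audience"] != settings["audience"]:
        return "audience_mismatch", None
    if f["recipient"] and f["recipient"] != settings["recipient"]:
        return "recipient_mismatch", None
    skew = settings["clock_skew"]
    if f["not_before"] and now + skew < f["not_before"]:
        return "not_validated", None  # server clock behind the IdP
    if f["not_on_or_after"] and now - skew >= f["not_on_or_after"]:
        return "not_validated", None  # expired: clock ahead, or a replayed response
    if not f["name_id"]:
        return "missing_email", None
    login_id = resolve_user(f["name_id"], users)
    return ("ok", login_id) if login_id else ("unknown_user", None)
```

Running sso_login(SAMPLE_RESPONSE_B64, now=T_OK) resolves bob.smith@corp.example to bob@example.com through the SSO ID field; the same response at T_LATE fails the NotOnOrAfter check and maps to the last error message above, which is why the server clock matters as much as the certificate.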