SAML-based Single Sign-on (SSO) allows Talent Scouts to access Employee Referrals through an Identity Provider (IdP) of your choice.
You can activate SSO for your company account even if some users have already registered. In case the email address is not identical, a new user account will be created.
Those are the steps for a correct configuration:
- Set up your Identity Provider
- Set up your Employee Referrals account (Service Provider configuration)
- Activate SSO
Please note: the SSO feature needs to be activated by Radancy's team. If active, you can configure it by clicking on your Name > Account Preferences > Authentication > Single Sign-on. If the page is not available, reach out to your point of contact at Radancy.
Step 1: Setup your Identity Provider (IdP)
First, create a connection for Employee Referrals within your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Employee Referrals account:
Manual Identity Provider (IdP) configuration
For an easy setup, you will find all the important information for the configuration of your IdP directly in your Employee Referrals company account under Account Preferences > Authentication > Single-Sign-on.
- Post-Backup-URL for SSO-Login (SSO)
- Address of Metadata.xml
(If automatic configuration is possible)
Please note! Employee Referrals supports HTTP POST-binding. You can configure the HTTP POST-binding in your IDP Metadata.
Settings for the configuration of your Identity Provider
- NameID (mandatory field)
Please note! The "NameID" has to be explicit to meet the SAML specifications.
Your unique identifier
- Email attribute (mandatory field)
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
xmlns:xsi=" " xsi:type="xs:string">email@example.com
- Session duration attribute (optional)
The attribute only impacts the sign-on duration. This element contains an AttributeValue element indicating how long the user can access Employee Referrals via mobile app before the user must sign on again. This value is an integer indicating the number of seconds for the session. The value must be at least 1,200 seconds (20 minutes). If the attribute SessionNotOnOrAfter of the AuthnStatement is also set, the lower value of the two attributes will be used. When none of these two attributes is available, the sign-on information will apply for a period of 30 days.
xmlns:xsi=" " xsi:type="xs:string">86400
Finalize the configuration in Employee Referrals (click on your Name > Account Preferences > Authentication > Single-Sign-On) with the following three important items from your IdP:
This is the unique identifier for the connection to Employee Referrals and will be provided by your IdP.
- SSO Service URL
This is the address of your IdP. Employee Referrals will send all authentication requests to this URL.
- Signing Certificate
Employee Referrals requires that SAML assertions are signed and that a valid X.509.pem certificate is stored in Employee Referrals to verify your identity.
All settings described above can be found in the Metadata XML of your IdP.
Employee Referrals offers three options to make the configuration as easy as possible:
- Configuration via IdP Metadata.XML upload:
You can upload the Metadata XML of your IdP. If the XML was uploaded successfully, the settings are preconfigured accordingly. Changes can be done at any time.
- Configuration via IdP Metadata URL:
You can enter the Metadata XML address of your IdP. Once we have checked the XML, the settings are preconfigured accordingly. Changes can be done at any time.
- Manual configuration
If none of the above options are suitable for you, the configuration can be done manually as well.
Please note! In case your IdP configuration provides different certificates for "signing" and "encryption", please make sure you add only the "signing" certificate under "Signing certificate".
Click the button "Save Configuration" to save your settings.
Step 3: Activate SSO
As soon as you have saved the SSO settings, you will be able to activate SSO for your Employee Referrals company account.
After activating SSO for your company account, a new button "Login via SSO" will appear on the login page. From now on, your users will be able to log in via SSO.