Configuration of sign-on with SAML SSO
SAML-based single sign-on (SSO) allows users access to Employee Referrals through an identity provider (IdP) of your choice.
Please note!
The SSO option must be part of your order.
Provisioning
Employee Referrals supports the identity provider (IdP) initiated flow, the service provider (SP) initiated flow and just-in-time (JIT) provisioning.
For SP-initiated login, go to https://YOURDOMAIN.1brd.com/login.
Your IdP must ensure that a user is authenticated and authorized before it sends an assertion. If a user is not authorized, no assertion should be sent: Employee Referrals links or creates an account for every user your IdP asserts (see "SSO for existing users" and "Just-In-Time provisioning" below), so the authorization decision lies entirely with your IdP.
Step 1: Setup your Identity Provider (IdP)
First, create a connection for Employee Referrals within your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Employee Referrals account:
Manual Identity Provider (IdP) configuration
For an easy setup, you will find all important information for the configuration of your IdP directly in your Employee Referrals company account under "Account Preferences" - "Authentication" - "Single Sign-on" (only visible once SSO has been activated by Employee Referrals).
The important information at a glance:
- Entity-ID: https://YOURDOMAIN.auth.1brd.com/saml/sp
- Post-Back URL for SSO-Login (the Assertion Consumer Service URL your IdP posts the SAML response to): https://YOURDOMAIN.auth.1brd.com/saml/callback
- Address of the Metadata.xml (if your IdP supports automatic configuration): https://YOURDOMAIN.auth.1brd.com/saml/sp/metadata
Please note!
Employee Referrals supports the HTTP POST binding. Select the HTTP POST binding for this connection in your IdP configuration (or IdP metadata); responses sent with other bindings are not accepted.
Settings for the configuration of your Identity Provider
- NameID (mandatory field)
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
Your unique identifier
</saml:NameID>
</saml:Subject>
Please note!
The "NameID" must be unique for each user and stable across logins, as the SAML specification requires for the persistent format. Employee Referrals uses it to recognise a returning user.
- Email attribute (mandatory field)
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">your.user@yourdomain.com
</saml:AttributeValue>
</saml:Attribute>
- Session duration attribute (optional)
This attribute only affects the sign-on duration. Its AttributeValue states how long the user may access Employee Referrals via the mobile app before having to sign on again, as an integer number of seconds. The value must be at least 1,200 seconds (20 minutes). If the SessionNotOnOrAfter attribute of the AuthnStatement is also set, the lower of the two values is used. If neither is present, the sign-on remains valid for 30 days.
<saml:Attribute Name="https://auth.1brd.com/saml/attributes/sessionduration">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">86400
</saml:AttributeValue>
</saml:Attribute>
Step 2: Set up your Employee Referrals account (SP configuration)
Finalize the configuration in Employee Referrals with the following three items from your IdP:
- Entity-ID
This is the unique identifier of your IdP for this connection and is provided by your IdP.
- SSO Service URL
This is the address of your IdP. Employee Referrals will send all authentication requests to this URL.
- Signing Certificate
Employee Referrals requires that SAML assertions are signed and that a valid X.509 certificate in PEM format is stored in Employee Referrals to verify the signature of your IdP's assertions.
All settings described above can be found in the Metadata XML of your IdP.
Employee Referrals offers three options to make the configuration as easy as possible:
1. Configuration via IdP Metadata.XML upload
2. Configuration via IdP Metadata URL
3. Manual configuration
1. Configuration via IdP Metadata.XML upload
You can upload the Metadata XML of your IdP. If the XML was uploaded successfully, the settings are preconfigured accordingly. Changes can be done at any time.
2. Configuration via IdP Metadata URL
You can enter the Metadata XML address of your IdP. Once we have checked the XML, the settings are preconfigured accordingly. Changes can be done at any time.
3. Manual configuration
If none of the above options are suitable for you, the configuration can be done manually as well.
Please note!
In case your IdP configuration provides different certificates for "signing" and "encryption", please make sure you add only the "signing" certificate under "Signing certificate".
Click the button "Save Configuration" to save your settings.
Step 3: Activate SSO
As soon as you have saved the SSO settings, you will be able to activate SSO for your Employee Referrals company account.
After activating SSO for your company account, a new button "Login via SSO" will appear on the login page. From now on, your users will be able to log in via SSO.
Please note!
When SSO is active, please DO NOT invite users manually.
In the case that you are having trouble with SSO, please contact our support.
SSO for existing users
You can activate SSO for your company account even if some users have already registered through your Employee Referrals company account. Such users are linked automatically: the email address your IdP sends as an assertion attribute is matched against the email addresses of the existing users in your Employee Referrals account.
If no existing user has an identical email address, a new user account is created. As the link is established solely on the email attribute, your IdP must only assert email addresses that it has verified belong to the authenticated user.
Authentication via Single Sign-On (SSO) only
In addition to allowing login with either SSO or a password, there is the option to allow login via SSO only. This is only available if single sign-on has been enabled for your Employee Referrals company account and is in use.
Recommended steps before enforcing Single Sign-On (SSO) only
Before enforcing SSO only for your Employee Referrals company account we highly recommend creating a backup administrator user with an email address that is not part of SSO, such as application@domain.com.
If SSO is not working, contact our support and request that SSO-only authentication be disabled. Then use your backup account to regain access to your company account.
Before enforcing SSO for your Employee Referrals company account, make sure, together with your IT, that SSO is configured properly (see article "Configuration of Sign-on with SAML SSO"). When done, go to your "Account Preferences", "Authentication" and next to "Single Sign-On".
Activate authentication via Single Sign-On (SSO) only
To enable authentication via SSO only, click on the toggle next to "Authentication via Single Sign-On only".
When activated, the user will see the following login screen:
Please note!
As soon as authentication via SSO only has been activated, the following features are inactive:
- Invite users via Firstbird
- Registration page
- Multi-Factor Authentication
- Password Policy
Your IdP Certificate Has Been Updated
If your IdP's certificate has been updated, change the certificate in your Employee Referrals company account as well. Otherwise, Employee Referrals can no longer verify the signature of your IdP's assertions and your users will not be able to log in via SSO anymore.
As a precautionary measure, we recommend creating a backup administrator user with an email address that is not part of SSO, such as application@domain.com.
If your IdP certificate has changed, you'll be able to log in with this backup administrator login, together with your IT department, to update the certificate under your "Account Preferences".
To update the certificate, go to "Account Preferences", under the "Single Sign-On" heading and click the button "Expand" to show "Single Sign-On Configuration".
Depending on your current settings, please
- Upload a new "Metadata file",
- Add a new "Metadata URL", or
- Replace the certificate under "Signing certificate" in the manual configuration.
Click on the button "Save configuration" to save your changes.
Please update the certificate together with your IT department to make sure all changes are correct.
Please note!
Your IT department will not be able to make these changes in your Firstbird company account if they have no backup admin user account.
Just-In-Time provisioning for SAML SSO
Providing attributes with JIT provisioning allows Talent Scouts to skip corresponding registration steps.
Recruiters will receive all information needed for reward management and can identify Talent Scouts more easily, for example, if employee ID is provisioned.
Company administrators no longer need to assign roles to users manually after registration. The appropriate role can be assigned automatically when a user registers with Employee Referrals.
Changes to user data in your IdP are adopted automatically and applied the next time the user logs into Employee Referrals. This keeps your user data up to date. Profile information provided via JIT provisioning cannot be changed by the user.
- First name attribute (optional)
<saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max
</saml:AttributeValue>
</saml:Attribute>
- Last name attribute (optional)
<saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml:AttributeValue>
</saml:Attribute>
- Employee-ID-attribute (optional)
<saml:Attribute Name="employee_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DE123456789
</saml:AttributeValue>
</saml:Attribute>
- Department-ID-attribute (optional)
<saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sales
</saml:AttributeValue>
</saml:Attribute>
- Location-ID-attribute (optional)
<saml:Attribute Name="location" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vienna
</saml:AttributeValue>
</saml:Attribute>
- User-Role-attribute (optional)
Please note! This attribute is predefined and its value must be one of the following to assign the corresponding role:
- Talent Scout: ROLE_TALENT_SCOUT
- Recruiter: ROLE_RECRUITER
- Company-Administrator: ROLE_COMPANY_ADMIN
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ROLE_TALENT_SCOUT
</saml:AttributeValue>
</saml:Attribute>
FAQ
What happens if the role is not available or cannot be recognized?
The role is not provisioned and the default role Talent Scout is assigned.
What happens when location and/or department is not available?
The location/department is not provisioned and the user must select their location/department during registration.
What happens when locations/departments with the same name exist?
When two or more locations/departments with the same name exist, the one set in the account settings is assigned.
Can the profile information provided be updated?
Yes, the changed profile information of a user is automatically updated at the subsequent login.
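Added example (not Employee Referrals' own code) covering both the attribute settings of Step 1 and the JIT provisioning attributes and FAQ rules above: it parses a SAML assertion, enforces the mandatory NameID and email attribute, computes the session length as the lower of the sessionduration attribute and SessionNotOnOrAfter (30 days if neither is present, 1,200 seconds minimum), and builds the user record an SP would create or update at login, falling back to ROLE_TALENT_SCOUT for an unknown role and leaving a missing department unset. The assertion is constructed and unsigned, and the IdP issuer, NameID value and "current time" are made up; a real SP verifies the XML signature against the configured signing certificate before trusting any of these values, which this example does not do. How Employee Referrals treats a sessionduration below 1,200 seconds is not documented; the example rejects it, which is an assumption.

```python
"""Parse the assertion attributes described in this article and apply the
documented session-length and JIT provisioning rules.

Added example with a constructed, unsigned sample assertion; signature
verification is intentionally out of scope here. Not part of Employee Referrals.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SESSION_ATTR = "https://auth.1brd.com/saml/attributes/sessionduration"
MIN_SESSION = 1200                 # documented minimum: 20 minutes
DEFAULT_SESSION = 30 * 24 * 3600   # documented default: 30 days
ROLES = {"ROLE_TALENT_SCOUT", "ROLE_RECRUITER", "ROLE_COMPANY_ADMIN"}
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample: no department attribute, and a role value that is not one
# of the three predefined roles, so both FAQ fallbacks are exercised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-4711</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z" SessionNotOnOrAfter="2024-05-01T19:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">max.mustermann@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://auth.1brd.com/saml/attributes/sessionduration">
      <saml:AttributeValue xsi:type="xs:string">86400</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Max</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Mustermann</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employee_id"><saml:AttributeValue>DE123456789</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="location"><saml:AttributeValue>Vienna</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>ROLE_SUPERUSER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class ProvisionedUser:
    name_id: str
    email: str
    session_seconds: int
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    employee_id: Optional[str] = None
    department: Optional[str] = None  # None: the user picks it during registration
    location: Optional[str] = None
    role: str = "ROLE_TALENT_SCOUT"   # default role per the FAQ


def attribute_values(assertion: ET.Element) -> dict:
    """Map Attribute/@Name to the text of its first non-empty AttributeValue."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            out[attr.get("Name")] = value.text.strip()
    return out


def session_seconds(attrs: dict, assertion: ET.Element, now: datetime) -> int:
    """Lower of the sessionduration attribute and SessionNotOnOrAfter; 30 days if neither."""
    candidates = []
    if SESSION_ATTR in attrs:
        seconds = int(attrs[SESSION_ATTR])
        if seconds < MIN_SESSION:  # assumption: values below the minimum are rejected
            raise ValueError(f"sessionduration {seconds} is below the minimum of {MIN_SESSION} s")
        candidates.append(seconds)
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        ends = datetime.fromisoformat(authn.get("SessionNotOnOrAfter").replace("Z", "+00:00"))
        candidates.append(int((ends - now).total_seconds()))
    return min(candidates) if candidates else DEFAULT_SESSION


def provision(assertion_xml: str, now: datetime = NOW) -> ProvisionedUser:
    """Build the user record an SP creates or updates at login (JIT provisioning)."""
    root = ET.fromstring(assertion_xml)  # real SPs verify the signature before this point
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID is mandatory")
    attrs = attribute_values(root)
    if "email" not in attrs:
        raise ValueError("email attribute is mandatory")
    role = attrs.get("role")
    return ProvisionedUser(
        name_id=name_id.text.strip(),
        email=attrs["email"],
        session_seconds=session_seconds(attrs, root, now),
        first_name=attrs.get("first_name"),
        last_name=attrs.get("last_name"),
        employee_id=attrs.get("employee_id"),
        department=attrs.get("department"),
        location=attrs.get("location"),
        role=role if role in ROLES else "ROLE_TALENT_SCOUT",
    )


if __name__ == "__main__":
    print(provision(SAMPLE_ASSERTION))
```

With the sample values the session ends after 36,000 seconds: the sessionduration attribute asks for 86,400 seconds, but SessionNotOnOrAfter lies only ten hours after the constructed current time, and the lower value wins.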