Single Sign-on (SSO)

Configuration of sign-on with SAML SSO

SAML-based single sign-on (SSO) allows users access to Employee Referrals through an identity provider (IdP) of your choice.


Please note!

The SSO option must be part of your order.


Employee Referrals supports identity provider (IdP) initiated flow, service provider (SP) initiated flow and just-in-time provisioning.

For SP login, please go to

Your IdP should ensure that a user is authenticated and authorized before sending a request. If a user is not authorized, the request shouldn't be sent.


Step 1: Setup your Identity Provider (IdP)

First, create a connection for Employee Referrals within your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Employee Referrals account:

Manual Identity Provider (IdP) configuration

For an easy setup, you will find all important information for the configuration of your IdP directly in your Employee Referrals company account under "Account Preferences" - "Authentication" - "Single Sign-on" (only visible once SSO has been activated by Employee Referrals).

The important information at a glance:

  • Entity-ID

  • Post-Back URL for SSO login

  • Address of the Metadata.xml
    (if automatic configuration is possible)

Please note!

Employee Referrals supports the HTTP POST binding. You can configure the HTTP POST binding in your IdP metadata.


Settings for the configuration of your Identity Provider

  • NameID (mandatory field)

    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your unique identifier</saml:NameID>




Please note!

The "NameID" must be unique to comply with the SAML specification.


  • Email attribute (mandatory field)

    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">The user's email address</saml:AttributeValue>
    </saml:Attribute>




  • Session duration attribute (optional)

This attribute only affects the sign-on duration. It carries an AttributeValue stating how long the user can access Employee Referrals via the mobile app before having to sign on again, as an integer number of seconds. The value must be at least 1,200 seconds (20 minutes). If the SessionNotOnOrAfter attribute of the AuthnStatement is also set, the lower of the two values is used. If neither is present, the sign-on remains valid for 30 days.

    <saml:Attribute Name="">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">86400</saml:AttributeValue>
    </saml:Attribute>




Step 2: Set up your Employee Referrals account (SP configuration)

Finalize the configuration in Employee Referrals with the following three important items from your IdP:

  1. Entity-ID 
    This is the unique identification for the connection to Employee Referrals and will be provided by your IdP.

  2. SSO Service URL
    This is the address of your IdP. Employee Referrals will send all authentication requests to this URL.

  3. Signing Certificate
    Employee Referrals requires SAML assertions to be signed, and a valid X.509 certificate in .pem format must be stored in Employee Referrals so that the signatures on your IdP's assertions can be verified.


All settings described above can be found in the Metadata XML of your IdP.

Employee Referrals offers three options to make the configuration as easy as possible:

1. Configuration via IdP Metadata.XML upload
2. Configuration via IdP Metadata URL
3. Manual configuration


1. Configuration via IdP Metadata.XML upload

You can upload the Metadata XML of your IdP. If the XML was uploaded successfully, the settings are preconfigured accordingly. Changes can be done at any time.


2. Configuration via IdP Metadata URL

You can enter the Metadata XML address of your IdP. Once we have checked the XML, the settings are preconfigured accordingly. Changes can be done at any time.


3. Manual configuration

If none of the above options are suitable for you, the configuration can be done manually as well.


Please note!

In case your IdP configuration provides different certificates for "signing" and "encryption", please make sure you add only the "signing" certificate under "Signing certificate". 



Click the button "Save Configuration" to save your settings.


Step 3: Activate SSO

As soon as you have saved the SSO settings, you will be able to activate SSO for your Employee Referrals company account.

After activating SSO for your company account, a new button "Login via SSO" will appear on the login page. From now on, your users will be able to log in via SSO.


Please note!

When SSO is active, please DO NOT invite users manually. 



In the case that you are having trouble with SSO, please contact our support.


SSO for existing users

You can activate SSO for your company account even if some users have already registered in your Employee Referrals company account; these users are linked automatically. Your IdP sends the user's email address to Employee Referrals as an assertion attribute, and it must match the email address of an existing user in the Employee Referrals account.

If the email address is not identical, a new user account will be created.



Authentication via Single Sign-On (SSO) only

In addition to allowing login via both SSO and password, you can restrict login to SSO only. This option is only available once single sign-on has been enabled for your Employee Referrals company account and is in use.


Recommended steps before enforcing Single Sign-On (SSO) only

Before enforcing SSO only for your Employee Referrals company account we highly recommend creating a backup administrator user with an email address that is not part of SSO, such as

If SSO is not working contact our support and request to disable SSO only authentication. Then use your backup account to gain access to your company account. 


Before enforcing SSO for your Employee Referrals company account, make sure, together with your IT, that SSO is configured properly (see article "Configuration of Sign-on with SAML SSO"). When done, go to your "Account Preferences", "Authentication" and next to "Single Sign-On".


Activate authentication via Single Sign-On (SSO) only

To enable authentication via SSO only, click on the toggle next to "Authentication via Single Sign-On only".


When activated, the user will see the following login screen:




Please note!

As soon as authentication via SSO only has been activated, the following features are inactive:

  • Invite users via Firstbird
  • Registration page
  • Multi-Factor Authentication
  • Password Policy




Your IdP Certificate Has Been Updated

If your IdP's certificate has been updated, please change the certificate in your Employee Referrals company account as well. Otherwise, your users will no longer be able to log in via SSO.

As a precautionary measure, we recommend creating a backup administrator user with an email address that is not part of SSO, such as

If your IdP certificate has changed, you'll be able to log in with this backup administrator login, together with your IT department, to update the certificate under your "Account Preferences". 

To update the certificate, go to "Account Preferences", under the "Single Sign-On" heading and click the button "Expand" to show "Single Sign-On Configuration".

Depending on your current settings, please

  1. Upload a new "Metadata file",

  2. Add a new "Metadata URL", or

  3. Update the "Signing certificate" under "Manual settings".

Please note!

In case your IdP configuration provides different certificates for "signing" and "encryption", please make sure you add only the "signing" certificate under "Signing certificate".




Click on the button "Save configuration" to save your changes.

Please update the certificate together with your IT department to make sure all changes are correct.


Please note!

Your IT department will not be able to make these changes in your Firstbird company account if they have no backup admin user account. 



Just-In-Time provisioning for SAML SSO

Providing attributes with JIT provisioning allows Talent Scouts to skip corresponding registration steps.

Recruiters will receive all information needed for reward management and can identify Talent Scouts more easily, for example, if employee ID is provisioned. 

Company administrators no longer need to assign roles to users manually after registration. The appropriate role can be assigned automatically when a user registers with Employee Referrals.

Changes to user data in your system are adopted automatically and applied the next time the user logs in to Employee Referrals, so your user data is always up to date. Profile information provided via JIT provisioning cannot be changed by the user.


  • First name attribute (optional)

    <saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml:AttributeValue>
    </saml:Attribute>




  • Last name attribute (optional)

    <saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml:AttributeValue>
    </saml:Attribute>



  • Employee-ID attribute (optional)

    <saml:Attribute Name="employee_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DE123456789</saml:AttributeValue>
    </saml:Attribute>




  • Department-ID attribute (optional)

    <saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sales</saml:AttributeValue>
    </saml:Attribute>




  • Location-ID attribute (optional)

    <saml:Attribute Name="location" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vienna</saml:AttributeValue>
    </saml:Attribute>




  • User-Role-attribute (optional)


Please note! This attribute is predefined and its value must be one of the following to assign the corresponding role:

    • Talent Scout: ROLE_TALENT_SCOUT
    • Recruiter: ROLE_RECRUITER
    • Company-Administrator: ROLE_COMPANY_ADMIN


    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ROLE_TALENT_SCOUT</saml:AttributeValue>
    </saml:Attribute>




What happens if the role is not available or cannot be recognized?

The role from the attribute is not provisioned and the default role, Talent Scout, is assigned.


What happens when location and/or department is not available?

The location/department will not be provisioned and the user must select their location/department during registration.


What happens when locations/departments with the same name exist?

When two or more locations/departments with the same name exist, the location/department set in the account settings is assigned.


Can the profile information provided be updated?

Yes, the changed profile information of a user is automatically updated at the subsequent login.
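As an added example (not part of this article or of Employee Referrals), the Python script below applies the rules this article states for the session duration attribute in Step 1 (minimum 1,200 seconds, lower of the attribute and SessionNotOnOrAfter, 30 days if neither is present) and for JIT provisioning (email mandatory, unrecognised role falls back to Talent Scout) to a constructed assertion. The session attribute name `session_duration` is a placeholder, since the article does not print that attribute's Name, and signature verification is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MIN_SESSION = 1200                  # article: at least 1,200 seconds (20 minutes)
DEFAULT_SESSION = 30 * 24 * 3600    # article: 30 days when neither duration source is present
SESSION_ATTR = "session_duration"   # placeholder: the article does not show this attribute's Name
ROLES = {"ROLE_TALENT_SCOUT", "ROLE_RECRUITER", "ROLE_COMPANY_ADMIN"}
DEFAULT_ROLE = "ROLE_TALENT_SCOUT"  # article: fallback for a missing or unrecognised role
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed login time

# Constructed sample assertion (not captured from any IdP). Signature verification
# against the stored IdP certificate is assumed to have passed before this point.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-0001</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionNotOnOrAfter="2024-01-01T13:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>max@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="session_duration"><saml:AttributeValue>86400</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>ROLE_MANAGER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def session_seconds(root, attrs, now):
    """Lower of the session attribute and SessionNotOnOrAfter; 30 days if neither is set."""
    candidates = []
    if SESSION_ATTR in attrs:
        secs = int(attrs[SESSION_ATTR])
        if secs < MIN_SESSION:
            raise ValueError(f"{SESSION_ATTR} must be at least {MIN_SESSION} seconds")
        candidates.append(secs)
    authn = root.find("saml:AuthnStatement", SAML)
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        expiry = datetime.fromisoformat(authn.get("SessionNotOnOrAfter").replace("Z", "+00:00"))
        candidates.append(int((expiry - now).total_seconds()))
    return min(candidates) if candidates else DEFAULT_SESSION

def provision(assertion_xml, now=ISSUED):
    """Apply the article's rules: email is mandatory, unknown role falls back, session is capped."""
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", SAML) or "").strip()
             for a in root.iterfind(".//saml:Attribute", SAML)}
    if not attrs.get("email"):
        raise ValueError("email attribute is mandatory")
    return {"name_id": (root.findtext(".//saml:NameID", "", SAML) or "").strip(),
            "email": attrs["email"],
            "session_seconds": session_seconds(root, attrs, now),
            "role": attrs["role"] if attrs.get("role") in ROLES else DEFAULT_ROLE}
```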
