You must have an Advanced or Expert subscription tier to configure SAML. For more information, see https://support.greenhouse.io/hc/en-us/articles/210259723-Single-Sign-On-overview.
Note:

This is a tested integration.

  1. Sign on to your Greenhouse portal and select the Gear icon in the upper right hand corner:
    Screen capture of Gear icon in Greenhouse portal highlighted in red.
  2. In the left navigation pane, go to Dev Center > Single Sign-On to begin configuring SSO.
    Note:

    If you don't see Single Sign-On, you'll need to contact Greenhouse customer support to update your permissions.Screen capture of Greenhouse Configure section with Dev Center and Single Sign-On highlighted in red.

  3. On the following page, click Begin Configuration.

    The configuration page opens.

  4. In the Add Greenhouse to your Single Sign-on provider section, note the SSO Assertion Consumer URL. You’ll need this to complete Step 11:
    Screen capture of Greenhouse SSO Assertion Consumer URL.
  5. In a new tab, sign on to your PingOne SSO admin account.

    You’ll use the settings from Step 4 to start configuring Greenhouse in PingOne.

  6. Go to Connections > Applications and click the + icon.
    Screen capture of PingOne Applications section with the plus icon highlighted in red.
  7. On the New Application page, click Advanced Configuration, and on the SAML line, click Configure.
    Screen capture of PingOne New Application section with Advanced Configuration and Configure highlighted in red.
  8. On the Create App Profile page, enter:
    • Application Name (Required)
    • Description (Optional)
    • Icon (Optional)Screen capture of PingOne Create App Profile with Greenhouse information populated.
  9. Click Save and Continue.
  10. On the Configure SAML Connection page, in the Provide App Metadata section, click Manually Enter.
    Screen capture of PingOne App Metadata section with the Manually Enter radio button selected.
  11. Input the service provider (SP) data:
    1. In the ACS URLS field, paste in the SSO Assertion Consumer URL that you copied from Greenhouse in Step 4.
      Screen capture of PingOne Application Metadata section with the ACS URLS field highlighted in red.
    2. In the Entity ID field, enter greenhouse.io.
      Screen capture of PingOne entity ID field with greenhouse.io input and highlighted in red.
    3. In the Assertion Validity Duration (In Seconds), enter a value, for example, 3600.
      Screen capture of PingOne Assertion Validity Duration field with 3600 input and highlighted in red.
  12. Click Save and Continue.
  13. On the Attribute Mapping page, add the following attributes, selecting the Required check box for each attribute.
    • saml_subject = Email Address
      Note:

      This is automatically assigned to User ID, but will need to be updated.

    • User.FirstName = Given Name
    • User.LastName = Family NameScreen capture of PingOne SAML Attribute Mappings.
  14. Click Save and Close.
  15. On the Applications page, enable the connection by toggling the slider:
    Screen capture of Greenhouse application in PingOne with the toggled slider highlighted in red.
  16. Click on the newly created application to open it.
  17. On the Configuration tab, in the Connection Details section, click Download to download the IdP metadata.

    You’ll need this to complete the next step.

    Screen capture of PingOne application section with Greenhouse metadata and the Configuration tab and Download button highlighted in red.
  18. Return to Greenhouse and, in the Upload your Single Sign-On Provider section, click Choose File and upload the IdP metadata that you downloaded in the previous step.
    Screen capture of Greenhouse SSO metadata XML file section with Choose File highlighted in red.

    All required fields will auto populate except for the Name Identifier Format.

  19. Update the Name Identifier Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and click Save.
    Screen capture of Greenhouse SSO Metadata section with the Name Identifier Format list and Save button highlighted in red.
  20. Test the integration. Before testing the integration, you must create and assign identities in PingOne. If you’ve already assigned identities and groups in PingOne, start at step 21.
    1. In PingOne, go to Identities Groups and click the + icon next to Groups.
    2. On the Create New Group page, enter values for the following:
      1. Group Name (Required)
      2. Description (Optional)
      3. Population (Optional)
    3. Click Finish & Save.
      Screen capture of PingOne Groups section.
    4. To add identities to the group, on the Identities tab, go to Users > + Add User.