Page created: 15 Nov 2021 | Page updated: 15 Dec 2021 | 6 min read
Learn how to configure SAML single sign-on (SSO) with Greenhouse and PingOne.
You must have an Advanced or Expert subscription tier to configure SAML. For more
information, see https://support.greenhouse.io/hc/en-us/articles/210259723-Single-Sign-On-overview.
Note:
This is a tested integration.
-
Sign on to your Greenhouse portal and select the Gear icon in the upper right hand corner.
-
In the left navigation pane, go to Dev Center > Single Sign-On to begin configuring SSO.
Note:
If you don't see Single Sign-On, you'll need to contact Greenhouse customer support to update your permissions.
-
On the following page, click Begin Configuration.
The configuration page opens.
-
In the Add Greenhouse to your Single Sign-on provider section, note the SSO Assertion Consumer URL. You’ll need this to complete Step 11.
-
In a new tab, sign on to your PingOne SSO admin account.
You’ll use the settings from Step 4 to start configuring Greenhouse in PingOne.
-
Go to Connections > Applications and click the + icon.
-
On the New Application page, click Advanced
Configuration, and on the SAML line,
click Configure.
-
On the Create App Profile page, enter:
- Application Name (Required)
- Description (Optional)
- Icon (Optional)
- Click Save and Continue.
-
On the Configure SAML Connection page, in the
Provide App Metadata section, click
Manually Enter.
-
Input the service provider (SP) data:
-
In the ACS URLS field, paste in the
SSO Assertion Consumer URL that you copied
from Greenhouse in Step 4.
-
In the Entity ID field, enter
greenhouse.io.
-
In the Assertion Validity Duration (In Seconds),
enter a value, for example, 3600.
- Click Save and Continue.
-
On the Attribute Mapping page, add the following
attributes, selecting the Required check box for each
attribute.
- saml_subject = Email Address
Note:
This is automatically assigned to User ID, but will need to be updated.
- User.FirstName = Given Name
- User.LastName = Family Name
- Click Save and Close.
-
On the Applications page, enable the connection by toggling the slider.
- Click on the newly created application to open it.
-
On the Configuration tab, in the Connection
Details section, click Download to
download the IdP metadata.
You’ll need this to complete the next step.
-
Return to Greenhouse and, in the Upload your Single Sign-On
Provider section, click Choose File and
upload the IdP metadata that you downloaded in the previous step.
All required fields will auto populate except for the Name Identifier Format.
-
Update the Name Identifier Format to
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
and click Save.
-
Test the integration. Before testing the integration, you must create and
assign identities in PingOne. If you’ve already assigned identities and groups in
PingOne, start at step 21.
- In PingOne, go to Identities > Groups and click the + icon next to Groups.
-
On the Create New Group page, enter values for
the following:
- Group Name (Required)
- Description (Optional)
- Population (Optional)
-
Click Finish & Save.
-
To add identities to the group, on the
Identities tab, go to Users > + Add User.
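When testing the integration, a decoded assertion can be checked against the values configured in the steps above (Entity ID, Name Identifier Format, attribute mapping). The script below is an added example, not part of the Greenhouse or PingOne documentation. The sample assertion is constructed, `check_assertion` is a hypothetical helper name, and it assumes the Entity ID is sent as an Audience value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_AUDIENCE = "greenhouse.io"  # Entity ID entered in the SP data step
REQUIRED_ATTRS = {"User.FirstName", "User.LastName"}

# Constructed sample assertion, not captured from a real tenant.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-12-15T10:00:00Z" NotOnOrAfter="2021-12-15T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>greenhouse.io</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return the mismatches between a decoded assertion and this page's settings.

    Content check only: it does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # ".//" also matches when the assertion is wrapped in a samlp:Response.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        # saml_subject left mapped to User ID shows up here as a non-email value.
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    # Assumption: the Entity ID appears as an Audience value.
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience does not include greenhouse.io")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append("missing attribute " + missing)
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion matches the configured settings")
```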