

Warning

NB: This page is deprecated and must not be used to set up new SSO integrations. SSO is no longer configured directly in TR and TM; it is now configured in Talentech ID.



...

Info: Terminology

See the Terminology overview page.


Foreword

HRMTS offers an option to configure Single Sign-On (SSO) in the System. The SSO implementation is based on SAML 2.0 and is compatible with ADFS.

...

HRMTS can be set up with two flows. In the Service Provider initiated (SP-initiated) flow, the end users first navigate to the Service Provider (HRMTS), which starts the authentication by redirecting the user to the Identity Provider (the Customer). In the Identity Provider initiated (IdP-initiated) flow, the users first authenticate with their company's AD and then click a link that redirects them to HR Manager's systems together with the SAML token that carries their login credentials.


Technical Flow

As described above, in the SP-initiated flow the users first navigate to the login page of the System. From there they are redirected to the Customer's identity provider with a signed SAML request for authentication. On the Customer's side the users are authenticated on the Customer's network and redirected back to the System with a signed SAML response. HRMTS decodes the SAML response, verifies its signature, validates its contents (issuer, audience, validity period and claims) and finally grants the user access to the System.
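The exchange above, end to end, as an added example that is not HRMTS' code: the SP builds the AuthnRequest for the HTTP-Redirect binding, the IdP's reply is simulated with a constructed, unsigned SAMLResponse, and the SP-side content checks (Destination, InResponseTo, Status, Issuer, validity window, Audience) run before the username is resolved from the "mail" claim that the claims section of this page requires. All entity IDs, URLs, the request ID scheme and the sample response are assumptions. Signature verification is left as a marked gap, because it needs the IdP certificate and an XML-DSig implementation; in a real SP it runs before any of the checks shown here.

```python
"""SP-initiated SAML 2.0 exchange: build the AuthnRequest, then validate the
Response and resolve the username from the "mail" claim. Stdlib only."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed identifiers and endpoints (not HRMTS' or any customer's real ones).
SP_ENTITY_ID = "https://sp.example.net/saml"
SP_ACS_URL = "https://sp.example.net/saml/acs"
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"

def _now():
    return datetime.now(timezone.utc)

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_redirect(relay_state="/"):
    """Step 1 (SP): create an AuthnRequest and the redirect URL to the IdP.
    Returns (request_id, url); keep request_id to check InResponseTo later."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(_now())}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    """What the IdP does with the query string (used here to check our own work)."""
    raw = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def validate_response(saml_response_b64, expected_request_id, now=None):
    """Step 3 (SP): decode the POSTed SAMLResponse, validate its contents and
    return the username. Raises ValueError on any failed check."""
    now = now or _now()
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # >>> verify the XML signature against the IdP certificate here, first <<<
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Response not addressed to our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion missing or from an unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion is not intended for this SP")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if attr.get("Name") == "mail" and value:
            return value.strip().lower()       # username in HR Manager's systems
    raise ValueError('Required "mail" claim is missing')

def sample_response(in_response_to, issued=None):
    """Constructed, unsigned stand-in for what ADFS would POST back (step 2)."""
    issued = issued or _now()
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="{_ts(issued)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@customer.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(issued - timedelta(minutes=1))}"
        NotOnOrAfter="{_ts(issued + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="mail">
      <saml:AttributeValue>Jane.Doe@customer.example</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

The order of the checks matters: Destination and InResponseTo reject responses replayed from another SP or not solicited by this SP, the validity window and Audience reject stale or misdirected assertions, and only then is the "mail" value trusted as a username. Lower-casing the address matches the page's use of the email address as the login name; drop that if usernames in the System are case sensitive.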

...

Mockup: diagram of the SP-initiated flow (image not reproduced here).


Requirements

  1. The Customer must have the necessary infrastructure to support SSO.
  2. The users must already be configured in the System beforehand.
  3. Single Sign-On must be enabled for the Customer in the System's configuration.
  4. Metadata must be exchanged between the System and the Customer in order to configure SSO on both sides. The System's metadata is not valid until the SSO setup with the login/logout URLs has been saved, so first obtain the Customer's metadata and configure it in the System, then add the System's metadata to the Customer's ADFS.


Required by HRMTS

The following information (metadata) must be configured in the System and must be provided by the Customer.

  1. The Customer's X.509 certificate (public key). HRMTS uses it to verify the signature on the SAML responses the Customer's identity provider sends back when redirecting users to the System.
    1. The certificate must be signed with SHA-256 or stronger; SHA-1 is not accepted.
    2. The .cer file must be added to the file archive and referenced in the SSO setup.
  2. The Customer's URL to which users are redirected for authentication (the login URL).
  3. The Customer's URL to which users are redirected when they log out of the System (the logout URL).
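The three items above are all carried in the Customer's SAML metadata, so the exchange in requirement 4 can be mechanised. The following is an added example, not HRMTS' code: it pulls the signing certificate, the SSO (login) URL and the SLO (logout) URL out of an IdP metadata document, writes the certificate out in the PEM form a .cer file uses, and refuses a certificate whose signature algorithm is SHA-1. The metadata document and the certificate inside it are constructed stand-ins (the "certificate" is structurally valid DER but cryptographically meaningless); the DER helpers are only what is needed to read the outer signatureAlgorithm field of a real certificate.

```python
"""Parse IdP SAML metadata for the signing certificate, SSO URL and SLO URL,
and refuse a SHA-1-signed certificate. Stdlib only; sample data is constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption

# Minimal DER helpers: enough to read the outer signatureAlgorithm of a real
# certificate and to build a structurally valid stand-in for the sample below.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def cert_signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = der_read(cert_der)
    _, _, after_tbs = der_read(cert)          # skip tbsCertificate
    _, alg, _ = der_read(cert, after_tbs)     # AlgorithmIdentifier
    _, oid, _ = der_read(alg)                 # its OBJECT IDENTIFIER
    arcs, v = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":   # no 'use' means signing and encryption
            cert_b64 = "".join(kd.find(".//ds:X509Certificate", NS).text.split())
            break
    if cert_b64 is None:
        raise ValueError("metadata carries no signing certificate")
    sig_oid = cert_signature_oid(base64.b64decode(cert_b64))
    if sig_oid == SHA1_RSA:
        raise ValueError("IdP signing certificate is SHA-1 signed; not accepted")

    def redirect_url(tag):
        return next((e.get("Location") for e in idp.findall(tag, NS)
                     if e.get("Binding") == REDIRECT), None)
    pem_body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return {"entity_id": root.get("entityID"),
            "sso_url": redirect_url("md:SingleSignOnService"),
            "slo_url": redirect_url("md:SingleLogoutService"),
            "signature_algorithm": sig_oid,
            "cert_pem": f"-----BEGIN CERTIFICATE-----\n{pem_body}\n-----END CERTIFICATE-----\n"}

def sample_metadata(sig_oid=SHA256_RSA):
    """Constructed IdP metadata (not from any real ADFS)."""
    tbs = der(0x30, der(0x02, b"\x02"))                  # placeholder tbsCertificate
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))   # AlgorithmIdentifier + NULL
    cert = base64.b64encode(der(0x30, tbs + alg + der(0x03, bytes(17)))).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The returned cert_pem is what goes into the file archive as the .cer file; sso_url and slo_url are the login and logout URLs for the SSO setup. For a real certificate file, `openssl x509 -in customer.cer -noout -text` shows the same Signature Algorithm line and is the quicker check.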


Required by Customer

Tip: Configuring Azure AD

If you are using Azure AD, set it up according to this description: [Deprecated] Azure AD (SAML) Setup for HRM SSO

...

  1. HRMTS' X.509 certificate (public key). The Customer uses it to verify the signature on the SAML requests HRMTS sends when redirecting users to the Customer.
  2. The System's URL to which users are redirected back after authentication.
  3. Information about the claims to include in the SAML response.
    1. This information can be retrieved from the SAML metadata URL https://recruiter.hr-manager.net/saml.aspx?customer=<ALIAS>, where <ALIAS> must be replaced with the Customer's alias as configured in the System.


Claims supported by us

For authentication alone, the "mail" attribute is the only claim required. It must contain the email address that is used as the username in HR Manager's systems.

...

Tip: Configuring ADFS

Active Directory Federation Services (ADFS) can configure most of the relying party trust automatically when it is given the SAML metadata URL above, so import the relying party data from that URL rather than entering the certificate, endpoints and identifiers by hand.


FAQ

Is the Identity Provider initiated (IdP-initiated) flow also available?

...