How to configure Single Sign-on (SSO)?

SAML-based Single Sign-on (SSO) allows Talent Scouts to access Employee Referrals through an Identity Provider (IdP) of your choice. 

Please Note

Before enabling Single Sign-On (SSO), please contact your Radancy representative to align on the process and prerequisites. These functionalities are subject to individual agreement and may require a change request for existing customers

You can activate SSO for your company account even if some users have already registered. In case the email address is not identical, a new user account will be created.

Follow the steps below to correctly configure SSO for your Employee Referrals account.

  1. Set up your Identity Provider (IdP)
    Prepare your IdP configuration according to your organization’s requirements.

  2. Configure your Employee Referrals account (Service Provider settings)
    Add the required details from your IdP to complete the Service Provider setup.

  3. Activate SSO
    Enable SSO within your Identity Provider.

  4. Notify your Radancy representative
    Once SSO is activated in your IdP, let your Radancy representative know. They will enable SSO in your domain settings.

  5. Finalize your configuration
    In your Referral Program, go to your Profile Picture → Account Preferences → Authentication → Single Sign-On to complete the setup. If this page isn’t visible, please contact your Radancy representative for assistance.

 

Step 1: Setup your Identity Provider (IdP)

First, create a connection for Employee Referrals within your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Employee Referrals account:

 

Manual Identity Provider (IdP) configuration

For an easy setup, you will find all the important information for the configuration of your IdP directly in your Employee Referrals company account under Account Preferences > Authentication > Single-Sign-on. 

  1. Entity-ID
    https://YOURDOMAIN.auth.1brd.com/saml/sp
     

  2. Post-Backup-URL for SSO-Login (SSO)
    https://YOURDOMAIN.auth.1brd.com/saml/callback
     

  3. Address of Metadata.xml 
    https://YOURDOMAIN.auth.1brd.com/saml/sp/metadata
    (If automatic configuration is possible)
     

Please note! Employee Referrals supports HTTP POST-binding. You can configure the HTTP POST-binding in your IDP Metadata. 

 

Settings for the configuration of your Identity Provider

  • NameID (mandatory field)
    Please note! The "NameID" has to be explicit to meet the SAML specifications.
<saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Yourunique identifier</saml:NameID>
</saml:Subject>
  • Email attribute (mandatory field)
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">your.user@yourdomain.com</saml:AttributeValue>
</saml:Attribute>
  • Session duration attribute (optional)

The attribute only impacts the sign-on duration. This element contains an AttributeValue element indicating how long the user can access Employee Referrals via mobile app before the user must sign on again. This value is an integer indicating the number of seconds for the session. The value must be at least 1,200 seconds (20 minutes). If the attribute SessionNotOnOrAfter of the AuthnStatement is also set, the lower value of the two attributes will be used. When none of these two attributes is available, the sign-on information will apply for a period of 30 days.

<saml:Attribute Name="https://auth.1brd.com/saml/attributes/sessionduration">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">86400
   </saml:AttributeValue>
</saml:Attribute>

 

Step 2: Set up your Employee Referrals account (SP configuration)

Finalize the configuration in Employee Referrals (click on your Name > Account Preferences > Authentication > Single-Sign-On) with the following three important items from your IdP:

  1. Entity-ID 
    This is the unique identifier for the connection to Employee Referrals and will be provided by your IdP.
     

  2. SSO Service URL
    This is the address of your IdP. Employee Referrals will send all authentication requests to this URL.
     

  3. Signing Certificate
    Employee Referrals requires that SAML assertions are signed and that a valid X.509.pem certificate is stored in Employee Referrals to verify your identity.

All settings described above can be found in the Metadata XML of your IdP.

Employee Referrals offers three options to make the configuration as easy as possible:

  1. Configuration via IdP Metadata.XML upload:

    You can upload the Metadata XML of your IdP. If the XML was uploaded successfully, the settings are preconfigured accordingly. Changes can be done at any time.

  2. Configuration via IdP Metadata URL:

    You can enter the Metadata XML address of your IdP. Once we have checked the XML, the settings are preconfigured accordingly. Changes can be done at any time.

  3. Manual configuration
     

    If none of the above options are suitable for you, the configuration can be done manually as well.

Please note! In case your IdP configuration provides different certificates for "signing" and "encryption", please make sure you add only the "signing" certificate under "Signing certificate". 

 

screenshot-1.png

Click the button "Save Configuration" to save your settings.

 

Step 3: Activate SSO

As soon as you have saved the SSO settings, you will be able to activate SSO for your Employee Referrals company account.

After activating SSO for your company account, a new button "Login via SSO" will appear on the login page. From now on, your users will be able to log in via SSO.

Was this article helpful?
0 out of 0 found this helpful