How can I use SSO with Greenhouse?

* Please note that SSO is not available for organizations in Greenhouse on our basic subscription tier.

Greenhouse provides your users with the ability to sign in via Single Sign On, or SSO. With SSO enabled, your users will all be able to access your organization’s Greenhouse account through your identity provider of choice!

Which SSO providers are compatible with Greenhouse?

Some IdPs, such as Okta, Onelogin, Google, and Azure offer preconfigured integration options with Greenhouse.

We’re also able to integrate with any other SAML2.0-compliant IdP. We integrate often with other IdPs, such as ADFS and PingIdentity.

What will the process look like?

Initially, we'll soft-enable SSO. This will put your account in a hybrid state in which users can log in through both SSO and the normal login page. This enables you to test SSO without disturbing the workflow of your users.

Once you're satisfied that SSO is behaving as expected, we’ll flip the switch to hard-enable SSO. At that point, SSO will become your only means of logging into Greenhouse.

What do you need to do to get started?

Preconfigured IdP:

  1. You can find customized instructions on integrating with Okta, Onelogin in Greenhouse’s Help Center.
  2. Google and Azure provide their own instructions on integrating with Greenhouse.
  3. Once you’ve configured Greenhouse for your IdP, please email your Metadata file to <tech-support@greenhouse.io>.

Other IdPs:

*Instructions on setting up ADFS with Greenhouse can be found here.

  1. Please configure the following in your IdP:
    - ACS URL: https://yourdomain.greenhouse.io/users/saml/consume 
    - Entity ID: yourdomain.greenhouse.io
  2. We’ll also expect the following attributes in your SAML Response:
    - User.FirstName (must be the user’s first name)
    - User.LastName (must be the user’s last name)
    - nameID (must be the user's email address) 
  3. Once you’ve configured those, please email the following information to <tech-support@greenhouse.io>:
    - Your Single Sign On URL
    - Your IdP Certificate Fingerprint

Important things to note

There are a few things to be aware of before we configure SSO for your account:

  1.  Provisioning Users: When a user who doesn’t already exist in your account logs in for the first time via SSO, we will create a new user for them, and we’ll give them Basic Permissions. You’ll be able to update those permissions afterwards within Greenhouse.

  2. Duplicate Users: Users who have existing Greenhouse accounts need to log in via SSO using their existing Greenhouse email address. If a user logs in with an email address that we don’t recognize, we will create a new account for them, which could potentially lead to users having multiple Greenhouse accounts.
    To prevent that issue, if your users’ SSO email addresses do not match their Greenhouse email addresses, please be sure to
    add and verify their SSO email addresses before they log in via SSO.

  3. URL Change: Once SSO is hard-enabled, your Greenhouse URLs will change to include your domain name.

    For example, if your domain is example.com, your Greenhouse URLs will change from the standard URL format <app.greenhouse.io/...> to <example.greenhouse.io/...> once SSO is hard-enabled.

  4. Passwords Deleted: Once SSO is hard-enabled for your account, we will delete your users' Greenhouse passwords, so that they can only log in via SSO. This means that after SSO is hard-enabled, we won't able to revert your account back to soft-enabled SSO or non-SSO logins without all of your users needing to reset their passwords.

  5. Google+: Users will not be able to log in via Google+ once SSO is enabled in either the  soft-enabled or hard-enabled state.

Please reach out to <tech-support@greenhouse.io> with any questions!

 

Have more questions? Submit a request

Comments

Powered by Zendesk