BambooHR

BambooHR offers both IdP-initiated SAML SSO (for SSO access through the user portal or Idaptive mobile applications) and SP-initiated SAML SSO (for SSO access directly through the BambooHR web application). You can configure BambooHR for either or both types of SSO.

Requirements

Configuring BambooHR for SSO requires a signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and the Idaptive Identity Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

Configure BambooHR for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the IdaptiveAdmin Portal, see Optional configuration settings.

It can be useful to open the web application and Admin Portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

Add the BambooHR application in the Admin Portal.
1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.
  
  The Add Web Apps screen appears.
2. On the Search tab, enter the partial or full application name in the Search field and click the search icon.
3. Next to the application, click Add.
4. In the Add Web App screen, click Yes to confirm.
5. Click Close to exit the Application Catalog.
  
  The application that you just added opens to the Settings page.

On the Settings page in the Admin Portal, specify the following settings:

Option	Description
Application ID	Configure this field if you are deploying a mobile application that uses the Idaptive mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Idaptive Identity Service uses the Application ID to provide single sign-on to mobile applications. Note the following: The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field. There can only be one SAML application deployed with the name used by the mobile application. The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.
Show in User app list	Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.
On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login)	Refer to CyberArk-issued derived credentials for more information.

In another tab in your web browser, go to https://<customdomain>.bamboohr.com and log in with your administrator account, where <customdomain> is your company instance name with BambooHR.

In the BambooHR tab, click Manage > Single Sign-On, then configure the settings as described in the following table and save your settings when you are finished.

The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field in the Idaptive Identity Service Admin Portal and paste it into the corresponding field on the Absorb LMS website.

Admin Portal	Copy/Paste Direction	BambooHR web application	What you do
Download Signing Certificate		x.509 Certificate	In the Identity Provider Configuration > Metadata section of the Trust page, expand the Security Certificate section and click Downloadto download the certificate. Open the downloaded certificate in a text editor and copy the contents with the --BEGIN-- and --END-- delimiters. Go to the BambooHR tab and click Manage > Single Sign-on, then paste the contents of the certificate into the x.509 certificate field.
Identity Provider SSO Login URL		SSO Login URL	Copy the Identity Provider SSO Login URL from the Identity Provider Configuration > Manual Configuration area of the Trust page in Admin Portal and paste it in the SSO Login URL field in the BambooHR web application.
N/A	N/A	Enabled	Select this option.
N/A	N/A	Method	After you select Enabled, the Method list displays. Select SAML.

Deploy the application by setting permissions on the application.

On the Permissions page, click Add.

The Select User, Group, or Role window appears.
Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

Select the desired permissions, then click Save.

Default permissions will automatically deploy the application to the User Portal. Change the permissions if you want to add additional control or you prefer not to automatically deploy the application.

Refer to the following table for more information about applications-specific permissions.

Permission	Description
Manage	Provides Read, Write, and Delete permission to applications and sets of applications. Additionally, a user in a role with the Application Management administrative right can enable this permission to allow other users or roles (without the Application Management right) to administer the application. Any users or roles that are given the Manage permission must have the Admin Portal Login administrative right to manage an application.
Run	Allows users to launch the application from the User Portal.
Automatically Deploy	Automatically deploys the application to the User Portal. If Automatically Deploy is not selected, users can find the application in the Recommended tab when adding applications to the User Portal.

Permission

Description

Manage

Provides Read, Write, and Delete permission to applications and sets of applications.

Additionally, a user in a role with the Application Management administrative right can enable this permission to allow other users or roles (without the Application Management right) to administer the application. Any users or roles that are given the Manage permission must have the Admin Portal Login administrative right to manage an application.

Run

Allows users to launch the application from the User Portal.

Automatically Deploy

Automatically deploys the application to the User Portal. If Automatically Deploy is not selected, users can find the application in the Recommended tab when adding applications to the User Portal.

On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.
Available options vary depending on your application type.
- Directory Service Field: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Idaptive Directory.
- All users share one name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
- Prompt for user name: Use this option if you want users to supply their own user name and password. This option only applies to some application types such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The Idaptive Directory stores the user name and password so that the next time the user launches the application, the Idaptive Directory logs in the user automatically.
- Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript. For example, you could use the following line as a script:
```
LoginUser.Username = LoginUser.Get('mail')+'.ad';
```
  The script sets the login user name to the user’s mail attribute value in Active Directory and adds ‘.ad’ at the end. For example, if the user’s mail attribute value is Adele.Darwin@acme.com then the account mapping script sets LoginUser.Username to Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting.
Click Save.

BambooHR provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Provision accounts with SCIM.

BambooHR inbound provisioning

You can provision user data from specified external systems (for example, a web-based Human Capital Management system) to supported directory services using inbound provisioning. The external system is considered the data source, while a directory source known to Idaptive Identity Service is the target. The following table indicates support for data sources and targets.

Source	Target
BambooHR	AD

You can define synchronization schedules to synchronize user data from those systems. It's also possible to edit certain user attributes in AD and write those values back to the external systems.

Refer to Inbound Provisioning from BambooHR for more information about inbound provisioning from BambooHR.

Configure BambooHR mobile applications for SSO

BambooHR provides mobile applications for both iOS and Android devices.

You log in to the mobile application using your email address, password, and subdomain, even after you’ve configured BambooHR for SSO.

https://itunes.apple.com/us/app/bamboohr/id587244049

https://play.google.com/store/apps/details?id=com.mokinetworks.bamboohr

What you need to know about BambooHR

Each SAML application is different. Here are the BambooHR features and functionality that you need to know when configuring the application for SSO.

Feature	Description
Available versions and clients	web application, iOS, Android
SP-initiated SSO works?	yes
IdP-initiated SSO works?	yes
Is there a separate login for administrators after SSO is enabled?	When SSO is enabled, users can log in only through SSO. No user name and password logins are allowed.
Lockout possibility and how to recover after lockout	After you’ve enabled SSO, all users must login through SSO. There are no logins allowed with the BambooHR user name and password.
User provisioning	You create user accounts in BambooHR directly.
Group-based access control	BambooHR uses group-based access control. You assign users to groups, and you apply permissions to groups.
Can users reset their own passwords? Can administrators reset a user’s password?	Users can reset their own passwords. Administrators can also reset users’ passwords.