BambooHR

BambooHR offers both IdP-initiated SAML SSO (for SSO access through the user portal or Idaptive mobile applications) and SP-initiated SAML SSO (for SSO access directly through the BambooHR web application). You can configure BambooHR for either or both types of SSO.

Requirements

Configuring BambooHR for SSO requires a signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and the Idaptive Identity Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key as a .pfx or .p12 file on the application’s Trust page in the Admin Portal, and you upload only the public certificate, as a .cer or .pem file, to the web application. The private key stays in the Admin Portal; BambooHR needs only the public certificate to verify the signature on SAML responses.

Configure BambooHR for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Idaptive Admin Portal, see Optional configuration settings.

It is useful to have the web application and the Admin Portal open at the same time, perhaps side by side, because the SSO configuration process requires copying and pasting settings between the two browser windows.
  1. On the Settings page in the Admin Portal, specify the following settings:

    Application ID
      Configure this field only if you are deploying a mobile application that uses the Idaptive mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Idaptive Identity Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

      The Application ID must be the same as the text string specified as the target in the code of the mobile application written with the mobile SDK. If you later rename the web application that corresponds to the mobile application, enter the original application name in the Application ID field.

      Only one SAML application can be deployed with the name used by the mobile application.

      The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    Show in User app list
      Select this option to display the web application in the user portal. It is selected by default. If the web application exists only to provide SAML for a corresponding mobile app, deselect it so the web application is not shown to users in the user portal.

    On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login)
      Refer to CyberArk-issued derived credentials for more information.

  2. In another tab in your web browser, go to https://<customdomain>.bamboohr.com and log in with your administrator account, where <customdomain> is your company instance name with BambooHR.

  3. In the BambooHR tab, click Manage > Single Sign-On, then configure the settings as described in the following table and save your settings when you are finished.

    Each entry below pairs an Admin Portal field with the BambooHR field it maps to and states the direction of the copy and paste. The first two values are copied from the Idaptive Identity Service Admin Portal into the BambooHR web application; the last two are set in BambooHR only.

    Admin Portal: Download Signing Certificate
    BambooHR web application: x.509 Certificate
    Direction: Admin Portal to BambooHR
    What you do:
      1. In the Identity Provider Configuration > Metadata section of the Trust page, expand the Security Certificate section and click Download to download the certificate.
      2. Open the downloaded certificate in a text editor and copy the entire contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
      3. Go to the BambooHR tab and click Manage > Single Sign-On, then paste the contents into the x.509 Certificate field. BambooHR uses this certificate to verify the signature on every SAML response it receives, so it must be exactly the certificate shown on the Trust page; a mismatched or truncated paste causes every SSO login to fail.

    Admin Portal: Identity Provider SSO Login URL
    BambooHR web application: SSO Login URL
    Direction: Admin Portal to BambooHR
    What you do: Copy the Identity Provider SSO Login URL from the Identity Provider Configuration > Manual Configuration area of the Trust page in Admin Portal and paste it into the SSO Login URL field in the BambooHR web application.

    Admin Portal: N/A
    BambooHR web application: Enabled
    Direction: N/A
    What you do: Select this option.

    Admin Portal: N/A
    BambooHR web application: Method
    Direction: N/A
    What you do: After you select Enabled, the Method list is displayed. Select SAML.

  4. Click Save.
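Before you rely on the configuration above, it is worth checking a captured SAML response against what you actually pasted into the two portals. The script below is an added example, not code from BambooHR or the Idaptive documentation, and uses only the Python standard library. It reduces the PEM certificate copied from the Trust page to its bare base64 body (the form the response's <ds:X509Certificate> element carries), then checks that the certificate embedded in the response is exactly the configured one and that Issuer, Destination, Audience and the assertion's validity window match the expected values. The IdP entity ID, ACS URL and SP entity ID in the sample are assumed placeholders, the certificates are constructed stand-ins rather than real DER, and the SAML response is constructed inline. It deliberately does not verify the XML signature cryptographically (that requires a library such as python3-saml or xmlsec); it is a pre-flight check, not a substitute for the service provider's own signature validation.

```python
"""Offline sanity checks on a captured SAML Response (added example; not BambooHR/Idaptive code)."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def pem_body(pem: str) -> str:
    """Strip the -----BEGIN/END CERTIFICATE----- lines and all whitespace from a PEM
    certificate, leaving the bare base64 that <ds:X509Certificate> carries.
    Raises binascii.Error if the pasted text is not valid base64 (truncated or mangled)."""
    lines = (line.strip() for line in pem.strip().splitlines())
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    base64.b64decode(body, validate=True)
    return body


def parse_ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z (fractional seconds dropped)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, expected: dict, now: datetime) -> dict:
    """Return named boolean checks plus 'all_ok'. 'expected' carries the operator-supplied
    issuer (IdP entity ID), destination (ACS URL), audience (SP entity ID) and the PEM
    certificate exactly as pasted into BambooHR."""
    root = ET.fromstring(xml_text)
    r = {}
    r["status_ok"] = any(sc.get("Value") == SUCCESS
                         for sc in root.findall("samlp:Status/samlp:StatusCode", NS))
    r["issuer_ok"] = root.findtext("saml:Issuer", "", NS).strip() == expected["issuer"]
    r["destination_ok"] = root.get("Destination") == expected["destination"]

    # The certificate the IdP signed with must be the one configured on the SP side.
    cert_el = root.find(".//ds:X509Certificate", NS)
    embedded = re.sub(r"\s+", "", cert_el.text or "") if cert_el is not None else ""
    r["signed"] = root.find(".//ds:Signature", NS) is not None
    r["cert_matches_configured"] = bool(embedded) and embedded == pem_body(expected["idp_cert_pem"])

    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        r["time_window_ok"] = r["audience_ok"] = False
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        after_start = nb is None or parse_ts(nb) <= now          # NotBefore is optional
        before_end = na is not None and now < parse_ts(na)        # NotOnOrAfter is exclusive
        r["time_window_ok"] = after_start and before_end
        r["audience_ok"] = cond.findtext("saml:AudienceRestriction/saml:Audience", "", NS).strip() \
            == expected["audience"]

    r["all_ok"] = all(r.values())
    return r


# ---- constructed sample data: placeholder certificates and an assumed IdP/SP pair ----
def _fake_pem(tag: bytes) -> str:
    b64 = base64.b64encode(tag).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

CONFIGURED_CERT_PEM = _fake_pem(b"placeholder bytes standing in for the Idaptive signing certificate")
OTHER_CERT_PEM = _fake_pem(b"placeholder bytes for some other, untrusted certificate")

EXPECTED = {
    "issuer": "https://idp.example.com/saml",                     # assumed IdP entity ID
    "destination": "https://example.bamboohr.com/saml/consume",  # assumed ACS URL
    "audience": "https://example.bamboohr.com",                  # assumed SP entity ID
    "idp_cert_pem": CONFIGURED_CERT_PEM,
}


def sample_response(cert_pem: str) -> str:
    """Constructed SAML Response carrying the given certificate in its KeyInfo."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{EXPECTED['destination']}">
  <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignatureValue>bm90LWNoZWNrZWQtaGVyZQ==</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {pem_body(cert_pem)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = parse_ts("2024-05-01T12:00:30Z")
    for label, pem in (("configured cert", CONFIGURED_CERT_PEM), ("other cert", OTHER_CERT_PEM)):
        print(label, check_response(sample_response(pem), EXPECTED, now))
```

Run it against a real response by base64-decoding the SAMLResponse form field from your browser's developer tools and passing the XML to check_response together with the values you configured. A False in cert_matches_configured is the finding that matters most here: with SSO enabled there is no password fallback, so a certificate mismatch locks everyone out rather than failing one login.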

BambooHR provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains or IT systems. It can be used to automatically provision and deprovision user accounts in external systems such as a SAML application like BambooHR. For more information about SCIM, see www.simplecloud.info.

If the application supports SCIM, you can enable provisioning by entering the Access Token and SCIM URL. The Access Token is a bearer credential that authorizes account changes in the application; treat it as a secret.

For more information about provisioning your app, see Provision accounts with SCIM.

BambooHR inbound provisioning

You can provision user data from specified external systems (for example, a web-based Human Capital Management system) to supported directory services using inbound provisioning. The external system is considered the data source, while a directory source known to Idaptive Identity Service is the target. The following table indicates support for data sources and targets.

    Source      Target
    BambooHR    AD (Active Directory)

You can define synchronization schedules to synchronize user data from those systems. It's also possible to edit certain user attributes in AD and write those values back to the external systems.

Refer to Inbound Provisioning from BambooHR for more information about inbound provisioning from BambooHR.

Configure BambooHR mobile applications for SSO

BambooHR provides mobile applications for both iOS and Android devices.

You log in to the mobile applications with your BambooHR email address, password, and subdomain, even after you’ve configured BambooHR for SSO. The mobile apps do not use the SAML configuration, so BambooHR password logins remain possible from them.

https://itunes.apple.com/us/app/bamboohr/id587244049

https://play.google.com/store/apps/details?id=com.mokinetworks.bamboohr

What you need to know about BambooHR

Each SAML application is different. Here are the BambooHR features and functionality that you need to know when configuring the application for SSO.

    Available versions and clients
      Web application, iOS, Android.

    SP-initiated SSO works?
      Yes.

    IdP-initiated SSO works?
      Yes.

    Is there a separate login for administrators after SSO is enabled?
      No. When SSO is enabled, users, administrators included, can log in only through SSO. No user name and password logins are allowed.

    Lockout possibility and how to recover after lockout
      After you’ve enabled SSO, all users must log in through SSO; no logins with the BambooHR user name and password are allowed. Because there is no password fallback, any SSO failure (for example a mismatched signing certificate or a wrong SSO Login URL) locks out every user, so confirm that both SP-initiated and IdP-initiated SSO work for an administrator account before relying on it.

    User provisioning
      You create user accounts in BambooHR directly.

    Group-based access control
      BambooHR uses group-based access control. You assign users to groups, and you apply permissions to groups.

    Can users reset their own passwords? Can administrators reset a user’s password?
      Users can reset their own passwords. Administrators can also reset users’ passwords.