BambooHR SAML Single Sign-On (SSO)
BambooHR offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the BambooHR web application). You can configure BambooHR for either or both types of SSO.
Requirements
Configuring BambooHR for SSO requires a signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.
Set up the certificates for SSO
To establish a trusted connection between the web application and CyberArk Identity, the same signing certificate must be present in both the application and the application settings in the Admin Portal.
If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
Configure BambooHR for SSO
The following steps are specific to this application and are required to enable SSO. For information on optional configuration settings available in the Admin Portal, see Configure optional application settings.
- Add the BambooHR application in the Admin Portal.
  - In the Admin Portal, select Apps > Web Apps, then click Add Web Apps. The Add Web Apps screen appears.
  - On the Search tab, enter BambooHR in the Search field and click the search icon.
  - Next to BambooHR, click Add.
  - In the Add Web App screen, click Yes to confirm.
  - Click Close to exit the Application Catalog. The BambooHR application opens to the Settings page.
- On the Settings page in the Admin Portal, specify the following settings:

  | Option | Description |
  |---|---|
  | Application ID | Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following: the Application ID has to be the same as the text string specified as the target in the code of the mobile application written using the mobile SDK; if you change the name of the web application that corresponds to the mobile application, enter the original application name in the Application ID field. There can only be one SAML application deployed with the name used by the mobile application. The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters. |
  | Show in User app list | Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application is not displayed for users in the user portal. |
  | On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login) | Refer to CyberArk-issued derived credentials for more information. |
- In another tab in your web browser, go to https://<customdomain>.bamboohr.com and log in with your administrator account, where <customdomain> is your company instance name with BambooHR.
- In the BambooHR tab, click Manage > Single Sign-On, then configure the settings as described in the following table and save your settings when you are finished.
  The arrows in the Copy/Paste Direction column indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field in the CyberArk Identity Admin Portal and paste it into the corresponding field in the BambooHR web application.
  | Admin Portal | Copy/Paste Direction | BambooHR web application | What you do |
  |---|---|---|---|
  | Download Signing Certificate | → | x.509 Certificate | (1) In the Identity Provider Configuration > Metadata section of the Trust page, expand the Security Certificate section and click Download to download the certificate. (2) Open the downloaded certificate in a text editor and copy the contents, including the --BEGIN-- and --END-- delimiters. (3) Go to the BambooHR tab and click Manage > Single Sign-On, then paste the contents of the certificate into the x.509 Certificate field. |
  | Identity Provider SSO Login URL | → | SSO Login URL | Copy the Identity Provider SSO Login URL from the Identity Provider Configuration > Manual Configuration area of the Trust page in the Admin Portal and paste it in the SSO Login URL field in the BambooHR web application. |
  | N/A | N/A | Enabled | Select this option. |
  | N/A | N/A | Method | After you select Enabled, the Method list displays. Select SAML. |
- Deploy the application by setting permissions on the application.
  - On the Permissions page, click Add. The Select User, Group, or Role window appears.
  - Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add. The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
  - Select the desired permissions, then click Save.

  Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Change the permissions if you want to add additional control or you prefer not to automatically deploy the application.
  Refer to the following table for more information about application-specific permissions.

  | Permission | Description |
  |---|---|
  | Manage | Users can modify application settings and application sets. Selecting this option also selects the View permission. Additionally, a user in a role with the Application Management administrative right can enable this permission to allow other users or roles (without the Application Management right) to administer the application. See Delegate application management for more information. Note that you cannot delete applications from the Admin Portal > Web Apps and Mobile Apps pages with just this permission. Add the Delete permission if you want a delegated application administrator to be able to delete applications. |
  | Delete | Users with this permission can delete applications from the Admin Portal > Web Apps and Mobile Apps pages. Selecting this option also selects the View permission. |
  | Run | Allows users to launch the application from the User Portal. |
  | Automatically Deploy | Automatically deploys the application to the User Portal. If Automatically Deploy is not selected, users can find the application in the Recommended tab when adding applications to the User Portal. The Show in user app list option takes priority over the Automatically Deploy permission. For example, if Show in user app list is not selected, applications do not appear in the User Portal or in the Recommended tab even if you select the Automatically Deploy permission. |
The following video contains more information about deploying apps as Recommended.
- On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. Available options vary depending on your application type.

  | Option | Description |
  |---|---|
  | Directory Service Field | Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName, or a similar field from the CyberArk Cloud Directory. Also see Authentication security options for information on the option to use the password supplied by Active Directory users. |
  | All users share one name | Use this option if you want to share access to an account (for example, some people share an application developer account). Check Allow users to view credentials to allow users to view User Identity (User Name and Password) information for an application in the User Portal > Application Settings (select the gear icon in the application tile). Users must have the View permission enabled. This can be helpful to users who may need offline access to the application. The ability to view the User Identity information in the application applies only to application passwords stored in CyberArk Identity and does not apply to applications where the passwords are stored in the PAM Vault. If this option is not checked (the default configuration), User Identity information for an application is not shared in the User Portal > Application Settings. Contact CyberArk Support to disable the Allow users to view credentials check box option. |
  | Prompt for user name | Use this option if you want users to supply their own user name and password. This option only applies to some application types such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The CyberArk Cloud Directory stores the user name and password so that the next time the user launches the application, the CyberArk Cloud Directory logs in the user automatically. |
  | Account Mapping Script | You can customize the user account mapping here by supplying a custom JavaScript. For example, you could use the following line as a script: `LoginUser.Username = LoginUser.Get('mail')+'.ad';` The script sets the login user name to the user’s mail attribute value in Active Directory and adds ‘.ad’ at the end. For example, if the user’s mail attribute value is Adele.Darwin@acme.com then the account mapping script sets LoginUser.Username to Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see SAML application scripting. |
- Click Save.
BambooHR inbound provisioning
You can provision users from your enterprise source directories (CyberArk Cloud Directory or any source Active Directory instances connected to CyberArk Identity) to one or more target Active Directory instances and assign the right set of access based on roles.
| Source | Target | Result |
|---|---|---|
| BambooHR | CyberArk Cloud Directory | Users created in CyberArk Cloud Directory. |
| BambooHR | AD | Users created in the AD directory that is configured to CyberArk Identity. |
You can define synchronization schedules to synchronize user data from the source directory to the target directories.
Refer to Inbound Provisioning from BambooHR for more information about inbound provisioning from BambooHR.
Configure BambooHR mobile applications for SSO
BambooHR provides mobile applications for both iOS and Android devices.
You log in to the mobile application using your email address, password, and subdomain, even after you have configured BambooHR for SSO.
- iOS: https://itunes.apple.com/us/app/bamboohr/id587244049
- Android: https://play.google.com/store/apps/details?id=com.mokinetworks.bamboohr
What you need to know about BambooHR
Each SAML application is different. Here are the BambooHR features and functionality that you need to know when configuring the application for SSO.
| Feature | Description |
|---|---|
| Available versions and clients | web application, iOS, Android |
| SP-initiated SSO works? | yes |
| IdP-initiated SSO works? | yes |
| Is there a separate login for administrators after SSO is enabled? | When SSO is enabled, users can log in only through SSO. No user name and password logins are allowed. |
| Lockout possibility and how to recover after lockout | After you have enabled SSO, all users must log in through SSO. No logins with the BambooHR user name and password are allowed. |
| User provisioning | You create user accounts in BambooHR directly. |
| Group-based access control | BambooHR uses group-based access control. You assign users to groups, and you apply permissions to groups. |
| Can users reset their own passwords? Can administrators reset a user’s password? | Users can reset their own passwords. Administrators can also reset users’ passwords. |