BambooHR SAML Single Sign-On (SSO)

BambooHR offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the BambooHR web application). You can configure BambooHR for either or both types of SSO.

Requirements

Configuring BambooHR for SSO requires a signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and the CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

Configure BambooHR for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the IdaptiveAdmin Portal, see Configure optional application settings.

It can be useful to open the web application and the Admin Portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

    1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

      The Add Web Apps screen appears.

    2. On the Search tab, enter BambooHR in the Search field and click the search icon.

    3. Next to BambooHR, click Add.

    4. In the Add Web App screen, click Yes to confirm.

    5. Click Close to exit the Application Catalog.

      The BambooHR application opens to the Settings page.

  2. On the Settings page in the Admin Portal, specify the following settings:

    Option

    Description

    Application ID

    Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:

    The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

    There can only be one SAML application deployed with the name used by the mobile application.

    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    Show in User app list

    Select Show in User app list to display this web application in the user portal. (This option is selected by default.)

    If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.

    On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login)

    Refer to CyberArk-issued derived credentials for more information.

  3. In another tab in your web browser, go to https://<customdomain>.bamboohr.com and log in with your administrator account, where <customdomain> is your company instance name with BambooHR.

  4. In the BambooHR tab, click Manage > Single Sign-On, then configure the settings as described in the following table and save your settings when you are finished.

    The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field in the CyberArk Identity the Admin Portal and paste it into the corresponding field on the Absorb LMS website.

    Admin Portal

    Copy/Paste

    Direction

    BambooHR web application

    What you do

    Download Signing Certificate

    x.509 Certificate

    1. In the Identity Provider Configuration > Metadata section of the Trust page, expand the Security Certificate section and click Downloadto download the certificate.

    2. Open the downloaded certificate in a text editor and copy the contents with the --BEGIN-- and --END-- delimiters.

    3. Go to the BambooHR tab and click Manage > Single Sign-on, then paste the contents of the certificate into the x.509 certificate field.

    Identity Provider SSO Login URL

    SSO Login URL

    Copy the Identity Provider SSO Login URL from the Identity Provider Configuration > Manual Configuration area of the Trust page in the Admin Portal and paste it in the SSO Login URL field in the BambooHR web application.

    N/A

    N/A

    Enabled

    Select this option.

    N/A

    N/A

    Method

    After you select Enabled, the Method list displays. Select SAML.

    1. On the Permissions page, click Add.

      The Select User, Group, or Role window appears.

    2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

      The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

    3. Select the desired permissions, then click Save.

      Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Change the permissions if you want to add additional control or you prefer not to automatically deploy the application.

      Refer to the following table for more information about applications-specific permissions.

      Permission

      Description
      Manage

      Users can modify application settings and application sets. Selecting this option also selects the View permission.

      Additionally, a user in a role with the Application Management administrative right can enable this permission to allow other users or roles (without the Application Management right) to administer the application. See Delegate application management for more information.

      Note that you cannot delete applications from the Admin Portal > Web Apps and Mobile Apps pages with just this permission. Add the Delete permission if you want a delegated application administrator to have the ability to delete applications.

      Delete

      Users with this permission can delete applications from the Admin Portal > Web Apps and Mobile Apps pages. Selecting this option also selects the View permission.
      Run

      Allows users to launch the application from the User Portal.

      Automatically Deploy

      Automatically deploys the application to the User Portal. If Automatically Deploy is not selected, users can find the application in the Recommended tab when adding applications to the User Portal.

      The Show in user app list option takes priority over the Automatically Deploy permission. For example, if Show in user app list is not selected, applications do not appear in the User Portal or in the Recommended tab even if you select the Automatically Deploy permission.

  6. Available options vary depending on your application type.

    Option

    Description

    Directory Service Field

     

    Use this option if the user accounts are based on user attributes.
    For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from theCyberArk Cloud Directory.

    Also see Authentication security options for information on the option to use the password supplied by Active Directory users.

     

    All users share one name

    Use this option if you want to share access to an account (for example, some people share an application developer account).

    Check Allow users to view credentials to allow users to view User Identity (User Name and Password) information for an application in theUser Portal > Application Settings (select the gear icon in the application tile). Users must have the View permission enabled. This can be helpful to users who may need offline access to the application.

    The ability to view the User Identity information in the application is only applicable for application passwords stored in CyberArk Identity and does not apply to applications where the passwords are stored in the PAM Vault.

    If this option is not checked (default configuration), User Identity information for an application is not shared in the User Portal > Application Settings.

    Contact CyberArk Support to disable the Allow users to view credentials check box option.

    Prompt for user name

    Use this option if you want users to supply their own user name and password. This option only applies to some application types such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The CyberArk Cloud Directory stores the user name and password so that the next time the user launches the application, the CyberArk Cloud Directory logs in the user automatically.

     

    Account Mapping Script

    You can customize the user account mapping here by supplying a custom JavaScript. For example, you could use the following line as a script:

    LoginUser.Username = LoginUser.Get('mail')+'.ad';

    The script sets the login user name to the user’s mail attribute value in Active Directory and adds ‘.ad’ at the end. For example, if the user’s mail attribute value is Adele.Darwin@acme.com then the account mapping script sets LoginUser.Username to Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting.

    Also see Authentication security options for information on the option to use the password supplied by Active Directory users.

     

  7. Click Save.

BambooHR inbound provisioning

You can provision user data from specified external systems (for example, a web-based Human Capital Management system) to supported directory services using inbound provisioning. The external system is considered the data source, while a directory source known to CyberArk Identity is the target. The following table indicates support for data sources and targets.

Source Target
BambooHR AD

You can define synchronization schedules to synchronize user data from those systems. It's also possible to edit certain user attributes in AD and write those values back to the external systems.

Refer to Inbound Provisioning from BambooHR for more information about inbound provisioning from BambooHR.

Configure BambooHR mobile applications for SSO

BambooHR provides mobile applications for both iOS and Android devices.

You log in to the mobile application using your email address, password, and subdomain, even after you’ve configured BambooHR for SSO.

https://itunes.apple.com/us/app/bamboohr/id587244049

https://play.google.com/store/apps/details?id=com.mokinetworks.bamboohr

What you need to know about BambooHR

Each SAML application is different. Here are the BambooHR features and functionality that you need to know when configuring the application for SSO.

Feature

Description

Available versions and clients

web application, iOS, Android

SP-initiated SSO works?

yes

IdP-initiated SSO works?

yes

Is there a separate login for administrators after SSO is enabled?

When SSO is enabled, users can log in only through SSO. No user name and password logins are allowed.

Lockout possibility and how to recover after lockout

After you’ve enabled SSO, all users must login through SSO. There are no logins allowed with the BambooHR user name and password.

User provisioning

You create user accounts in BambooHR directly.

Group-based access control

BambooHR uses group-based access control. You assign users to groups, and you apply permissions to groups.

Can users reset their own passwords? Can administrators reset a user’s password?

Users can reset their own passwords. Administrators can also reset users’ passwords.