BambooHR SAML Single Sign-On (SSO)

BambooHR offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the BambooHR web application). You can configure BambooHR for either or both types of SSO.


Configuring BambooHR for SSO requires a signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application’s Trust page in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
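
A mismatch between the two uploads is a common cause of failed SAML logins, so it is worth confirming that the .pfx/.p12 bundle and the .cer/.pem file hold the same certificate before enabling SSO. The following shell script is an added example, not CyberArk or BambooHR tooling; it assumes the openssl CLI is installed, and the function names, file names and the P12_PASS variable are illustrative.

```shell
#!/bin/sh
# Added example, not vendor code. File names and P12_PASS are assumptions.

# SHA-256 fingerprint of a certificate file (.pem/.cer, PEM or DER encoded).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the leaf certificate inside a .pfx/.p12 bundle.
# The bundle password is read from $P12_PASS so it stays off the command line.
p12_fp() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Returns 0 when both files hold the same certificate, 1 when they differ,
# and 2 when either file cannot be read as a certificate.
same_signing_cert() {
    bundle_fp=$(p12_fp "$1") || return 2
    file_fp=$(cert_fp "$2") || return 2
    [ "$bundle_fp" = "$file_fp" ]
}

# Constructed sample input: two throwaway self-signed certificates, one of
# them packed into demo.p12. Prints the directory holding the files.
make_demo_files() {
    d=$(mktemp -d) || return 1
    for n in idp other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n-demo" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl pkcs12 -export -inkey "$d/idp.key" -in "$d/idp.pem" \
        -passout env:P12_PASS -out "$d/demo.p12" || return 1
    echo "$d"
}

export P12_PASS=constructed-demo-password
demo_dir=$(make_demo_files)
same_signing_cert "$demo_dir/demo.p12" "$demo_dir/idp.pem" && echo "match"
same_signing_cert "$demo_dir/demo.p12" "$demo_dir/other.pem" || echo "MISMATCH"
```

A return code of 2 for the certificate file usually means the pasted text lost its BEGIN/END delimiter lines or was otherwise altered during copy and paste.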

Configure BambooHR for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Idaptive Admin Portal, see Configure optional application settings.

It can be useful to open the web application and the Admin Portal at the same time, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.
  1. On the Settings page in the Admin Portal, specify the following settings:



    Application ID

    Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:

    The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

    There can only be one SAML application deployed with the name used by the mobile application.

    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    Show in User app list

    Select Show in User app list to display this web application in the user portal. (This option is selected by default.)

    If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.

    On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login)

    Refer to CyberArk-issued derived credentials for more information.

  2. In another tab in your web browser, go to https://<customdomain> and log in with your administrator account, where <customdomain> is your company instance name with BambooHR.

  3. In the BambooHR tab, click Manage > Single Sign-On, then configure the settings as described in the following table and save your settings when you are finished.

    The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field in the Admin Portal and paste it into the corresponding field in the BambooHR web application.

    Admin Portal: Download Signing Certificate
    BambooHR web application: x.509 Certificate
    What you do:

    1. In the Identity Provider Configuration > Metadata section of the Trust page, expand the Security Certificate section and click Download to download the certificate.

    2. Open the downloaded certificate in a text editor and copy the contents with the --BEGIN-- and --END-- delimiters.

    3. Go to the BambooHR tab and click Manage > Single Sign-on, then paste the contents of the certificate into the x.509 certificate field.

    Admin Portal: Identity Provider SSO Login URL
    BambooHR web application: SSO Login URL
    What you do:

    Copy the Identity Provider SSO Login URL from the Identity Provider Configuration > Manual Configuration area of the Trust page in the Admin Portal and paste it in the SSO Login URL field in the BambooHR web application.




    Select this option.




    After you select Enabled, the Method list displays. Select SAML.

  4. Click Save.

BambooHR inbound provisioning

You can provision users from your enterprise source directories (CyberArk Cloud Directory or any source Active Directory instances connected to CyberArk Identity) to one or more target Active Directory instances and assign the right set of access based on roles.

Source: BambooHR
Target: AD, CyberArk Cloud Directory


The following users are considered for provisioning:
Users created in CyberArk Cloud Directory.
Users created in AD directory which are configured to CyberArk Identity.

You can define synchronization schedules to synchronize user data from the source directory to the target Active Directory instances.

Refer to Inbound Provisioning from BambooHR for more information about inbound provisioning from BambooHR.

Configure BambooHR mobile applications for SSO

BambooHR provides mobile applications for both iOS and Android devices.

You log in to the mobile application using your email address, password, and subdomain, even after you’ve configured BambooHR for SSO.

What you need to know about BambooHR

Each SAML application is different. Here are the BambooHR features and functionality that you need to know when configuring the application for SSO.



Available versions and clients

web application, iOS, Android

SP-initiated SSO works?


IdP-initiated SSO works?


Is there a separate login for administrators after SSO is enabled?

When SSO is enabled, users can log in only through SSO. No user name and password logins are allowed.

Lockout possibility and how to recover after lockout

After you’ve enabled SSO, all users must log in through SSO. There are no logins allowed with the BambooHR user name and password.

User provisioning

You create user accounts in BambooHR directly.

Group-based access control

BambooHR uses group-based access control. You assign users to groups, and you apply permissions to groups.

Can users reset their own passwords? Can administrators reset a user’s password?

Users can reset their own passwords. Administrators can also reset users’ passwords.