SAML-based Single sign-on (SSO) gives members access to Recruitee through an identity provider (IDP) of your choice.
Recruitee integrates with SSO providers that support SAML2 (Security Assertion Markup Language). We support integrating with the following SSO providers:
Okta
Microsoft Azure Active Directory
Google Apps
Auth0
Note: Integrating with other SSO providers supporting SAML2 is possible but has to be configured on the customer’s end entirely. Customers have been successful in setting up SSO with Duo SSO, Shibboleth, OneLogin, Keycloak, and JumpCloud.
You can start the SSO process for your Recruitee account by sending a request via Settings or contact us. You will need to configure a new application within your SSO provider for Recruitee before SSO can be enabled for your account.
Check the following SSO provider-specific documentation with your IT team on how to setup an application for Recruitee in your SSO provider.
What does integrating SSO mean for your company?
Setting up SSO for your Recruitee account results in the following changes:
Team member will need to be invited and sign in to Recruitee via your SSO provider. Users can also use the company specific sign in link to sign in. Make sure to share the company specific link with your team members. Learn more about the sign in process under Managing users.
Former login credentials and a password reset will no longer work in Recruitee. Resetting password will need to be done via the SSO provider.
For Private API integrations the auth_token will no longer work, so remember to switch to new Personal API Tokens.
SSO login will only give you access to the company account that has SSO enabled (or multiple companies accounts sharing the same certificate).
If you work in multiple company accounts with and without SSO enabled, if you are logged in with SSO switching between company accounts that don't have SSO enabled is not possible. The same the other way around, while using your login credentials it is not possible to switch to company accounts that have SSO enabled. However, you will see a total number of companies that you have access to in your profile.
How to integrate SSO in your Recruitee account
In short, an administrator has to request SSO in their Recruitee Settings and upload the metadata XML file from the SSO provider.
Requesting SSO
1. In your SSO provider add an application for Recruitee and generate a metadata XML file. Follow the instructions for your specific tool:
You can also upload the file later and click Request SSO to already send notification to Support that you initiated the process.
2. Go to Settings > Company Settings > SSO
3. Choose a default role for new users in Recruitee which you register via your SSO provider and upload the XML file under Upload file and SSO request button.
Note: It is possible to change a user's role within Recruitee after they signed up. If you select a role that has restricted access to jobs/talent pools, like reviewer, you will have to assign jobs/talent pools to new users manually within Recruitee.
4. Confirm your identity by providing a password or verification code.
5. Recruitee Support will contact you to coordinate on when to enable your single sign-on integration.
Managing Users
When you have SSO enabled in your account, you give and revoke access of team members in Recruitee via your SSO provider. If a coworker has access to Recruitee in your SSO tool, they'll be able to join your account.
Adding users
If you add a new user in your SSO provider for Recruitee it will have the default role that you selected while requesting SSO.
Based on this role this new team member will have access to the Recruitee account. To change their role or the jobs/talent pools they have access to, login to Recruitee and go to Settings > Company > Team members. Here you can update their access to the account.
If you add users via Recruitee you can individually select roles and assign jobs they should have access to. Make sure to grant them access to the Recruitee application in your SSO provider. If you invite a person to Recruitee but hasn't been granted access in the SSO provider this person will not be able to sign up to your Recruitee account.
Signing in
Option 1:
1. Go to https://auth.recruitee.com/ and select SSO.
2. Fill in your email address.
Note: This is the email address you sign into your SSO provider with.
3. If you are already logged in to your SSO provider, you will be redirected to Recruitee instantly.
If you aren't logged in to your SSO provider yet you will first be directed to do so. If the login is successful you will be redirected to Recruitee.
Option 2: If you have your company’s direct Sign-in URL you can skip step 1 and 2 above and sign into your SSO provider directly. A Sign-in URL looks like this: auth.recruitee.com/sso/sign-in/[companyname]
Option 3: Depending on your SSO provider, you can also navigate to the dashboard of your SSO provider and click on the Recruitee application to be redirected to Recruitee.
Removing users
If you want to remove a user from Recruitee, you need to revoke their access rights in your SSO provider and delete them from Recruitee.
If you don't revoke access to Recruitee in your SSO provider, then the user may still be able to re-join the account and access jobs.