Permissions: --

Product tier: Available for Greenhouse Welcome and Greenhouse Onboarding subscription tiers

Note: These instructions were created using Windows Server 2012 R2 and ADFS 3.0.

Before you begin configuring ADFS, please send the following information to Greenhouse:

  • Your Single Sign On URL
  • Your Single Log Out URL (Optional)
  • Your IdP Certificate Fingerprint

Once Greenhouse receives the information, you will receive your Greenhouse Metadata file to use during part one of the setup.

Part 1: Add Greenhouse as a Relying Party Trust

To begin, Navigate to your AD FS Management tool, then open the Trust Relationships folder in the left sidebar.

Within the Trust Relationships folder, open the Relying Party Trusts subfolder.

Click Add Relying Party Trusts under the Actions bar on the right side of the screen. This will open the Add Relying Party Trust Wizard.


 On the Welcome page, click Start

Once on the Select Data Source page, select Import data about the relying party from a file

Upload the Metadata file from Greenhouse.


Enter Greenhouse Onboarding as the Display Name, and add any additional notes that you’d like.

You’re given the option to set up multi-factor authentication. This isn't necessary for your Greenhouse configuration, but can be enabled if you choose.

Select the radio button, Permit all users to access this relying party.

The next page will be an overview of your configuration.

Please confirm that the following attributes were set correctly before moving on:

The Identifiers tab contains your Display name and Greenhouse’s Relying party identifier. The Relying party identifier will use your subdomain and will be in the format, app.parklet.co

 

The Endpoints tab contains your SAML Assertion Consumer Endpoint. For Greenhouse, that URL is https://onboarding.greenhouse.io/saml/{uid}/consume

 

On the next page, ensure the box is checked next to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.

Part 2: Create claim rules for Greenhouse

Closing the Add Relying Party Trust Wizard automatically opens the Edit Claim Rules Wizard for Greenhouse. Here, you'll configure the attributes that ADFS will send to Greenhouse.

To begin, click Add Rule

Select Send LDAP Attributes as Claims from the drop-down menu.

Name the claim rule LDAP Email and select the Active Directory from the Attribute store dropdown.

Next, add the following rules:

  • Select E-Mail-Addresses in the LDAP Attribute column
  • Select E-Mail Address in the Outgoing Claim Type column

You will now see the new rule in your list of claim rules for Greenhouse.

Click Add Rule to add the next rule.

Select Transform an Incoming Claim from the drop-down menu.

Configure the following on the next page:

  • Name the Claim rule Email Transform
  • Set the Incoming claim type to E-Mail Address
  • Set the Outgoing claim type to Name ID
  • Set the Outgoing name ID format to Email
  • Select the radio button, Pass through all claim values

You'll now see both of your new rules in the list of claim rules for Greenhouse. Click Apply, then OK to close the Wizard.

Part 3: Edit the Trust settings

The next step is to edit the trust settings for Greenhouse.

On the Relying Party Trusts page of the ADFS Management Tool, select Greenhouse Onboarding from the list of Relying Party Trusts. Then, click Properties under the Actions bar on the right side of the page. 

In the Greenhouse Properties window, navigate to the Advanced tab.

The Secure Hash Algorithm dropdown is automatically set to SHA-256. Change the Secure Hash Algorithm to SHA-1.

Part 4: Set the NotBeforeSkew parameter

When a user logs in through ADFS, the SAML Response to Greenhouse will contain NotBefore and NotOnOrAfter attributes that designate the timeframe the SAML Response is valid. However, the ADFS server clock and the Greenhouse server clock may become out of sync. In this case, the SAML Response will not be valid which will prevent you from being able to log in. 

To ensure that your users aren’t affected by server synchronization issues, please set a skew of at least two minutes on the NotBefore attribute by following the instructions below:

To begin, open your Powershell in ADFS.

Next, check the current NotBeforeSkew by running the following command in the Powershell: Get-ADFSRelyingPartyTrust –identifier “app.parklet.co

In the Powershell response, scroll to the attribute NotBeforeSkew. The number next to the NotBeforeSkew is the current time of that attribute in minutes.

Set the NotBeforeSkew to 2 minutes by running the following command in the Powershell: Set-ADFSRelyingPartyTrust –TargetIdentifier “app.parklet.co" –NotBeforeSkew 2

Check the new NotBeforeSkew by running the following command again: Get-ADFSRelyingPartyTrust –identifier “app.parklet.co

The NotBeforeSkew should now be set to 2.

Part 5: Configure a single logout URL (optional)

The final step is to configure a Single Logout URL. This is optional.

To begin, open the Greenhouse Onboarding Properties dialog box by clicking the Properties button in the Actions sidebar.

Navigate to the Endpoints tab. You'll see the ACS URL from Greenhouse's Metadata file in the list of Endpoints.

To add a Single Logout URL, click Add SAML.

Configure the following in the Add an Endpoint window:

  • Set the Endpoint type to SAML Logout
  • Set Binding to POST
  • In the Trusted URL textbox, enter your Single Logout URL

You'll now see both the ACS URL from Greenhouse and your Single Logout URL on your list of Endpoints for Greenhouse.

Click Apply, then click OK.