Note: If you have questions regarding enabling Single Sign-On through ADFS, please click here to contact the Greenhouse Customer Support team.
Part One: Add Greenhouse as a Relying Party Trust
Note: These instructions were created using Windows Server 2012 R2 and ADFS 3.0.
1. Navigate to your AD FS Management tool, then open the Trust Relationships folder in the left sidebar.
2. Within the Trust Relationships folder, open the Relying Party Trusts folder.
3. Click Add Relying Party Trusts under the Actions bar on the right side of the screen. This will open the Add Relying Party Trust Wizard.
4. On the Welcome page, click Start
5. On the Select Data Source page, select Enter data about the relying party manually. Manually provide the appropriate details from Greenhouse Recruiting, which includes the following:
ACS URL: To obtain your ACS URL, follow the steps provided here
Entity ID: greenhouse.io (note this does not include https://)
6. Enter Greenhouse in the Display Name field, and add any additional notes that you would like.
7. On the Choose Profile page, select AD FS profile.
8. Click Next to skip the Configure Certificate page without making any selections.
9. On the Configure URL page, check the box for Enable support for the SAML 2.0 WebSSO protocol. Enter your Greenhouse Recruiting ACS URL. Click here to learn how to retrieve your ACS URL from your Greenhouse Recruiting account.
10. On the Configure Identifiers page, enter the following in the Relying party trust identifier field:
Click Add when finished.
11. You will be given the option to set up Multi-factor authentication. This is not necessary for your Greenhouse configuration, but feel free to add it if you wish.
12. Select Permit all users to access this relying party.
13. On the Ready to Add Trust page, click Next without making any changes.
14. On the next page, make sure the box is checked next to Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. Click Close when finished.
Part 2: Create Claim Rules for Greenhouse
Closing the Add Relying Party Trust Wizard will automatically open the Edit Claim Rules Wizard for Greenhouse. Here, you will configure the attributes that AD FS will send to Greenhouse.
1. Click Add Rule.
2. Select Send LDAP Attributes as Claims from the dropdown menu.
3. Name the claim rule LDAP Email and Full Name and select the Active Directory attribute store. Then, add the following rules:
- Select E-Mail-Addresses in the LDAP Attribute column. Select E-Mail Address in the Outgoing Claim Type column.
- Select Given-Name in the LDAP Attribute column. Type User.FirstName into the Outgoing Claim Type column.
- Select Surname in the LDAP Attribute column. Type User.LastName into the Outgoing Claim Type column.
4. You will now see the new rule in your list of claim rules for Greenhouse. Click Add Rule to add the next rule.
5. Select Transform an Incoming Claim from the dropdown menu.
6. Configure the following on the next page:
- Name the claim rule Email Transform
- Set the Incoming claim type to E-Mail Address
- Set the Outgoing claim type to Name ID
- Set the Outgoing name ID format to Email
- Select Pass through all claim values
7. You will now see both of your new rules in the list of claim rules for Greenhouse. Click Apply and OK to close the Wizard.
Part 3: Edit Trust Settings
The final step will be to edit the trust settings for Greenhouse.
1. On the Relying Party Trusts page of the AD FS Management Tool, select Greenhouse from the list of Relying Party Trusts. Then, click Properties under the Actions bar on the right side of the page.
2. The Identifiers tab should contain your Display name and Greenhouse’s Relying party identifier (in this case, greenhouse.io).
Part 4 - Set the NotBeforeSkew Parameter
When a user logs in through ADFS, the SAML Response to Greenhouse will contain "NotBefore" and "NotOnOrAfter" attributes that designate the timeframe during which the SAML Response is valid. However, the ADFS server clock and the Greenhouse server clock may become out of sync so that the timestamp of the SAML Response sets to a time earlier than the one established in the "NotBefore" attribute. In this case, the SAML Response will not be valid and the user will not be able to log in.
To ensure that your users are not affected by server synchronization issues, please set a skew of at least two minutes on the "NotBefore" attribute by following the instructions below:
1. Open your Powershell in ADFS.
2. Check the current NotBeforeSkew by running the following command in the Powershell:
Get-ADFSRelyingPartyTrust –identifier "greenhouse.io”
3. In the Powershell response, scroll to the attribute "NotBeforeSkew." The number next to the "NotBeforeSkew" will be the current time skew of that attribute in minutes.
4. Next, set the "NotBeforeSkew" to be 2 minutes by running the following command in the Powershell:
Set-ADFSRelyingPartyTrust –TargetIdentifier “greenhouse.io" –NotBeforeSkew 2
5. Check the new "NotBeforeSkew" by running the following command again:
Get-ADFSRelyingPartyTrust –identifier “greenhouse.io”
* The NotBeforeSkew should now be set to 2.
Part 5 - Configure a Single Logout URL (Optional)
The final step is to configure a Single Logout URL. This is optional.
1. Open the Greenhouse Properties dialog box by clicking the Properties button in the Actions sidebar.
2. Navigate to the Endpoints tab. You'll see the ACS URL from Greenhouse's Metadata file in the list of Endpoints. To add a Single Logout URL, click Add SAML.
3. Configure the following in the Add an Endpoint window:
- Set the Endpoint type to SAML Logout
- Set Binding to POST
- In the Trusted URL textbox, enter you
- r Single Logout URL.
4. You'll now see both the ACS URL from Greenhouse and your Single Logout URL on your list of Endpoints for Greenhouse. Click Apply, then click OK.
You're now ready to test your ADFS configuration. Please follow the steps here to soft-enable SSO in Greenhouse Recruiting so your team can test the configuration internally.