Note: SSO is not available for organizations with Core Greenhouse subscription tiers.
Greenhouse provides your users with the ability to sign in via Single Sign On, or SSO. With SSO enabled, your users will all be able to access your organization’s Greenhouse account through your identity provider of choice!
Which SSO providers are compatible with Greenhouse?
We’re also able to integrate with any other SAML2.0-compliant IdP. We integrate often with other IdPs, such as ADFS and PingIdentity.
What will the process look like?
Initially, we'll soft-enable SSO. This will put your account in a hybrid state in which users can log in through both SSO and the normal login page. This enables you to test SSO without disturbing the workflow of your users.
Once you're satisfied that SSO is behaving as expected, we’ll flip the switch to hard-enable SSO. At that point, SSO will become your only means of logging into Greenhouse.
What do you need to do to get started?
- You can find customized instructions on integrating with Okta, Onelogin, and Azure in Greenhouse’s Help Center.
- Google provides their own instructions on integrating with Greenhouse.
- Once you’ve configured Greenhouse for your IdP, please email your Metadata file to <firstname.lastname@example.org>.
*Instructions on setting up ADFS with Greenhouse can be found here.
- Please configure the following in your IdP:
- ACS URL: https://yourdomain.greenhouse.io/users/saml/consume
- Entity ID: yourdomain.greenhouse.io
- We’ll also expect the following attributes in your SAML Response:
- User.FirstName (must be the user’s first name)
- User.LastName (must be the user’s last name)
- nameID (must be the user's email address)
- Once you’ve configured those, please email the following information to <email@example.com>:
- Your Single Sign On URL
- Your IdP Certificate Fingerprint
Important things to note
There are a few things to be aware of before we configure SSO for your account:
- Provisioning Users: When a user who doesn’t already exist in your account logs in for the first time via SSO, we will create a new user for them, and we’ll give them Basic Permissions. You’ll be able to update those permissions afterwards within Greenhouse.
- Duplicate Users: Users who have existing Greenhouse accounts need to log in via SSO using their existing Greenhouse email address. If a user logs in with an email address that we don’t recognize, we will create a new account for them, which could potentially lead to users having multiple Greenhouse accounts.
To prevent that issue, if your users’ SSO email addresses do not match their Greenhouse email addresses, please be sure to add and verify their SSO email addresses before they log in via SSO.
- URL Change: Once SSO is hard-enabled, your Greenhouse URLs will change to include your domain name.
For example, if your domain is example.com, your Greenhouse URLs will change from the standard URL format <app.greenhouse.io/...> to <example.greenhouse.io/...> once SSO is hard-enabled.
- Passwords Deleted: Once SSO is hard-enabled for your account, we will delete your users' Greenhouse passwords, so that they can only log in via SSO. This means that after SSO is hard-enabled, we won't able to revert your account back to soft-enabled SSO or non-SSO logins without all of your users needing to reset their passwords.
- Google+: Users will not be able to log in via Google+ once SSO is enabled in either the soft-enabled or hard-enabled state.
No further configuration is necessary for Greenhouse Mobile once SSO is hard-enabled. Users can access the app from unsupervised devices and we will provision a Greenhouse session for any user/device that can log into the IdP and provide a valid SAMLResponse.
Once SSO has been hard-enabled, users can log into the Greenhouse Mobile app using SSO by entering their email address on the login screen. After they have submitted their email address, we will identify them as a user from your company and redirect them to your SSO login page.
Please reach out to <firstname.lastname@example.org> with any questions!