Note: Single Sign-On (SSO) is not available for organizations with an Essential subscription tier.
Greenhouse Recruiting provides your users with the ability to sign in via Single Sign-On, or SSO. With SSO enabled, your users will all be able to access your organization’s Greenhouse Recruiting account through your Identity Provider (IdP) of choice.
Which SSO providers are compatible with Greenhouse?
We are also able to integrate with any other SAML 2.0-compliant IdP. We often integrate with other IdPs, such as ADFS and PingIdentity.
What will the process look like?
Initially, we will soft-enable SSO. This will put your account in a hybrid state in which users can log in through both SSO and the regular Greenhouse Recruiting login page. This enables you to test SSO without disturbing the workflow of your users.
Once you are satisfied SSO is behaving as expected, we will flip the switch to hard-enable SSO. At that point, SSO will become your only means of logging into Greenhouse Recruiting.
What do you need to do to get started?
- You can find customized instructions on integrating with Okta, OneLogin, and Azure in Greenhouse’s Help Center.
- Google provides their own instructions on integrating with Greenhouse Recruiting.
- Once you have configured Greenhouse Recruiting for your IdP, please email your Metadata file to <www.greenhouse.io/asksupport>.
- Please configure the following in your IdP:
  - ACS URL: https://yourdomain.greenhouse.io/users/saml/consume
  - Entity ID: yourdomain.greenhouse.io
- We’ll also expect the following attributes in your SAML Response:
  - User.FirstName (must be the user’s first name)
  - User.LastName (must be the user’s last name)
  - nameID (must be the user's email address)
  Note: If your organization uses the Employee ID log-in method, the SAML Response from your IdP must also include a User.EmployeeID value. The Employee ID log-in method requires an Expert subscription.
- Once you’ve configured those, please email the following information to <firstname.lastname@example.org>:
  - Your Single Sign-On URL
  - Your IdP Certificate Fingerprint
Important things to note
There are a few things to be aware of before we configure SSO for your account:
- Provisioning Users: When a user who does not already exist in your Greenhouse Recruiting account logs in for the first time via SSO, we will create a new user for them, and we will give them Basic permissions. You can update those permissions later within Greenhouse Recruiting if needed.
- Duplicate Users: Users who have existing Greenhouse Recruiting accounts need to log in via SSO using their existing Greenhouse Recruiting email address. If a user logs in with an email address that we do not recognize, we will create a new account for them, which could potentially lead to users having multiple Greenhouse Recruiting accounts.
To prevent that issue, if your users’ SSO email addresses do not match their Greenhouse Recruiting email addresses, please be sure to add and verify their SSO email addresses to Greenhouse Recruiting before they attempt to log in via SSO.
If any members of your team inadvertently create duplicate Greenhouse Recruiting user accounts, please open a ticket with our Customer Support team for assistance resolving the issue.
- URL Change: Once SSO is hard-enabled, your Greenhouse Recruiting URLs will change to include your domain name.
For example, if your domain is example.com, your Greenhouse Recruiting URLs will change from the standard URL format <app.greenhouse.io/...> to <example.greenhouse.io/...>.
- Passwords Deleted: Once SSO is hard-enabled for your account, we will delete your users' Greenhouse Recruiting passwords, so that they can only log in via SSO. This means after SSO is hard-enabled, we are unable to revert your account back to soft-enabled SSO or non-SSO logins without all of your users needing to reset their passwords.
- Google+: Users will not be able to log in via Google+ once SSO is enabled in either the soft-enabled or hard-enabled state.
- Deactivating Users: Deactivating a user in your IdP does not deactivate their user account in Greenhouse Recruiting. We will require a user to log back in only when their Greenhouse Recruiting session ends, and a session can last for up to 30 days. This means even if a user account is deactivated in your IdP, the user potentially could remain logged into Greenhouse Recruiting and still have access to your organization's recruiting data.
To prevent users from logging into Greenhouse Recruiting after they leave your company, we recommend deactivating the user account in Greenhouse Recruiting every time you deactivate a user in your IdP. Greenhouse Recruiting user accounts also can be deactivated using the PATCH: Disable User endpoint in our Harvest API.
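One way to find accounts that fall into this gap is to reconcile an export of users deactivated in your IdP against your Greenhouse Recruiting user list. This is an added example, not Greenhouse code; the record keys (`id`, `emails`, `disabled`) and the sample data are assumptions made for illustration, and the resulting IDs are the ones you would then disable in Greenhouse Recruiting.

```python
from datetime import datetime, timedelta, timezone

MAX_SESSION = timedelta(days=30)  # from the page: a session can last up to 30 days

def norm(email):
    return email.strip().lower()

def offboarding_gaps(idp_deactivated, greenhouse_users, now):
    """idp_deactivated: {email: deactivation time}.
    greenhouse_users: dicts with hypothetical keys 'id', 'emails', 'disabled'.
    Returns (still_enabled, unmatched)."""
    by_email = {norm(e): u for u in greenhouse_users for e in u["emails"]}
    still_enabled, unmatched = [], []
    for email, deactivated_at in idp_deactivated.items():
        user = by_email.get(norm(email))
        if user is None:
            # SSO address differs from the Greenhouse address: review by hand.
            unmatched.append(norm(email))
            continue
        if user["disabled"]:
            continue
        # Worst case: the session started just before the IdP deactivation.
        worst_case_end = deactivated_at + MAX_SESSION
        still_enabled.append({
            "greenhouse_id": user["id"],
            "email": norm(email),
            "worst_case_session_end": worst_case_end,
            "session_may_persist": now < worst_case_end,
        })
    still_enabled.sort(key=lambda f: f["worst_case_session_end"], reverse=True)
    return still_enabled, sorted(unmatched)

# Constructed sample data (not real users).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
IDP_DEACTIVATED = {
    "Ana@Example.com": datetime(2024, 6, 20, tzinfo=timezone.utc),
    "bo@example.com": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "cy@example.com": datetime(2024, 6, 25, tzinfo=timezone.utc),
    "di@corp.example.com": datetime(2024, 6, 28, tzinfo=timezone.utc),
}
GREENHOUSE_USERS = [
    {"id": 101, "emails": ["ana@example.com"], "disabled": False},
    {"id": 102, "emails": ["bo@example.com"], "disabled": False},
    {"id": 103, "emails": ["cy@example.com"], "disabled": True},
    {"id": 104, "emails": ["di@example.com"], "disabled": False},
]
```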
No further configuration is necessary for Greenhouse Mobile once SSO is hard-enabled. Users can access the app from unsupervised devices and we will provision a Greenhouse Recruiting session for any user/device that can log into the IdP and provide a valid SAMLResponse.
Once SSO has been hard-enabled, users can log into the Greenhouse Mobile app using SSO by entering their email address on the login screen. After they have submitted their email address, we will identify them as a user from your company and redirect them to your SSO login page.
Please reach out to <email@example.com> with any questions!