Note: Single Sign-On (SSO) is not available for organizations on the Essential subscription tier.
Greenhouse Recruiting provides your users with the ability to sign in via Single Sign-On (SSO). With SSO enabled, your users will be able to access your organization’s Greenhouse Recruiting account through your Identity Provider (IdP) of choice.
Tip: Check out Troubleshoot single sign-on (SSO) for help with common errors.
Which SSO providers are compatible with Greenhouse?
Some IdPs, such as Okta, Onelogin, Google, and Azure offer preconfigured integration options with Greenhouse.
We are also able to integrate with any other SAML2.0-compliant IdP. We integrate often with other IdPs, such as ADFS and PingIdentity.
What will the process look like?
A user with the developer permission Can manage and configure SSO will enable Single Sign-On directly in your Greenhouse Recruiting account. To see a step-by-step guide of this process, please click here.
Initially, your organization will soft-enable SSO. This will put your Greenhouse Recruiting account in a hybrid state in which users can log in either using SSO or through the regular Greenhouse Recruiting login page using an email address and password. This allows your organization to test SSO without disturbing the workflow of your users.
Once your organization has confirmed SSO is behaving as expected, you can flip the switch to hard-enable SSO. At that point, your users will only be able to log in using SSO and can't use Greenhouse Recruiting username and password. If someone selects another SSO option, they'll be redirected to the correct login page.
What information do I need to get started?
Preconfigured IdP:
Our support site includes customized instructions for integrating with several IdPs, including:
Once you have configured Greenhouse Recruiting within your IdP, click here to continue the process of enabling SSO within Greenhouse Recruiting.
Other IdPs:
Follow the steps provided here to generate your ACS URL in Greenhouse Recruiting. Once you have obtained the ACS URL, you will add the Greenhouse Recruiting application to your IdP.
- Assertion Consumer URL: https://app.greenhouse.io/*/users/saml/consume
- Entity ID: greenhouse.io
Greenhouse Recruiting will expect the following attributes in your SAML Response:
- User.FirstName (must be the user’s first name)
- User.LastName (must be the user’s last name)
- nameID (must be the user's email address)
Note: If your organization uses the Employee ID log-in method, the SAML Response from your IdP must also include a User.EmployeeID value. The Employee ID log-in method requires an Expert subscription.
Once you have configured your IdP, follow the steps provided here to complete enabling SSO within Greenhouse Recruiting. This process will require you to provide the following information from your IdP:
- Single Sign-On URL
- Single Log-Out URL
- IdP Certificate Fingerprint
Important things to note
There are a few things to be aware of before configuring SSO for your account.
Provisioning Users
When a user who does not already exist in your Greenhouse Recruiting account logs in for the first time via SSO, we will create a new user for them, and we will give them Basic permissions. You can update those permissions later within Greenhouse Recruiting if needed.
Duplicate Users
Users who have existing Greenhouse Recruiting accounts need to log in via SSO using their existing Greenhouse Recruiting email address. If a user logs in with an email address that we do not recognize, we will create a new account for them, which could lead to users having multiple Greenhouse Recruiting accounts.
To prevent that issue, if your users’ SSO email addresses do not match their Greenhouse Recruiting email addresses, be sure to add and verify their SSO email addresses to Greenhouse Recruiting before they attempt to log in via SSO.
If any members of your team inadvertently create duplicate Greenhouse Recruiting user accounts, please open a ticket with our Technical Support team for assistance in resolving the issue.
Passwords Deleted
Once SSO is hard-enabled for your organization's Greenhouse Recruiting account, we will delete your users' Greenhouse Recruiting passwords, so that they can only log in via SSO. This means once SSO is hard-enabled, we are unable to revert your account back to soft-enabled SSO or non-SSO logins without all of your users needing to reset their passwords.
Google+
Users will not be able to log in via Google+ once SSO is enabled in either the soft-enabled or hard-enabled state.
Deactivating Users
Deactivating a user in your IdP does not deactivate their user account in Greenhouse Recruiting. We will require a user to log back in only when their Greenhouse Recruiting session ends, and a session can last for up to 30 days. This means even if a user account is deactivated in your IdP, the user potentially could remain logged into Greenhouse Recruiting and still have access to your organization's recruiting data.
To prevent users from logging into Greenhouse Recruiting after they leave your company, we recommend deactivating the user account in Greenhouse Recruiting every time you deactivate a user in your IdP. Greenhouse Recruiting user accounts also can be deactivated using the PATCH: Disable User endpoint in our Harvest API.
Greenhouse Mobile
No further configuration is necessary for Greenhouse Mobile once SSO is hard-enabled. Users can access the app from unsupervised devices and we will provide a Greenhouse Recruiting session for any user/device that can log into the IdP and provide a valid SAML Response.
Once SSO has been hard-enabled, users can log into the Greenhouse Mobile app using SSO by entering their email address on the login screen. After they have submitted their email address, we will identify them as a user from your company and redirect them to your SSO login page.