1. Greenhouse Support
  2. All Recruiting topics
  3. Integrations
  4. Single sign-on (SSO)

PingOne integration

Permissions: Basic users or above, who can manage and configure SSO

Product tier: Available for Advanced and Expert subscription tiers

PingOne is a best-in-class Identity-as-a-Service (IDaaS) offering for organizations that prefer a more hands-free approach to identity and access management (IAM) for their customers and workforce.

Greenhouse Recruiting's integration with PingOne allows your organization to use PingOne to enable Single Sign-On (SSO) in your Greenhouse Recruiting account. 

In this article

Add and Configure Greenhouse Recruiting to PingOne Account with ACS URL

Navigate to your PingOne dashboard and click the My Applications tab. From the My Applications page, click Add Application Search Application Catalog

1_search_for_App.png

From the Application Catalog page, search for Greenhouse. From the Greenhouse Software panel, click Setup

2_search_for_GHR.png

On the subsequent page, fill out your SSO information. In the following fields, replace ${acs_token} with your company-specific details

  • ACS URL
  • Entity ID

Note: You can find your ACS URL in Greenhouse Recruiting under Configure > Dev Center > Single Sign-On.

You do not need to upload any metadata or certificates. You also do not need to fill in any fields that are not pre-populated. 

3_connection_configuration.png

On the next page, the values under the Identity Bridge Attribute or Literal Value must match exactly what is in the screenshot below. If the fields pre-populate with values such as SCIM.something.FirstName, this information is incorrect and must be replaced with EmailFirst Name, and Last Name as shown below. 

4_attribute_mapping.png

Click Save & Publish to complete the configuration for PingOne. 

5_finalize.png

Enable SSO in Greenhouse Recruiting

For organizations enabling PingOne with an ACS URL, once you have added Greenhouse Recruiting to PingOne and gathered the necessary information, follow the steps outlined here to finish enabling Single Sign-On in Greenhouse Recruiting.

Note: If you opt to upload your PingOne XML metadata file, the following values must be set manually in Greenhouse Recruiting: 
  • Entity ID / Issuer: Set this to the same value configured in PingOne (this will default to recruiting/greenhouse.io) 
  • Name Identifier Format: Set this to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

See additional notes below:

  • All users MUST log in through PingOne once SSO is enabled. Users will not be able to log in via the standard Greenhouse Recruiting login screen anymore, even if they already have passwords.
  • Your users will access Greenhouse Recruiting via the custom URL, which will use the company subdomain that you entered (i.e. https://my-company.greenhouse.io), if applicable.
  • If a new user has a PingOne account but not a Greenhouse Recruiting account, Greenhouse Recruiting will create a Greenhouse Recruiting user account for them automatically the first time they log in via PingOne. The user account will be created with Basic permissions. Administrators can still invite users and change permissions in Greenhouse Recruiting using our existing process.
  • Data will be unaffected. Your users will still have access to all of their existing jobs, scorecards, interviews, etc. PingOne only changes the way users log in.