How can we help you?

Employee ID Login Method for SSO

all_tiers.png

Greenhouse Recruiting provides your team with the ability to log in via Single Sign-On (SSO). With SSO enabled, your users can access your organization’s Greenhouse Recruiting account through your Identity Provider (IdP) of choice. To learn more about enabling Single Sign-On, please click here.

Greenhouse Recruiting uses Email Address as the default login method, but organizations with an Expert subscription can opt to use Employee ID as the login method instead.

In this article, we will cover:

 

Employee ID Login Method Requirements

The following requirements apply to organizations using Employee ID for the login method: 

  • Your SSO must be configured to provide an Employee ID. 
  • The SAML response from your IdP must include an Employee ID.

Before hard-enabling your SSO configuration, be sure to confirm the following:

  • All users in your IdP directory have an Employee ID value.
  • Your SAML response for the Greenhouse Recruiting application contains the attribute User.EmployeeID. 

 

Employee ID Login Method Rules

  • If there is not a User.EmployeeID attribute in the SAML response, or if there is no email address in the SAML response, the login attempt will fail. 
  • If there is a User.EmployeeID attribute in the SAML response and the value in that attribute matches a user in Greenhouse Recruiting: 
    • If the email address in the SAML response exists in Greenhouse Recruiting on a user with an Employee ID that matches the Employee ID in the SAML response, the user will be logged into their existing account.
    • If the email address in the SAMLResponse does not exist in Greenhouse Recruiting, the user will be logged into their existing account with a matching Employee ID, and the new email address will be added to the user.
    • If the email address in the SAML response matches a user in Greenhouse Recruiting that has a different Employee ID than the Employee ID in the SAML response, the login attempt will fail with the following error message: Invalid SAML Response: Employee ID does not match e-mail address.

  • If there is a User.EmployeeID attribute in the SAML response and the value in that attribute does not match a user in Greenhouse Recruiting:
    • If the email address in the SAML response also does not exist in Greenhouse Recruiting, a new user will be created with the Employee ID and email address from the SAML response.
    • If the email address in the SAML response already exists in Greenhouse Recruiting:
      • If the email address is on a Greenhouse Recruiting user with no Employee ID, the user will be logged into their existing account with a matching email address, and the Employee ID will be added to the user
      • If the email address in the SAML response matches a user in Greenhouse Recruiting that has a different Employee ID than the Employee ID in the SAML response, the login will fail with the error message: Invalid SAML Response: Employee ID does not match e-mail address.

Employee_ID_login_method.png

 

Use Cases for Employee ID Login Method

Organizations with a large number of Greenhouse Recruiting users sometimes prefer this method as a way to simplify user account management when email address changes occur. 

Example: A user at your organization might change their first or last name and update their email address to reflect the change.

If your organization uses the Email login method, when the user attempts to sign into Greenhouse Recruiting with the new email address, your IdP's SAML response will confirm the email address, but we will not see that email address associated with an existing Greenhouse Recruiting user account. As a result, we will create a new (duplicate) user account for that individual.

If your organization uses the Employee ID login method, we will check for the user's Employee ID in the SAML response. If we receive an Employee ID that is associated with an existing Greenhouse Recruiting user account, we will log the user into that account, as well as associate the updated email address with the existing user account.