Azure AD SSO Setup

Updated by Amy Thomas

Parameters Needed 

Criteria Provided Parameters 

  1. Entity ID (Audience URI)    
    1. urn:amazon:cognito:sp:us-east-1_tkdHRnjPD 
  2. Assertion Consumer Service URL 
    1. https://hireselect.auth.us-east-1.amazoncognito.com/saml2/idpresponse 
  3. First-Time Sign-On URL/BookMark: 
    1. Once Soft-Enabled, Criteria CSM to provide customer with following link to include their unique company account ID. Customer must login via this link and not through their service provider):  
    2. https://hireselect.criteriacorp.com/?companyAccountId=<companyAccountId> 
  4. Our Required SAML Attributes 
    1. First Name 
    2. Last Name 
    3. Email Address 
  5. Optional SAML Attributes 
    1. Job Title 
    2. Idp Immutable Global Unique Identifier (Varies by Idp)  
    3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/isDevelopOnly
      1. This will dictate whether the user only has access to your Develop account when they sign in for the first time via SSO, provided they don't already have access to your Criteria recruitment account.
      2. The values for this attribute are either 0 or 1. If the user will only have access to your Develop account and not your Criteria recruitment platform account, select 1. If the user is to have access to both your Develop account and your Criteria recruitment account, select 0.

What we need from you

  1. Federation Metadata Document endpoint URL (Can also be an XML Document but URL preferred) 

 

Step-By-Step Guide

Create an Azure SAML Application 
  1. Visit the Azure Active Directory Page on your Azure Portal 

  

  1. In Active Directory Menu Blade click on Enterprise Applications 
  2. Select New Application at the top left 
  1. Select Non-gallery application and type in HireSelect as the application name 
  1. Edit the SSO Configuration 
  2. On the App Overview screen select Set up single sign on
  1. Select SAML 
  1. Click to Edit the Basic SAML Configuration 
  1. For the Identifier (Entity ID) field enter  urn:amazon:cognito:sp:us-east-1_tkdHRnjPD 
  2. For the Reply URL (Assertion Consumer Service URL) field enter https://hireselect.auth.us-east-1.amazoncognito.com/saml2/idpresponse 
  3. For the Sign on URL enter https://hireselect.criteriacorp.com/SSO?companyAccountId=<companyAccountId
  4. Click Save 
  1. Click to Edit the User Attributes & Claims 

  1. Change the name identifier format to Persistent and the Source Attribute to user.objectid 
  2. Click Save 
  3. Edit the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim value to user.userprincipalname 

 

  1. Add another claim with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/identifier And set the value to user.objectid 

Download the SAML Metadata URL 
  1. On the Single Sign-On Screen copy the App Federation Metadata URL and send this to our Support Team.

Next Steps

Our team will update your Criteria account and advise once we are ready to begin testing the integration. For next steps, please continue to our SSO How-to Guide.

PLEASE NOTE: The terminology for the attributes for your company may not be an identical match to the attribute names in the SSO setup page. In that case, you can input the most closely related attribute on your end. For example, If the attribute on the SSO setup page lists “givenname” you can input the user’s first name.  


How did we do?