Third-Party SAML | Marketplace Partner
How can I use a third-party SAML with BambooHR?
Purpose: To help you understand what you can use SAML for and how you can integrate a third-party SAML with BambooHR.
Third-Party SAML
An overview from BambooHR® Marketplace:
Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Installing this app in your BambooHR account will enable you to configure single sign-on between your identity provider and BambooHR (as the service provider) using SAML 2.0.
You can learn more about SAML in BambooHR® Marketplace.
By installing this app in your BambooHR account, you enable BambooHR as a service provider for SAML, web-based single sign-on (SSO). After installing, you can save the SAML endpoint URL and SAML certificate information given to you by your SAML identity provider (OneLogin, Okta, etc.). Upon successful configuration, you will enjoy seamless web-based single sign-on to BambooHR from your single sign-on portal or company intranet.
To add a third-party SAML in BambooHR, navigate to Settings and select Apps. Find SAML and click Install.
Please note you must be a Full Admin user to set up this integration.
To install your third-party SAML, enter the SSO Login URL and X.509 Certificate from your SAML provider. Click Install.
Once saved, the user can log in to BambooHR by using their SAML account.
Please note that using a third-party SAML extends to the BambooHR mobile app so that users can log in to the app when using single sign-on through the third-party SAML.
You will also see the option to "allow optional email & password login." This will give employees the option to log in through the SSO provider (OneLogin, Microsoft, SAML, etc.) or type in their email and password. Please note that while this is an option, we recommend leaving it unchecked, as installing a single sign-on option will disable the 2-Step Login in BambooHR.
Making SSO an optional authentication choice while still allowing username/password authentication gives customers who are primarily looking to simplify the login experience more flexibility in how they configure and use the SSO integration. For customers whose requirements focus on enhanced security, we recommend the SSO-only option for maximum security. Authentication security will always only be as strong as the weakest option permitted.
If your SAML provider is configured with a metadata URL, use this: https://<tenant>.bamboohr.com/saml/sp_metadata.php
If your SAML provider asks for additional information, you will likely need the information below:
- Entity ID: BambooHR-SAML
- Reply URL: https://<tenant>.bamboohr.com/saml/consume.php
- Name ID: A work email address or home email address in BambooHR
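To troubleshoot a failed login against the three values above, the following added example (not BambooHR's code) decodes a SAMLResponse captured from the browser's POST to the Reply URL and lists any mismatches. The tenant name `example`, the function names and the sample response are constructed for illustration; it assumes the HTTP-POST binding and does not verify the signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "BambooHR-SAML"  # Entity ID listed on this page (case-sensitive)


def check_saml_response(b64_response, tenant):
    """List mismatches between a SAMLResponse and the service provider values.

    Diagnostic only: the XML signature and certificate are NOT verified here.
    Run it only on responses issued by your own identity provider.
    """
    acs = f"https://{tenant}.bamboohr.com/saml/consume.php"  # Reply URL
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    dest = root.get("Destination")
    if dest is not None and dest != acs:
        problems.append(f"Destination is {dest!r}, expected {acs!r}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {ENTITY_ID!r}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} does not include {acs!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append(f"NameID {value!r} is not an email address")
    return problems


def constructed_response(audience, recipient, name_id):
    """Build a minimal unsigned SAMLResponse (constructed sample, not real traffic)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{recipient}"><saml:Assertion><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
        '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the Audience, Recipient and Name ID line up with the values on this page; each string in a non-empty list names the field to correct in the identity provider's application settings.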
BambooHR supports the SAML connection within BambooHR only. This does not extend to your SAML provider. If you are experiencing trouble with your SAML connection, please reach out to your SAML provider.
If you are setting up Microsoft Azure SSO, check out this resource for more detailed instructions.