Configuring SAML 2.0 for Internal Candidates in Recruitment Marketing

Recruitment Marketing uses SAML 2.0 to implement Single Sign-On (SSO) for internal candidates/employees. The benefits of single sign-on include:

  • Candidates are always identified, even without filling out a call-to-action (CTA) form.
  • You can lock content to internal candidates only.

Internal candidate SSO is achieved by way of an IdP-initiated SSO flow. This means the site login is started from within your organisation's Identity Provider (IdP) service, not from the careers site. To facilitate this, the careers site is usually configured to display a link to the IdP-initiated login page when an unauthenticated user visits the site. For more information refer to Preparing the site below.

For details required to configure this functionality on your careers site, you will need to consult your IT team responsible for your Identity Provider (IdP) service.

Preparing the site

When an unauthenticated visitor attempts to access a careers site that has been configured to require SAML 2.0 single sign-on, they will be presented with the "(403) Forbidden Page" for that site.

To prepare your site:

  1. Update the content and styling of this page as appropriate. Typically, this will involve applying the standard template and layout which has been applied to the content on that site and adding a "Welcome" message to the visitor.
  2. Add a link/button on the page that directs the visitor to the IdP initiated login page on your Identity Provider service.

An example of a styled "(403) Forbidden Page" is shown below (screenshot: 403 Example page).

Note: SAML sign-on protects the pages of the internal careers site, not the direct apply link for a job ad. If an internal applicant (who has access to the internal careers site) passes a direct apply link to an external applicant, there is no mechanism to prevent the external applicant from applying through it, because the control sits on the careers site rather than on the link itself.

Configuring Single Sign-On using SAML 2.0 for internal candidates

  1. Log into the Recruitment Marketing module.
  2. From the side menu, under Company click Settings.
  3. Under SAML click SAML 2.0 - Candidates.
  4. Either enter the IdP Metadata URL and click Save, which will automatically parse the relevant information from the metadata file, or complete the following:
    1. SP Entity ID - This should be set to the full domain name of your new website (e.g. careers.company.com), with no protocol prefix (no https://).
    2. IdP SSO Target URL - Consult your IT team.
    3. IdP Entity ID - Consult your IT team.
    4. IdP Certificate - This is the public signing certificate from your enterprise identity provider, used to verify the signature on incoming assertions; consult your IT team.
  5. Complete the following:
    1. Suggested Clock drift - the amount of clock difference tolerated when the assertion's validity window is checked. Some allowance is needed because Recruitment Marketing and the IdP systems do not share the same NTP server; keep it as small as reliably works, since a generous allowance also lengthens the time for which a captured assertion remains acceptable.
    2. Mark as internal Candidates / Employees - select this checkbox.
    3. Allow application support access to protected content - allows application support staff to view content restricted to SAML-authenticated internal candidates; check with your Implementation team before enabling it.
  6. Click the Save button to keep the settings.

If you are using the IdP Metadata URL to configure the setting, the hosting domain of the metadata URL needs to be whitelisted within the Recruitment Marketing platform. Many common services such as Okta and Entra ID (formerly Azure AD) are already whitelisted. If you nonetheless receive an error when clicking the "Save" button, contact your PageUp/Clinch representative to have them arrange for your domain to be whitelisted.

In addition to the above settings within your Recruitment Marketing system, the IT team responsible for your organisation's Identity Provider (IdP) service will need to configure a Relying Party Trust with the following information:

  • Assertion Consumer Service URL.
  • SP Entity ID - Should be set to the full domain name of your new website (e.g. careers.company.com), with no protocol prefix. The IdP places this value in the assertion's audience, so it must match the configured SP Entity ID exactly.
  • The outgoing claims should include the following attribute names, spelled exactly as shown:
    • email
    • first_name
    • last_name
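The fields step 4 asks for, and the checks a service provider applies to an incoming assertion against those settings, as an added worked example. This is not PageUp/Clinch code; the IdP hostnames, certificate bytes and assertion content are constructed placeholders. parse_idp_metadata pulls the IdP Entity ID, SSO target URL and signing certificate out of IdP metadata, which is what entering the IdP Metadata URL and clicking Save does for you. check_assertion applies the clock-drift allowance to the assertion's validity window, requires the audience to equal the bare-domain SP Entity ID, and requires the email, first_name and last_name claims listed for the Relying Party Trust. XML signature verification, which is what the IdP certificate is for, is out of scope here.

```python
# Added example, not PageUp/Clinch code. Hostnames, certificate bytes and the
# assertion below are constructed placeholders.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "careers.company.com"                     # bare domain, as the article specifies
REQUIRED_CLAIMS = ("email", "first_name", "last_name")   # claims the article lists

# Constructed IdP metadata: an encryption-only key, a wrapped signing cert, two bindings.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTIONONLYKEY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICplaceholderCertificateBase64AAAA
BBBBCCCCDDDD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion, valid 09:59:30 to 10:04:30 UTC, audience = SP Entity ID.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@company.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:30Z" NotOnOrAfter="2024-05-01T10:04:30Z">
    <saml:AudienceRestriction><saml:Audience>careers.company.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return the IdP Entity ID, SSO target URL and signing certificate (step 4 fields)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    endpoints = idp.findall("md:SingleSignOnService", NS)
    post = [e for e in endpoints if e.get("Binding") == HTTP_POST] or endpoints  # prefer HTTP-POST
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means both uses; 'encryption' keys must never verify signatures.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert = "".join(node.text.split())       # metadata usually wraps the base64
            base64.b64decode(cert, validate=True)   # reject garbage before saving it
            certs.append(cert)
    if not certs:
        raise ValueError("metadata advertises no signing certificate")
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_target_url": post[0].get("Location"),
        "idp_certificate": certs[0],
    }


def saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(assertion_xml, sp_entity_id=SP_ENTITY_ID, clock_drift_seconds=0, now=None):
    """Checks applied after signature verification (not performed here).
    Returns (problems, claims); an empty problems list means acceptable."""
    current = saml_time(now) if now else datetime.now(timezone.utc)
    drift = timedelta(seconds=clock_drift_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"], {}
    problems = []
    # Validity window widened on both sides by the configured clock drift.
    if current + drift < saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if current - drift >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience does not match SP Entity ID %s" % sp_entity_id)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if values else None
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append("missing claim %s" % name)
    return problems, claims


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    # 30 s after expiry: rejected with no drift allowance, accepted with 60 s.
    print(check_assertion(ASSERTION, now="2024-05-01T10:05:00Z")[0])
    print(check_assertion(ASSERTION, clock_drift_seconds=60, now="2024-05-01T10:05:00Z")[0])
```

The two calls at the bottom show what the clock-drift setting buys and costs: the same assertion is rejected 30 seconds after NotOnOrAfter with no allowance and accepted with a 60-second allowance. Passing sp_entity_id="https://careers.company.com" fails the audience check against the same assertion, which is why the article insists on a bare domain with no protocol.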

Restricting content to internal candidates only

  1. From the side menu, under Content click Web Pages.
  2. Click the name of the relevant web campaign.
  3. From the top right, click the Edit (pen) icon.
  4. Select the Restrict to SAML2 authenticated internal candidates checkbox.
  5. Click the Save button to keep the changes.

Managing cookie consent

Using both SAML authentication and tracking cookies on the internal careers site can cause issues. To avoid this, it is recommended to set the Data Protection Rules for cookie consent to "No cookie consent required". 

  1. From the side menu, under Company, click Settings.
  2. Under Web, click Data protection rules.
  3. Edit the relevant rule.
  4. Set the Cookie consent type to No cookie consent required.
  5. Scroll down and click Save to keep the changes.
