Introduction
This is a guide to setting up the SSO integration. The Emply platform is built so you as an Emply customer can set up SSO using the SAML method, without having to contact Emply Support.
Requirements for the setup
- Federation metadata URL
- Rights and access to change your AD FS configuration
- Knowledge of how to set claims in your AD
Preparation for setup
Make sure your IT staff has access to Settings > Integrations.
Create an 'IT' role in Emply under Settings > Account > Roles > select 'New role' > enter title and select 'IT' under 'Import settings'.
Usually, the HR department or the platform administrator(s) can set up rights and roles.
Emply Support is also available to provide guidance on this.
Setup in Emply
Log into your Emply solution > go to Settings > Integrations > find the 'Single Sign-On' integration and click on Activate.
A new window will open, as shown below.
Copy the 'Emply SAML 2.0 federation metadata URL'. This will be used when setting up Emply as 'Relying Party Trust' on your ADFS server / Provisioning tool (read below 'Manual setup').
The 'Default user role' should be the role with the least rights. This is usually 'Recruitment team', or 'Employee' if you have Onboarding or Talent Management.
If 'Require single sign-on' is enabled, you can only log in from your own domain/IP or via VPN.
'Show claims from SAML server' - a test mode. Turn it on while setting up, or while troubleshooting if you encounter problems after setting up. It must be turned off again afterwards.
AD FS setup
Open AD FS > go to Server Manager > click on Tools > choose AD FS Management.
Under Actions click on Add Relying Party Trust.
In the Welcome tab, choose Claims aware > then click Start.
In the Select Data Source tab > insert the Emply SAML 2.0 federation metadata URL > then click on Next.
In the next tab called Specify Display Name, enter a name in the field Display Name. Under Notes, you can enter a description of your Relying Party Trust. Then click on Next.
Under Choose Access Control Policy choose who should have access.
Under Ready to Add Trust you will have the opportunity to review the settings. Here, your Emply federation metadata URL should appear.
To add the 'Relying Party Trust' click Next.
You will then see the Finish tab where you can click on Close.
Emply is now added as a Relying Party Trust and can be found in the 'Relying Party Trust' folder.
Setting up Claim rule
In the 'Relying Party Trust' folder, click on 'Edit Claim Issuance Policy' for 'Emply'.
Here, click 'Add rule'. Continue by clicking 'OK'.
The Choose Rule Type tab will open.
Claim rule template:
Choose 'Send LDAP Attributes as Claims'
Click on Next.
Then, you will see the Configure Claim Rule tab, where you can choose E-Mail-Addresses for both LDAP Attribute and Outgoing Claim Type.
Next, click Finish.
Finally, you will be redirected to 'Edit Claim Issuance Policy for Emply', where you click on Apply and OK.
You can now test your login on your [customer].emply.com solution.
Be aware that the AD user should also be a user in Emply.
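The AD FS wizard steps above (relying party trust plus the e-mail claim rule), scripted in PowerShell as an added example that is not part of Emply's guide. It assumes AD FS on Windows Server 2016 or later; the display name 'Emply', the rule name and the 'Permit everyone' access control policy are assumptions to replace with your own choices.

```powershell
# Added example, not from Emply's guide. Run in an elevated session on the AD FS server.
param(
    # The 'Emply SAML 2.0 federation metadata URL' copied from the Emply integration window.
    [Parameter(Mandatory)] [string] $MetadataUrl,
    [string] $Name = 'Emply',                               # assumed display name
    [string] $AccessControlPolicyName = 'Permit everyone'   # assumed; choose who should have access
)
$ErrorActionPreference = 'Stop'
Import-Module ADFS

# Metadata carries the relying party's endpoints and certificates, so only accept it over HTTPS.
if (([Uri]$MetadataUrl).Scheme -ne 'https') { throw "Metadata URL must use https: $MetadataUrl" }

# Rule text that the 'Send LDAP Attributes as Claims' template produces for
# LDAP attribute E-Mail-Addresses (mail) -> outgoing claim type E-Mail Address.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);
'@

$existing = Get-AdfsRelyingPartyTrust -Name $Name
if ($existing) {
    # Trust already present: only (re)apply the claim issuance policy.
    Set-AdfsRelyingPartyTrust -TargetName $Name -IssuanceTransformRules $rules
} else {
    Add-AdfsRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl `
        -AccessControlPolicyName $AccessControlPolicyName -IssuanceTransformRules $rules
}

# Read the trust back, the scripted counterpart of reviewing it on the 'Ready to Add Trust' tab.
$trust = Get-AdfsRelyingPartyTrust -Name $Name
if ($trust.IssuanceTransformRules -notmatch 'emailaddress') {
    throw 'E-mail claim rule is missing from the trust.'
}
$trust | Format-List Name, Identifier, MetadataUrl, Enabled, AccessControlPolicyName, IssuanceTransformRules
```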
Troubleshooting
Test your login on your [customer].emply.com solution.
Make sure that:
- The AD user is also a user in Emply
- Claims are set up in the SSO application
Then log in with the user.
In case of an error, a message similar to the one below will appear. Fix the issue, and remember to disable 'Show claims from SAML server' in the Emply Single Sign-On integration afterwards.