Recruiter Single Sign-On (SSO): Introduction to SSO

Upload by : Jayda Dunning

Recruiter Single Sign-On (SSO)
Introduction to SSO and implementation guide for:

Who this guide is for
- Account Center Administrators
- IT / House Security Professionals

Table of contents
1. Introduction to Single Sign-On (SSO)
2. Activating SSO with AAD
3. Appendix

Introduction to Single Sign-On (SSO)

What is SSO?
SSO is a way of sharing security credentials and login information between different systems. It trusts one system (e.g. Okta) to authenticate a user’s identity for another system (e.g. Recruiter).
SSO does not transfer user data to or from LinkedIn.

SSO Identity Providers (IdPs) include: [provider logos not preserved] and many more

Note: LinkedIn is SAML 2.0 certified and also supports Sign-In with Google. We currently don't support OAuth2.0 or OpenID.

Why use SSO for Recruiter?

Increased security
SSO offers the most secure way to log in to Recruiter by requiring employees to use your company’s established authentication protocols.

Centralized access control
SSO simplifies the process of blocking access to an employee’s corporate Recruiter License if they leave your company (learn more).

No need for 2FA
SSO eliminates LinkedIn’s requirement for two factor authentication.

What does log-in look like?
With SSO set up, this is the user journey when logging in to Recruiter.

Why do users still need to enter LinkedIn login credentials?
Users must log in to their LinkedIn Member Identity once a day for security purposes.
Many Recruiter product features depend upon a user's personal LinkedIn account, using shared connections, degree of connection, and candidate feedback.
To enable this, recruiters and hiring managers must ‘bind’ (connect) their personal LinkedIn account with Recruiter. Once a day, you must log in to both your Corporate Identity using SSO and your LinkedIn Member Identity using standard login.

Corporate Identity
- Controlled centrally by your employer
- Information about you and your position

Member Identity
- Controlled by you
- Information about your entire career

SSO does not solve for everything

It doesn’t speed up log-in
- Users still need to log in to their LinkedIn Profile once a day for security purposes.
- SSO adds slightly more friction, as users also need to periodically re-enter their SSO/IdP credentials (depending on the IdP session length set by the company).

It doesn’t automate user management
Admins will still need to log in to Account Center to make changes such as:
- Granting Project Creator or Hiring Collaborator licenses to users
- Updating a user's permissions, roles, or access to Account Center
- Reassigning licenses/projects from one user to another
- Revoking a user's license/permissions
- Updating a user's email, name, license/permissions settings
Learn more about managing licenses

Changing the SSO session length
SSO session length (or timeout) refers to how long LinkedIn waits before re-pinging a user's IdP/SSO provider to re-authenticate the user. The default session length (or timeout) for LinkedIn Talent Solutions SSO is 8 hours.
To change the session length, please file a support ticket.

Things to note:
- Every time LinkedIn re-authenticates a user through SSO, the user does not necessarily need to re-enter their IdP/SSO credentials. This depends on what the company sets up for their IdP session length.
- LinkedIn SSO session timeout does not impact a user’s IdP or Recruiter session timeouts.
- Neither you nor LinkedIn can check your current SSO session length. For certainty, you can request an adjustment to the session length, based on your preference.

Changing session lengths

Is a short or long SSO session length best?

Short session timeout
- A short session timeout optimizes for security.
- If an employee leaves the company, you can block access to their Recruiter license by removing or deactivating them in your IdP platform.
- However, users will be asked to re-enter their SSO credentials more frequently.

Long session timeout
- A long session timeout optimizes for usability.
- Users won’t have to re-enter their SSO credentials as often.
- However, if you want to stop a terminated employee from using Recruiter by removing or deactivating them in your IdP platform, a long session timeout is less effective. For example, if the session timeout is 30 days, and the user is removed from the IdP on day 1, they will still have access to Recruiter for another 29 days.

Deactivating users

What happens when a user leaves my organization?
If an employee leaves, the first thing your IT team should do is remove or deactivate the employee in your IdP platform.
Then, if the employee tries to access Recruiter and their SSO session has expired, login will fail as the IdP will no longer authenticate them. Note: If SSO session length is one week, the employee retains access for the full week, even if they are deactivated at the start of the week.
The Recruiter license will remain assigned to the employee until your Account Center admin parks, reassigns, or revokes it. This part is not done automatically.

Activating SSO with AAD
For help with other IdPs, see this guide

Pre-work checklist for a successful SSO implementation

IMPORTANT: Admin(s) to confirm that all users have work emails in Account Center. If users don’t have a work email, they will be locked out after SSO is activated. Work emails need to match the users’ IdP-specific emails. Refer to the Admin guide on updating user emails in Account Center.

- Confirm that your organization uses a SAML 2.0 compliant IdP (e.g. Okta, Azure Active Directory) or Sign-In with Google.
- Confirm which Recruiter dashboards will have SSO activated. Some organizations have more than one.
- Identify Account Center admin for each dashboard and any relevant internal IT point of contact. If you’re not sure who your admins are, submit a ticket to LinkedIn customer support via the Recruiter Help Center.
- To configure SSO, admins will need both IdP and Recruiter dashboard access:
  - IdP access: To arrange this, contact your IT or Security department (whoever has IdP admin/manager access), or your IdP service provider. Note that this may add extra time to your implementation.
  - Recruiter dashboard admin access: The admin will need a “Product Settings and Account Center Admin” license for each dashboard you want to enable SSO on. This can be done by either:
    - Giving your IdP Admin or Manager the license on your dashboard(s), OR
    - Transferring the relevant information from your IdP admin to a Dashboard admin to enter in Account Center
- Admin to make teams aware of upcoming changes to their Recruiter log-in. Refer to sample email.

Please note: Your organization will need to activate SSO directly. Enablement requires access to settings / permissions within your IdP that LinkedIn’s support team cannot access.

Planning your SSO implementation

Phase 1: Assemble team
- Assemble your SSO team, including your Account Center admin and IT point of contact for IdP configuration
- Review the Recruiter SSO documentation
- Share questions with your CSM and schedule an educational advisory call

Phase 2: Review
- SSO team attends a 45 minute educational advisory call with CSM
- Schedule time to perform pre-work and testing

Phase 3: Pre-work and testing*
- IMPORTANT: Update email addresses in Account Center (refer to Help Doc)
- Activate SSO in TEST Mode (IdP Only) and verify
- Send communication to end users about the upcoming changes to the Recruiter login steps (refer to sample email)

Phase 4: Activation
- Fully activate SSO

*The time required to complete pre-work and testing will depend on the number of users and the number of dashboards. You need to set up SSO for each individual dashboard. For issues, consult the FAQ

5 steps to enabling SSO
Complete these steps for each Recruiter dashboard requiring SSO

Connecting your Identity Provider
- Step 1: Log in to Account Center, download LinkedIn’s metadata, and upload it into your IdP
- Step 2: Log in to your IdP, download its metadata and upload it into Account Center

Setting up SSO
- Step 3: In Account Center, complete the settings to set up SSO
- Step 4: Grant access to LTS products for your users in your IdP

Activate SSO
- Step 5: Activate SSO in Account Center. Use Test Mode to limit usage of SSO to ensure it’s working correctly

For a step-by-step guide to setting up SSO, refer to the slides below.
For more information, see our SSO FAQ.
You may also want to refer to our Privacy and Security policies.

Step 1: Upload LinkedIn metadata from Account Center into your IdP
Part 1 of 4 – Download Account Center metadata
Download settings in XML from Account Center and upload them into Azure AD
1. Log in to LinkedIn Account Center
2. Go to the Settings tab
3. Expand the Single Sign-On (SSO) panel
4. In the box labelled “Configure your Identity provider SSO settings”, click the “Download” button to download the settings you’ll need in Azure AD in XML format
5. Save the resulting XML

Step 1: Upload LinkedIn’s Metadata from Account Center into your IdP
Part 2 of 4 – Create a new Azure AD Application
6. Navigate to the Azure AD dashboard
7. Click on Enterprise Applications
8. Click on “New Application” to create a new Azure AD application for Talent Solutions
9. Search for “LinkedIn” in the Azure AD Gallery and choose “LinkedIn Talent Solutions” from the search results
10. [Optional] Rename your application if needed
11. Click Create to create the new Azure AD Application and be taken to your new application’s Overview page to begin configuration

Step 1: Upload LinkedIn’s Metadata from Account Center into your IdP
Part 3 of 4 – Upload the Account Center Metadata XML
14. Once you create your application, click on the “set up single sign-on” tile and choose the “SAML” option
15. Configure SAML-based single sign-on by uploading the XML downloaded from Account Center. Click on “upload metadata file” on the top left
16. Locate your XML file and select “Add”.
17. The system will read your XML and open a panel with the Basic SAML Configuration in it
18. Check the information is correct and select “Save” to apply it
19. Continue to configure your SAML settings

NOTE: If you are unable to use the XML upload function in Azure AD, follow the steps on this page to edit the Basic SAML Configuration by selecting the Edit icon and copy the following fields in Account Center to their Azure AD counterparts as follows:

Azure AD field -> Account Center field
- Reply URL (Assertion Consumer Service URL) -> Assertion Consumer Service (ACS) URL
- Identifier (Entity ID) -> Entity ID

Step 1: Upload LinkedIn’s Metadata from Account Center into your IdP
Part 4 of 4 – Configure Azure AD SAML Settings
By default Azure AD uses user.userprincipalname as the Unique User Identifier. This needs to be updated to user.mail to match what LinkedIn is expecting from its users
20. Click “Edit” next to User Attributes & Claims
21. Under the top section, Required Claim, click the Unique User Identifier claim to edit it
22. On the following Manage Claim page, update the source attribute to user.mail. Hit save to apply the change.
23. [Optional] You may also add any other attributes here that you wish to send to Account Center, such as department, manager, etc

Step 2: Upload your IdP metadata into LinkedIn Account Center
Part 2 of 3 – Download Azure AD’s Metadata
We recommend the use of dynamic SSO configuration, letting the systems export XML and talk to each other. To do this:
1. Log into Azure AD, navigate to your Enterprise Applications, and select LinkedIn Talent Solutions
3. From the left-hand navigation panel select Single sign-on
4. On the Set up Single Sign-On with SAML page there is a link to generate the XML that Account Center will need called “Federation Metadata XML”
5. Note the location of the XML document once downloaded and log into Account Center

Step 2: Upload your IdP metadata into LinkedIn Account Center
Part 2 of 3 – Upload Azure AD’s Metadata into Account Center
6. Log into LinkedIn Account Center and navigate to the Settings tab
7. Expand the Single Sign-On (SSO) panel and click on “Upload XML File”
8. Upload your saved XML
9. This will populate a new panel with fields read from the XML including the Entity ID, IdP redirect endpoint and X.509 certificate
10. Click “Save SSO configuration” to apply your changes

Step 2: Upload your IdP metadata into LinkedIn Account Center
[Optional] Part 3 of 3 – Manually Configure SSO settings in Account Center
6. Under “Upload XML File” click the link “Want to input the information manually? Click here”
7. Populate the fields in Account Center with values from Azure AD as follows:

Azure AD field -> Account Center field
- Logon URL -> IdP redirect endpoint
- Azure AD Identifier -> Issuer String or Entity ID

8. Download the Certificate (Base64) and open the download in a text editor. Paste the text without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines into the X.509 Public Certificate field
9. Click Save SSO configuration
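The three values Account Center reads from the uploaded XML (Entity ID, IdP redirect endpoint, X.509 certificate) can be pulled out and checked before upload or manual entry. This is an added example, not part of the original guide or of LinkedIn's or Microsoft's tooling; the sample metadata, host names and certificate bytes are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: host, entity ID and certificate bytes are made up.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/tenant-0000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        Q09OU1RSVUNURUQtU0FNUExFLUNFUlQt
        Tk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/tenant-0000/saml2/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/tenant-0000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_pem_armor(text):
    """Return the bare base64 body: no BEGIN/END lines, no whitespace."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises ValueError if the paste was mangled
    return body


def read_idp_metadata(xml_text):
    """Extract Entity ID, HTTP-Redirect endpoint and signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    endpoints = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == REDIRECT]
    if len(endpoints) != 1 or not endpoints[0].startswith("https://"):
        raise ValueError("expected exactly one HTTPS redirect endpoint")
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [strip_pem_armor(c.text or "")
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0])  # first certificate only; rollover sets list more
    return {
        "entity_id": root.get("entityID"),
        "idp_redirect_endpoint": endpoints[0],
        "x509_certificate": certs[0],
        # Fingerprint of the DER bytes, to confirm both sides hold the same certificate.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for field, value in read_idp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

`strip_pem_armor` also accepts the text of a downloaded Base64 certificate file and returns the string to paste into the X.509 Public Certificate field.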

Step 3: Complete SSO settings in Account Center
Once configuration of your Azure AD Application and Account Center is complete, you can adjust settings within Account Center.

NOTE: Defaults are set for the most common scenarios. Consult with your in-house IT Security team about making any changes.

1. If you added User Attributes & Claims to your Enterprise Application (Step 1 Part 4) you can configure them in Account Center here

Fields to map AttributeStatements to in Account Center include:
- Building Code
- Department
- Desk Location
- Job Function
- Job Level
- Manager
- Mobile Phone Number
- Primary Email Address
- First Name
- Last Name
- Worker Status
- Worker Type
- Work Title
- Work Phone Number

Step 4: Manage employee access within your IdP
1. Follow the instructions of your IT Security team to ensure the right People or Groups have access to your Enterprise Application. This can be done in your application under “Users and groups” within your Enterprise Application in Azure AD.

Note: SSO uses work email addresses
The user’s email address in Account Center must match the employee email address in Azure AD.
If the emails don’t match, the user will be locked out of Recruiter once SSO is switched ON.
Learn more about updating user emails in Account Center.
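One way to run the email pre-work check before switching SSO ON is to compare an Account Center user list against an IdP user list and flag anyone whose address would not match the user.mail claim. This is an added example, not part of the original guide; the CSV column names and all sample rows are constructed assumptions (neither product's real export format), and treating a case-only difference as needing review is a cautious assumption, since the guide does not say how case is compared.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
ACCOUNT_CENTER_CSV = """name,email
Ana Ruiz,ana.ruiz@example.test
Ben Cho,Ben.Cho@Example.test
Cy Dee,cy.personal@mail.example
Eve Fay,eve.fay@example.test
Gus Hill,
"""
IDP_CSV = """userPrincipalName,mail
ana.ruiz@example.test,ana.ruiz@example.test
bcho@example.test,ben.cho@example.test
cdee@example.test,cy.dee@example.test
eve.fay@example.test,
"""


def classify_users(account_center_csv, idp_csv):
    """Group Account Center users by how their email relates to the IdP records."""
    idp_rows = list(csv.DictReader(io.StringIO(idp_csv)))
    mails = {r["mail"].strip() for r in idp_rows if r["mail"].strip()}
    mails_lower = {m.lower() for m in mails}
    upns_lower = {r["userPrincipalName"].strip().lower() for r in idp_rows}
    report = {"ok": [], "case_differs": [], "upn_only": [],
              "no_match": [], "missing_email": []}
    for row in csv.DictReader(io.StringIO(account_center_csv)):
        email = (row["email"] or "").strip()
        if not email:
            bucket = "missing_email"      # no work email in Account Center
        elif email in mails:
            bucket = "ok"                 # exact match with the IdP mail attribute
        elif email.lower() in mails_lower:
            bucket = "case_differs"       # same address, different letter case
        elif email.lower() in upns_lower:
            bucket = "upn_only"           # matches the UPN but not user.mail
        else:
            bucket = "no_match"           # e.g. a personal address
        report[bucket].append(row["name"])
    return report


def needs_review(report):
    """Names of every user who is not an exact match."""
    return sorted(n for bucket, names in report.items() if bucket != "ok" for n in names)


if __name__ == "__main__":
    result = classify_users(ACCOUNT_CENTER_CSV, IDP_CSV)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The `upn_only` bucket is the case Step 1 Part 4 creates: a user whose Account Center email equals their user principal name stops matching once the Unique User Identifier claim is sourced from user.mail.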

Step 5: Activate SSO in LinkedIn Account Center
The final step is to switch on SSO within LinkedIn Account Center:
1. Go to the Settings tab at the top of the screen
2. Expand the Single Sign-On (SSO) panel
3. Select either:
   - TEST Mode (IDP ONLY) to enable SSO for IdP-initiated login flows only, and still allow normal login to Recruiter via LinkedIn.com (learn more)
   OR:
   - ON to enable and require SSO for all users and login flows accessing LinkedIn Recruiter

Thank you

Appendix

Step 1 (alt): Configuring LinkedIn metadata in your IdP (manually)
If you can’t upload XML into your IdP, you can configure LinkedIn Account Center manually.
1. Log in to LinkedIn Account Center
2. Go to Settings
3. Expand the Single Sign-On (SSO) panel
4. In the Configure your Identity Provider SSO settings, select Click here to load and copy individual fields from the form
5. Log in to your IdP
6. Configure a new Application
7. On the Application Configuration, copy the values loaded in Account Center to the appropriate field in your IdP

Step 2 (alt): Configuring IdP metadata in Account Center (manually)
If you can’t download a metadata XML file from your IdP, you can configure the required fields in Account Center manually.
1. Log in to LinkedIn Account Center
2. Go to Settings
3. Expand the Single Sign-On (SSO) panel
4. Underneath the Upload XML file button, click on “Click here”
5. Copy the values for each field from your IdP
6. Click Save SSO Configuration

How often do users need to log in?

Product: LinkedIn.com
- Current session length: 365 days (fixed)
- Definition: How often users must re-enter their email and password to access LinkedIn.com (flagship)
- Can customers configure? No

Product: Talent Solutions Recruiter
- Current session length: 30 days (fixed)
- Definition: How often Recruiter requires a user to re-enter their flagship credentials
- Can customers configure? No
- Notes: If you’ve logged in to LinkedIn.com in the last 15 minutes, we won't ask you to re-enter your credentials to access Recruiter. If it's been more than 15 minutes, you will need to re-enter your LinkedIn credentials to access Recruiter.

Product: Single Sign-On
- Current session length: 8 hours (changeable)
- Definition: How often Recruiter will re-ping a user’s identity provider to re-authenticate
- Can customers configure? Yes
- Notes: To adjust the SSO session timeout, please raise a support ticket with LinkedIn. (Note: how often you have to re-enter your IdP email/password depends on the IdP session length, see below.) The default SSO session length is 8 hours. For accounts with multiple LOBs using SSO (e.g. different departments use Recruiter, Learning, or SalesNav), a user's SSO session length will depend on the last application the user accessed.

Product: Identity Provider (e.g., OneLogin, Okta, etc)
- Current session length: Differs per provider
- Definition: How often the IdP requires a user to re-enter their credentials
- Can customers configure? Yes
- Notes: You should be able to configure this through your IdP. LinkedIn cannot adjust this session length.

Note: If your users experience different session lengths, ask them to check their browser cookie settings. If cookies are disabled, they will be prompted to log in every time. Also check if they are seat sharing and/or using a different browser, as these can also affect session lengths. If the issue is still not resolved, please raise a support ticket.

Sample email to send to your employees
Comms before launching SSO set expectations for user experience when logging in.

Hi [NAME],

I hope this email finds you well. [COMPANY NAME] will be ramping a new security feature for LinkedIn Recruiter called Single Sign-On (SSO). SSO will help us boost security by acting as an extra layer of protection against unauthorized Recruiter users.

What does this mean for you?
As a Recruiter user, you’ll be asked to enter in your [IdP name] credentials before logging in to Recruiter. This extra step helps us ensure the security of our data. After you log in, you can use Recruiter as normal.

If you experience any issues logging in to Recruiter, please contact your Recruiter admin or log a ticket with LinkedIn support.

Thanks for your support,
YOUR NAME

Additional Resources
- Set up Single Sign-on for Recruiter (Help Center article)
- SSO FAQ (English)
- LinkedIn privacy policy
- LinkedIn security email: security@linkedin.com

User email updates
To update the email address of a small number of users:
- Updating a user to work email in Account Center (admin guide)
To update the email address of multiple users in bulk:
1. Assign unique user IDs to bulk manage users in Account Center
2. Edit user attributes in bulk via CSV in Recruiter
