SSO Setup for Microsoft AD FS

SAML Single Sign-On (SSO) enables users to use one set of login credentials to access multiple applications, such as Bullhorn and Email. This article will outline the steps for configuring SSO for Microsoft AD FS. If you're looking to configure a different SSO provider, see the SSO Setup Instructions page.

Steps

This information is applicable to both AD FS 2.0 (Windows Server 2008) and AD FS 3.0 (Windows Server 2012 & Windows Server 2012 R2) and assumes all Bullhorn CRM users are specified by a group in Active Directory.

Deliverables to Bullhorn

Information you will provide to Bullhorn:

  • Identity-provider-initiated login URL, for example: https://adfs.company.com/adfs/ls/idpinitiatedsignon.aspx
  • SAML 2.0/WS-Federation endpoint URL, for example: https://adfs.company.com/adfs/ls/
  • Username and password of an Active Directory test user
  • AD FS token signing certificate

Disable Windows Authentication Extended Protection

  1. Launch IIS Manager on server running AD FS.
  2. On left side tree view, navigate to Sites > Default Web Site > adfs > ls.
  3. Select /adfs/ls folder and double-click the Authentication icon.
  4. Right-click Windows Authentication and select Advanced Settings.
  5. In the Advanced Settings dialog, for Extended Protection, select Off (if is not already selected).
  6. Select OK.

Perform Tasks in Active Directory

  1. In Active Directory on server running AD FS, create a Bullhorn CRM Group.
  2. Create a test user and add that user to the Bullhorn CRM Group. For example: mltest@domain.company.com
  3. Provide Bullhorn with the test user’s full username and password in Active Directory.

Save Certificate to a File

  1. In AD FS, navigate to Service > Certificates.
  2. Select token-signing certificate.
  3. Right-click View Certificate.
  4. On Details tab, select Copy to File.
  5. In Copy to File wizard, select Base-64 encoded X.5009 (.CER).
  6. Save the certificate to a file.
  7. Provide Bullhorn with the certificate file.

Configure Trust Relationships

  1. In AD FS, navigate to Trust Relationships > Relying Party Trusts.
  2. Right-click Relying Party Trusts and select Add Relying Party Trusts.
  3. At Welcome, click Start.
  4. At Select Data Source, select Enter Data About The Relying Party Manually.
  5. Click Next.
  6. Specify Display Name as "Bullhorn CRM" and select Next.

At Choose Profile

  1. Select AD FS 2.0 Profile, then click Next.
  2. At Configure Certificate, select Next.
  3. At Configure URL, click Enable Support For The SAML 2.0 WebSSO Protocol.
  4. Find your version of Bullhorn.
  5. Use your version of Bullhorn to enter in the appropriate URL into the Rely Party SAML 2.0 Service URL field:
    • For Bullhorn Novo, enter "https://universal.bullhornstaffing.com/universal-login/login".
    • For S Release, enter "https://www.bullhornstaffing.com/BullhornStaffing/SAML/Login.cfm".
  6. At Configure Identifiers, in the Relaying Party Trust Identifier field enter "https://welcome.bullhornstaffing.com".

At Choose Issuance Authorization Rules

  1. Select Permit All Users To Access This Relying Party, then click Next.
  2. At Ready to Add Trust, select Next.
  3. At Finish, click Open the Edit Claim Rules Dialog For This Relying Party Trust When Wizard Closes.
  4. Select Close.

At Edit Claim Rules For

  1. At Issuance Transform Rules tab, select Add Rule.
  2. At Choose Rule Type: set Claim Rule Template to Send LDAP Attributes As Claims, then click Next.
  3. At Configure Claim Rule:
    • In Claim Rule Name field, enter "Bullhorn Name ID".
    • Set Attribute Store to Active Directory.
    • Set first LDAP Attribute to E-Mail-Addresses and set first Outgoing Claim Type to Name ID.
  4. Select Finish.

At Issuance Authorization Rules

  1. Select Add Rule.
  2. At Choose Rule Type, set Claim Rule Template to Permit Or Deny Users Based On Incoming Claim, then click Next.
  3. At Configuration Claim Rule, in Claim Rule Name enter "Bullhorn CRM Users".
  4. Set Incoming Claim Type to Group SID.
  5. Select Browse and choose Bullhorn CRM Group.
  6. Select Finish.
  7. Select Close.

At AD FS > Trust Relationships > Relying Party Trusts

  1. Right-click Bullhorn CRM, then select Properties.
  2. At Endpoints tab, select Add. Address the following:
    • Set Endpoint type to SAML Logout.
    • Set Binding to POST.
    • In the URL field, enter "https://www.bullhornstaffing.com/BullhornStaffing/SAML/LogoutRequest.cfm".
    • In the Response URL field, enter "https://www.bullhornstaffing.com/BullhornStaffing/SAML/LogoutResponse.cfm".
  3. At the Advanced tab, set Secure hash algorithm to SHA-1.
  4. Select OK.

SSO User Enablement

After setting up your specific provider, SSO must be enabled for each user. You can grant user access individually or in bulk with assistance from Bullhorn Support.

You must be a Bullhorn Administrator to complete these steps.

Single User

Follow these steps to grant user access individually.

  1. Navigate to  Menu > Admin > Users.
  2. Click the Pencil icon to the left of the user to enable.
  3. In the Account Information section, from the Identity Provider drop-down, select your new client provider.
  4. In the new ATS Name ID field that appears, enter the Name ID of the user. Usually, this is their email address.
  5. If the user should also have access to SSO via their mobile device, select the Separate mobile Identity Provider check box.
  6. Click Save.

En Masse

Bullhorn can enable multiple users en masse by using a CSV file provided by you.

  1. Navigate to Menu > Admin > Users.
  2. Click Select an Action > Generate User List.
  3. Change the Format to Excel 2000, then click Generate Report.
  4. Open the downloaded file and edit it to only include users you want enabled.
    • Remove all API users or any that shouldn't have SSO access.
  5. Rename the Login Name column to User.
  6. Delete all other columns.
  7. Click  File > Save As.
  8. Select This PC as the location and change the file type to CSV (Comma delimited) (*.csv).
  9. Click Save.
  10. Send this file to Bullhorn Support.