SSO Setup for Microsoft Entra ID (Azure)

SAML Single Sign-On (SSO) enables users to use one set of login credentials to access multiple applications, such as Bullhorn and Email. This article will outline the steps for configuring SSO for Microsoft Entra ID (previously known as Azure). If you're looking to configure a different SSO provider, see the SSO Setup Instructions page.

Steps

In the Azure Portal, select the desired directory, or create a new one.
Open Azure Active Directory.
Open App registrations , then select New application registration.
Complete the following:
- Name: Whatever you desire, for example "Bullhorn".
- Supported account types: Single tenant
- Redirect URI:
  - Bullhorn Novo, enter "https://universal.bullhornstaffing.com/universal-login/login"
  - S-Release: enter "https://www.bullhornstaffing.com/BullhornStaffing/SAML/Login.cfm"
- Ensure drop-down is set to Web.
Select Register.
Click on the blue Add an Application ID URI hyperlink.
Click the blue Set hyperlink.
Update the App ID URI to "api://bullhornstaffing.com" and then click Save.
Navigate to API Permissions > Add a permission > Microsoft APIs > Microsoft Graph.
Enable the following:
- Delegated Permissions
  - Directory.AccessAsUser.All
  - User.Read
- Application Permissions
  - Device.Read.All: used to get and save the properties of the device object.
  - Directory.Read.All: used to get and save the properties of the device object.
  - Domain.Read.All: used to validate an associated domain with your Azure AD. It needs read access to perform and log that validation.
Select Add permissions.
Click on the blue hyperlink Name - App registrations
- In this example, Bullhorn Inc. - App registrations.
Select Endpoints.
Copy the URL in the Federation Metadata Document field.
Open a new browser and navigate to the copied URL.
Right-click anywhere on the page and select Save as... [or Save target as…], then choose to save it as an XML Document and send it through your Bullhorn ticket.
- This allows Bullhorn Support to complete the setup on their end.
- Alternatively, copy the following information from the resulting XML and send them through your Bullhorn ticket:
  - Login URL:
    <IDPSSODescriptor>
    <SingleSignOnService Location=” “> (copy the binding URL and send to Bullhorn)
  - Issuer:
    <EntityDescriptor entityID=” “> (copy the entity ID URL and send to Bullhorn)
  - Public Key (Certificate):
    <IDPSSODescriptor>
    <KeyDescriptor>
    <KeyInfo>
    <X509Data>
    <X509Certificate> (copy this certificate and send to Bullhorn. There may be more than one certificate listed. Send all to Bullhorn.)
Once the setup is complete, Support will provide you with a new URL to log in from.

SSO User Enablement

After setting up your specific provider, SSO must be enabled for each user. You can grant user access individually or in bulk with assistance from Bullhorn Support.

You must be a Bullhorn Administrator to complete these steps.

Single User

Follow these steps to grant user access individually.

Navigate to Menu > Admin > Users.
Click the Pencil icon to the left of the user to enable.
In the Account Information section, from the Identity Provider drop-down, select your new client provider.
In the new ATS Name ID field that appears, enter the Name ID of the user. Usually, this is their email address.
If the user should also have access to SSO via their mobile device, select the Separate mobile Identity Provider check box.
Click Save.

En Masse

Bullhorn can enable multiple users en masse by using a CSV file provided by you.

Navigate to Menu > Admin > Users.
Click Select an Action > Generate User List.
Change the Format to Excel 2000 and then click Generate Report.
Open the downloaded file and edit it to only include users you want enabled.
- Remove all API users or any that shouldn't have SSO access.
Rename the Login Name column to User.
Delete all other columns.
Click File > Save As.
Select This PC as the location and change the file type to CSV (Comma delimited) (*.csv).
Click Save.
Send this file to Bullhorn Support.