Applicant SSO Through SAML

Talent Platform supports Applicant Single Sign-On (SSO) through SAML, designed specifically for enterprise customers that require authentication via an Identity Provider, often a requirement set by Information Security teams. (An Applicant, also called a Candidate or Talent, is the customer's talent: the person applying or hired for the job.) This functionality is delivered through an integration with WorkOS, providing a secure, enterprise-grade solution that remains easy to configure during implementation.

Enabling Applicant SSO in Talent Platform

Enabling Applicant SSO Integration

  1. As an Administrator, navigate to Configuration > Settings > Integrations.

  2. Toggle the switch On to enable Applicant SSO Through SAML.

  3. Click the arrow next to Applicant SSO Settings to expand additional options.

  4. Click the arrow next to Single Sign-On Portal.

  5. In the text box, enter the SSO login URL provided by the customer.

Enabling Restrict Login to SSO

Some enterprise customers may require stricter security controls that prevent applicants from signing in with a username and password. Talent Platform supports this by allowing you to restrict login access to SSO only.

  1. As an Administrator, navigate to Configuration > Settings > System Settings > Onboarding.

  2. Ensure Applicant SSO Through SAML is enabled.

  3. Confirm a value is entered for the Single Sign-On Portal setting.

  4. Toggle Restrict Login to SSO to On.

  5. Click the arrow next to Restricted Login SSO Settings to expand the section.

  6. Enter a Single Sign-On Log Out URL, if provided by the customer.

When Restrict Login to SSO is enabled, applicants who visit the standard login page are automatically redirected to the URL entered in the Single Sign-On Portal setting. This streamlines the experience by skipping a page that would offer only an SSO login option.

Enabling the Applicant SSO Adapter

  1. As an Administrator, navigate to Configuration > Settings > System Settings.

  2. In the Applicant SSO section, ensure Applicant SSO Through SAML is enabled.

  3. Click the arrow to expand Applicant SSO Settings.

  4. Click the arrow next to Integration Properties.

  5. In the Organization ID field, enter the customer’s WorkOS Organization ID.

    This ID begins with org_ followed by a long alphanumeric string (e.g., org_01EHZNVPK3SFK441A1RGBFSHRT).

Limitations of Applicant SSO Through SAML

  • Email Address Required for Account Association

    • Applicant accounts must be linked to their email address. Associating accounts using a phone number or username is not supported, as SAML sessions require an email attribute.

  • Just-in-Time (JIT) Provisioning Not Supported

    • Applicants cannot be automatically created upon first sign-in. Instead, their records must be created ahead of time through an API request, after the applicant has been provisioned in the customer’s identity provider.

  • Bullhorn ATS Cannot Be Used as an Identity Provider

    • Talent Platform does not support Bullhorn ATS or Candidate records as identity providers. While Bullhorn Identity supports candidate SSO via OpenID Connect (OIDC), Talent Platform requires SAML for Applicant SSO.
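Because accounts are matched on email and are not created at first sign-in, it helps to reconcile applicant records against the identity provider before turning on Restrict Login to SSO. The script below is an added example, not Talent Platform or WorkOS code: the dictionary keys, the exported record shape, the case-insensitive email comparison and the https check are assumptions made for illustration, and the sample data is constructed.

```python
import re
from urllib.parse import urlparse

ORG_ID = re.compile(r"org_[0-9A-Za-z]+")  # shape described on this page

def norm(email):
    # Assumption: emails are compared case-insensitively.
    return (email or "").strip().lower()

def settings_problems(cfg):
    """Check a settings snapshot (hypothetical keys) before restricting login to SSO."""
    problems = []
    portal = cfg.get("sso_portal_url") or ""
    if not cfg.get("applicant_sso_enabled"):
        problems.append("Applicant SSO Through SAML is off")
    if not portal:
        problems.append("Single Sign-On Portal is empty")
    elif urlparse(portal).scheme != "https":
        # Added hardening check, not a requirement stated on this page.
        problems.append("Single Sign-On Portal is not an https URL")
    if not ORG_ID.fullmatch(cfg.get("organization_id") or ""):
        problems.append("Organization ID is not org_ followed by alphanumerics")
    return problems

def reconcile(applicants, idp_emails):
    """Report who could not sign in once username/password login is removed."""
    idp = {norm(e) for e in idp_emails}
    by_email = {norm(a["email"]): a["id"] for a in applicants if norm(a.get("email"))}
    return {
        # Phone/username association is unsupported: no email means no SSO match.
        "no_email": sorted(a["id"] for a in applicants if not norm(a.get("email"))),
        # Record exists, but the customer has not provisioned the user in the IdP.
        "not_in_idp": sorted(i for e, i in by_email.items() if e not in idp),
        # No JIT provisioning: IdP users with no pre-created applicant record.
        "no_record": sorted(idp - by_email.keys()),
    }

# Constructed sample data.
SETTINGS = {"applicant_sso_enabled": True,
            "sso_portal_url": "http://sso.example.com/login",
            "organization_id": "org_01EHZNVPK3SFK441A1RGBFSHRT"}
APPLICANTS = [{"id": "A1", "email": "dana@example.com"},
              {"id": "A2", "email": None, "phone": "+15550100"},
              {"id": "A3", "email": "Lee@Example.com"},
              {"id": "A4", "email": "sam@example.com"}]
IDP_EMAILS = ["dana@example.com", "lee@example.com", "noor@example.com"]

if __name__ == "__main__":
    print(settings_problems(SETTINGS))
    print(reconcile(APPLICANTS, IDP_EMAILS))
```

An empty result from both functions means the prerequisites listed above are met and every applicant record has a matching identity provider user.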