AzureAD Client Setup for LiveHire SSO
This guide will assist in setting up Azure Active Directory so that users within Azure can log into the LiveHire platform using SAML2 SSO.
Requirements
In order to use Azure AD with LiveHire, you will need an Azure Active Directory instance. Optionally this can be backed by an on-premises Active Directory. LiveHire supports both hybrid Azure AD and native Azure AD.
Step 1. Company Subdomain
SSO requires that your users access LiveHire via a custom subdomain which is specific to your company account. Please speak to your Customer Service Manager to agree on a company subdomain and have it configured.
Once the subdomain is configured, your users will only be able to access the LiveHire platform via the subdomain and not the typical https://www.livehire.com URL.
The subdomain must consist only of alphanumeric characters and start with a letter.
E.g.: “testingcompany”
From then on your users will be directed to log in to https://testingcompany.livehire.com
Your chosen subdomain must be created by LiveHire. Please liaise with your Delivery Consultant or the LiveHire Support team to initiate this process.
Step 2. Azure AD Application Registration
From inside your Azure Active Directory, select “Enterprise applications” on the left-hand side. This will bring up a list of the applications (if any) that you have connected via SSO. Select “New application” from the top bar to begin creating the LiveHire SSO connection:
You will need to then select “Create your own application” from the top.
Select a name for this new app registration and click “Create” at the bottom.
Step 3. SSO and Claims setup
Once created, you should get an overview like below.
From here we can proceed to “Set up single sign on”:
On the next screen, select the “SAML” option.
There are two sections to fill out on this next screen. The first section should be filled out with the URL you have been given by LiveHire, which is specific to your company. In the example below our company is called “demo2”; you should enter the company subdomain that was provided in Step 1.
Now we need to hit the edit button for section 2 - “User Attributes & Claims”.
Add/Delete/Change the claims there until they look like this: (NB: the existing UPN claims can't be edited or removed - just add the new UPN one as below)
NB: “JobTitle” and “Mobile” are optional - your internal fields that contain this information may also be different from the screen shot below.
Before saving and closing there is one more important claim to create which controls the Role assignments within LiveHire.
This step requires that you have security groups set up in your Azure AD that correspond to each of the roles in LiveHire. The default list of roles is included below, but depending on configuration, your implementation may have more.
- LiveHire_Admin
- LiveHire_Recruiter with Reporting
- LiveHire_Recruiter
- LiveHire_Approver
- LiveHire_Hiring Manager
Your Delivery Consultant or LiveHire Support will be able to tell you the full list of roles for your scenario.
Click the “Add new claim” button one more time.
The name for this claim is “SecurityRole”, and you must expand the “Claim conditions” section at the bottom. From here you can select “Members” from the drop down, and then select your internal group that corresponds to each role.
You may have internal naming standards that dictate how your internal groups are named. By using these conditions, we are able to transform from your internal naming standards to the values that LiveHire recognizes.
The source for each group definition should be “Attribute”, and then a static value provided for each group. Capitalisation and spacing are important, so the values should be entered exactly as below. Once this is done, hit “Save”.
Step 4. Federation Metadata URL
Back on the main SAML page, within section 3, you will need to hit the blue “Copy” button next to the App Federation Metadata Url. An existing user with the Admin user role in LiveHire can finalise the SSO setup via the SSO Settings area. Alternatively, this URL can be sent to your Delivery Consultant or LiveHire Support in order to complete the setup on the LiveHire side.
Step 5. Saving SSO Settings Via the Admin Console
- Navigate to the Admin Console and then click the Company Settings tile.
  If your account has the correct permissions, you will see a button labeled "SSO Settings" in the upper right-hand corner of the page. If you do not see this, contact your Delivery Consultant or LiveHire Support to enable this feature.
- Click the SSO Settings button. If you're setting up SSO for the first time, click the Add SSO Config button. To edit an existing SSO config, click the row that you would like to edit.
- To enable SSO, tick the Sub-Domain Enabled and SSO Enabled boxes, choose your ID Claims Policy, copy/paste your Metadata URL into the URL to SAML2 config XML field, and click the Add button.
Everything should now be switched over to using SSO for login and role assignment. To allow staff to access LiveHire, just add them to the appropriate group that corresponds with the LiveHire role.
To revoke access, just remove the account from all LiveHire groups. LiveHire will not allow a login unless the account is a member of one of those groups configured in the SecurityRole claim.
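To confirm the SecurityRole claim from Step 3 before relying on it for access control, you can decode a test login's SAML assertion and check the emitted values against the role list. The following is an added example, not LiveHire or Microsoft code: the sample assertion is constructed, the function name is hypothetical, matching on the last path segment of the claim name is an assumption, and it checks values only (it does not verify the assertion's signature).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default role values listed in Step 3; your implementation may have more.
LIVEHIRE_ROLES = {
    "LiveHire_Admin",
    "LiveHire_Recruiter with Reporting",
    "LiveHire_Recruiter",
    "LiveHire_Approver",
    "LiveHire_Hiring Manager",
}

# Constructed sample: attribute statement of a decoded test assertion (not real data).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="SecurityRole">
      <saml:AttributeValue>LiveHire_Recruiter</saml:AttributeValue>
      <saml:AttributeValue>livehire_admin</saml:AttributeValue>
      <saml:AttributeValue>LiveHire_HiringManager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_security_roles(assertion_xml, allowed=LIVEHIRE_ROLES):
    """Return (valid, problems) for the SecurityRole claim in an assertion."""
    root = ET.fromstring(assertion_xml)
    valid, problems = [], []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        # Assumption: the claim name may carry a namespace URI, so compare the last segment.
        if attr.get("Name", "").rsplit("/", 1)[-1] != "SecurityRole":
            continue
        for node in attr.iterfind("saml:AttributeValue", SAML_NS):
            value = node.text or ""
            if value in allowed:
                valid.append(value)
                continue
            # Suggest the role this was probably meant to be, ignoring case and spacing.
            squashed = "".join(value.split()).lower()
            near = [r for r in allowed if "".join(r.split()).lower() == squashed]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            problems.append(f"unrecognised role {value!r}{hint}")
    if not valid:
        problems.append("no recognised role: the guide states login is not allowed")
    return valid, problems
```

Running `check_security_roles(SAMPLE_ASSERTION)` accepts only `LiveHire_Recruiter` and flags the two values whose capitalisation or spacing differs from the list; an assertion with no SecurityRole values reports the revoked-access case.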