How can we help?

CyberArk SSO integration

Laura Dominoni
Laura Dominoni
  • Updated

Plan: Enterprise

Role: Owner Admin IT manager


CyberArk helps you mitigate the risks associated with insider threats, external cyber attacks, and other security vulnerabilities that could result from unauthorized or misused privileged access. The integration with Recruit keeps your accounts secure by protecting, monitoring, and controlling privileged access to them.

  • Enforce least privilege to protect your critical business assets

  • Empower your workforce across any device or app

  • Secure credentials across DevOps pipelines

  • Stay ahead of future threats by proactively researching attacks and trends

Before getting started

  • You’ll need admin credentials for your company’s CyberArk account.

  • Provisioned teammates must have required attributes: first name and last name.

  • We recommend opening a support ticket before activating SSO. This allows us to assist quickly if deactivation is needed.

  • For easier setup, keep both CyberArk and Recruit’s Authentication & Security settings pages open side by side.

Configure integration

Create an app in CyberArk

  1. Navigate to CyberArk and log in with your admin credentials. By default, the page redirects to the user portal.

  2. From the Identity User Portal on the left-hand side, navigate to the Admin Portal.

  3. In the left-hand side menu, scroll down to Apps & Widgets and select Web apps.

  4. At the top right of the screen, click Add Web Apps. The Add Web Apps window will pop up.

  5. Navigate to the Custom tab, and on the right-hand side, scroll down to find the SAML and click Add. This will create the new app and redirect you to the app page.

     

  6. In the app settings window, select Settings from the options on the left, and under Description, type “Recruit” in the Name field. Then, click Save.

     

  7. From the options on the left, select Permissions and click Add.

  8. Check Run and Automatically deploy for all users who need access to Recruit. Now, the app status will change to Deployed.

  9. Now, from the options on the left, select Trust. In the Metadata details, expand the Single Sign On URL dropdown. You’ll need the URL and the XML for the next step.

  10. In Recruit, from your avatar at the top right, go to Settings > System > Authentication & Security.

  11. Scroll down to Single Sign-On, find CyberArk on the list, and click Connect.

  12. Copy the Single Sign On URL value from CyberArk to the SAML SSO URL field in Recruit.

  13. Click Copy XML in CyberArk and paste the value into the Metadata XML field in Recruit.

  14. In CyberArk, scroll down to the Service Provider Configurations and check the Manual Configuration option.

    1. Copy ACS URL from Recruit to Assertion Consumer Service (ACS) URL on CyberArk.

    2. Copy Entity ID from Recruit to SP Entity ID / Issuer / Audience on CyberArk.

    3. Under Sign Response or Assertion?, check Both.

Set up provisioning

Provisioning is an automated process that ensures that users in your CyberArk directory are synced with Recruit.

⚠️ Important: Users must have a first and last name to be provisioned in Recruit.

  1. In your app configuration in CyberArk, navigate to Provisioning and click Enable provisioning for this application. A set of configuration options will display.

    1. Type https://app.comeet.co/scim/ in the SCIM Service URL field.

    2. Copy the Secret Token for your company from Recruit and paste it in the Bearer Token field in CyberArk.

    3. Click Verify. This process can take a couple of minutes. If the verification process is successful, an additional set of provisioning options will be displayed. You can edit this as necessary.

  2. Click Save.

Add roles for users to be provisioned in Recruit

  1. In the left-hand side menu, scroll down to Core services > Roles.

  2. Choose the role you want to add and click Add Role.

  3. Back in your app configuration in CyberArk > Provisioning, click Add to add the role to the mappings list.

  4. Type Recruit in the destination group field and click Done.

  5. To save your app settings and finish, click Save.

Check provisioning status

  1. In the left-hand side menu, scroll down to Core services > Users and select a relevant user. The user settings window will pop up.

  2. In the left-hand side menu, select the Provisioned Applications section. If user provisioning was successful, you’ll see the status Provisioned.

Set up the SAML response script

  1. In CyberArk, navigate to Apps & Widgets > Web apps > Recruit app. From the left-hand side options, select SAML Response.

  2. Scroll down to Custom logic and copy the following script:

    setAttribute('recruit_id', UserIdentifier);
  3. Click Save.

Activate the CyberArk integration in Recruit and test it

  1. In Recruit, go to Settings > Access > Authentication & SSO.

  2. Scroll down to Single Sign-On and find CyberArk on the list. You will see a notification about teammates synced with SSO.

  3. Click Activate and confirm the activation in the pop-up that appears. Don’t navigate away or close this page.

  4. Open an Incognito window and search for app.comeet.co.

  5. Once the login screen appears, select Sign in with SSO and enter the relevant email address. You should be redirected to CyberArk to log in to your SSO. After logging in:

    1. If you are redirected to the main Recruit dashboard: Great, it works!

    2. If you are redirected to the login page, take a screenshot of what you see and send it to us, then go back to the original window where you activated the SSO and click Deactivate.

🚨 Activating the SSO will automatically log out all of your users, so we recommend running any tests at times when your team does not have interviews or can step away from the system for the few minutes it'll take to test the integration.

Invite teammates to Recruit

To invite new teammates to Recruit:

  1. Ensure the new teammate was created in the SSO system and provisioned to access Recruit.

  2. In Recruit, navigate to the Teammates page and click Add Teammate.

  3. Type the teammate's name and select it from the dropdown.

  4. Click Invite.

Sign up using SSO

There are two options to sign up using SSO:

  • Sign up from Recruit’s website – users are redirected to sign in on your company’s SSO. If they are already signed up, they will be redirected to Recruit.

  • Sign in through the list of apps in your organization (from CyberArk).

SSO activation/deactivation

SSO activation and deactivation can only be done by your IT Administrator. If the account has been deactivated through SSO, please reach out to your IT Administrator to initiate reactivation via SSO as well.

If a teammate's account has been deactivated via SSO, you will need to reassign their roles in each position. Learn how to deactivate teammates and reassign their roles here.

FAQ

What happens when an employee leaves the company?

Once the employee has been deprovisioned in the SSO system, their access to Recruit will be blocked. On the teammates page, the employee will be marked as “Deactivated by SSO”. To reassign tasks and roles of employees who no longer have access to Recruit, click on Deactivate and choose the teammate to whom you would like to assign their current tasks.

 

Have more questions? Contact us at recruit.support@sparkhire.com

Was this article helpful?

1 out of 1 found this helpful

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.