Why is this important?
One-click access to everything!
SAML Single sign-on (SSO) enables users to log in to Job Ready and all related systems, whilst maintaining a central identity.
With SSO, users can access all of the applications they need with one set of login credentials, eliminating the need to remember a unique password for each different account.
SAML SSO provides the following benefits:
- Improved experience for users: Reduces the time spent signing on multiple times.
- Improved security: Asking your users to remember only one password decreases their chance of making risky decisions, such as reusing passwords across multiple platforms.
- Ability to set the password change cycle: Job Ready requires users to renew their passwords annually, meeting standard requirements. However, SAML SSO lets you decide if you want a more frequent password expiry to meet your preferences.
How it works
Job Ready provides a SAML 2.0 compliant Service Provider interface.
This allows your users to log in to Job Ready by authenticating with your corporate Identity Provider. The SAML assertion returned to Job Ready will include the user's email; if that email is associated with a valid user account, the user is logged in.
How to set up SAML SSO
You will need:
- SAML SSO enabled by Job Ready - contact Freshdesk Support to facilitate this.
- Azure Active Directory, or Azure AD Premium (license required)
- Job Ready Administrator privileges
- Log in to your Azure Active Directory.
- Select Enterprise Applications in the left-hand main menu > All Applications > New Application > Non-gallery application.
- Give your application a name related to the Application that you will be configuring.
- In the application record you just created, under Manage, click Single Sign-on.
- Select SAML-based Sign-on.
- In Job Ready, navigate to Admin Settings > SAML SSO. In Azure Active Directory, click the Edit button next to Basic SAML Configuration to copy and paste the Service Provider Entity ID, Assertion Consumer Service URL and Sign-on URL fields from Job Ready into Azure.

| Copy from Service Provider Details | Paste into 1. Basic SAML Configuration |
| --- | --- |
| Service Provider Entity ID | URL Identifier (Entity ID) field |
| Assertion Consumer Service URL | Reply URL field |
| *Job Ready URL | Sign-on URL field |

*Enter this as your Job Ready URL with /saml on the end.
- In the Preview window, under 3. SAML Signing Certificate, click Download on 'Federation XML Data'.
- Go back to Admin Settings > SAML SSO in Job Ready.
- Select Choose File to upload the Azure Federation XML Data file you just downloaded to the Job Ready SAML SSO Identity Provider Metadata (IdP) field.
- Select Force SSO, if applicable.
The Force SSO button restricts users to logging in via SSO only. If the button is not selected, users can log in either with username and password or via Single Sign-on.
- Go back to Azure Active Directory, navigate to the left-hand menu, and select Users and Groups.
- Add your users that correspond to your existing Job Ready user list, with matching emails.
You are ready to start using SSO!
The Single Sign-on button on the Job Ready login portal should now be visible.
When a user clicks on this link, they will be redirected to authenticate with Azure. They will not need to authenticate again once this is complete.
Is Job Ready returning an Invalid Signature on SAML Response error when attempting to sign in using SSO? Try these steps:
Open the Job Ready Enterprise Application in your Azure Active Directory.
Open the SAML Signing Certificate list by selecting the SAML Signing Certificate heading's Edit icon (a pencil).
Ensure there is only one active signing certificate on that list. Back up and delete any extra certificates.
Download the Federated Metadata XML file and upload it in the Job Ready SAML SSO admin section.
Ensure that the remaining steps are completed according to the Job Ready SAML SSO Configuration guide.
Log in to Job Ready via SAML SSO.
If you continue to experience issues after attempting these troubleshooting steps, please contact our team at Zendesk Support where we can investigate the issue further.
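The "only one active signing certificate" condition from the troubleshooting steps can be checked on the downloaded metadata file before uploading it. This is an added example, not Job Ready or Microsoft code; the function names and the sample metadata (with placeholder certificate bytes) are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_fingerprints(metadata_xml):
    """Return SHA-256 fingerprints of the distinct IdP signing certificates."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("metadata must not contain a DOCTYPE")
    root = ET.fromstring(metadata_xml)
    seen = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute may be used for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:
                seen.append(fp)
    return seen

def check_metadata(metadata_xml):
    """Summarise whether the metadata meets the one-certificate condition."""
    count = len(signing_cert_fingerprints(metadata_xml))
    if count == 0:
        return "no signing certificate found"
    if count > 1:
        return f"{count} signing certificates: remove extras in Azure and re-download"
    return "ok: exactly one signing certificate"

def sample_metadata(cert_blobs):
    """Build constructed metadata; cert_blobs are placeholder bytes, not real certs."""
    kds = "".join(
        f'<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{base64.b64encode(b).decode()}</ds:X509Certificate>'
        f'</ds:X509Data></ds:KeyInfo></KeyDescriptor>' for b in cert_blobs)
    return (f'<EntityDescriptor xmlns="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example/constructed"><IDPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{kds}</IDPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    print(check_metadata(sample_metadata([b"constructed-cert-A"])))
    print(check_metadata(sample_metadata([b"constructed-cert-A", b"constructed-cert-B"])))
```

To check a real download, read the file's text and pass it to `check_metadata`; the fingerprints it counts are computed over the decoded certificate bytes, so the same certificate listed twice is counted once.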