SAML
Written by Jordan Sherer
Updated over 10 months ago

SSO

Pillar integrates with any SSO provider over SAML.

To integrate, you will need to configure a SAML 2.0 Application in your identity provider using the Pillar metadata:

Single Sign in URL

Audience URI (SP Entity ID):

Name ID Format: EmailAddress

Attribute Statements:

name, Basic: user.firstName + " " + user.lastName

If you would like to assign the Pillar admin role to users based on your identity provider groups, you can do so with a SAML "role" claim:

Attribute Statements:

role, Basic: "Admin" or "Interviewer"

An example SAML Assertion should look similar to:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id6705107957415523935299808" IssueInstant="2022-11-08T13:27:12.687Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk6w5f2q5paSojzt5d7</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">employee@domain.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2022-11-08T13:32:12.687Z" Recipient="https://auth.pillar.hr/__/auth/handler"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2022-11-08T13:22:12.687Z" NotOnOrAfter="2022-11-08T13:32:12.687Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://app.pillar.hr</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2022-11-08T13:27:12.687Z" SessionIndex="id1667914032685.1686544979">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FirstNameHere LastNameHere</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
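
To confirm that an assertion previewed from your identity provider has the layout described above, you can run a check like the following. This is an added example, not Pillar's code: it assumes the Audience and Recipient values shown in the example assertion and exact matching of the two role values, and the function name and sample are hypothetical. It inspects layout only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed SP values, copied from the example assertion on this page.
EXPECTED_AUDIENCE = "https://app.pillar.hr"
EXPECTED_RECIPIENT = "https://auth.pillar.hr/__/auth/handler"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"Admin", "Interviewer"}  # assumed to be matched exactly

def check_assertion(xml_text):
    """Return a list of layout problems; an empty list means the assertion matches."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("s:Subject/s:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    scd = root.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_RECIPIENT:
        problems.append("Recipient does not match the Single Sign in URL")
    audiences = [a.text for a in root.findall(".//s:AudienceRestriction/s:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience does not match the SP Entity ID")
    attrs = {}  # attribute name -> list of stripped values
    for a in root.findall("s:AttributeStatement/s:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("s:AttributeValue", NS)]
    if not any(attrs.get("name", [])):
        problems.append("name attribute is missing or empty")
    for role in attrs.get("role", []):  # the role claim is optional
        if role not in ALLOWED_ROLES:
            problems.append(f"role value {role!r} is not Admin or Interviewer")
    return problems

# Constructed sample: correct layout except for a lower-case role value.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">employee@domain.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://auth.pillar.hr/__/auth/handler"/>
    </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>https://app.pillar.hr</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="name"><saml2:AttributeValue>First Last</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="role"><saml2:AttributeValue>admin</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

print(check_assertion(SAMPLE))
```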

After configuring the application, you will need to share with Pillar these values from your Identity Provider:

  • Identity Provider Issuer (Your Entity ID)

  • Identity Provider SSO URL (Your Entity Login URL)

  • X.509 Signing Certificate (Your Entity Cert)
