SSO
Pillar integrates with any SSO provider over SAML.
To integrate, you will need to configure a SAML 2.0 Application in your identity provider using the Pillar metadata:
Single Sign in URL |
| |
Audience URI (SP Entity ID): |
| |
Name ID Format | EmailAddress |
|
Attribute Statements: | name, Basic | user.firstName + " " + user.lastName |
If you would like to assign the Pillar admin role to users based on your identity provider groups, you can do so with a SAML "role" claim:
Attribute Statements: | role, Basic | "Admin" or "Interviewer" |
An example SAML Assertion should look similar to:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id6705107957415523935299808" IssueInstant="2022-11-08T13:27:12.687Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk6w5f2q5paSojzt5d7</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">employee@domain.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2022-11-08T13:32:12.687Z" Recipient="https://auth.pillar.hr/__/auth/handler"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2022-11-08T13:22:12.687Z" NotOnOrAfter="2022-11-08T13:32:12.687Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://app.pillar.hr</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2022-11-08T13:27:12.687Z" SessionIndex="id1667914032685.1686544979">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FirstNameHere LastNameHere
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
After configuring the application, you will need to share with Pillar these values from your Identity Provider:
Identity Provider Issuer (Your Entity ID)
Identity Provider SSO URL (Your Entity Login URL)
X.509 Signing Certificate (Your Entity Cert)