Overview

This article provides details about the information you provide when installing any of the Sign in with XX identity apps except 'Sign in with SAML'.  For 'Sign in with SAML', please refer to this article instead.


This article includes:

  • About automatically installed identity apps
  • Password considerations
  • Pre-install requirements
  • Install steps
  • After installation

About automatically installed identity apps

When you (the owner) created your tenant, one identity app was automatically installed for you.  It's important that you understand the restrictions of this auto-installed app:

  • Which app was installed depends on the way you created your TAS 'Owner' account - whichever sign in method you used is automatically added for 'User' principal types using the Aotal default settings. For example, if you created your owner account using the 'Sign in with Google' app, then the identity app automatically installed will have been the 'Sign in with Google (Users)' app.
  • The identity app automatically installed for the tenant is set up with a restriction in place to allow ONLY YOU to use the identity app to sign in.  You will need to reinstall the app with different settings if you want other people to sign in to the store front or any apps using this sign in method.
  • The identity app automatically installed for the tenant uses the default Aotal settings, which means the Aotal name and logo will appear when people are asked to authorize the app to use their info.  If/when you reinstall this identity app, you can use your organization's information so that it appears on authorization screens instead of Aotal's (refer below).

TIP:  You can check if an identity app was auto-installed at the time the tenant was created by looking for the associated email address which will appear at the bottom of the 'Manage' tab within the app.


Password considerations

Before installing any Sign in with XX identity apps for your tenant, it is important to understand the impact this has on people using the app and on how they reset their password in the future.  For example:

  1. Sign in with Email:  The password is stored within the applicable app/system it is linked to within your tenant.  Any password reset features previously controlled by the app/system where the password is stored are no longer used (even though they may still be visible within that app/system).  Instead, the password reset function is controlled completely by the Sign in with Email app - that is, people can reset their password by clicking on the 'Forgot password' link within the Sign in with Email app.
  2. Sign in with Facebook:  The password is managed by Facebook - if the person needs to change their password, they do so directly within their Facebook account not via the app in your tenant.
  3. Sign in with Google+:  The password is managed by Google - if the person needs to change their password, they do so directly within their Google+ account not via the app in your tenant.
  4. Sign in with LinkedIn:  The password is managed by LinkedIn - if the person needs to change their password, they do so directly within their LinkedIn account not via the app in your tenant.
  5. Sign in with Microsoft:  The password is managed by Microsoft - if the person needs to change their password, they do so directly within their Microsoft account not via the app in your tenant.


Pre-install requirements

This section applies to all of the Sign in with XX apps except for 'Sign in with Email'.  


Before you can install the app for a tenant, you need to obtain this information:

  • OAuth Client ID - This is the unique id for the identity provider for your organization.  When this is used, the authorization screen that presents to people using the app will include your organization name and logo.  
  • OAuth Client Secret - This is the secret key for the identity provider for your organization.  When this is used, the authorization screen that presents to people using the app will include your organization name and logo. 

TIP:  If you leave the above information blank when installing the app, the default Aotal Ltd account is used.  This means that the authorization screen presented to people using your Sign in with XX app will default to 'Aotal Ltd...' instead of your organization name, and the Aotal logo will appear instead of your organization logo.


How you obtain the OAuth Client ID and OAuth Client Secret varies depending on the identity provider.  For more information, please review the applicable article:

  • Setting up your organization identity in Facebook
  • Setting up your organization identity in Google+
  • Setting up your organization identity in LinkedIn
  • Setting up your organization identity in Microsoft
  • If you require assistance to set up your organization with any other identity providers, please contact Support.

  • Internal candidates - if you are going to recognize candidates as internal by the email address they used to sign in, obtain all of the email address formats your organization will need to recognize (e.g. @aotal.com, @aotal.co.nz etc).
  • IP address - If you are only going to allow sign in with the app if the person is accessing it from a specific IP address (e.g. your office), obtain the IP address that you want to restrict by (please note that at this time only one IP address can be specified - no IP address ranges or multiple lists).
  • Login restriction - If you are only going to allow access via this app to people who have an email address from your organization (e.g. @aotal.com), obtain all of the email address formats your organization will need to recognize to allow sign in (e.g. @aotal.com, @aotal.co.nz).


Install steps

When installing one of the Sign in with XX apps, you will be required to complete the prompts described below.


Principle type

  • This is the only required field when installing the app - select the principal type of person who will be using this app.


OAuth Client ID

  • Please note that this field does not appear on the 'Sign in with Email' app (as this app does not look to an external identity provider for sign in credentials).
  • Enter the OAuth Client ID (called the App ID by some providers) you have obtained here.  Please note that you must provide the correct corresponding Client Secret in the next field or errors will occur.
  • If you leave this field blank the default Aotal Ltd account is used.  This means that the authorization screen presented to people using your Sign in with XX app will default to 'Aotal Ltd...' instead of your organization name, and the Aotal logo will appear instead of your organization logo.  


OAuth Client Secret

  • Please note that this field does not appear on the 'Sign in with Email' app (as this app does not look to an external identity provider for sign in credentials).
  • Enter the secret information you have obtained here.  Please note that you must provide the correct corresponding information in the previous field or errors will occur.
  • If you leave this field blank the default Aotal Ltd account is used.  This means that the authorization screen presented to people using your Sign in with XX app will default to 'Aotal Ltd...' instead of your organization name, and the Aotal logo will appear instead of your organization logo.  


Conditional attributes (JSON array)

  • This field is used for setting any Talent App Store fields based on conditions that are specified here.  For identity apps, this field is most often used for internal recognition of the person signing in (e.g. recognize the job seeker as internal if they sign in with an email address which ends in @aotal.com).
  • Please note that this field does not restrict the sign in of a person based upon their email address - it just sets TAS variables to define what happens after they sign in.  For sign in restriction by email address, please see 'Only allow logins with email matching (regex)' below.

  • This field requires an organization-specific algorithm for it to function correctly.  Please use the examples below to work this algorithm out for your organization (if you require assistance, please contact Support before attempting to install the app):
    • SPECIFY ONE EMAIL FORMAT:  Use this algorithm to mark any job seeker as internal if they sign in with one specific type of email format.  In the example below, change the 'aotal.com' in the algorithm to the email format of your organization:
      • [{"emailRegex": ".*@aotal.com", "attributeName": "tas.roles.internal", "attributeValue": "true"}]
    • SPECIFY TWO OR MORE EMAIL FORMATS:  Use this algorithm to mark any job seeker as internal if they sign in with one of the email formats defined - please note that every format is separated by a pipe ( | ).  Remember to change the 'aotal.co.nz' and the 'aotal.com' in the example to the email formats you wish to restrict sign in by:
      • [{"emailRegex": ".*@(aotal.co.nz|aotal.com)", "attributeName": "tas.roles.internal", "attributeValue": "true"}]


Allow login if coming from IP address

  • This field allows use of the app to be restricted by IP address - for example, if this app should only be used when people are on a specific network (e.g. at your office).
  • Enter the IP address that this app will be restricted to.  
  • Please note that at this time only one IP address can be entered into this field (i.e. no IP address ranges or multiple lists).


Only allow logins with email matching (regex)

  • This field allows use of the app to be restricted to only those users whose email address matches a given pattern.  For example, only let people sign in with this app if they have an email address from your organization (e.g. @aotal.com).
  • This field requires you to specify the email address format(s) that are allowed to sign in using this app.  Please use the examples below to work out the format you need to enter (if you require assistance, please contact Support before attempting to install the app):
    • RESTRICT SIGN IN TO ONLY ONE EMAIL FORMAT: Use the example below - remember to change the 'aotal.com' in the example to the email format you wish to restrict sign in by:
      • .*@aotal.com
    • RESTRICT SIGN IN TO TWO OR MORE EMAIL FORMATS:  Use the example below to specify two or more email formats - please note that every format is separated by a pipe ( | ).  Remember to change the 'aotal.co.nz' and the 'aotal.com' in the example to the email formats you wish to restrict sign in by:
      • .*@(aotal.co.nz|aotal.com)
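The two regex-driven fields above ('Conditional attributes (JSON array)' and 'Only allow logins with email matching (regex)') are evaluated the same way, so one added example serves both. It is not Talent App Store code: it re-implements the rule evaluation in Python, assumes the platform applies emailRegex case-insensitively from the start of the address (the article does not say which matching mode is used), and shows why a practitioner should escape the dots and anchor the pattern before relying on it for internal recognition or login restriction.

```python
import json
import re

# Rules exactly as given in the article's "two or more email formats" example.
ARTICLE_RULES = json.loads(
    '[{"emailRegex": ".*@(aotal.co.nz|aotal.com)", '
    '"attributeName": "tas.roles.internal", "attributeValue": "true"}]'
)

# Hardened variant (added suggestion, not from the article): '\.' matches only a
# literal dot and '$' anchors the pattern to the end of the address, so lookalike
# or longer domains no longer satisfy it.
HARDENED_RULES = [
    {"emailRegex": r".*@(aotal\.co\.nz|aotal\.com)$",
     "attributeName": "tas.roles.internal", "attributeValue": "true"}
]


def apply_conditional_attributes(email, rules):
    """Return the TAS attributes a sign-in with `email` would set under `rules`.

    Assumption: each emailRegex is tried with re.match (anchored at the start of
    the address only) and case-insensitively; the platform's real mode may differ.
    """
    attributes = {}
    for rule in rules:
        if re.match(rule["emailRegex"], email, re.IGNORECASE):
            attributes[rule["attributeName"]] = rule["attributeValue"]
    return attributes


def login_allowed(email, allowed_regex):
    """Evaluate the 'Only allow logins with email matching (regex)' field."""
    return re.match(allowed_regex, email, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample addresses; the last two are lookalikes that the
    # unescaped, unanchored article pattern accepts but the hardened one rejects.
    for addr in ["alice@aotal.com", "bob@aotal.co.nz", "eve@example.com",
                 "mallory@aotal.com.example", "carol@aotal-com.example"]:
        print(addr,
              apply_conditional_attributes(addr, ARTICLE_RULES),
              apply_conditional_attributes(addr, HARDENED_RULES))
```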


After installation

After the app has been installed, you can check the information that was provided in the 'Manage' tab of the app.