Overview

This article describes the information you need to provide when installing the 'Sign in with SAML' app.  For installing all other identity apps, please refer to this article.


About automatically installed identity apps

When you (the owner) created your tenant, one identity app was automatically installed for you.  It is important that you understand the restrictions of this auto-installed app:

  • Which app was installed depends on how you created your TAS 'Owner' account: the sign-in method you used was automatically added for 'User' principal types using the Aotal default settings. For example, if you created your owner account using the 'Sign in with Google' app, the identity app automatically installed will have been the 'Sign in with Google (Users)' app.
  • The identity app automatically installed for the tenant is set up with a restriction in place that allows ONLY YOU to use it to sign in.  You will need to reinstall the app with different settings if you want other people to sign in to the store front or to any apps using this sign-in method.
  • The identity app automatically installed for the tenant uses the default Aotal settings, which means the Aotal name and logo appear when you authorize this app to use your information.  If/when you reinstall this identity app, you can use your organization's information so that it appears on the authorization screens instead of Aotal's (refer below).

TIP:  You can check whether an identity app was auto-installed when the tenant was created by looking for the associated email address, which appears at the bottom of the 'Manage' tab within the app.


Password considerations

Please note that when using the Sign in with SAML identity app for your tenant:

  1. Passwords are still stored/managed by the controlling app/system the Sign in with SAML app is linked to within your tenant.
  2. There is no password reset function within the Sign in with SAML app.


Pre-install requirements

Before you can install the app for a tenant, you need to obtain this information:

  • Name - A name for the app - this will make the app appear as 'Sign in with NAME'.
  • Logo - A logo which will appear on the app in the app store - this file must be a .PNG with a file size of less than 1 MB (any dimensions are allowed at this time).
  • Metadata - The SAML metadata for the app (e.g. metadata from your Microsoft Active Directory). If you are not sure what metadata looks like, here is a sample file.
  • Internal candidates - If you are going to recognize candidates as internal by the email address they use to sign in, obtain all of the email address formats your organization will need to recognize (e.g. @aotal.com, @aotal.co.nz, etc.).
  • IP address - If sign in with the app is only to be allowed when the person is accessing it from a specific IP address (e.g. your office), obtain the IP address that you want to restrict by (please note that at this time only one IP address can be specified - no IP address ranges or multiple addresses).
  • Login restriction - If access via this app is only to be allowed for people who have an email address from your organization (e.g. @aotal.com), obtain all of the email address formats your organization will need to recognize to allow sign in (e.g. @aotal.com, @aotal.co.nz).

TIP:  Before installing this app for a production tenant environment, you may first like to install and try it in a test environment.


Install steps

Principal type

  • This field is required.  Select the principal type of person who will be using this app.


Name

  • This field is required.  This name will make the app appear as 'Sign in with NAME'.


Logo

  • This field is required.  Upload the .PNG file you have obtained.


Metadata

  • This field is required.  Copy and paste in the metadata information that you have obtained.


Claim mappings (JSON array)

  • This field is used to identify the person for login purposes.  It maps attributes in the identity provider's SAML assertion to TAS claims. In other words, TAS takes the data returned as part of a successful sign in and maps it to defined fields in TAS - e.g. the identity provider might return an attribute called Employee ID which, to TAS, is the person's email address.
  • At this time these fields are limited to:
    • tas.personal.email (Required)
    • tas.personal.givenName
    • tas.personal.familyName
    • tas.personal.image

      An example of the format of the content of this field (each array element maps one TAS claim to the name of the attribute in the SAML assertion) might be:
      [{"tas.personal.email":"mail"}, {"tas.personal.givenName":"cn"}, {"tas.personal.familyName":"sn"}]

  • Please note that this field is not required to install this app; however, it should be completed unless you are prepared to manage the mapping within your identity provider (i.e. you could configure the claims in your back-end to match the TAS names exactly, but you may not have the IT team to support you in this).
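As an added example (not Aotal's code), the following shows how a claim mapping array in the format above is applied to the AttributeStatement of a SAML assertion to produce TAS claims, and fails closed when the required tas.personal.email claim cannot be filled. The assertion fragment is constructed for the example and the attribute names (mail, cn, sn) are the ones used in the page's sample mapping.

```python
import json
import xml.etree.ElementTree as ET

# Claim mappings in the install-form format: each element maps one TAS claim
# to the Name of an attribute in the identity provider's SAML assertion.
CLAIM_MAPPINGS = json.loads(
    '[{"tas.personal.email":"mail"}, {"tas.personal.givenName":"cn"}, '
    '{"tas.personal.familyName":"sn"}]'
)

# Constructed minimal SAML 2.0 assertion fragment (signature etc. omitted);
# only the AttributeStatement matters for claim mapping.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@aotal.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cn"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = {"tas.personal.email"}  # the page marks only email as required


def extract_attributes(assertion_xml):
    """Return {attribute Name: first AttributeValue} from the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    return attrs


def missing_required(claims):
    """List the required TAS claims that the mapping did not fill."""
    return sorted(REQUIRED_CLAIMS - {k for k, v in claims.items() if v})


def map_claims(mappings, attrs):
    """Apply the mapping array; refuse (fail closed) if a required claim is missing."""
    claims = {}
    for entry in mappings:
        for tas_claim, idp_attr in entry.items():
            if attrs.get(idp_attr):
                claims[tas_claim] = attrs[idp_attr]
    missing = missing_required(claims)
    if missing:
        raise ValueError(f"assertion lacks attributes for required claims: {missing}")
    return claims
```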


Conditional attributes (JSON array)

  • This field is used to set Talent App Store fields based on conditions specified here.  For identity apps, this field is most often used to recognize the person signing in as internal (e.g. recognize the job seeker as internal if they sign in with an email address which ends in @aotal.com).
  • Please note that this field does not restrict the sign in of a person based upon their email address - it only sets TAS variables that define what happens after they sign in.  For sign in restriction by email address, please see 'Only allow logins with email matching (regex)' below.

  • This field requires an organization-specific rule for it to function correctly.  Please use the examples below to work this rule out for your organization (if you require assistance, please contact Support before attempting to install the app):
    • SPECIFY ONE EMAIL FORMAT:  Use this rule to mark any job seeker as internal if they sign in with one specific email format.  In the example below, change the @aotal.com in the rule to the email format of your organization:
      • [{"emailRegex": ".*@aotal.com", "attributeName": "tas.roles.internal", "attributeValue": "true"}]
    • SPECIFY TWO OR MORE EMAIL FORMATS:  Use this rule to mark any job seeker as internal if they sign in with one of the email formats defined - please note that every format is separated by a pipe ( | ).  Remember to change the 'aotal.co.nz' and the 'aotal.com' in the example to the email formats you wish to recognize as internal:
      • [{"emailRegex": ".*@(aotal.co.nz|aotal.com)", "attributeName": "tas.roles.internal", "attributeValue": "true"}]


Allow login if coming from IP address

  • This field allows use of the app to be restricted by IP address.  For example, if this app should only be used when people are on a specific network (e.g. at your office).
  • Enter the IP address that this app will be restricted to.
  • Please note that at this time only one IP address can be entered into this field (i.e. no IP address ranges or multiple addresses).


Only allow logins with email matching (regex)

  • This field allows use of the app to be restricted to users whose email address matches a regular expression.  For example, only let people sign in with this app if they have an email address from your organization (e.g. @aotal.com).
  • This field requires you to specify the email address format(s) that are allowed to sign in using this app.  Please use the examples below to work out the format you need to enter (if you require assistance, please contact Support before attempting to install the app):
    • RESTRICT SIGN IN TO ONLY ONE EMAIL FORMAT: Use the example below - remember to change the 'aotal.com' in the example to the email format you wish to restrict sign in by:
      • .*@aotal.com
    • RESTRICT SIGN IN TO TWO OR MORE EMAIL FORMATS:  Use the example below to specify two or more email formats - please note that every format is separated by a pipe ( | ).  Remember to change the 'aotal.co.nz' and the 'aotal.com' in the example to the email formats you wish to restrict sign in by:
      • .*@(aotal.co.nz|aotal.com)
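The following added example (not Aotal's code) shows how the two regex-driven fields, 'Conditional attributes' and 'Only allow logins with email matching (regex)', behave against a signed-in address, using the page's own patterns. It assumes that a pattern must match the whole address case-insensitively (the page does not state TAS's exact matching rules), and as a caveat it shows that the unescaped dots in the page's patterns match any character, beside an escaped version that matches only the literal domains.

```python
import json
import re

# The page's own example values for the two fields.
CONDITIONAL_ATTRIBUTES = json.loads(
    '[{"emailRegex": ".*@(aotal.co.nz|aotal.com)", '
    '"attributeName": "tas.roles.internal", "attributeValue": "true"}]'
)
LOGIN_RESTRICTION_REGEX = r".*@(aotal.co.nz|aotal.com)"
# Same restriction with the dots escaped: "." in a regex matches any character,
# so the page's pattern also accepts e.g. "aotalXcom"; this form does not.
LOGIN_RESTRICTION_REGEX_STRICT = r".*@(aotal\.co\.nz|aotal\.com)"


def email_matches(pattern, email):
    """Assumption: TAS requires the whole address to match, case-insensitively."""
    return re.fullmatch(pattern, email, flags=re.IGNORECASE) is not None


def login_allowed(restriction_regex, email):
    """'Only allow logins with email matching (regex)': an empty field means no restriction."""
    if not restriction_regex:
        return True
    return email_matches(restriction_regex, email)


def apply_conditional_attributes(rules, email):
    """'Conditional attributes': set attributeName to attributeValue for each rule
    whose emailRegex matches. This never blocks a sign-in; it only tags the person."""
    attrs = {}
    for rule in rules:
        if email_matches(rule["emailRegex"], email):
            attrs[rule["attributeName"]] = rule["attributeValue"]
    return attrs


def sign_in(email, restriction_regex=LOGIN_RESTRICTION_REGEX, rules=CONDITIONAL_ATTRIBUTES):
    """Restriction first, then tagging; returns None when the sign-in is refused."""
    if not login_allowed(restriction_regex, email):
        return None
    return apply_conditional_attributes(rules, email)
```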


After installation

After the app has been installed, you can check the information that was provided in the 'Manage' tab of the app.