What you need to send us, and where to find it, so we can connect your career center when your organization uses SAML and your identity provider (IdP) handles sign-in.

This guide walks you through what we need from you, where to get each piece from your IdP, and why it matters. Once we have the information, we handle the technical setup on our side.


Who this is for

Association or organization admins whose identity provider (IdP) supports SAML 2.0 (e.g. iMIS SSO Premium, Azure AD, Okta, OneLogin, or another SAML IdP) and who need to connect it to the career center for single sign-on.


<aside> 💡

Quick answer — In your IdP, create a SAML application (or “SAML client”) for our application. Use the Entity ID, ACS URL, and ACS Binding we give you. After the app is configured, send us your IdP Entity ID, Single Sign-On URL, and IdP public certificate (X.509). We’ll tell you which NameID format to use. We handle the rest.

</aside>


How it works

When a member signs in from your career center:

  1. They are sent to your identity provider’s login page.
  2. Your IdP authenticates them and sends a signed SAML response back to us.
  3. We verify the response and use it to log them in and, when configured, pull profile data so they don’t enter credentials again.

To make this work, we act as the Service Provider (SP) and your system is the Identity Provider (IdP). You create a SAML app in your IdP for our SP and give us the IdP details we need to trust and accept the SAML response.


What we need from you

Send us these. You get them from your IdP’s SAML application or from your IdP’s metadata document.

| What we need | Where to get it | Why we need it |
| --- | --- | --- |
| IdP Entity ID | In your IdP’s SAML app or metadata: the Entity ID (or “Issuer”) of the IdP. Often a URL or URN. | So our system can identify your IdP and match it to the SAML response. |
| Single Sign-On URL | In the SAML app or metadata: the SSO URL (or “Login URL”) where we send users to sign in. | This is where we redirect users to log in; it must match what your IdP expects. |
| IdP public certificate (X.509) | In the SAML app or metadata: the public X.509 certificate the IdP uses to sign SAML responses. Copy the full certificate (begin/end lines). | We use it to verify that SAML responses really come from your IdP. |
| Single Logout URL (optional) | If your IdP supports single logout: the Single Logout (or “SLO”) URL from the app or metadata. | So we can support “log out everywhere” when the user logs out of the career center. |

NameID format — We will tell you which format to use in your IdP (e.g. email, persistent, or unspecified with username). Your IdP’s SAML app will have a NameID format or “Name ID format” setting; set it to what we specify.
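
If your IdP gives you a metadata document rather than separate fields, the four values in the table above can be read straight out of it. The script below is an added example, not part of our tooling: it assumes a metadata file you downloaded from your own IdP with a single `EntityDescriptor` at the root, and the sample metadata, the `idp.example.org` URLs and the certificate bodies are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hypothetical IdP, certificate bodies are placeholders, not real keys.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DUllQVElPTi1QTEFDRUhPTERFUg==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
     U0lHTklORy1QTEFDRUhPTERFUg==
   </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_text):
    """Strip whitespace, check the base64 is intact, add the begin/end lines."""
    b64 = "".join(b64_text.split())
    base64.b64decode(b64, validate=True)  # raises on stray characters or broken padding
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_details(metadata_xml):
    """Return the values this guide asks for from a trusted IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)  # optional in this guide
    certs = [to_pem(node.text or "")
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no "use" means the key covers signing too
             for node in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "slo_url": slo.get("Location") if slo is not None else None,
            "signing_certs": certs}
```

Call `extract_idp_details()` with the contents of your metadata file. If it returns more than one signing certificate, your IdP is likely mid-rotation, so send all of them.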