BambooHR

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for BambooHR.

About BambooHR

BambooHR is an online human resources (HR) software service for small and midsized businesses. BambooHR helps transition small and growing companies from spreadsheets to a Human Resource Information System (HRIS) that adapts to their changing needs.

After integrating BambooHR with Oracle Identity Cloud Service:

  • Users can access BambooHR using their Oracle Identity Cloud Service login credentials.
  • Users can launch BambooHR using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign users to the BambooHR app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A BambooHR account with authorization rights to configure federated authentication.
  • Make sure that the email ID of each user in BambooHR matches the primary email ID of the Oracle Identity Cloud Service account.
  • Identity Provider metadata. Access the metadata at https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata and save it in a text file. You use this file later to obtain the identity provider certificate in the "Obtaining the Identity Provider Certificate" section.

Prerequisite Step

A dedicated domain name is required before you can register and activate the BambooHR app. You obtain that domain name from BambooHR.

The BambooHR domain name appears in the login URL that you received in an email from BambooHR: https://<Domain_Name>.bamboohr.com.

Obtaining the Identity Provider Certificate

Use this section to obtain the Identity Provider Certificate in a format that is suitable for BambooHR.

  1. Access the Identity Provider metadata file that you downloaded in the "What Do You Need?" section.

  2. In the metadata file, locate the dsig:X509Certificate tags.

  3. Copy the content between the dsig:X509Certificate tags into a text file. This content is the Oracle Identity Cloud Service signing certificate.

    Image img1.png displays the metadata content with md:IDPSSODescriptor and dsig:X509Certificate tags highlighted.

  4. Add -----BEGIN CERTIFICATE----- at the beginning of the content.

  5. Add -----END CERTIFICATE----- at the end of the content.

    Image img2.png displays the text file with the certificate content highlighted.

    Tip: Use this certificate content later during BambooHR configuration in the "Configuring SSO for BambooHR" section.
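
The steps above can also be scripted. The following is an added example, not part of the Oracle documentation: it selects the signing certificate under md:IDPSSODescriptor, rebuilds it as PEM, and returns a SHA-256 fingerprint that you can record and compare when the certificate is later replaced. It goes slightly beyond the manual steps by skipping encryption-only keys and refusing to guess when more than one signing certificate is present. The sample metadata, its entityID, and the function name idp_signing_cert_pem are constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample input: placeholder bytes stand in for the certificate,
# and the entityID is made up. Real metadata comes from /fed/v1/metadata.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:dsig="{NS['dsig']}" entityID="https://idcs-example.invalid/fed">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data>
      <dsig:X509Certificate>
{textwrap.fill(base64.b64encode(SAMPLE_DER).decode(), 76)}
      </dsig:X509Certificate>
    </dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_signing_cert_pem(metadata_xml):
    """Return (pem, sha256_hex) for the IdP signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no use attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//dsig:X509Certificate", NS):
            certs.append("".join((node.text or "").split()))  # drop whitespace
    if len(certs) != 1:
        # Assumption of this example: stop and let the operator choose.
        raise ValueError(f"expected 1 signing certificate, found {len(certs)}")
    der = base64.b64decode(certs[0], validate=True)  # rejects stray characters
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    pem, fingerprint = idp_signing_cert_pem(SAMPLE_METADATA)
    print(pem)
    print("SHA-256 of DER:", fingerprint)
```

The returned PEM text is what you paste into the x.509 Certificate field in the "Configuring SSO for BambooHR" section.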

Configuring SSO for BambooHR

  1. Access BambooHR as an administrator using the URL: https://<Domain_Name>.bamboohr.com/. The BambooHR Home page appears.

    Note: When the user accesses BambooHR for the first time, the Welcome to BambooHR! pop-up window appears. Click Close to close the pop-up window. When another pop-up window appears, click Okay, got it. The BambooHR Home page appears.

  2. In the upper-right corner, hover over and then click the Settings icon. The Settings page appears.

  3. In the left navigation menu, click Apps. The Apps Settings page appears.

  4. Locate the Not Installed section, and then locate and click Install next to SAML. The SAML Single Sign-On Settings pop-up window appears.

  5. Use the table to update the federated authentication attributes, and then click Install. A success message is displayed stating that the SAML Single Sign-On was successfully installed.

    Attribute            Value
    SSO Login URL        Enter the Sign-in URL/SSO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
    x.509 Certificate    Paste the identity provider certificate content that you obtained earlier in the "Obtaining the Identity Provider Certificate" section.

  6. Click People in the header menu. The People page displays a list of users.

  7. Click the required user name to enable SSO access for that user. The People page displays the Personal tab.

  8. In the upper-right corner, click the settings icon drop-down list.

  9. Hover over BambooHR Access Level, and then select any one of the levels from the drop-down list. A success message is displayed stating that the user was successfully moved.

    Note: Installing SSO for BambooHR deactivates the ability to log in using the user name and password. Remain logged in to the BambooHR session until you complete the next section to verify that Identity Provider initiated SSO from Oracle Identity Cloud Service works.

Obtaining API Key

A dedicated API Key is required before you can enable provisioning for BambooHR in Oracle Identity Cloud Service.

  1. In the upper-right corner, hover over and click the user name icon, and then select API Keys from the drop-down list. The MY API Keys page appears.

  2. Click + Add New Key. The Add New API Key pop-up window appears.

  3. Enter API Key Name, and then click Generate Key. The API Key appears on the same pop-up window.

  4. Click COPY KEY to copy the API Key. A success message is displayed at the top of the page.

    Note: It is recommended that you record the API Key immediately, because it appears only once. The API Key does not expire unless the user deletes it. Use this API Key value when you enable user provisioning for the BambooHR app in Oracle Identity Cloud Service. See the "Enabling Provisioning" section.

  5. Click Done.

Configuring BambooHR in Oracle Identity Cloud Service

Use this section to register and activate BambooHR, and to enable provisioning and synchronization for BambooHR.

Registering and Activating the BambooHR App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for BambooHR, and then click Add.

  4. In the App Details section, enter your BambooHR Domain Name, and then click Next.

    Note: This is the domain name value obtained while performing the steps in the "Prerequisite Step" section.

  5. Click Next to enable provisioning and synchronization for BambooHR. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for BambooHR

Use this section to enable provisioning and synchronization for managing user accounts in BambooHR through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Under the Configure Connectivity section, enter the API Key.

    Note: This is the API Key value that you obtained while performing the steps in the "Obtaining API Key" section.

  3. Click Test Connectivity. A success message is displayed stating that the connection is successful.

  4. To view predefined attribute mappings between the user account fields defined in BambooHR and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and BambooHR Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the BambooHR Account column.

  5. Specify the provisioning operations that you want to enable for BambooHR:

    Note: By default, the Create Account, Update Account and De-activate Account check boxes are selected.

    Authoritative Sync: When users are imported from BambooHR, automatically creates a user under the Users tab in Oracle Identity Cloud Service and assigns that user an account under the BambooHR app in Oracle Identity Cloud Service.

    Note: When the Authoritative Sync option is enabled, administrators cannot create, update, or deactivate users from Oracle Identity Cloud Service.

    Create Account: Automatically creates a BambooHR account when BambooHR access is granted to the corresponding user in Oracle Identity Cloud Service.

    Update Account: Automatically updates a BambooHR account when the corresponding user account is edited in Oracle Identity Cloud Service.

    De-activate Account: Automatically deactivates or activates a BambooHR account when the BambooHR access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from BambooHR:

    Note: By default, the Primary Email Address option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match a BambooHR account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option, which represents the Email attribute of the BambooHR account, is selected. It is recommended not to change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

    Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.

  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for BambooHR, you can synchronize the existing account details from BambooHR and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage BambooHR accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  7. From the Synchronization schedule drop-down list, select an option to schedule the synchronization between BambooHR and Oracle Identity Cloud Service. Based on the selection, the synchronization runs at the specified intervals in Oracle Identity Cloud Service. By default, the Never option is selected.

  8. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP Initiated SSO) and BambooHR (SP Initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the BambooHR app. Oracle Identity Cloud Service displays a shortcut to BambooHR under My Apps.

  3. Click BambooHR. The BambooHR Home page appears.

    Note: When the user accesses BambooHR for the first time, the Welcome to BambooHR! pop-up window appears. Click Close to close the pop-up window. When another pop-up window appears, click Okay, got it. The BambooHR Home page appears.

  4. Confirm that the user that is logged in is the same for both BambooHR and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from BambooHR

  1. Access BambooHR using the login URL: https://<Domain_Name>.bamboohr.com. You are redirected to the Oracle Identity Cloud Service login page.

  2. Log in using credentials for a user that is assigned to the BambooHR app. The BambooHR Home page appears.

    Note: When the user accesses BambooHR for the first time, the Welcome to BambooHR! pop-up window appears. Click Close to close the pop-up window. When another pop-up window appears, click Okay, got it. The BambooHR Home page appears.

  3. Confirm that the user that is logged in is the same for both BambooHR and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from BambooHR works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

BambooHR displays the message, "The email you entered does not match any user in BambooHR. Please contact your administrator to enable access."

Cause 1: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in BambooHR.

Solution 1: Ensure that the user that you assign to the BambooHR app has an account in both Oracle Identity Cloud Service and BambooHR with the same email address.

Cause 2: The user account assigned to BambooHR is deleted under the People page of the BambooHR app, and the user attempts to initiate single sign-on.

Solution 2: Ensure that the user that you assign to the BambooHR app has an account in both Oracle Identity Cloud Service and BambooHR.

BambooHR displays the message, "You may not log in. This employee email has been disabled. Please contact your administrator to enable access."

Cause: The user account assigned to BambooHR is inactive under the People page of the BambooHR app, and the user attempts to initiate single sign-on.

Solution: Ensure that the user account is active under the People page of the BambooHR app.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service BambooHR app and BambooHR is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select BambooHR.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The user account assigned to BambooHR is deactivated in Oracle Identity Cloud Service under the BambooHR application's Users tab, and the user attempts to initiate single sign-on from BambooHR.

Solution 2: Ensure that the user account is activated under the Users tab of the BambooHR app in Oracle Identity Cloud Service.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.