10 Security Configuration
Security
Security Overview
The Security configuration module enables Administrators to configure security settings related to password formats, single sign-on (SSO), and session timeout.
The following sections are available in the Security module:
- Password Settings
- Session Timeout Security Settings
- SSO/SAML Settings (OIF)
- Security Settings
Single Sign-On (SSO)
Sourcing supports Single Sign-On (SSO) as an option for a customer's employees to gain access to the application from within their network without the need for credentials. This means an SSO process for employees to access Sourcing from the customer's network, not SSO between Sourcing and other applications.
Customers can select one of six values to automatically populate the SSOID with data from the Employee Connector from Recruiting. The chosen value from Recruiting will populate or re-map the SSOID in Sourcing. This allows easier deployment of Single Sign-On, and more choices in implementation.
- Email
- Personal Email Address
- Corporate Email Address
- SmartOrg Username
- Candidate Username
- Employee ID
Additional implementation by Oracle is required for the above. Create a Service Request and contact your Oracle services or support representative for details.
When using SSO, there is a setting, SSO Global Logout, that, when enabled, terminates an employee’s session on the Identity Provider (IdP) when their Sourcing session is terminated either manually or through abandonment.
Navigation: Configuration > Security > [SSO/SAML Settings (OIF)] > SSO Global Logout
Another setting, SSO Exit URL, allows Administrators to enter a configurable Exit URL. Employees who are authenticated through SSO can be directed to a specific destination page via the Exit URL when they terminate their session. Using this configurable Exit URL also ensures that employees only use the site in the authenticated state.
User Session Timeout
There are two configuration settings, Session Maximum Inactive Interval (seconds) and Session Timeout Reminder Interval (seconds), that allow Administrators to expire a user’s login session after a particular time period of browser inactivity.
When a user abandons their session without terminating their login session, the session will be terminated unless action is taken by the user. A warning modal displays to the user advising them that their session will be terminated within a particular time period unless they extend their session by clicking OK on the modal. Clicking OK dismisses the modal and resets the timers. If no action is taken, the session terminates within the time configured by the Administrator.
The feature is enabled at upgrade and cannot be disabled; a positive integer must be entered in both configurations. The delivered default value for the Session Maximum Inactive Interval is 1800 seconds. The delivered default value for the Session Timeout Reminder Interval is 1500 seconds.
Prevent Sign Up with Company Email Domain
A setting, Allow new user Sign Up with company Email Domain, enables Administrators to allow or prevent the creation of new users using the company email domain.
This configuration option allows Administrators to prevent users from registering as new users with email addresses that include the customer’s corporate email domain, which would mark that user as an employee. This feature closes a backdoor that permitted non-employees to view jobs posted only internally.
Sign Up for Job Alerts
Sign Up (Referral Only mode)
Settings page
Apply modal
Upload Friend’s Resume
Enabled (On) – Allows creation of new system users with addresses using the company email domain.
Disabled (Off) – Does not allow creation of new system users with email addresses using the company email domain.
Loaded employees still use the Sign Up button to claim their account for first time use.
Disabling this setting is recommended for customers where all employees are in the system already and where there is no use case where an employee should need to register as a new user.
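The following is an added example, not Oracle's code or part of the product: a sketch of how a sign-up handler could enforce the behavior of Allow new user Sign Up with company Email Domain when the setting is disabled. The function names, the `corp.example` domain and the choice to treat subdomains as company addresses are assumptions made for illustration.

```python
import unicodedata

# Constructed sample value; a real deployment would list the customer's domains.
COMPANY_DOMAINS = {"corp.example"}

def normalized_domain(address: str) -> str:
    """Return the lower-case ASCII domain of an address, or raise ValueError."""
    # NFKC folds full-width and other compatibility characters (including a
    # full-width '@') so look-alike spellings compare equal to the ASCII form.
    addr = unicodedata.normalize("NFKC", address).strip()
    if addr.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    if any(c.isspace() for c in addr):
        raise ValueError("whitespace inside address")
    local, domain = addr.split("@")
    domain = domain.rstrip(".")  # "corp.example." names the same host
    if not local or not domain:
        raise ValueError("empty local part or domain")
    # IDNA maps Unicode labels to punycode so both spellings compare equal.
    return domain.encode("idna").decode("ascii").lower()

def is_company_address(address, company_domains=COMPANY_DOMAINS):
    """True if the address is in a company domain or one of its subdomains."""
    domain = normalized_domain(address)
    # Subdomain matching is an assumption; compare on a label boundary so
    # "notcorp.example" and "corp.example.evil.test" do not match.
    return any(domain == d or domain.endswith("." + d) for d in company_domains)

def signup_allowed(address, allow_company_signup=False,
                   company_domains=COMPANY_DOMAINS):
    """Mirror the setting: Off blocks company-domain sign-ups, On allows them."""
    try:
        company = is_company_address(address, company_domains)
    except ValueError:
        return False  # fail closed on anything that does not parse
    return allow_company_signup or not company

if __name__ == "__main__":
    for sample in ("alice@corp.example", "bob@Mail.CORP.example.",
                   "eve@notcorp.example", "a@corp.example@evil.test"):
        print(sample, "->", signup_allowed(sample))
```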