10 Security Configuration

Security Overview

The Security configuration module enables Administrators to configure security settings related to password formats, single sign-on (SSO), and session timeout.

The following sections are available in the Security module:

  • Password Settings

  • Session Timeout Security Settings

  • SSO/SAML Settings (OIF)

  • Security Settings

Single Sign-On (SSO)

Sourcing supports Single Sign-On (SSO) as an option for a customer's employees to gain access to the application from within their network without the need for credentials. This means an SSO process for employees to access Sourcing from the customer's network, not SSO between Sourcing and other applications.

Customers can select one of six values to automatically populate the SSOID with data from the Employee Connector from Recruiting. The chosen value from Recruiting will populate or re-map the SSOID in Sourcing. This allows easier deployment of Single Sign-On, and more choices in implementation.

Customers must choose a single value from the following list of six:
  • Email

  • Personal Email Address

  • Corporate Email Address

  • SmartOrg Username

  • Candidate Username

  • Employee ID

Additional implementation work by Oracle is required to set up the above, so please create a Service Request and contact your Oracle services or support representative for details.

When using SSO, there is a setting, SSO Global Logout, that when enabled, terminates an employee’s session on the Identity Provider (IdP) when their Sourcing session is terminated either manually or through abandonment.

Navigation: Configuration > Security > [SSO/SAML Settings (OIF)] > SSO Global Logout

Note: All concurrent sessions within the browser will be terminated for the user if Global Logout is invoked through session termination in Sourcing. This may be disruptive for users who have other applications open that are signed in through the same IdP session.

Another setting, SSO Exit URL, allows Administrators to enter a configurable Exit URL. Employees who are authenticated through SSO can be directed to a specific destination page via the Exit URL when they terminate their session. Using this configurable Exit URL also ensures that employees only use the site in the authenticated state.

Note: The SSO Exit URL setting accepts a single value which is applied to all users terminating sessions from SSO.

Native SSO

Native Single Sign-On (SSO) replaces the legacy SSO, allowing the SSO flow to go directly into Sourcing. You'll need to make configuration changes both in Sourcing and in the Identity Provider (IDP) application on your infrastructure.

To set up native SSO:

Begin in Sourcing:
  1. Navigate to Sourcing > Configuration > Security > SSO/SAML Settings (OIF).
  2. Confirm that the SSO Enabled setting is enabled.
  3. Confirm that the Legacy SSO setting is enabled.
  4. Contact your IDP Administrator and ask for your Metadata URL.
  5. In the IDP Metadata URL setting, enter the Metadata URL given to you by your IDP Administrator. If a valid URL is entered, the metadata will appear in the IDP Metadata setting. You can manually enter or edit the metadata in this setting as needed.
  6. Click Generate SP Metadata in the SP Metadata setting. An XML file with Service Provider (SP) metadata for the Sourcing application will be downloaded. Note that this SP Metadata is specific to each zone. Separate SP Metadata needs to be generated for staging and production zones.

    Now in your IDP application:

  7. The SP Metadata xml file from Step 6 above must be uploaded to the IDP. Please contact your IDP Administrator as needed.

    If the SSO Administrator adds a new federation to the customer’s IDP, then the SSO remains operable until the cutover is made in Step 9.

    If the SSO Administrator replaces the federation on the customer’s IDP with a new one, then the SSO becomes inoperable until the cutover is made in Step 9.

  8. Your IDP-initiated SSO URL needs to reference the new federations created in Step 9. This URL string for the modification comes from your IDP.
    Note: This step, Step 8, is only applicable if you have an IDP-initiated flow from your Internet Service Provider (ISP) to Sourcing. If you have only an ISP-initiated flow from your IDP to Sourcing, you can skip this step. Please contact your SSO Administrator for information if you need to understand the difference between these two.

    Lastly, back to Sourcing:

  9. Disable the Legacy SSO setting. You're all set. Once you disable the Legacy SSO, you'll be using your newly configured Native SSO.

User Session Timeout

There are two configuration settings, Session Maximum Inactive Interval (seconds) and Session Timeout Reminder Interval (seconds), that allow Administrators to expire a user’s login session after a particular time period of browser inactivity.

When a user walks away without logging out, the session is terminated unless the user takes action. A warning modal advises the user that their session will be terminated within a particular time period unless they extend it by clicking OK on the modal. Clicking OK dismisses the modal and resets the timers. If no action is taken, the session terminates within the time configured by the Administrator.

The feature is enabled at upgrade and cannot be disabled; a positive integer must be entered in both configurations. The delivered default value for the Session Maximum Inactive Interval is 1800 seconds. The delivered default value for the Session Timeout Reminder Interval is 1500 seconds.
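The interplay of the two intervals is easiest to see on a timeline. The model below is an added example, not Oracle's code: it validates the two settings (including the implied requirement that the reminder fires before expiry, which the page does not state explicitly), evaluates a session's state at a given time, and replays a constructed sequence of browser events against the delivered defaults.

```python
def validate_settings(max_inactive, reminder):
    """Return problems with the two interval settings; empty list means they are acceptable."""
    problems = []
    for name, value in (("Session Maximum Inactive Interval", max_inactive),
                        ("Session Timeout Reminder Interval", reminder)):
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            problems.append(f"{name} must be a positive integer, got {value!r}")
    # Not stated on the page but implied: the reminder must fire before the session expires.
    if not problems and reminder >= max_inactive:
        problems.append("reminder interval must be shorter than the maximum inactive interval")
    return problems

class SessionTimeoutPolicy:
    """Tracks one user's inactivity; defaults are the delivered 1800 s and 1500 s."""

    def __init__(self, max_inactive=1800, reminder=1500):
        problems = validate_settings(max_inactive, reminder)
        if problems:
            raise ValueError("; ".join(problems))
        self.max_inactive, self.reminder = max_inactive, reminder
        self.last_activity = 0
        self.expired = False        # once the server ends the session it stays ended

    def touch(self, now):
        """Browser activity, or the user clicking OK on the warning modal: resets both timers."""
        if not self.expired:
            self.last_activity = now

    def state(self, now):
        """'active', 'warning' (modal displayed) or 'expired' at time `now` (seconds)."""
        idle = now - self.last_activity
        if self.expired or idle >= self.max_inactive:
            self.expired = True
            return "expired"
        return "warning" if idle >= self.reminder else "active"

def replay(policy, events):
    """Replay (time, event) pairs where event is 'activity', 'ok' or 'check';
    returns the state observed at each 'check'. The timeline is constructed for illustration."""
    observed = []
    for t, event in sorted(events):
        if event == "check":
            observed.append(policy.state(t))
        else:
            policy.state(t)   # let expiry take effect before the activity is recorded
            policy.touch(t)
    return observed
```

With the defaults, the modal appears 1500 s after the last activity, the session expires 1800 s after it, and activity after expiry no longer revives the session.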

Prevent Sign Up with Company Email Domain

A setting, Allow new user Sign Up with company Email Domain, enables Administrators to allow or prevent the creation of new users using the company email domain.

This configuration option allows Administrators to prevent users from registering as new users using email addresses which include the customer’s corporate email domain, which would mark that user as an employee. This feature closes a backdoor which permitted non-employees to view jobs posted only internally.

Messaging and error handling informs users that a company domain cannot be entered into the Email field (when the setting is disabled). Users will be informed that this is an invalid action when they attempt to enter a company domain in the following areas:
  • Sign Up for Job Alerts

  • Sign Up (Referral Only mode)

  • Settings page

  • Apply modal

  • Upload Friend’s Resume

The Allow new user Sign Up with company Email Domain setting has two configuration options. They are:
  • Enabled (On) – Allows creation of new system users with addresses using the company email domain.

  • Disabled (Off) – Does not allow creation of new system users with email addresses using the company email domain.

Note:
  • Loaded employees still use the Sign Up button to claim their account for first time use.

  • Disabling this setting is recommended for customers where all employees are in the system already and where there is no use case where an employee should need to register as a new user.
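The decision that the Sign Up, Job Alerts, Settings, Apply and Upload Friend's Resume forms have to make when the setting is Off is a domain comparison, and the details matter: case, a trailing dot and surrounding whitespace must not let a corporate address through, while a look-alike such as user@example.com.attacker.net is an outside address and is correctly allowed. The check below is an added example, not Oracle's code; the company domain example.com is a constructed placeholder, and treating subdomains of the company domain as company addresses is an assumption.

```python
# Constructed, hypothetical company domain; a real deployment reads this from configuration.
COMPANY_DOMAINS = {"example.com"}

def email_domain(address):
    """Return the normalized domain of a plain user@domain address, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1 or " " in address:
        return None
    local, domain = address.split("@")
    domain = domain.rstrip(".").lower()   # "Jane@EXAMPLE.COM." is still example.com
    if not local or not domain:
        return None
    return domain

def is_company_domain(address, company_domains=COMPANY_DOMAINS):
    """True when the address is in a company domain or (assumption) one of its subdomains."""
    domain = email_domain(address)
    if domain is None:
        return False
    # Exact match or a dot-separated subdomain only: "notexample.com" must not match.
    return any(domain == d or domain.endswith("." + d) for d in company_domains)

def signup_allowed(address, allow_company_domain, company_domains=COMPANY_DOMAINS):
    """Decision for the self-service forms; returns (allowed, reason)."""
    if email_domain(address) is None:
        return False, "invalid email address"
    if not allow_company_domain and is_company_domain(address, company_domains):
        return False, "company email domain not permitted for new user registration"
    return True, "ok"
```

Loaded employees are not affected by this check: they claim an existing account rather than registering a new one.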