Set up SSO to Checkr from Azure Active Directory
This article will show you how to configure a SAML SSO Application for Checkr in MS Azure AD. For general information about SAML SSO at Checkr, please review the following article:
Self-Service SSO: Enable Single Sign On using SAML for your account
Configure IdP-initiated SSO
- From the Microsoft Azure Active Directory tenant nav tray, click “Enterprise Applications”. On the resulting screen, click “New Application”.
- On the next screen, click “Create Your Own Application”. A tray will slide out on the right side of the screen. Add a name for your Application, make sure “Non-gallery” is selected, and click the Create button.
- Click “Assign users and groups”, then “Add user/group” and use the resulting interface to add relevant users and/or groups.
- Ensure that users have a consistent attribute in Azure AD that matches their Checkr login email. The most common choices are usually user.mail or user.userprincipalname.
- Return to your Application’s Overview page, then click “Get started” in the box labeled “2. Set up single sign on”. On the next page, click “SAML”.
- In Azure, update the following fields using the information provided on the “Single Sign On” screen in Checkr. NOTE: under “Attributes & Claims” you must have the “email” attribute; the “user.mail” part should be whatever User field your org uses to store the email addresses that will be used as Checkr logins.
- After you complete the previous step, the “SAML Certificates” section in Azure will populate.
- Transfer the following information from Azure to Checkr, then Save. NOTE: in the screenshot, a certificate has already been uploaded in Checkr, which is why there is a red “Remove Current Cert” button. If there were not already an active certificate, this would be a blue “Choose File” button.
- Log out of the Checkr dashboard AND log out of Okta. Then click the “Test” button in Azure. The test connection will use your current User in Azure, so make sure that User has been assigned to the Application and has a Checkr username in the Azure field assigned to the email Attribute in your SAML setup.
Configure SP-initiated SSO
- Before you start, make sure you have followed the steps for IdP-initiated SSO above.
- In Checkr, navigate to Account Settings > Single Sign On.
- Enter an email domain into the “Email Domain” field. When users arrive at Checkr’s login screen and enter a username, only usernames that end with this domain will be redirected to your IdP for authentication.
- Then click “Save” in Checkr.
- Configuration complete! Test your SP-initiated SSO flow by instructing a user to log out of Checkr, then navigate to the Checkr login screen. When they enter a username with the email domain you configured above, the password field should disappear. Upon submitting the login form, the user should be redirected to your IdP for authentication, then back to Checkr and logged in successfully.
- If the previous step does not work, back in your Azure Application’s SSO config, add dashboard.checkr.com/login to the “Sign on URL” field. Save, then download the certificate again, and upload the new certificate in Checkr and save. Then retry. This has not been tested but may be required.
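When a test login fails, it helps to confirm what Azure actually sent. The following is an added example, not Checkr's or Microsoft's code: it inspects a base64-decoded SAML response captured from your own test login and checks that the “email” attribute required under “Attributes & Claims” is present and falls inside the “Email Domain” entered for SP-initiated SSO. The function names, the example.com sample values, and the exact-match domain rule are assumptions; it does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name Azure AD gives the email claim by default, before it is renamed.
AZURE_DEFAULT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_email_claim(saml_xml, email_domain):
    """Return a list of problems with the 'email' attribute; empty list = OK."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values
                                   if v.text and v.text.strip()]
    if "email" not in attrs:
        hint = ""
        if AZURE_DEFAULT in attrs:
            hint = "; claim still has Azure's default name, rename it to 'email'"
        return ["no attribute named 'email'" + hint]
    problems = []
    if len(attrs["email"]) != 1:
        problems.append(f"'email' carries {len(attrs['email'])} values, expected 1")
    for value in attrs["email"]:
        # Assumption: the domain rule is an exact, case-insensitive match
        # on the part after the last '@'.
        domain = value.rsplit("@", 1)[-1].lower()
        if "@" not in value or domain != email_domain.lower():
            problems.append(f"{value!r} is outside email domain {email_domain!r}")
    return problems


def sample_assertion(name, value):
    """Constructed, unsigned assertion fragment used only as sample input."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AttributeStatement><saml:Attribute Name="{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')


if __name__ == "__main__":
    cases = [("email", "alice@example.com"),         # correctly configured
             (AZURE_DEFAULT, "alice@example.com"),   # claim never renamed
             ("email", "alice@corp.example.net")]    # wrong source field
    for name, value in cases:
        result = check_email_claim(sample_assertion(name, value), "example.com")
        print(name, value, "->", result or "OK")
```

An empty result means the claim name and domain line up with the steps above; any other output names the Azure setting to revisit.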