Checkr has introduced a self-service SAML setup feature for clients to use. The feature allows Checkr to serve as a service provider (SP) and allows customers to establish SAML connections with their preferred identity provider (IdP).
Checkr supports the standard SCIM APIs. Setting up these APIs allows an IdP to dynamically provision and deprovision users as they join the organization, move around within the organization, or leave the organization. Enabling the SCIM API interfaces is currently performed by request. Contact your Customer Success Manager or firstname.lastname@example.org to request that the SCIM provisioning process be initiated for your account.
For more information, refer to "Does Checkr support Single Sign On integrations?"
Checkr SSO has requirements for all SAML connections, and more specific requirements for IdP-initiated and SP-initiated connections. Before initiating the connection, review your Checkr account and IdP setup to confirm that your setup is compatible with Checkr SSO.
For all SAML connections
- Checkr doesn't provide and can't consume SAML Metadata.
- All traffic sent to Checkr is secured at the transport layer through HTTPS. Checkr doesn't support any additional assertion encryption.
For IdP-initiated connections
- If you have multiple Checkr accounts, each account requires a separate SAML connection.
- If you use only IdP-initiated connections, Checkr can't prevent your users from changing their passwords on the Checkr platform. If you use SP-initiated connections (with an email domain), Checkr can enforce these rules.
- Your Checkr account can include users with different email address domains.
For SP-initiated connections
- If your organization has multiple Checkr accounts, you must first confirm that each of your email domains is attached to only one Checkr account. For example, users with an @bobsplumbingservice.com email address can be associated with only one of your Checkr accounts. Your users must log in to separate Checkr accounts with separate email addresses.
- Checkr accounts can have multiple unique email domains associated with that account’s SSO connection, but each domain can be associated with only one Checkr account.
- Checkr users are defined by their email address, which must be unique. Each Checkr user can belong to only one Checkr account at a time.
- Users must first authenticate through your IdP before they can access Checkr. Direct login to your account will be disabled.
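The domain and user uniqueness requirements for SP-initiated connections can be checked before you request the connection. The following is an added example, not Checkr code: it assumes you have your own export of users as (email, account) pairs, compares addresses case-insensitively as a conservative assumption, and uses hypothetical account names and constructed sample data.

```python
from collections import defaultdict

def check_sp_initiated_readiness(users):
    """users: iterable of (email, account) pairs from your own export (assumed format).

    Returns findings against the SP-initiated requirements:
      shared_domains   - email domains that appear in more than one account
      duplicate_emails - addresses that appear in more than one account
      malformed        - entries without a usable user@domain address
    """
    domain_accounts = defaultdict(set)
    email_accounts = defaultdict(set)
    malformed = []

    for email, account in users:
        # Assumption: compare case-insensitively so Ann@X.com and ann@x.com collide.
        normalized = email.strip().lower()
        local, sep, domain = normalized.rpartition("@")
        if not sep or not local or not domain:
            malformed.append(email)
            continue
        domain_accounts[domain].add(account)
        email_accounts[normalized].add(account)

    return {
        "shared_domains": {d: sorted(a) for d, a in domain_accounts.items() if len(a) > 1},
        "duplicate_emails": {e: sorted(a) for e, a in email_accounts.items() if len(a) > 1},
        "malformed": malformed,
    }

# Constructed sample data; account names and addresses are hypothetical.
SAMPLE_USERS = [
    ("ann@bobsplumbingservice.com", "plumbing-east"),
    ("raj@bobsplumbingservice.com", "plumbing-east"),
    ("Lee@BobsPlumbingService.com", "plumbing-west"),  # same domain, second account
    ("ann@bobsplumbingservice.com", "plumbing-west"),  # same user in two accounts
    ("kim@bobshvac.example", "plumbing-west"),          # extra domain on one account is allowed
    ("no-at-sign", "plumbing-east"),                    # not a usable address
]

if __name__ == "__main__":
    for kind, items in check_sp_initiated_readiness(SAMPLE_USERS).items():
        print(kind, items)
```

Any entry under `shared_domains` or `duplicate_emails` has to be resolved before the SP-initiated connection is enabled, because direct login is disabled once it is active.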
Log in to your Checkr account as an admin, and then use the Account settings > Single Sign On tab in the Checkr Dashboard to view and update your SSO settings.
For more information, refer to "View and configure SSO settings" in the Checkr Dashboard User Guides.