You can establish SAML connections with your preferred identity provider (IdP) and use Checkr as a service provider (SP).
Checkr supports the standard SCIM APIs. To provision SCIM API for your account, contact Checkr.
Prerequisites
Checkr SSO has requirements for SAML connections, and more specific requirements for IdP-initiated and SP-initiated connections. Before initiating the connection, review your Checkr account and IdP setup to confirm that your setup is compatible with Checkr SSO.
For all SAML connections
- Checkr doesn't provide and can't interpret SAML metadata.
- Checkr uses HTTPS at the transport layer to secure network traffic you send to us. Checkr doesn't support additional assertion encryption.
For IdP-initiated connections
- If you have multiple Checkr accounts, each account requires a separate SAML connection.
- If you choose only IdP-initiated connections, Checkr can't prevent your users from changing their passwords on the Checkr platform. If you use SP-initiated connections with an email domain, Checkr can enforce these rules.
- Your Checkr account allows users to have different email address domains.
For SP-initiated connections
- If your organization has multiple Checkr accounts, you must first confirm that each of your email domains is attached to only one Checkr account. For example, users with an @bobsplumbingservice.com email address can be associated with only one of your Checkr accounts. Your users must log in to separate Checkr accounts with separate email addresses.
- Checkr accounts allow multiple unique email domains to be associated with that account’s SSO connection. Each unique domain can be associated with only one Checkr account.
- Checkr identifies users by their email address, which must be unique. Each Checkr user can belong to only one Checkr account at a time.
- Users must first authenticate through your IdP before they can access the Checkr Dashboard. Setting up SP-initiated SSO disables direct login to your account.
Select your identity provider to learn how to enable SSO for Checkr.
Configure IdP-initiated SSO
- In the Microsoft Azure Active Directory tenant nav tray, select Enterprise Applications.
- Select New Application.
- Select "Create your own application."
- On the right side of the screen, use the steps below:
- Name your application.
- Confirm that "Non-gallery" is selected.
- Select Create.
- Select "Assign users and groups" and then "Add user/group" to add users or groups. Users you add must have a consistent attribute in Azure AD that matches their Checkr login email. The most common choices are usually user.mail or user.userprincipalname.
- On your application’s Overview page, select "Get started" in the "2. Set up single sign on" section.
- Select SAML.
- Use the information from the Single Sign On page in the Checkr Dashboard to update the information below in Azure:
- Basic SAML Configuration section in Azure
- Use the Single Sign On URL field in the Checkr Dashboard to update the Reply URL (Assertion Consumer Service URL) in Azure.
- Use the Audience field in the Checkr Dashboard to update the Identifier (Entity ID) field in Azure.
- Attributes & Claims section in Azure
- As the attribute, enter "email" and use all lowercase.
- Enter the user field your organization uses to store the email addresses for use as Checkr logins.
- In Azure, the "SAML Certificates" section populates.
- In Azure, select the Download link next to Certificate (Base64). In the Checkr Dashboard, select Choose File in the Signing Certificate section to upload the file you downloaded from Azure. The image below shows a Remove Current Cert button where the Choose File button will be.
- Use the Login URL field in Azure to update the Sign In URL field in Checkr.
- In the Checkr Dashboard, select Save.
- Log out of the Checkr Dashboard.
- Log out of Azure.
Test your configuration
To test your configuration, use the steps below in Azure:
- Confirm that you assigned your current user to the application.
- Confirm that your current user has a Checkr user name in the field assigned to the email attribute.
- Select the Test button.
Configure SP-initiated SSO
- Complete the steps for IdP-initiated SSO above.
- In the Checkr Dashboard, navigate to Account settings > Single Sign On.
- In the Email Domain field, enter an email domain. Only user names with this domain can log in.
- Select Save.
Test your configuration
Ask a user on your Checkr account to complete the steps below:
- Log out of the Checkr Dashboard.
- Open the Checkr login screen.
- Enter a user name that has your configured email domain. The password field should disappear. The screen should redirect to your IdP for authentication, then return to Checkr and log the user in.
If the test fails, complete the steps below and then repeat the test:
- Return to your Azure application’s SSO configuration.
- In the "Sign on URL" field, add dashboard.checkr.com/login.
- Select Save.
- Download the certificate again.
- In the Checkr Dashboard, upload the new certificate and save.
Configure IdP-initiated SSO
Sign in to a Google Workspace account that has super admin permissions, and use the steps below:
- Select Home, and then select Apps.
- Select "Web and mobile apps."
- Select "Add custom SAML app."
- Enter the app name and an optional description and icon.
- Select Continue.
- In the Checkr Dashboard, select Account settings > Single Sign On.
- Use the information from the "Configure SSO for SAML" page in Google Workspace to update the Single Sign On page in the Checkr Dashboard:
- Use the SSO URL field in Google Workspace to update the Sign In URL field in the Checkr Dashboard.
- In Google Workspace, select the download icon next to the certificate.
- In the Checkr Dashboard, select Choose File in the Signing Certificate section to upload the file you downloaded from Google Workspace.
- In Google Workspace, select Continue.
- Use the information from the Single Sign On page in the Checkr Dashboard to update the Service Provider Details page in Google Workspace.
- Use the Single Sign On URL field in the Checkr Dashboard to update the ACS URL field in Google Workspace.
- Use the Audience field in the Checkr Dashboard to update the Entity ID field in Google Workspace.
- In Google Workspace, set the name ID format to "email."
- In Google Workspace, select Continue.
- In the "Attribute mapping" page of Google Workspace, select "Add another mapping."
- Below "Google Directory attributes," enter "Primary email."
- Below "App attributes," enter "email."
- Select Add Mapping.
- In Google Workspace, select Finish.
Test your configuration
To test your configuration, use the steps below in Google Workspace:
- Open the Admin console.
- Select Home, and then select Apps.
- Select "Web and mobile apps."
- Select your custom SAML app.
- At the top left, select "Test SAML login." Your app should open in a separate tab.
Configure SP-initiated SSO
- Complete the steps for IdP-initiated SSO above.
- In the Checkr Dashboard, select "Account settings" > Single Sign On.
- In the Email Domain field, enter an email domain. Only user names with this domain can log in.
- Select Save.
Test your configuration
Ask a user on your Checkr account to complete the steps below:
- Log out of the Checkr Dashboard.
- Open the Checkr login screen.
- Enter a user name that has your configured email domain. The password field should disappear. The screen should redirect to your IdP for authentication, then return to Checkr and log the user in.
If the test fails, complete the steps below and then repeat the test:
- Return to your Google Workspace application’s SSO configuration.
- In the "Sign on URL" field, add dashboard.checkr.com/login.
- Select Save.
- Download the certificate again.
- In the Checkr Dashboard, upload the new certificate and save.
Configure IdP-initiated SSO
- In Okta, select the Applications tab and select Create App Integration.
- Select SAML 2.0 as the login method.
- In General Settings, configure basic visibility settings for your app in Okta. When you finish, select Next.
- In a new browser tab, log in to the Checkr Dashboard as an admin user and select Account settings > Single Sign On.
- Use the information from the Checkr Dashboard to update the fields below in Okta:
- Single sign on URL
- Audience URI (SP Entity ID)
- In Okta, select options for the items below and then select Next:
- Name ID format
- Application username
- Attribute Statements (optional)
- In Okta, answer questions on the Feedback page, and select Finish. The "How to Configure SAML 2.0 for {appname} Application" page should open. If the page doesn't open, select "View SAML setup instructions."
- Use the information from Okta to update the Sign In URL field in the Checkr Dashboard.
- In Okta, select "Download certificate."
- In the Checkr Dashboard, select Choose File in the Signing Certificate section to upload the file you downloaded from Okta.
- In the Checkr Dashboard, select Create.
Test your configuration
Ask a user on your Checkr account to complete the steps below:
- Log out of the Checkr Dashboard.
- Log in to Okta and select the Checkr tile.
If the user can't log in, confirm that "email" is all lowercase in the Name field of the Email Attributes section. If you make changes to your configuration, use the steps below:
- In Okta, select "Download certificate."
- In the Checkr Dashboard, select Choose File in the Signing Certificate section to upload the file you downloaded from Okta.
- In the Checkr Dashboard, select Create.
Configure SP-initiated SSO
- Complete the steps for IdP-initiated SSO above.
- In the Checkr Dashboard, select Account settings > Single Sign On.
- In the Email Domain field, enter an email domain. Only user names with this domain can log in.
- Select Save.
Test your configuration
Ask a user on your Checkr account to complete the steps below:
- Log out of the Checkr Dashboard.
- Open the Checkr login screen.
- Navigate to dashboard.checkr.com, and enter a user email with your configured email domain. The password field should disappear. The screen should redirect to your IdP for authentication, then return to Checkr and log the user in.
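When a test login fails with any of the IdPs above, the requirements on this page (no assertion encryption, Audience and ACS URL matching the Checkr Dashboard values, an attribute named exactly "email", and the configured email domain) can be checked against a captured SAMLResponse. The script below is an added example, not Checkr's code: the ACS URL, audience and sample response are constructed placeholders, `check_saml_response` and `make_sample` are hypothetical names, and the script does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed placeholders: copy the real values from the Checkr Dashboard.
ACS_URL = "https://sp.example.test/saml/acs"
AUDIENCE = "sp-audience-placeholder"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, acs_url, audience, email_domain):
    """Return a list of problems found in a base64-encoded SAMLResponse."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DOCTYPE/ENTITY declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    if root.find(".//a:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted, which the SP does not support")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience!r}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("a:AttributeValue", NS)]
             for a in root.findall(".//a:Attribute", NS)}
    if "email" not in attrs:  # the attribute name is case-sensitive
        near = [n for n in attrs if n and n.lower() == "email"]
        problems.append(f"no attribute named exactly 'email' (found {near or list(attrs)})")
    else:
        for value in attrs["email"]:
            if not value.lower().endswith("@" + email_domain.lower()):
                problems.append(f"email {value!r} is outside domain {email_domain!r}")
    return problems

def make_sample(attr_name, email, audience=AUDIENCE):
    """Build a constructed, unsigned SAMLResponse for demonstration only."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'Destination="{ACS_URL}"><saml:Assertion><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
           f'<saml:Attribute Name="{attr_name}"><saml:AttributeValue>{email}'
           f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = make_sample("Email", "pat@bobsplumbingservice.com")
    print(check_saml_response(bad, ACS_URL, AUDIENCE, "bobsplumbingservice.com"))
```
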