Checkr has introduced a self-service SAML setup feature for clients to use. The feature allows Checkr to serve as a Service Provider (SP) and allows customers to establish SAML connections with their preferred identity provider (IdP).

Checkr supports the standard SCIM APIs. Setting up these APIs allow an IdP to dynamically provision and deprovision users as they join the organization, move around within the organization or leave the organization. Enabling the SCIM API interfaces is currently performed by-request. Reach out to your Customer Success Manager or to clients@checkr.com to request that the SCIM provisioning process be initiated for your account.

For more information, see Does Checkr support Single Sign On integrations?

Prerequisites

Checkr SSO has requirements for all SAML connections, and more specific requirements for IdP-initiated and SP-initiated connections. Please review your Checkr account and IdP setup to confirm that your setup is compatible with Checkr SSO before initiating the connection.

For all SAML connections

• Checkr does not provide and cannot consume SAML Metadata.
• All traffic sent to traffic is secured at the transport layer through HTTPS. Checkr does not support any additional assertion encryption.

For IdP-initiated connections

• If you have multiple Checkr accounts, each account requires a separate SAML connection.
• if you choose "ONLY" IdP-initiated connections, Checkr cannot prevent your users from changing their passwords on the Checkr platform. (If you use SP-initiated (with an email domain) connections, Checkr can enforce these rules.)
• Your Checkr account may mix users with different email address domains.

For SP-Initiated connections

• If you have multiple Checkr accounts for your organization, you must first confirm that each of your email domains is attached to only one Checkr account. (For example: Users with an @bobsplumbingservice.com email address may only be associated with one of your Checkr accounts.) Your users must log into separate Checkr accounts with separate email addresses.
• Checkr accounts may have multiple unique email domains associated with that account’s SSO connection, but each domain may only be associated with one Checkr account.
• Checkr users are defined by their email address, which must be unique. Each Checkr user may belong to only one Checkr account at a time.
• Users will be unable to access Checkr without first authenticating through your IdP. Direct login to your account will be disabled.

SAML setup

Log into your Checkr account as an Admin, then use the Account Settings > Single Sign On tab in the Checkr Dashboard to view and update your SSO settings.

For more information, see View and configure SSO settings in the Checkr Dashboard User Guides.