Checkr provides the tooling to enable customers to configure their SSO using SAML through the Checkr Dashboard.
Frequently Asked Questions
Does Checkr support JIT (just-in-time) provisioning via SAML?
No. Provisioning of users must be performed by manual user management in the Checkr Dashboard or through SCIM APIs.
Can a SAML request change authorizations within Checkr?
No. Checkr requires management of user roles either through the Checkr dashboard or through SCIM APIs. We do not support adjustment of authorization or assignment of roles through SAML requests.
Are you able to supply SAML metadata to us for your endpoint? Can you read metadata from us instead of manually entering SAML information in the Checkr Dashboard?
No. Checkr does not presently support either generating or ingesting SAML metadata. Configuration of the connection must be done manually.
What are the requirements for the Subject:NameID value?
The Checkr Dashboard recommends making use of values such as UUID or GUID from your Identity Provider. The requirement is that the Subject NameID must be a unique identifier. This could be an email address, username, UUID, GUID, or any other unique identifier that is easy to manage from within your IdP.
I have multiple Checkr accounts. Can I use SSO on all of them?
It depends! Checkr can support SSO on multiple accounts, however there are several caveats. Each account will require a separate SSO application and separate SSO setup in your IdP. If those accounts use the same email address domain for user logins, you cannot provision SP-initiated SSO for any of your accounts, although IdP-initiated SSO will work.
Can I prevent users from logging into Checkr with a Checkr-specific password?
You can, provided you are able to move to SP-initiated SSO. When you enable SP-initiated SSO, your users will be redirected to your IdP for authentication. Checkr will not ask your users for a password.
My account has account hierarchy enabled or my account uses Geos. Can I make use of SCIM?
You can. Today’s process requires you to provision users via SCIM. However, there is no ability to assign users programmatically to account nodes (or Geos) through the SCIM API. Therefore, you must establish a process where a Checkr Administrator will assign a newly created user to a Node (or Geo) within your account after the SCIM interface has concluded its work.
Does Checkr support Roles or other SCIM endpoints?
Today, Checkr only supports provisioning through the Users SCIM endpoint. You must manually configure Roles by mapping Checkr roles defined using the Checkr Dashboard to your internal roles.
When sending the user roles defined in the Checkr Dashboard as part of a SCIM Users request, be certain to send the role as all lower-case with an underscore (_) character replacing spaces. (For example: Send “Limited User” as “limited_user”.)
Do you support assertion encryption for your SAML connections?
Not yet. However, Checkr requires an HTTPS endpoint for your IdP and only accepts inbound SAML requests via HTTPS. This provides a layer of encryption between the IdP and Checkr and prevents third parties from reading the information in transit.