Single Sign-on (SSO)

Configuration of sign-on with SAML SSO

SAML-based single sign-on (SSO) gives users access to Firstbird through an identity provider (IdP) of your choice.



Firstbird supports identity provider (IdP) initiated flow, service provider (SP) initiated flow and just-in-time provisioning.

For SP login, please go to

Your IdP should ensure that a user is authenticated and authorized before sending a request. If a user is not authorized, the request shouldn't be sent.


Step 1: Set up your Identity Provider (IdP)

First, create a connection for Firstbird at your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Firstbird account:

Manual Identity Provider (IdP) configuration

For an easy setup, you will find all important information for the configuration of your IdP directly in your Firstbird company account in "Account Preferences" - "Authentication" - "Single Sign-on" (only visible once SSO has been activated by Firstbird).

All important information at a glance:

  • Entity-ID

  • Post-Backup-URL for SSO-Login (SSO)

  • Address of Metadata.xml
    (If automatic configuration is possible)




Settings for the configuration of your Identity Provider

  • NameID (mandatory field)


    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your unique identifier</saml:NameID>






  • Email attribute (mandatory field)


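    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User's email address</saml:AttributeValue>
    </saml:Attribute>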




  • Session duration attribute (optional)


The attribute only impacts the sign-on duration. This element contains an AttributeValue element indicating how long the user can access Firstbird before the user must sign on again. This value is an integer indicating the number of seconds for the session. The value must be at least 1,200 seconds (20 minutes). If the attribute SessionNotOnOrAfter of the AuthnStatement is also set, the lower value of the two attributes will be used.

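    <saml:Attribute Name="">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">86400</saml:AttributeValue>
    </saml:Attribute>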




Step 2: Set up your Firstbird account (SP configuration)

Finalize the configuration in Firstbird with the following three important items from your IdP:

  1. Entity-ID 
    This is the unique identification for the connection to Firstbird and will be provided by your IdP.
  2. SSO Service URL
    This is the address of your IdP. Firstbird will send all authentication requests to this URL.
  3. Signing Certificate
    Firstbird requires that SAML assertions are signed and that a valid X.509 .pem certificate is stored at Firstbird to verify your identity.


All settings described above can be found in the Metadata XML of your IdP.

Firstbird offers three options to make the configuration as easy as possible:

1. Configuration via IdP Metadata.XML upload
2. Configuration via IdP Metadata URL
3. Manual configuration


1. Configuration via IdP Metadata.XML upload

You can upload the Metadata XML of your IdP. If the XML was uploaded successfully, the settings are preconfigured accordingly. Changes can be made at any time.



2. Configuration via IdP Metadata URL

You can enter the Metadata XML address of your IdP. Once we have checked the XML, the settings are preconfigured accordingly. Changes can be made at any time.



3. Manual configuration

If none of the above options are suitable for you, the configuration can be done manually as well.




Click the button "Save Configuration" to save your settings.


Step 3: Activate SSO

As soon as you have saved the SSO settings, you can activate SSO for your Firstbird company account.


After activating SSO for your company account, a new button "Login via SSO" will appear on the login page. From now on, your users will be able to log in only via SSO.




If you are having trouble with SSO, please contact our support.


SSO for existing users

You can activate SSO for your company account even if some users have already registered through your Firstbird company account. Existing users are linked automatically: your IdP sends the user's email address to Firstbird as an assertion attribute, and it must match the email address of an existing Firstbird user.

If the email address is not identical, a new user account will be created.



Authentication via Single Sign-On (SSO) only

In addition to logging in with SSO and a password, there is also the option to allow login via SSO only. This is only available if single sign-on has been enabled for your Firstbird company account and is in use.


Activate authentication via Single Sign-On (SSO) only

Before enforcing SSO for your Firstbird company account, make sure, together with your IT, that SSO is configured properly (see article "Configuration of Sign-on with SAML SSO"). When done, go to your "Account Preferences", "Authentication" and next to "Single Sign-On".

To enable authentication via SSO only, click on the toggle next to "Authentication via Single Sign-On only".


When activated, the user will see the following login screen:



If this happens, please contact our support.

As soon as authentication via SSO only has been activated, the following features are inactive:

  • Invite users via Firstbird
  • Registration page
  • Multi-Factor Authentication
  • Password Policy




Your IdP Certificate Has Been Updated

If your IdP's certificate has been updated, please change the certificate in your Firstbird company account as well. Otherwise, your users will not be able to log in via SSO anymore.

As a precautionary measure, we recommend creating a backup administrator user with an email address that is not part of SSO, such as

If your IdP certificate has changed, you'll be able to log in with this backup administrator login, together with your IT department, to update the certificate under your "Account Preferences".

To update the certificate, go to "Account Preferences", under the "Single Sign-On" heading and click the button "Expand" to show "Single Sign-On Configuration".

Depending on your current settings, please

  1. Upload a new "Metadata file",
  2. Add a new "Metadata URL" or
  3. Simply update the "Signing certificate" to "Manual settings".



Click on the button "Save configuration" to save your changes.

Please update the certificate together with your IT department to make sure all changes are correct.




Just-In-Time provisioning for SAML SSO

Providing attributes with JIT provisioning allows Talent Scouts to skip corresponding registration steps.

Recruiters will receive all information needed for reward management and can identify Talent Scouts more easily, for example if employee-ID is provisioned. 

Company administrators no longer need to assign roles to users manually after registration. The appropriate role can be assigned automatically when a user registers with Firstbird.

All changes to user data in your system will be automatically adopted and applied to users the next time they log into Firstbird. This ensures your user data is always up-to-date. Profile information provided with JIT provisioning cannot be changed by the user.

  • First name attribute (optional)


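    <saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Max</saml:AttributeValue>
    </saml:Attribute>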




  • Last name attribute (optional)


    <saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Mustermann</saml:AttributeValue>
    </saml:Attribute>



  • Employee-ID-attribute (optional)


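    <saml:Attribute Name="employee_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DE123456789</saml:AttributeValue>
    </saml:Attribute>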




  • Department-ID-attribute (optional)


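    <saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sales</saml:AttributeValue>
    </saml:Attribute>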




  • Location-ID-attribute (optional)


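    <saml:Attribute Name="location" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vienna</saml:AttributeValue>
    </saml:Attribute>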




  • User-Role-attribute (optional)


Please note! This attribute is predefined and its value must be one of the following to assign the corresponding role:

    • Talent Scout: ROLE_TALENT_SCOUT
    • Recruiter: ROLE_RECRUITER
    • Company-Administrator: ROLE_COMPANY_ADMIN


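    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ROLE_TALENT_SCOUT</saml:AttributeValue>
    </saml:Attribute>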




What happens if the role is not available or cannot be recognized?

The attributed role will not be provisioned and the default role as Talent Scout will be assigned.

What happens when location and/or department is not available?

The location/department will not be provisioned and the user must select their location/department during registration.

What happens when locations/departments with the same name exist?

When two or more of the same locations/departments exist, the location/department set in the account settings will be assigned.

Can the profile information provided be updated?

Yes, changed profile information of a user is automatically updated at the subsequent login.
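The attribute rules on this page (mandatory NameID and email, the three role values with their Talent Scout fallback, the 1,200-second session minimum) can be checked against a test assertion from your IdP before SSO is activated. This is an added example, not Firstbird code; the `session_duration` attribute name is hypothetical because the real name is not shown on the page, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ROLES = {"ROLE_TALENT_SCOUT", "ROLE_RECRUITER", "ROLE_COMPANY_ADMIN"}
# Hypothetical name: the real session duration attribute name is not shown on the page.
SESSION_ATTR = "session_duration"


def attr_xml(name, value):
    """Build one saml:Attribute element for the constructed sample."""
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            f'</saml:AttributeValue></saml:Attribute>')


# Constructed sample: unsigned assertion fragment with an unknown role and a short session.
SAMPLE = (f'<saml:Assertion xmlns:saml="{SAML[1:-1]}"><saml:Subject>'
          f'<saml:NameID Format="{PERSISTENT}">a1b2c3</saml:NameID></saml:Subject>'
          '<saml:AttributeStatement>' + attr_xml("email", "max@example.test")
          + attr_xml("role", "ROLE_ADMIN") + attr_xml(SESSION_ATTR, "600")
          + '</saml:AttributeStatement></saml:Assertion>')


def check_assertion(xml_text):
    """Return (effective_role, problems) for one assertion, using the rules on this page."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = next(root.iter(f"{SAML}NameID"), None)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing (mandatory)")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format differs from the persistent format shown on the page")
    attrs = {a.get("Name"): (a.findtext(f"{SAML}AttributeValue") or "").strip()
             for a in root.iter(f"{SAML}Attribute")}
    if not attrs.get("email"):
        problems.append("email attribute missing (mandatory)")
    role = attrs.get("role")
    if role is not None and role not in ROLES:
        problems.append(f"role {role!r} not recognized: default Talent Scout role applies")
    # An absent or unrecognized role falls back to Talent Scout, as the page states.
    effective_role = role if role in ROLES else "ROLE_TALENT_SCOUT"
    duration = attrs.get(SESSION_ATTR)
    if duration is not None and not (duration.isdecimal() and int(duration) >= 1200):
        problems.append("session duration must be an integer of at least 1200 seconds")
    return effective_role, problems
```

The check covers attribute contents only; signature validation of the assertion is a separate step performed by the service provider.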