How to Configure SAML 2.0 for BambooHR

Read this before you enable SAML

Enabling SAML will affect all users who use this application, which means that users will not be able to sign-in through their regular log-in page. They will only be able to access the app through the Okta service.

Backup URL

BambooHR does not provide a backup log-in URL where users can sign in using their username and password. A BambooHR admin can disable SAML by uninstalling the Okta SAML application in BambooHR to allow username and password sign in.


Supported Features

The Okta/BambooHR SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Navigate to BambooHR at https://<your_subdomain>.bamboohr.com where <your_subdomain> is your organization's subdomain, and sign in with your existing credentials. This URL is the default relay state for your organization.

  2. Go to: Settings > Apps:

    go to Settings > Apps

  3. Scroll down to Okta, then click Install:

    Select Okta, then click Install

  4. Enter the following:

    • SSO Login Url: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • x.509 Certificate: Copy and paste the following (be sure to include the Begin Certificate and End Certificate lines:

      Sign in to the Okta Admin app to generate this value.

    • Click Install:

    Enter configuration information

  5. In Okta, select the Sign On tab for the BambooHR SAML app, then click Edit:

    • Saml Name ID: Select the Name ID that will be used in the SAML SSO mode (either Email or User Name).

    • Click Save:


  6. Done!


For SP-initiated SSO

  1. Go to your BambooHR URL (for example, https://<your_subdomain>.bamboohr.com).

  2. You will be prompted to sign in to Okta (if there is no active Okta session). You will then be automatically logged in to your BambooHR account.