In another article, we explained how to enable single sign-on (SSO) via a company domain using the basic method. This article outlines an alternative approach using integration with Entra ID (formerly Azure Active Directory). Please share this article with your IT department so they can complete the setup.
Step 1 – Generate the App Federation Metadata URL
In Entra ID, go to the Azure Active Directory service.
From the left-hand menu, select Enterprise applications.
At the top, click + New application.
Select + Create your own application.
In the right-hand panel, enter a name (e.g. eRecruiter) to help identify the application later.
Choose the option Integrate any other application you don’t find in the gallery, then click Create.
Once the application has been created, configure it as follows:
In the left-hand menu, select Single sign-on.
In the center panel, choose the SAML option. You should now see a configuration panel similar to the one shown in the screenshot.
Note: Start from point 3 in the configuration process.
Click Add a certificate, then choose New certificate. Set the certificate’s validity according to your organization's internal security policy.
Click Save, then click the three-dot menu on the right and set the certificate status to Active.
The certificate will now appear in Section 3 of the panel.
Send the App Federation Metadata URL and the domain name to be used for login to eRecruiter at [email protected] and to the person who originally provided this instruction.
Step 2 – After Sending the Metadata URL
Once eRecruiter receives your Metadata URL, we will configure it on our side and send you a response containing a link with data that needs to be imported into your application:
After importing the file, Section 1 of the SAML configuration should resemble the example provided in the screenshot.
Next, configure Section 2 as follows:
Email – the user's email address.
Note: This field is for informational purposes only and will not be used to map users from Entra ID to accounts in the eRecruiter system.
UserId – a unique text-based identifier for each user (for example: userPrincipalName in Entra ID). eRecruiter uses this attribute to identify users from Entra ID. Every user account in the eRecruiter system that is allowed to log in via Entra ID must have a unique identifier. Two users in eRecruiter cannot have the same UserId from Entra ID.
Once attributes are configured, grant users access to the application according to your organization's internal policies.
Example attribute configuration is shown in the screenshot:
Note: After clicking Edit, ensure the Claim name is set to UserId:
When adding a new claim, leave the Namespace field empty:
Step 3 – Test the Login, Confirm Expected Error, and Schedule Activation
Once the configuration is complete:
Go to system.erecruiter.pl
Click Log in with your company domain (this redirects to auth.erecruiter.pl) – the option is located below the standard login form.
In the next window, enter your company domain (previously submitted to eRecruiter) and click Log in.
Attempt to log in using your domain credentials. Expected outcome: You should receive the following message: “Log in with username and password in order to proceed to domain login”:
If a different error appears, return to Edit → Attributes & Claims and verify the configuration based on Step 2. If everything appears correct, take a screenshot of this section and send it to eRecruiter along with:
The exact date and time of the login attempt
A description or screenshot of the error message
Once the expected error has been confirmed, send eRecruiter the timestamp (date and time) of your test attempt and inform us when you'd like to enable domain login for your users.
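If the test login in Step 3 shows a different error, the claims from Step 2 can be checked directly on the SAMLResponse your browser posted during that attempt. The script below is an added example, not eRecruiter's or Microsoft's code. It assumes the claim names are exactly `UserId` and `Email`, that the assertion is not encrypted, and that a non-empty Namespace shows up as a prefix ending in `/UserId`; the sample responses are constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def claim_issues(saml_response_b64):
    """Return a list of problems with the Step 2 claims in a base64 SAMLResponse."""
    # Parse only responses captured from your own test login (trusted input).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    if not attrs:
        return ["no attributes found (assertion missing or encrypted)"]
    issues = []
    if "UserId" in attrs:
        if len(attrs["UserId"]) != 1 or not attrs["UserId"][0]:
            issues.append("UserId must carry exactly one non-empty value")
    else:
        # A filled-in Namespace field changes the claim name that is sent.
        prefixed = [name for name in attrs if name.endswith("/UserId")]
        issues.append(f"claim sent as '{prefixed[0]}': clear the Namespace field"
                      if prefixed else "UserId claim is missing")
    if "Email" not in attrs:
        issues.append("Email claim is missing")
    return issues

def sample_response(userid_name, userid_value="anna@example.com"):
    """Build a constructed, unsigned SAMLResponse for offline testing."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:AttributeStatement>'
        f'<saml:Attribute Name="{userid_name}">'
        f'<saml:AttributeValue>{userid_value}</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute Name="Email">'
        '<saml:AttributeValue>anna@example.com</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

GOOD = sample_response("UserId")
NAMESPACED = sample_response(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/UserId")

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("namespaced", NAMESPACED)):
        print(label, claim_issues(resp) or "OK")
```

An empty result means the claim names match Step 2; the uniqueness of each UserId value across eRecruiter accounts still has to be confirmed separately.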