Managing SSO Users on Harver

In this article:

  1. SSO users
  2. Advanced SSO configurations
  3. Lite SSO configurations
  4. Example Scenario: Onboarding a New Recruiter to Harver

SSO Users:

For all SSO-enabled accounts, users are created upon their first login using SSO authentication and updated with each subsequent login. Additionally, user information is refreshed automatically every two hours when the Harver session expires.

By default, SSO authentication ensures that user attributes such as First Name, Last Name, and Email Address are strictly managed by the Identity Provider (IdP) - the customer’s SSO provider (e.g., Okta or Azure AD).

Advanced SSO configurations:

For customers with legacy account types (regular or retail, non-OneType accounts) and those using an Advanced SSO setup, some or all user permissions (including Admin, Recruiter, Regions, and Locations) are also managed by the Identity Provider (IdP).

[Screenshot: Not editable SSO user]

When a user profile is not editable in Harver, the User Management UI displays an SSO badge, and the edit option is unavailable. Instead, an “SSO” label is shown.

Any changes to these parameters cannot be made within Harver and must be handled by the customer’s IT team, following their internal processes.

Lite SSO configurations:

Customers using OneType accounts with the Lite SSO configuration option can partially manage and modify a user’s permissions within the Harver platform.

In these cases, the SSO badge is still displayed, but the edit icon remains available, allowing certain permission changes directly in Harver.

[Screenshot: Partially editable SSO user]

If permissions are not provided by the IdP, all users are automatically assigned to the default permission group: “Recruiter without PII.”

From there, either Support or an account admin can manually update the permissions for each user.

Please note that default values are defined by the customer during the SSO configuration process.

[Screenshot: Partially editable SSO user with read-only fields]

The values managed and updated by the IdP (typically First Name, Last Name, and Email Address) are read-only. A notification bar informs users that these fields cannot be edited within Harver.

All other non-SSO-controlled values can be modified by an Account Admin or the Harver Support team.

Example Scenario: Onboarding a New Recruiter to Harver:

  1. Customer’s IT assigns permissions
    1. Following their internal process, the customer’s IT team assigns the new recruiter the appropriate permissions to access Harver.
  2. The recruiter logs in for the first time
    1. They visit Harver and enter their company email address.
    2. They are redirected to their IdP (SSO provider) for authentication.
    3. After successful authentication, they are redirected back to Harver.
  3. User profile creation
    1. Harver automatically creates the recruiter’s user profile with:
      1. The “Recruiter” role (without PII access).
      2. The default location: “Headquarters.”
  4. Updating permissions (if needed)
    1. A customer Account Admin logs into Harver and updates the new user’s profile, granting PII access and modifying assigned locations.
    2. Alternatively, a customer stakeholder can request these updates through Harver Support, and the Harver Support team will apply the changes.
  5. Permissions take effect
    1. The recruiter can refresh the Harver page or log back in to see the updated permissions.

 
