Attribute Release Policy
We request that customer campuses configure their Identity Provider (IdP) to release eduPersonPrincipalName (eppn), or a similar unique user ID attribute (unique UID), to the UC Recruit Service Provider (SP). No other attributes are required by UC Recruit.
For log-in and the exchange of data to succeed, Recruit requires that:
- The OID of the campus's unique UID attribute be provided to Recruit administration (for eppn this is urn:oid:1.3.6.1.4.1.5923.1.1.1.6).
- The value of the campus's unique UID match the external_user_id provided to Recruit via the directory feed.
Current UC Recruit limitations when using single sign-on (SSO) authentication are:
- The Applicants and References areas do not support SSO. Instead, authentication is handled internally by UC Recruit.
- Inter-campus authentication (e.g. UC Irvine faculty authenticating to UC San Diego's Recruit system) is not supported.
- Only the unique UID attribute (eppn or a similar unique user ID) is supported by UC Recruit.
Logout Behavior
On log out, UC Recruit clears the user's Recruit session. A secure log out, one that prevents re-authenticating without a prompt for username and password, additionally requires that the campus's IdP and SSO systems take one of the following approaches:
- Direct the browser to a custom-built session clearing / logout URL
- Have a short IdP session timeout in place
Without one of the above logout approaches in place, a user who clicks logout can click back into a login-protected area of Recruit and be automatically re-authenticated by the still-valid IdP session, without a prompt for username and password.
Many IdPs' default logout behavior is to log the user out of the Recruit application only; the user remains logged in to the campus's other SSO applications. This satisfies Recruit's needs; single log-out is a campus policy decision.
Logout Redirect URLs
If the campus wishes to use single log-out, logout URLs can be chained, leading through each system that should be logged out of before optionally returning to Recruit.
To use this optional logout URL chain, the campus's identity web services must accept a URL passed as a 'return' parameter in the query string of their logout URL. This 'return' parameter instructs the system at each step of the chain to send an HTTP redirect to the browser after successfully logging the user out of that system. Because each return value is itself a URL with its own query string, each nested level must be percent-encoded when the chain is built.
Note: The redirection process is started on the Recruit SP end, so the redirection URLs and query string parameters required by the IdP/SSO systems need to be provided to Recruit administration in order for redirection to work.
Example logout URL chain (URL is provided without encoding to enhance readability):
https://idp.uc.edu/logout?return=https://sso.uc.edu/logout?return=https://recruit.uc.edu/
This logout URL chain causes the following sequence of actions to occur:
- Clear the session on the SP (implied) and forward the browser to the IdP
- Log out of the IdP and redirect to SSO
- Log out of SSO and redirect to Recruit
- Land on the Recruit home page in a fully logged-out state
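The following is an added example, not code from UC Recruit or any campus IdP. It shows how the chain above is built with one level of percent-encoding per hop, so that each system sees exactly one 'return' parameter, and it simulates each hop clearing its session and redirecting to the next. The hostnames are the ones in the example URL; the allowlist of permitted return hosts, the 'return' parameter name, and the requirement that return targets use https are assumptions added here because a logout endpoint that redirects to an arbitrary 'return' URL is an open redirect unless each system restricts the targets it will honor.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed from the page's example chain (idp -> sso -> recruit).
LOGOUT_HOPS = ["https://idp.uc.edu/logout", "https://sso.uc.edu/logout"]
FINAL_URL = "https://recruit.uc.edu/"

# Assumption: each system in the chain only redirects to these hosts over https.
ALLOWED_RETURN_HOSTS = {"idp.uc.edu", "sso.uc.edu", "recruit.uc.edu"}


def build_logout_chain(hops, final_url, param="return"):
    """Build the nested logout URL, outermost hop first in `hops`.

    The chain is assembled from the innermost URL outward. Each wrap
    percent-encodes the whole inner URL (including any '%' from the
    previous wrap), so the nth system unwraps exactly one level.
    """
    url = final_url
    for hop in reversed(hops):
        url = f"{hop}?{param}={quote(url, safe='')}"
    return url


def next_hop(current_url, allowed_hosts, param="return"):
    """Simulate one system's logout handler.

    After clearing its own session (not modelled here), the system reads
    the single 'return' parameter and redirects to it, but only if the
    target is https and its host is on the allowlist. Returns None when
    there is no 'return' parameter, i.e. the end of the chain.
    """
    parts = urlsplit(current_url)
    target = parse_qs(parts.query).get(param, [None])[0]
    if target is None:
        return None
    t = urlsplit(target)
    if t.scheme != "https" or t.hostname not in allowed_hosts:
        raise ValueError(f"refusing redirect to untrusted target {target!r}")
    return target


def walk_chain(start_url, allowed_hosts):
    """Follow the chain as the browser would; return every URL visited."""
    visited = [start_url]
    url = start_url
    while True:
        nxt = next_hop(url, allowed_hosts)
        if nxt is None:
            return visited
        visited.append(nxt)
        url = nxt


if __name__ == "__main__":
    chain = build_logout_chain(LOGOUT_HOPS, FINAL_URL)
    print("Encoded chain URL:", chain)
    for step, url in enumerate(walk_chain(chain, ALLOWED_RETURN_HOSTS), 1):
        print(f"  hop {step}: {url}")
```

The decoded hops come out in the same order as the bullet list above, ending on the Recruit home page. Replacing any host with one outside the allowlist makes that hop refuse the redirect instead of forwarding the browser off-campus.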
SSO SP Contacts
For new campuses joining Recruit seeking information on set up, or for issues regarding single sign-on, please contact UCRecruit-Support@uci.edu.