2. Configure Your Organization’s Identity Provider
The information that is provided on this page is intended to aid a user in setting up Single Sign-On for Talent Suite by using a third-party Identity Provider (IdP).
- Identity configuration varies based on the specific Identity Provider (IdP) system your organization is using. The configuration steps are specified in the IdP's training and documentation. IBM takes no responsibility for the content in third-party programs, and the process on this page might not accurately represent the IdP system.
If your organization's IdP system supports setting up a Service Provider (SP) by importing a SAML metadata file, the IBM Talent Suite SAML metadata file can be uploaded to the IdP system. If the IdP system does not support the import, this process configures the IdP system manually to communicate with Talent Suite as the SP.
SSO metadata files expire and must be replaced before their expiration date and time.
Note: Do not upload the certificates on this page for configuring BrassRing Single Sign-On.
Select the Talent Suite Service Provider links to download the Talent Suite SSO metadata files. These metadata files are uploaded to your organization's Identity Provider. Download and uncompress the .xml file for use in the Identity Provider. If your organization's Identity Provider requires .cer files, see Create Certificate Files from the metadata files. Ensure that the correct region and environment are downloaded. If your organization's Talent Suite URL starts with:
- https://2x-staging.kenexa.com, download the Talent Suite US Stage SSO metadata file.
- https://2x.kenexa.com, download the Talent Suite US Production SSO metadata file.
- https://2x-dc2-staging.kenexa.com, download the Talent Suite EU Stage SSO metadata file.
- https://2x-dc2.kenexa.com, download the Talent Suite EU Production SSO metadata file.
- IdP Configuration Tips
- The following URL patterns show some of the values your organization's IdP system might require to be set during manual configuration of that IdP. These values are based on the IBM US Production environment, denoted by https://2x.kenexa.com. Ensure that the URL is updated for the correct region and environment. If metadata import is used for IdP configuration, the IdP import parses these details from the Talent Suite metadata files.
- Single Sign On URL = https://2x.kenexa.com/sps/inboundSSOProd/saml20
- Destination URL = https://2x.kenexa.com/sps/inboundSSOProd/saml20/login
- Recipient URL, also known as the Assertion Consumer Service (ACS) URL = https://2x.kenexa.com/sps/inboundSSOProd/saml20/login, if the SAML Response has SubjectConfirmation and SubjectConfirmationData tags for the Subject.
- Audience Restriction = https://2x.kenexa.com/sps/inboundSSOProd/saml20
- Configuring the Identity Provider
- For IdP-specific configuration of Azure AD, Okta, and ADFS, see Azure AD, Okta, and ADFS IdP Specific Configuration.
- All of the required Talent Suite SSO information is in the downloaded Talent Suite metadata files. If your organization's IdP system does not support upload of a Talent Suite metadata file, manual configuration is required, and the Talent Suite SSO information can be obtained from the metadata file content.
- Define the entityID of Talent Suite. This is the entityID attribute in the Talent Suite metadata file, for example entityID=https://[THE-ENV].kenexa.com/sps/inboundSSO.../saml20
- Define the Talent Suite ACS address. This is where your organization's IdP sends SAML assertions; it is in the AssertionConsumerService tag in the IBM Talent Suite metadata file, for example https://[THE-ENV].kenexa.com/sps/inboundSSO.../saml20/login
- Define the NameID Format. The formats Talent Suite supports are listed in the NameIDFormat tags in the metadata file. IBM suggests emailAddress (some IdP systems call this email) as the starting point, because some systems, such as ADFS, do not support unspecified.
- Set the SAML Signature Algorithm to SHA-256. Talent Suite only uses the SHA-256 algorithm.
- Set the Relay State information. The Relay State information is determined by the IdP system. If no Relay State information is needed, this field can be left blank.
- Configure SAML assertion signing. If your organization's IdP requires SAML assertions to be signed, upload the IBM Talent Suite signing certificate, which is in the downloaded Talent Suite metadata file from the Configure Your Organization's Identity Provider section.
- Configure SAML response encryption. If your organization's IdP requires the SAML response to be encrypted, upload the Talent Suite encryption certificate, which is in the Talent Suite metadata file from the Configure Your Organization's Identity Provider section.
- Create Certificate Files from the metadata files
- Your organization's IdP might require the signing and encryption certificates to be uploaded instead of the metadata file.
- To create certificate files from the metadata files, download and extract the metadata file.
- Open the .xml metadata file with an HTML editor or a Notepad application.
- Open a new blank Notepad instance and enter the text -----BEGIN CERTIFICATE-----
- For the signing certificate, locate the tag <md:KeyDescriptor use="signing">, and copy the code inside the <X509Certificate> tags. Do not include the <X509Certificate> or </X509Certificate> tags.
- On a new line in the Notepad page, paste the code.
- On a new line, enter the text -----END CERTIFICATE-----
- Select .
- Select .
- Enter the file name with the extension .cer, for example TalentUSProdSigningCertificate.cer.
- Select Save.
For the encryption certificate, repeat this process for the <X509Certificate> code in the <md:KeyDescriptor use="encryption"> tags.
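The manual steps above (reading entityID, ACS and NameIDFormat values out of the metadata, and turning each X509Certificate body into a .cer file) can be automated. The script below is an added example, not IBM's code: it parses a constructed SP metadata sample whose URLs are the US Production values from this page and whose certificate bodies are placeholder base64, writes PEM text with the same BEGIN/END lines the Notepad procedure produces, and checks the metadata validUntil expiry that this page says must be tracked.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: URLs are the page's US Production values; the two
# certificate bodies are placeholder base64, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2030-01-01T00:00:00Z"
 entityID="https://2x.kenexa.com/sps/inboundSSOProd/saml20"><md:SPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  U0lHTklOR0NF
  UlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  RU5DUllQVElPTkNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
 <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://2x.kenexa.com/sps/inboundSSOProd/saml20/login" index="0"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Pull the values a manual IdP setup needs out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        body = kd.find(".//ds:X509Certificate", NS).text
        certs[kd.get("use", "both")] = "".join(body.split())  # drop XML line wrapping
    return {
        "entity_id": root.get("entityID"),      # SP entityID / Audience Restriction
        "valid_until": root.get("validUntil"),  # metadata expiry
        "acs_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "certs": certs,
    }

def to_pem(cert_b64):
    """Build the .cer (PEM) text the page assembles by hand in Notepad."""
    base64.b64decode(cert_b64, validate=True)  # reject a mangled copy/paste early
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]  # PEM: 64-char lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def metadata_is_current(valid_until, now_iso=None):
    """False once validUntil has passed: the metadata file must be replaced."""
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    return now < _utc(valid_until)
```

Write `to_pem(meta["certs"]["signing"])` to a file such as TalentUSProdSigningCertificate.cer and the encryption entry to a second file, then upload both where the IdP asks for certificates instead of metadata.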