This article addresses an issue where users attempting to sign in to BambooHR with a service account are redirected to Okta as the Identity Provider (IdP). After the redirection for Single Sign-On (SSO), a 403 error is displayed, indicating the application is not assigned to the user.
- BambooHR
- Single Sign-On
- Universal Directory
This issue occurs because BambooHR does not permit service accounts to be authenticated by an external IdP. These accounts are managed locally within BambooHR and cannot be assigned to the application in Okta, leading to an access denied error during the SSO process.
The BambooHR team provides a bypass authentication option in the SAML configuration. Enabling email and password logins for the employees who need to use the service account lets them bypass SSO and sign in with that account:
- Navigate to Apps on the BambooHR settings page and select any of the above-mentioned available SAML apps. You are then redirected to the provider's settings page.
- Select the box for Allow optional email & password login, then click Save.
- Employees will be given the option to select Log in with Email and Password in BambooHR going forward.
