The BambooHR integration replaces password-based login with biometric authentication via SAML 2.0 using Touch ID, Face ID, or LiveID through the 1Kosmos mobile app.
Integration type: SSO
Overview
1Kosmos integrates with BambooHR as a SAML 2.0 identity provider, replacing password-based login with biometric authentication via the 1Kosmos mobile app. Supported biometric options include Touch ID, Face ID, and liveness-checked LiveID. After setup, users who navigate to the BambooHR URL are redirected to 1Kosmos, authenticate biometrically, and are returned to BambooHR without entering a password.
BambooHR supports SAML via a native marketplace app installed from the BambooHR Apps section. The SAML configuration accepts the 1Kosmos SSO URL and x.509 signing certificate directly. Both IdP-initiated and SP-initiated SSO flows are supported.
A critical note: BambooHR does not provide a backup login URL once SAML is enabled. If SSO is misconfigured, admins cannot sign in using a username and password. The only recovery path is to uninstall the SAML app from within BambooHR, which requires admin access. Test thoroughly with a single user before enforcing SAML for the organization.
Prerequisites
Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
BambooHR administrator access: Admin rights to the BambooHR account, including access to Settings → Apps.
BambooHR company subdomain: Your BambooHR URL subdomain (the portion before .bamboohr.com) is required as the SP Identifier in AdminX. Locate this in BambooHR under Settings → Account → Company URL.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for BambooHR:
| Field | Where to find it |
|---|---|
| SSO Login URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| x.509 Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Fixed BambooHR SP values to enter in AdminX:
| Field | Value |
|---|---|
| Entity ID (SP Identifier) | BambooHR-SAML |
| ACS URL | https://[your-subdomain].bamboohr.com/saml/consume.php |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Integration steps
Step 1: Locate your BambooHR company URL
Log in to BambooHR as an administrator and navigate to Settings → Account.
Note the Company URL displayed. The subdomain portion (everything before .bamboohr.com) is used in the ACS URL and as a reference during testing.
Step 2: Add BambooHR as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "BambooHR" as the Application Name, set Instance to Production, and enter your BambooHR URL (https://[subdomain].bamboohr.com) as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add a claims mapping for email with Format set to Username. Click Next.
Enter BambooHR-SAML as the Entity ID and https://[subdomain].bamboohr.com/saml/consume.php as the ACS URL. Set Method to POST. Enable Assertion signing. Click Save.
Copy the SSO Login URL and x.509 signing certificate from AdminX → Settings → IdP Configuration.
Step 3: Install and configure the SAML app in BambooHR
In BambooHR, click the Settings icon at the top right and navigate to Apps.
Scroll to the Single Sign-On section and click SAMLv2.0, then click Install.
On the SAML Single Sign-On settings page, paste the 1Kosmos SSO Login URL into the SSO Login URL field.
Paste the 1Kosmos x.509 signing certificate into the x.509 Certificate field.
If you want to allow optional email and password login alongside SSO, check Allow optional email and password login.
Click Install to activate SAML for the organization.
Step 4: Test the integration
Open an incognito browser window and navigate to your BambooHR URL.
You will be redirected to the 1Kosmos login screen. Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to BambooHR as an authenticated user with the correct role and permissions.
Test with a single user before disabling the optional email and password login fallback.
Attribute mappings
| Source (1Kosmos) | Target (BambooHR) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary SSO identifier; must match the BambooHR account email |
Integration notes
BambooHR does not provide a backup login URL once SAML is enabled and the optional email/password login is disabled. If SSO breaks, the only recovery path is to uninstall the SAML app from BambooHR Settings → Apps, which requires a BambooHR admin session. Enabling Allow optional email and password login during initial rollout provides a safety net. Consider keeping this enabled until SSO has been validated across the full user base.
The Entity ID for BambooHR is always the fixed string BambooHR-SAML regardless of your subdomain.

