- 23 Feb 2024
Frequently Asked Questions
- Updated on 23 Feb 2024
Abstract
This page describes frequently asked questions when configuring Infinite BrassRing Platform SSO.
Is there an annual date that these Certificates expire for IBM? Or, do these Certificates expire a year from the date the SSO was set up between the client and IBM?
It is an annual, global date.
How do I obtain the ACS URL for Infinite Talent?
If the ACS (Assertion Consumer Service) URL is required during the SSO configuration in your IdP system such as Azure or Google, this information can be found in each environment's SSO metadata files as the Location attribute value of the md:AssertionConsumerService tag.
Can we put new Signing and Encryption Certificates in the Signing Certificate and Encryption Certificate fields?
Yes. The second field is for the update.
Will the Infinite BrassRing Platform automatically use the Signing and Encryption Certificates in the second field if the Certificates listed in the first field are expired?
Yes, Infinite BrassRing Platform automatically uses the Signing and Encryption Certificates in the second field.
When the Signing and Encryption Certificates in the first field expire, will the Certificates in the second field automatically move up to the first field location such that the second field will be blank and available for next year’s new Certificates?
No. There is no automated move, but the certificate in the first field is automatically marked as invalid when it expires. If the admin users come back the next year, they are able to spot which one to choose.
When Infinite's Encryption and Signing Certificates for the Infinite BrassRing Platform SSO in Production expire, is the new Infinite BrassRing Platform metadata information (Encryption and Signing Certificate information) available for the Infinite Production Environment in the Infinite Knowledge Center?
Yes. Before the Infinite Talent Certificate for SSO expires, a communication is sent to clients that use SSO. The communication has the details on when the new certificate is activated, how to obtain the new Certificate, when the old one expires, the steps that might need to be taken by the clients, and what changes might occur in the metadata file, if any.
When I try to log in, my IdP login page keeps opening and I can no longer log in to access the SSO settings in the Admin Application. How can I get access to the Admin Application again?
This issue might occur if the Authentication by identity provider only setting is enabled on the Admin Application → Identity Source page. The option bypasses the Infinite BrassRing Platform login page and opens the IdP login page instead. To regain access to the required environment, enter that environment's URL from the list below into your browser and replace Client_Name with your organization's client name. You can then log back in to Infinite BrassRing Platform and access the Admin Application and SSO configuration pages again.
US Staging: https://2x-staging.kenexa.com/wps/portal/$tenant/Client_Name?sso.ts.login=true
US Production: https://2x.kenexa.com/wps/portal/$tenant/Client_Name?sso.ts.login=true
EU Staging: https://2x-dc2-staging.kenexa.com/wps/portal/$tenant/Client_Name?sso.ts.login=true
EU Production: https://2x-dc2.kenexa.com/wps/portal/$tenant/Client_Name?sso.ts.login=true
After we have the metadata file from Infinite Talent, what do we need to do?
Your organization needs to update your IdP system with the new certificates. Depending on the IdP system being used, you can pass the certificate by extracting it from the metadata file, or pass the metadata file directly. However, the signature change might not even be needed. If your IdP was configured without signature validation, then the system continues to work even without refreshing the Certificate.
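The following Python example is added here and is not Infinite's code. It reads an SP metadata file as described in the answers on the ACS URL and on updating the IdP: it returns the Location of each md:AssertionConsumerService element and a SHA-256 fingerprint of each signing and encryption certificate, which can be compared with what is installed in the IdP. The entity ID, host name and certificate bytes in the sample are constructed placeholders, and `parse_sp_metadata` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hypothetical entityID and host; the certificate values are
# placeholder bytes standing in for the base64 DER certificates of a real file.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml20">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>c2lnbmluZy1j
ZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZW5jcnlwdGlvbi1jZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/sps/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return (entity_id, acs_endpoints, cert_fingerprints) from SAML SP metadata."""
    # SAML metadata never needs a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in metadata")
    acs = [
        {"location": e.get("Location"), "binding": e.get("Binding"),
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if not b64:
            continue
        # Metadata wraps base64 across lines; strip whitespace, then hash the DER
        # bytes to get a fingerprint comparable with the certificate in the IdP.
        der = base64.b64decode("".join(b64.split()))
        certs.setdefault(kd.get("use", "both"), []).append(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), acs, certs
```

A KeyDescriptor without a `use` attribute applies to both signing and encryption, so it is reported under the key `both`.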
If we are using Ping Identity for our SSO solutions, how can we construct our IdP SSO URL for Infinite BrassRing Platform?
Your organization needs to use PartnerSpId in your URL pattern as indicated in the Ping Identity documentation. Infinite is not responsible for the content of third-party websites. Using PartnerId or PartnerIdpId does not work. For example: https://client's-idp-url?PartnerSpId=https://2x.kenexa.com/sps/inboundSSOProd/saml20&TargetResource=https://2x.kenexa.com/wps/myportal/$tenant/client-name.
What signature algorithm does TS use for signing their certificates?
Infinite BrassRing Platform uses the SHA256 with RSA algorithm for signing.
How do I check the validity dates of SSO certificates?
Infinite BrassRing Platform certificate: An Infinite BrassRing Platform Admin with access to SSO selects Menu → SSO → Inbound and can then select Show Details for the certificate. A message box displays the details of the certificate, including the validity and expiration dates.
Client / customer IdP certificate: Infinite does not have access to these. The client's IdP admins need to check the validity of their certificates.
How do we enable SSO for multiple Users?
Administrators can enable SSO for multiple users only if the tenant is set up for SSO. Administrators can import their users into Infinite BrassRing Platform in one of two ways: they can do a direct import, or temporarily enable the Consider all users eligible for SSO option during the import process.
For more information on importing users in Infinite BrassRing Platform, see How to Import Users.
Batch Integration uses a .csv file to import users into the Infinite BrassRing Platform. Real-Time integrations use XML files that are transported through a web service to an Infinite endpoint. Administrators must first export their users and then import the users into Infinite BrassRing Platform. For more information, see How to Import Users.
Depending on the number of users being imported, importing might take a long time to complete. Alternatively, Administrators can import users and enable the Consider all users eligible for SSO option during import. Using this option is a two-step process. First, users are imported with the Consider all users eligible for SSO setting enabled. After the import, users need to be added as Infinite BrassRing Platform users AND be enabled for SSO. For more information, see the Advanced Settings section on the Configure Talent Suite Inbound SSO page. The Consider all users eligible for SSO option is intended only to be used temporarily.