Skip to main content
All CollectionsPartnerships
Rippling - How do I set up my integration?
Rippling - How do I set up my integration?

An overview of Merge’s partnership with Rippling and instructions on how to access the integration

Updated over 2 months ago

Overview

We’re incredibly excited to have entered into a formal partnership with Rippling to offer a premium Rippling integration to our customers. This integration facilitates a much more streamlined customer experience than in the past and opens up the potential for your product to be featured in the Rippling App Shop, increasing its visibility and reach.

This guide will outline the prerequisites and steps to access the integration and highlight what data will be accessible.

Prerequisites

To access the Rippling integration, you must be on Merge’s Professional or Enterprise plan. If you want to upgrade your plan, please contact us at [email protected] and our team will assist you.

Data availability

The Rippling integration will support these Common Models:

  • Companies

  • Employees

  • Employments

  • Groups

  • Locations

For a detailed breakdown by field, please refer to our docs here.

Application process

To utilize the Rippling integration, the Merge team must submit an application to the Rippling App Shop on your behalf. The first step of that application process is a pre-vet review.

1. Submit your information for a pre-vet review

If you’re interested in using the Rippling integration, our team is here to guide you. Let your CSM know, and they will submit your company name and website to Rippling for a pre-vet decision. This early step allows us to gauge Rippling's potential approval or rejection, providing you with a clearer path forward.

Pre-vet decisions are typically made within 7 days. Please see the section below on how to interpret Rippling's decision.

2. Apply to the Rippling App Shop

If Rippling has approved the pre-vet, your CSM will work with you to gather all necessary information to apply to the Rippling App Shop. You can preview the questions here.

Please do not apply yourself. Your CSM must apply for you.

Rippling will review all applications within 7 days. Please see the section below on how to interpret Rippling's decision. While you wait for Rippling’s decision, we recommend checking the Building the integration section below for a list of technical requirements you can review now.

Interpreting Rippling’s application decision

Approvals for both the pre-vet and the Rippling App Shop application are at Rippling’s sole discretion, and Rippling may or may not choose to share any information regarding the reason(s) a particular application was approved or denied. Rippling has let us know that the outcome would be the same if you had applied for a partnership directly with Rippling.

Approved

If you are approved following both the pre-vet review and the Rippling App Shop application, your product is on track to be added to the Rippling App Shop at no charge to you. The next step is to build the integration as outlined below and have Rippling check it.

Rejected

If you are rejected during either the pre-vet review or the Rippling App Shop application, you, unfortunately, won’t be able to integrate with Rippling via Merge or otherwise.

Building the integration

Once your application has been reviewed and approved, your CSM will set up a meeting to go through the remainder of the process.

In addition, they will share the following items which you will need to complete the remaining steps:

  1. Rippling Sandbox OAuth Credentials

  2. Your Webhook Token

  3. The URL for your Sandbox App Shop Listing

  4. Logins for the Rippling Parter Portal and Test Company

1. Configure your app listing

Access the Rippling Partner Company portal here. Under the Manage Listings table, click the arrow on the right


Next, hit the arrow to the right again on the Listing Versions table.

Set your listing information

The first step will be to set up your listing by uploading logos and writing descriptions. You can do so by clicking Listing Information and navigating through the sub-menus.

We recommend clicking through other app listings to get a feel for the type of information to include and how it will be displayed. Below is an example from Adobe. You can see other listings here.

You'll be able to view your own listing once you get to the section testing your installation flow.

Set your redirect URL

Go to Integration to set up a redirect URL. When a customer in Rippling wishes to connect your application using your listing in the Rippling App Shop, they will be redirected to this URL when they click connect.

​You’ll want to set this URL to the page in your product where you have Merge Link embedded or where you will set up the logic to handle the Rippling redirect. See the Configure Merge Link section below for more info.

2. Set up the testing environment

Add your sandbox OAuth credentials in the Merge Dashboard

  1. Under Testing, click Sandbox client ID and secret

  2. Grab the URL of your testing application from the Sandbox app status page

  3. Copy these credentials and paste them into your Merge Dashboard under Integrations > Rippling after clicking Edit at the bottom to update your OAuth credentials.


    If your CSM provided a Webhook Token, enter that as the Signature Key. If not, you can leave it empty - it will only be needed in the "Beta testing" phase later.

Test the installation flow

  1. Switch to the Admin account of your testing integration company, as shown below

  2. Go to the sandbox app link your CSM shared with you. You should see your app listing.

  3. Hit Connect Account and walk through the installation process. After a few steps, Rippling will redirect you to the redirect URL you set up with a few parameters attached, as detailed in their documentation.

    The most relevant bits are your code and redirect_uri parameters. In the next section, Configure Merge Link, we'll cover how to use both.

3. Configure Merge Link

Rippling customers can install your product from within your app or within Rippling, which is a different flow than other integrations offered through Merge. As a result, your Merge Link setup will need to be slightly modified.

Install initiated from Rippling

  1. Your customer will install your app by hitting the "Connect account" button on your listing in the App Shop

  2. They will be prompted with a few screens to make selections on, one of which is a scopes page they will need to agree to

  3. On the last screen of the flow, they will be redirected back to your product after hitting "Continue". The redirect will take them to the redirect URL you set up earlier.

  4. Once they log in to your product, you'll need to ensure Merge Link opens up automatically, preconfigured with the OAuth information from Rippling. To do that, you'll need to make these modifications to your current Merge Link setup:

    1. When Rippling redirects to your product, you must parse the URL to extract the variables below. Note that you may need to decode the URL before extracting the variables.

      • code

      • redirect_uri

    2. You should have your redirect page automatically open Merge Link but with a new parameter added to the API request made to Merge’s POST /link-token endpoint. Set all the parameters as you would normally, but include a new parameter, integration_specific_config, as shown below. Enter the code retrieved earlier as the oauth_code.

      {
      "end_user_email_address": "[email protected]",
      "end_user_organization_name": "Test Organization",
      "end_user_origin_id": "12345",
      "categories": [
      "hris",
      "ats"
      ],
      ...
      "integration_specific_config": {
      "rippling": {
      "oauth_code": "3h1jj8ssdf31dfji3o1jjdfjasd"
      }
      }
      }

      Important: You will need to update your backend SDK to the latest version before you can use the new integration_specific_config field.

    3. Merge Link will open to a "Connect your account" screen, where your customer will agree to Merge's End User Terms. Once they hit "Next," the connection is complete.

  5. Rippling requires that all app installs finish in Rippling, so once your user finishes the linking flow and you retrieve the account token successfully from Merge, you’ll need to redirect back to the redirect_uri that you extracted earlier.

Install initiated from your app

With the Rippling integration enabled in your Merge Dashboard, Merge Link will show the Rippling tile in the integration selector within your product and will return via the GET /api/organizations/integrations endpoint if you've designed your own integration marketplace.

When a customer tries to initiate a connection to Rippling in your product, Merge Link will automatically redirect to your Rippling App Shop listing page.

Your customer will log in to Rippling and install your app through the Rippling App Shop. The remainder of the installation flow will be as outlined above in the Install initiated from Rippling section.

Important: For this to work, you must ensure that when Rippling redirects back to your app, a new link token is created, as explained in step 4b in Install initiated from Rippling.

4. Set up Rippling SSO

Rippling requires that all integrations, by default, support Single Sign-On (SSO) and follow all the requirements outlined in the Rippling SAML SSO Guide.

  1. Go to your app listing and select Capabilities > Capabilities setup

  2. Select Configure Settings

  3. Select SAML on the next screen and hit Save Edits

From this point onwards, the process should be similar to a standard SSO setup, so we recommend following Rippling’s SAML SSO Guide. While going through it, note that one requirement requires a setup related to Merge:

For this requirement, you’ll need to use a passthrough request since Merge handles the integration's authentication for you.

  1. Once your customer has connected their account through Merge, use this passthrough request to hit Rippling’s GET SAML Metadata endpoint.

    Request:

    curl --location 'https://api.merge.dev/api/hris/v1/passthrough' \
    --header 'x-account-token: <MERGE_ACCOUNT_TOKEN>' \
    --header 'Authorization: Bearer <MERGE_PRODUCTION_KEY>' \
    --header 'Content-Type: application/json' \
    --data '{
    "method": "GET",
    "path": "/saml/idp_metadata",
    "headers":{
    "Content-Type": "application/json"
    }
    }'

  2. The response from the passthrough request (shown below) will be compressed as a BASE64_GZIP. You'll need to uncompress the response field to get the final output.

  3. From the final output response (in XML shown below), access the customer’s entityID, X509Certificate, and SingleSignOnService URL, which are referenced in Rippling’s general guide.

    <ns0:EntityDescriptor
    xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ns1="urn:oasis:names:tc:SAML:metadata:algsupport"
    xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.rippling.com/661ec508e8fec64240f2cf6a/idp.xml" validUntil="2034-02-23T19:16:31Z">
    <ns0:Extensions>
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
    <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
    <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
    </ns0:Extensions>
    <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
    <ns0:KeyDescriptor use="signing">
    <ns2:KeyInfo>
    <ns2:X509Data> <ns2:X509Certificate>MIICfTCCAeYCA2JRIzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCVVMxCzAJ
    BgNVBAgMAkNBMQswCQYDVQQHDAJTRjERMA8GA1UECgwIUmlwcGxpbmcxLTArBgNV
    BAsMJE1lcmdlIElOVENPIG1lcmdlZGV2dGVzdGluZ29hdXRoMGUxMTEZMBcGA1UE
    AwwQd3d3LnJpcHBsaW5nLmNvbTAgFw0yNDA0MTYxOTE2MjlaGA8yMTI0MDMyMzE5
    MTYyOVowgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0Yx
    ETAPBgNVBAoMCFJpcHBsaW5nMS0wKwYDVQQLDCRNZXJnZSBJTlRDTyBtZXJnZWRl
    dnRlc3RpbmdvYXV0aDBlMTExGTAXBgNVBAMMEHd3dy5yaXBwbGluZy5jb20wgZ8w
    DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKQFauSE8mCNEQLBvOuhFe1jOMDd0nIM
    zmni/F2JIoux6GCrlCvD7sjnf+j/3/UWhM5oXQg9Ks9/Oks2JXxGfqTHDmR7u+iE
    EGqgJL3QR/TBND/BqByCZxsc3917AF7Gg65Mgn/2cZ5bzcytsaUHqXYg22SN3fvH
    Fd6i3+gxbVzlAgMBAAEwDQYJKoZIhvcNAQELBQADgYEAmWSDoVK2SIv1WBWAzrSt
    uq5aH5FiblttEd8iFiz5fcSsy2bFIXAhmynOXto7S8rAwYs/C8otP4Ki5SYTGpXK
    WC6FoxDJAOOHR8qjj2+25FxEuMCW+nGV8FMTlzcKmDUfFS9t22w1F7Pm0waSfbYZ
    WAJJxMteadz67Z7KTDaqBZY=
    </ns2:X509Certificate>
    </ns2:X509Data>
    </ns2:KeyInfo>
    </ns0:KeyDescriptor>
    <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.rippling.com/api/platform/sso/sp-initiated/661ec508e8fec64240f2cf6a" />
    <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.rippling.com/api/platform/sso/sp-initiated/661ec508e8fec64240f2cf6a" />
    </ns0:IDPSSODescriptor>
    <ns0:Organization>
    <ns0:OrganizationName xml:lang="en">Rippling</ns0:OrganizationName>
    <ns0:OrganizationDisplayName xml:lang="en">Rippling</ns0:OrganizationDisplayName>
    <ns0:OrganizationURL xml:lang="en">https://www.rippling.com</ns0:OrganizationURL>
    </ns0:Organization>
    <ns0:ContactPerson contactType="support">
    <ns0:GivenName>Support</ns0:GivenName>
    <ns0:EmailAddress>[email protected]</ns0:EmailAddress>
    </ns0:ContactPerson>
    </ns0:EntityDescriptor>

5. Set up user management

Rippling requires that all integrations, by default, support User Management and follow all the requirements outlined in the Rippling User Management Guide. We recommend reading through each requirement. Outlined below is guidance on how you can achieve each through Merge:

Merge already supports webhooks for Rippling’s employee.created and employee.deleted events, you'll just need to set them up once and they will work automatically for all Rippling connections.

Configure the third-party webhook

  1. In the Merge Dashboard, go to Integrations > Rippling

  2. Click Edit at the bottom to edit your OAuth credentials

  3. Enter the Webhook Token your CSM provided you as the Signature Key

Now, whenever a Linked Account is connected, Rippling webhooks will be automatically set up for that account.

Configure the Merge webhook

Now that Merge is receiving webhooks from Rippling, you can subscribe to Merge’s webhooks to receive these updates:

  1. Create a new Merge webhook here.

  2. Subscribe to the Changed data webhook for Employee Updated events. For specific fields, select field_mappings

New Merge field

Merge has added an org-wide field mapping automatically set up each time a Rippling linked account is connected:

Target Field Name: is_rippling_provisioned

You won't see this target field in the Merge dashboard, and it won't be editable, but when you hit Merge’s GET /employees or receive a webhook via the Employee.updated events for a Rippling linked account, you’ll see the following returned as part of the regular response body:

"field_mappings": {
"organization_defined_targets": {
"is_rippling_provisioned": "true/false"
}
}
...

When this field is marked "true", it represents an employee that should have provisioned access to your app. If marked "false", this is an employee in Rippling that should not have access to your app. You should use this field to provision and deprovision users within your product.

Important notes:

  • remote_data needs to be turned on for the Employee Common Model for this new field to show up.

  • Rippling does not send webhooks for sandbox accounts. You'll need to wait until the "Beta testing" phase to test the webhooks.

As long as you are on Merge’s daily or highest sync plans, you should already update all employee data every 24 hours or more frequently. You should additionally use the new is_rippling_provisioned field to provision and de-provision users within your product during these recurring syncs.

Have a button in your UI hit Merge’s force resync endpoint.

You should use the new is_rippling_provisioned field to provision and de-provision users within your product instead of any other field you may be using for other integrations.

Merge stores third-party system IDs in each common model's remote_id field. In this case, we recommend storing the remote_id of employees along with the rest of the data you need for your use case.

Integration review

Once you’ve tested your integration and think it is ready to review, let your CSM know, and they will schedule a meeting to verify the requirements have been met. Together you'll submit your app listing to Rippling for final review.

Please do not submit your integration for review without meeting with your CSM first.

Beta testing

Once Rippling has reviewed and approved your integration, you will proceed to beta testing, where shared customers can install your app and test the integration using their production Rippling companies.

Before testing with live customers, make sure you swap out your partner credentials in the Merge dashboard under Integrations > Rippling for the production equivalents.

Final steps

Please refer to Rippling's app listing workflow docs to learn more about the beta testing phase and what comes after.

Important notes

  • Uninstalls — Rippling doesn't currently provide a way to support uninstalling a Rippling app via API. The admin in your customer's Rippling account is the only person who can uninstall the application. This means if a linked account is deleted in Merge, you'll need to have your customer also delete the application in Rippling. And, if the application is deleted in Rippling, your end user should request the linked account be deleted in Merge. You can delete linked accounts in Merge via the Merge dashboard or by using the POST /delete-account endpoint.

  • Fees — Merge covers the cost of partnering with Rippling, so there are no additional fees for you. However, Rippling will still require your customers to purchase its "app package" to access apps from the Rippling App Shop. Note that this fee is Merge-agnostic. For the most accurate information on pricing, we recommend your customers reach out to their Rippling representative.

  • Adding more admins to your test company - follow this video guide

  • To see more information and FAQs, refer to Rippling’s documentation here.

Did this answer your question?