Custom Connectors for On-Prem HR Systems Without Opening the Network

A practical playbook for PeopleOps leaders who need modern hiring integrity controls without ripping and replacing a legacy on-prem HR stack.

If your integrity gate depends on a brittle on-prem connector, you do not have a gate. You have a suggestion.

The incident pattern: verification quietly disappears

Your on-prem HR system sits behind layers of controls that were designed for payroll and benefits, not for high-volume hiring events. When a connector fails, the failure is usually invisible to recruiters until the worst moment: late-stage candidates and executive pressure. The goal is to integrate without creating new inbound attack paths. The winning pattern is an outbound-only secure tunnel where an on-prem agent initiates the connection, pushes or pulls only allowlisted data, and produces immutable logs that show exactly what happened for each candidate.

  • Choose a tunnel architecture that does not require inbound firewall holes.

  • Define ownership, SLAs, and review queues so the process is fast and defensible.

  • Implement idempotent, observable event flows with canary rollouts and kill switches.

Ownership, automation, and systems of record

Make this explicit before anyone writes code. Otherwise the connector becomes a political hot potato when an offer is blocked or a candidate complains. Recommended operating model: Recruiting Ops owns the workflow and exception handling, Security owns the tunnel and credential posture, and Hiring Managers only see outcomes and appeal requests, not raw biometric artifacts. Automation should cover 90% of candidates: data sync, verification initiation, and pass-fail routing. Manual review should be reserved for edge cases that would otherwise create false positives or candidate churn.

  • Recruiting Ops (owner): stage gating rules, exception queues, candidate comms templates, SLA for manual review.

  • Security/IT (approver): outbound tunnel, credential rotation, network allowlists, access logging, retention controls.

  • TA leaders (accountable): policy decisions, rollout sequencing, and escalation when hiring is blocked.

  • Source of truth: ATS for stages and decisions; verification service for identity outcome and Evidence Pack; on-prem HR for employee record creation after offer acceptance.

Secure tunnel architecture that works with legacy on-prem

Default to an outbound-only agent that runs inside the on-prem network and connects to a broker endpoint in the cloud. No inbound ports, no ad-hoc VPN accounts for vendors, and no shared database credentials living in a script. Use a narrow data contract. You do not need full HR tables to run hiring integrity gates. Most teams only need candidate identifiers, requisition ID, stage changes, and offer status. Design for resilience: when the on-prem system is down, queue events, keep the ATS experience responsive, and replay once connectivity returns. Your control must fail closed for verification gates, but your integration must fail gracefully for non-gating updates (like pushing interview notes).

  • On-prem connector agent: outbound TLS connection, obtains and rotates short-lived credentials, pulls from the HR system via a read-only integration account.

  • Cloud broker: terminates mutual TLS, validates payload signatures, enforces allowlisted routes per tenant.

  • Event bus + replay store: persists events with dedupe keys for idempotent processing.

  • Observability: trace ID across ATS event, tunnel session, verification request, and callback webhooks.
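The broker-side checks described above (payload signature, per-tenant route allowlist, required fields, trace ID propagation), as an added example that is not IntegrityLens code. It assumes a convention chosen for this example: the agent signs each JSON body with HMAC-SHA256 over "<unix-timestamp>.<body>" using a per-tenant key and sends the signature, timestamp and trace ID as headers; mutual TLS is assumed to have been terminated already by the listener in front of this code. Tenant names, keys, routes and header names are constructed for the example.

```python
"""Broker-side validation of one connector request (added example).

Assumed convention: HMAC-SHA256 over "<timestamp>.<body>" with a per-tenant
key; signature, timestamp and trace ID travel as request headers.
"""
import hashlib
import hmac
import json
import time

# Constructed sample data: one tenant, its signing key and the only routes
# that tenant's agent is allowed to call.
TENANT_KEYS = {"acme-hr": b"constructed-demo-key-not-for-production"}
TENANT_ROUTES = {
    "acme-hr": {
        "/v1/events/candidate.stage_changed",
        "/v1/commands/verification.request/ack",
    }
}
REQUIRED_EVENT_FIELDS = ("event_id", "occurred_at", "candidate_id", "requisition_id", "stage")
MAX_SKEW_SECONDS = 300  # signatures older than 5 minutes are rejected (replay limit)


class BrokerReject(Exception):
    """Raised for any request the broker refuses; the message is the reason code."""


def sign_body(key: bytes, timestamp: int, body: bytes) -> str:
    """Agent side: HMAC-SHA256 over timestamp and body, hex encoded."""
    return hmac.new(key, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def build_request(tenant: str, route: str, payload: dict, trace_id: str, now: int) -> dict:
    """Agent side: canonical JSON body plus the signature headers."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "x-signature-timestamp": str(now),
        "x-signature": sign_body(TENANT_KEYS[tenant], now, body),
        "x-candidate-trace-id": trace_id,
    }
    return {"tenant": tenant, "route": route, "headers": headers, "body": body}


def validate_request(req: dict, now=None) -> dict:
    """Broker side: tenant known, route allowlisted, signature fresh and valid,
    every required event field present. Returns the parsed payload and the
    trace ID so downstream logs can be correlated per candidate."""
    now = int(time.time()) if now is None else now
    key = TENANT_KEYS.get(req["tenant"])
    if key is None:
        raise BrokerReject("unknown_tenant")
    if req["route"] not in TENANT_ROUTES.get(req["tenant"], set()):
        raise BrokerReject("route_not_allowlisted")
    headers = req["headers"]
    try:
        ts = int(headers["x-signature-timestamp"])
    except (KeyError, ValueError):
        raise BrokerReject("bad_timestamp")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise BrokerReject("stale_signature")
    expected = sign_body(key, ts, req["body"])
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected, headers.get("x-signature", "")):
        raise BrokerReject("bad_signature")
    payload = json.loads(req["body"])
    missing = [f for f in REQUIRED_EVENT_FIELDS if f not in payload]
    if missing:
        raise BrokerReject("missing_fields:" + ",".join(missing))
    return {"trace_id": headers.get("x-candidate-trace-id"), "payload": payload}


def check(req: dict, now=None) -> str:
    """Convenience wrapper: "ok" or the rejection reason code."""
    try:
        validate_request(req, now=now)
        return "ok"
    except BrokerReject as exc:
        return str(exc)
```

The ordering matters operationally: tenant and route checks are cheap and fail first, the timestamp window bounds how long a captured request can be replayed, and only then is the MAC computed. If a real deployment uses the OIDC token from the policy file rather than a shared HMAC key, the signature step would verify that token instead; the route allowlist and freshness checks stay the same.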

Step-by-step: build the custom connector without slowing hiring

  1. Start with the hiring gates, not the integration. Define which ATS stages require identity verification to be completed before scheduling or before offer. This prevents accidental "skip to keep moving" behavior.

  2. Define the minimal event schema. Include candidate_id, requisition_id, stage, and a stable idempotency key. Keep PII fields minimal and encrypt at rest.

  3. Implement outbound-only connectivity. Deploy the on-prem agent in a constrained subnet, restrict egress to the broker hostname, and enforce mutual TLS.

  4. Authenticate safely. Prefer an OIDC client-credentials or token-exchange flow in which the agent proves possession of an asymmetric key (private_key_jwt or a workload identity) and receives short-lived tokens; the device flow is a user-facing login and is a poor fit for an unattended agent. If you must use static secrets, store them in a vault and rotate aggressively. Never leave long-lived API keys in config files.

  5. Make delivery idempotent. Every stage change event must be safe to replay. Use a dedupe table keyed by (source_system, event_id) so retries do not duplicate ATS actions or verification requests.

  6. Add rollouts and kill switches. Ship the connector behind a feature flag, run a canary on one business unit or a small requisition set, then expand. Include a one-click "disable verification gating" emergency option with approvals and logging.

  7. Close the loop with Evidence Packs. When verification runs, attach an Evidence Pack reference (not raw biometrics) back to the ATS record so decisions are auditable.

  • Route only ambiguous cases to review: name mismatch, document unreadable, liveness inconclusive, voice mismatch above threshold.

  • Require reviewers to pick a reason code and add a short note. This reduces reviewer fatigue and improves audit quality.

  • Set an SLA and an escalation path. If review breaches SLA, default to a candidate-friendly retry flow, not an indefinite hold.
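The core of steps 1, 5, 6 and 7 and the review-routing rules above in one piece of working code, as an added example that is not IntegrityLens code: fail-closed gating on the stages that require verification, idempotent handling keyed on (source_system, event_id), manual review that is only accepted with a known reason code and a note, an Evidence Pack reference (never raw biometrics) attached when an outcome lands, and a kill switch that refuses to activate without both approver groups and logs every use. Stage names, reason codes, group names and the in-memory state are assumptions for the example; a real connector would back the dedupe set and audit log with durable storage.

```python
"""Connector core (added example): gating, idempotency, review routing, kill switch."""
from dataclasses import dataclass, field

GATED_STAGES = {"interview_scheduled", "offer"}   # assumed: verification must pass first
REVIEW_REASON_CODES = {"name_mismatch", "document_unreadable",
                       "liveness_inconclusive", "voice_mismatch"}
KILL_SWITCH_APPROVERS = {"peopleops-recruiting-ops", "security-iam"}


@dataclass
class ConnectorState:
    seen: set = field(default_factory=set)        # processed (source_system, event_id)
    outcomes: dict = field(default_factory=dict)  # candidate_id -> verification outcome
    held: dict = field(default_factory=dict)      # candidate_id -> stage event waiting on verification
    actions: list = field(default_factory=list)   # side effects the connector would emit to the ATS
    audit: list = field(default_factory=list)     # exception queue entries and kill-switch activations
    gating_disabled: bool = False


def handle_stage_event(state: ConnectorState, event: dict) -> str:
    """Process one candidate.stage_changed event. Calling it twice with the same
    event is harmless: the dedupe key short-circuits before any action is emitted."""
    key = (event["source_system"], event["event_id"])
    if key in state.seen:
        return "duplicate"
    state.seen.add(key)
    cid, stage = event["candidate_id"], event["stage"]
    if stage in GATED_STAGES and not state.gating_disabled:
        outcome = state.outcomes.get(cid)
        if outcome is None:
            # Fail closed: hold the stage and start verification instead of skipping it.
            state.held[cid] = event
            state.actions.append(("request_verification", cid, event["requisition_id"]))
            return "held_pending_verification"
        if outcome["status"] == "review":
            state.held[cid] = event
            return "held_in_review"
        if outcome["status"] == "fail":
            state.held[cid] = event
            return "held_verification_failed"
    # Non-gated stages and verified candidates flow through untouched.
    state.actions.append(("advance_stage", cid, stage))
    return "advanced"


def record_verification(state: ConnectorState, candidate_id: str, status: str,
                        evidence_pack_ref: str, reason_code=None, note: str = "") -> str:
    """Store a verification outcome. Only the Evidence Pack reference is kept.
    'review' outcomes must carry a known reason code and a note so the exception
    queue stays reason-coded. A pass releases any stage event held for the candidate."""
    if status not in {"pass", "fail", "review"}:
        raise ValueError("unknown status")
    if status == "review":
        if reason_code not in REVIEW_REASON_CODES or not note.strip():
            raise ValueError("review outcomes need a known reason code and a note")
        state.audit.append({"type": "review.queued", "candidate_id": candidate_id,
                            "reason_code": reason_code, "note": note})
    state.outcomes[candidate_id] = {"status": status, "evidence_pack_ref": evidence_pack_ref,
                                    "reason_code": reason_code}
    state.actions.append(("attach_evidence_pack", candidate_id, evidence_pack_ref))
    if status == "pass" and candidate_id in state.held:
        held = state.held.pop(candidate_id)
        state.actions.append(("advance_stage", candidate_id, held["stage"]))
        return "released"
    return "recorded"


def activate_kill_switch(state: ConnectorState, actor: str, approvals) -> None:
    """Emergency 'disable verification gating'. Refuses unless both approver groups
    signed off, and every activation is written to the audit log."""
    missing = KILL_SWITCH_APPROVERS - set(approvals)
    if missing:
        raise PermissionError("missing approvals: " + ", ".join(sorted(missing)))
    state.gating_disabled = True
    state.audit.append({"type": "connector.killswitch_activated", "actor": actor,
                        "approvals": sorted(set(approvals))})
```

The held-event map is what turns "fail closed" into a candidate-friendly flow: the stage is not lost, it is parked until the verification callback arrives, and the ATS action is emitted exactly once even if the original event is replayed in between.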

Connector policy artifact you can hand to Security and Ops

Use a single policy file to make your connector behavior explicit: what it can reach, how it authenticates, what it logs, and how it rolls back. This is the document that prevents "tribal knowledge" outages.


Anti-patterns that make fraud worse

Each of these increases funnel leakage or creates blind spots that proxy candidates exploit.

  • Fail-open stage gating: letting candidates schedule or receive offers when verification is "temporarily unavailable" without a logged exception workflow.

  • Shared service accounts: one on-prem credential used across environments and vendors, making audit findings and breach impact worse.

  • Unobserved retries: connector retry loops without idempotency and trace IDs, creating duplicate candidate records and hiding dropped verification callbacks.

What happens when the ATS or on-prem system is down

Plan for two outages: the ATS API being unavailable and the on-prem HR system being unreachable. Your connector should never block the recruiter UI, and your verification gate should never silently disappear. If ATS is down: queue outbound updates and keep verification results in the broker until the ATS recovers. If on-prem is down: accept ATS events, mark them pending, and replay once the agent reconnects. Operationally, define a "degraded mode" banner for Recruiting Ops so they know what is delayed versus what is blocked. This prevents panic escalations and undocumented workarounds.

  • Replay window and retention: store events long enough to survive weekend outages, but not indefinitely.

  • Dead-letter queue with alerting: notify Recruiting Ops and Security when events exceed retry thresholds.

  • Backpressure: rate limit to protect the on-prem HR system from bursty hiring events.

  • Change management: firewall and certificate changes require a scheduled connector health check.
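The outage behaviour described in this section, as an added example that is not IntegrityLens code: a replay queue with the retry schedule from the policy file (bounded attempts, backoff list whose last value is reused), a 72-hour replay window after which an event is dead-lettered rather than retried forever, a dead-letter queue that raises an alert to both owners, and a per-tick send limit as backpressure toward the on-prem HR system. Time is passed in explicitly so a weekend outage can be simulated deterministically; the `simulate` helper, the flaky `send` callable and the event contents are constructed for the example.

```python
"""Outbound replay queue with backoff, replay window, DLQ and backpressure (added example)."""
from dataclasses import dataclass

BACKOFF_SECONDS = [5, 15, 30, 60, 120, 300]  # attempts beyond the list reuse the last value
MAX_ATTEMPTS = 12
REPLAY_WINDOW_SECONDS = 72 * 3600


@dataclass
class Pending:
    event: dict
    enqueued_at: int
    attempts: int = 0
    next_attempt_at: int = 0


class OutboundQueue:
    def __init__(self, send, max_sends_per_tick=50):
        self.send = send                      # callable(event); raises when the target is down
        self.max_sends_per_tick = max_sends_per_tick
        self.pending = []
        self.delivered = []
        self.dead_letter = []                 # (event, reason)
        self.alerts = []

    def enqueue(self, event: dict, now: int) -> None:
        self.pending.append(Pending(event, enqueued_at=now, next_attempt_at=now))

    def pump(self, now: int) -> int:
        """One scheduler tick: attempt due events within the rate limit. Returns sends made."""
        sends = 0
        still_pending = []
        for item in self.pending:
            if item.next_attempt_at > now or sends >= self.max_sends_per_tick:
                still_pending.append(item)      # not due yet, or backpressure kicked in
                continue
            if now - item.enqueued_at > REPLAY_WINDOW_SECONDS:
                self._dead_letter(item, "replay_window_expired")
                continue
            sends += 1
            try:
                self.send(item.event)
                self.delivered.append(item.event["event_id"])
            except Exception as exc:
                item.attempts += 1
                if item.attempts >= MAX_ATTEMPTS:
                    self._dead_letter(item, f"max_attempts:{exc}")
                    continue
                delay = BACKOFF_SECONDS[min(item.attempts, len(BACKOFF_SECONDS)) - 1]
                item.next_attempt_at = now + delay
                still_pending.append(item)
        self.pending = still_pending
        return sends

    def _dead_letter(self, item: Pending, reason: str) -> None:
        self.dead_letter.append((item.event, reason))
        # A growing DLQ is how a verification gate silently disappears: page both owners.
        self.alerts.append({"to": ["sec-ops", "recruiting-ops"],
                            "event_id": item.event["event_id"], "reason": reason})


def simulate(outage_until: int, event_count: int = 3, horizon: int = 4 * 3600,
             tick: int = 5, max_sends_per_tick: int = 1) -> dict:
    """Drive the queue through an on-prem outage that ends at `outage_until`
    seconds (constructed scenario). Returns counts for inspection."""
    clock = {"now": 0}

    def flaky_send(event):
        if clock["now"] < outage_until:
            raise ConnectionError("on-prem HR unreachable")

    q = OutboundQueue(flaky_send, max_sends_per_tick=max_sends_per_tick)
    for i in range(event_count):
        q.enqueue({"event_id": f"evt-{i}", "candidate_id": f"cand-{i}", "stage": "offer"}, now=0)
    for now in range(0, horizon, tick):
        clock["now"] = now
        q.pump(now)
    return {"delivered": len(q.delivered), "dead_lettered": len(q.dead_letter),
            "alerts": len(q.alerts), "pending": len(q.pending)}
```

With this schedule, twelve attempts span a little over half an hour (5+15+30+60+120+300 seconds, then 300 every time), so a 30-minute blip is absorbed and a multi-hour outage lands every event in the dead-letter queue with an alert instead of looping quietly. If the replay window in your policy is meant to cover a weekend, the retry budget needs to be sized to match, either more attempts or a longer tail delay; as written here the attempt cap is reached long before the window expires.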

Where IntegrityLens fits

IntegrityLens AI is the first hiring pipeline that combines a full Applicant Tracking System with advanced biometric identity verification, AI screening, and technical assessments. Stop juggling multiple tools, manage your entire hiring lifecycle in one secure platform. In an on-prem world, IntegrityLens typically sits as the hiring control plane while your legacy HR system remains the system of record for employee administration. The secure tunnel connector becomes the bridge that keeps stages, decisions, and verification outcomes consistent. Who uses it: TA leaders to run the funnel, recruiting ops to manage exceptions and evidence, and CISOs to sign off on identity, fraud, and audit posture.

  • ATS workflow across Source candidates - Verify identity - Run interviews - Assess - Offer.

  • Risk-Tiered Verification: a typical end-to-end check (document + voice + face) completes in 2-3 minutes, fast enough to run before an interview starts.

  • AI screening interviews available 24/7 across time zones.

  • Technical assessments in 40+ programming languages.

  • Evidence Packs and Zero-Retention Biometrics options to support privacy-first review and audits.



Key takeaways

  • Use outbound-only tunnels to avoid inbound firewall exceptions and reduce blast radius.
  • Make the ATS the hiring workflow source of truth, and treat verification as a gated control with an auditable Evidence Pack.
  • Design for failure: queue when on-prem is down, replay idempotently, and ship with kill switches and canary rollouts.
  • Prefer OAuth/OIDC or short-lived credentials over static API keys for connector auth and rotation.

Outbound tunnel connector policy (on-prem agent): YAML policy

Operator intent: make the connector reviewable by Security, runnable by IT, and auditable by Recruiting Ops.

Includes: outbound-only egress, mutual TLS, idempotency, canary rollout, and a kill switch that logs every use.

version: 1
connector:
  name: legacy-hr-onprem-tunnel
  environment: prod
  ownerGroup: peopleops-recruiting-ops
  securityApproverGroup: security-iam

network:
  mode: outbound-only
  egressAllowlist:
    - host: broker.integritylens.example
      port: 443
  inboundPorts: []
  mtls:
    clientCertRef: vault://pki/connector/legacy-hr/prod/client-cert
    serverCaRef: vault://pki/connector/legacy-hr/prod/server-ca

auth:
  strategy: oidc-token-exchange
  oidc:
    issuer: https://login.company.example
    audience: integritylens-broker
    clientIdRef: vault://secrets/connector/legacy-hr/prod/oidc-client-id
    privateKeyRef: vault://secrets/connector/legacy-hr/prod/oidc-private-key
  tokenTtlSeconds: 600

dataContract:
  outboundEvents:
    - type: candidate.stage_changed
      requiredFields: [event_id, occurred_at, candidate_id, requisition_id, stage]
      piiFields: [candidate_email]
      encryptionAtRest: aes-256
  inboundCommands:
    - type: verification.request
      requiredFields: [command_id, candidate_id, risk_tier]

delivery:
  idempotency:
    dedupeKey: "${source_system}:${event_id}"
    replayWindowHours: 72
  retries:
    maxAttempts: 12
    backoffSeconds: [5, 15, 30, 60, 120, 300]   # attempts 7-12 reuse the last value
  deadLetter:
    enabled: true
    alertTo: ["sec-ops@company.example", "recruiting-ops@company.example"]

rollout:
  canary:
    enabled: true
    percent: 10
    match:
      requisitionIds: ["REQ-ENG-2026-041", "REQ-DS-2026-009"]
  killSwitch:
    enabled: true
    name: disable-verification-gating
    requiresApprovalFrom: ["peopleops-recruiting-ops", "security-iam"]
    onActivate:
      logEventType: connector.killswitch_activated
      notify: ["vp-people@company.example", "ciso@company.example"]

observability:
  trace:
    propagateHeaders: ["x-candidate-trace-id", "x-requisition-id"]
  logs:
    redactFields: ["candidate_email"]
    retentionDays: 30
  metrics:
    emit: ["events_sent", "events_failed", "verification_requests", "dlq_depth"]

Outcome proof: What changes

Before

Integrations relied on ad-hoc VPN access and a shared service account. Verification results were inconsistently attached to candidate records, creating escalations late in the funnel and weak audit trails.

After

Deployed an outbound-only tunnel agent with mutual TLS, idempotent event replay, and a documented kill switch. Recruiting Ops gained a single exception queue with reason codes, while Security gained clear controls for access, retention, and approvals.

Governance Notes: Legal and Security signed off because the design minimized data movement (narrow schema), supported privacy-first handling (Evidence Pack references instead of raw biometrics, optional Zero-Retention Biometrics), enforced outbound-only connectivity with mutual TLS, and logged every exception and kill switch activation. Access to connector logs and review queues was role-based, with retention limits and an appeal flow for candidates routed to manual review.

Implementation checklist

  • Confirm systems of record: candidate profile, requisition, stage, decision, and verification outcome.
  • Choose tunnel pattern: agent-based outbound connector vs VPN vs private link (default to outbound-only agent).
  • Implement idempotent event delivery with replay and dedupe keys.
  • Add a manual review queue for edge cases (name mismatch, doc unreadable, liveness inconclusive).
  • Ship with canary rollout, feature flags, and a one-click connector disable.
  • Instrument trace IDs that follow one candidate across ATS, tunnel, and verification service.

Questions we hear from teams

What is an outbound-only secure tunnel for HR integrations?
It is an integration pattern where an agent inside your on-prem network initiates a secure, encrypted connection to a cloud broker, so you do not open inbound firewall ports to connect hiring systems.
Do we need to replace our on-prem HR system to add identity verification gates?
No. You can keep the on-prem system as the employee system of record and use a tunnel connector to synchronize only the minimal hiring events needed to run verification and maintain audit trails.
How do we avoid slowing down candidates when manual review is required?
Keep manual review narrow, SLA-bound, and reason-coded. Most candidates should complete automated verification quickly, while edge cases get a retry-first flow and a clearly communicated timeline.
