Single sign-on integration guide
SECURITY Full Access or Team Access
When SSO is enabled, users will only be able to access and/or install Workplace with their SSO credentials unless they (or the group they are a member of) have been exempted from SSO. To learn how to exempt users from SSO, refer to Manage the SSO login exclusions list.
Once a user has been authenticated by the IdP (Identity Provider), the SAML 2.0 protocol is used to authenticate access to Workplace. A user can simply log in once to the IdP and then access multiple applications without further authentication.
Requirements
To enable the single sign-on feature, the following requirements must be met:
- You must be an administrator or super administrator in Workplace or a manager administrator or a team administrator in Workplace Manager.
- You must have an administrator account in the IdP.
IMPORTANT The users that will utilize this feature must have accounts within Workplace and the IdP, and their email addresses for both must match.
If your IdP is not listed, use the information displayed on the Workplace Online > Single Sign-On page to create a metadata XML file or URL from within your IdP.
How to...
Implementing this integration requires setup from within both Workplace and the IdP.
For the specific IdPs listed below, initial steps are taken within the IdP. Workplace has created “applications” within those IdPs to make the process as easy as possible, but please note that you can use other IdPs as well.
- Microsoft AD Azure
Implementation instructions: Click here
- Okta
Implementation instructions: Single sign-on: Okta
- Other IdPs
While we can't provide specific instructions for how to integrate with all IdPs, as processes will vary, we can offer the following guidance:
- Use the SAML 2.0 configuration method.
- In Workplace, go to Configuration > Integrations > Single Sign-On tile > Setup or Manage button. This page provides you with the information you need to create a metadata file within your IdP. You can then import the resulting XML file into Workplace.
- Log in to Workplace Online using the administrator credentials for your team.
- Go to Configuration > Integrations > click the SSO tile for your preferred IdP > Configure button.
Using the XML file or URL from the IdP, the final step is to activate the feature within Workplace Online.
- Enter the Metadata URL
or
Select the XML Metadata File option, then click Choose File and upload the XML metadata file provided by your IdP.
- To add users and/or groups to the SSO Login Exclusions list, type a name or email address of a user or the name of a group, or use the Pick From Team link or icon to open a selection window. Users and users who belong to the groups on this list will not be required to log in using SSO.
- Click the Save button.
- Select the I confirm this information is correct and I trust this IdP check box.
- Click Approve.
Users and users who belong to the groups on this list will not be required to log in using SSO.
- Go to Configuration > Integrations > click the SSO tile for your preferred IdP > Configure button.
- To add users and/or groups to the SSO Login Exclusions list, type a name or email address of a user or the name of a group, or use the Pick From Team link or icon to open a selection window.
- To remove users and/or groups from the SSO Login Exclusions list, click the X next to the name of the user or group in the selection field.
- Click Save.
- Go to Configuration > Integrations > click the SSO tile for your preferred IdP > Configure button.
- Change your settings as desired.
- Click Save.
- Select the I confirm this information is correct and I trust this IdP check box.
- Click Approve.
Click the Enable SSO/Disable SSO button, depending on the current SSO state.
Once SSO is enabled, the SSO tab will display an event log of SSO-related activities on your team. These events will also be shown on the Reports tab.
Once the integration is enabled, users will additionally be able to access Workplace in the following ways:
- Via the application within the IdP interface.
The specific steps will be dependent on your IdP.
- Navigating to the Workplace Online login page, once already authenticated with the IdP.
The URL with the correct subdomain must be used for this to function.
- Via the standard login page.
If SSO is enabled for your team, and you have not yet authenticated through your IdP, you'll be prompted to use your SSO login after you've entered your Workplace user name and have clicked the Next button.