Single-Sign On (SSO) gives users access to Workplace through an Identity Provider (IdP) that you control. This offers some benefits for you and your team:
- It's more secure: Provides an additional security and governance layer (no credentials are stored outside of your company’s controlled systems or transmitted over the network).
- It's easier for end users: Sign into Workplace by using the same SSO credentials as other systems (e.g. laptop or internal applications), so your users can access Workplace without having to remember another password.
Workplace is directly supported by several identity providers, including Azure AD, G Suite, Okta, OneLogin, Ping Identity which offer direct connectors to make setup easier.
Turn on SSO for Workplace
Once you have successfully completed the SSO configurations below, users provisioned in Workplace will be able to authenticate via your selected Identity Provider.Prerequisites
In order to enable SSO authentication in Workplace you will need to:
- Have access to your Identity Provider's configuration settings.
- Have a System Administrator role assigned in Workplace.
- Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
Enabling SSO requires some changes in your Identity Provider and Workplace. There are three stages:
Here is a detailed overview of each step:Configure your IdP for SSO with Workplace
1. Configure your IdP to enable SSO for Workplace
Follow the your Identity Provider's instructions below to configure SSO for Workplace. All of the cloud-based Identity Providers we support offer a pre-configured app to make Workplace setup easier:
Workplace also supports ADFS as an SSO provider. Read more on How to configure ADFS as an SSO provider for Workplace.
All of the configurations above will provide at least a SAML URL, SAML Issuer URL and a X.509 certificate we will use in the next steps to configure Workplace. Please note them down.
2. Configure Workplace to authenticate users via SSO
This ties in your SSO provider with Workplace:
- SAML URL
- SAML Issuer URL
- SAML Logout Redirect (Optional)
- SAML Certificate
3. Enable SSO for your usersEnable SSO for your users
You can now enable SSO for your users in one of these ways:
- Enable SSO for a user
- Enable SSO in bulk for all or for a portion of your users
Enable SSO for a user
You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:
Enable SSO in bulk for all or for a portion of your users
You can use different approaches to enable SSO for all or a subset of your users:
- Use our Account Management API to update Login method field for a set of users automatically. Most Identity Providers that integrate with Workplace rely on such API to synchronize authentication settings for your all your users at scale. Read more at Account Management API.
- Login method is among the fields we support for bulk editing. You can set
Login methodfield to SSO for a set of users by using spreadsheet import feature. You can read more at Bulk Account Management.
SAML Logout Redirect (Optional)
You can choose to optionally configure a SAML Logout URL in the SSO configuration page which can be used to point at your Identity Provider's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.Reauthentication frequency
You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never. You can also force a SAML reset for all users using the Force Reauthentication Now button.
Workplace SSO Architecture
Workplace supports SAML 2.0 for SSO, by giving admins the option to manage access to the platform by using an Identity Provider (IdP) they control. Workplace receives and accepts SAML-based assertions from the IdP and plays the role of the SAML Service Provider (SP) in the following authentication flow:
- Fills out username and clicks on Continue button OR
- Clicks on Login with SSO button.
<samlp:AuthnRequest>object passed in the request has data, such as
Issuerwhich contains the Workplace instance ID, and
NameIDPolicywhich has been agreed between IdP and SP beforehand that specifies constraints on the name identifier to be used to represent the requested subject. Workplace requires that the NameID contain the user's email address (
- Response is signed with the certificate issued by the IdP;
emailAddressreturned in the SAML assertions matches the one used to initiate the SSO flow;
- Authentication was successful (