Single Sign On Authentication
Workplace can be integrated with identity providers (IdPs) for user authentication. This makes it easier for users to sign into Workplace using the same Single Sign On (SSO) credentials they use with other systems.
Single Sign On for Workplace is directly supported by the following IdPs:
- ADFS (Active Directory Federation Service)
- Azure AD
- G Suite (formerly Google Apps for Work)
- Ping Identity
Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO, so even if your IdP isn't listed you may find it's compatible as long as it supports SAML 2.0.
In order to enable SSO authentication you will need to:
- Have access to your IdP's configuration settings
- Be assigned a System Administrator role in Workplace
Once you have successfully completed the SSO configuration, all of the users provisioned in Workplace will be able to authenticate via your selected IdP.
As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to your SAML identity provider.
Based on your chosen SAML identity provider (IdP), follow the relevant links below to complete the setup process:
ADFS (Active Directory Federation Service)
- SSO system uses: Windows Server 2016, Windows Server 2012 R2, Active Directory Domain Services (AD DS) or Windows Server 2008 R2.
- Active Directory Federation Services (ADFS) 2016, v3 or v2.
- Workplace System Administrator has the exact same email address as your corresponding Active Directory user.
SSO for Workplace is free as part of your Google Apps subscription.
Okta
Okta Configuration Guide (docx)
- In the Company Dashboard, go to the Authentication tab.
- Under SAML Authentication, select SSO Only from the drop-down list.
- Input the values from your IdP into the corresponding fields:
  - SAML URL
  - SAML Issuer URL
  - SAML Certificate
  You may need to open the downloaded certificate in a text editor in order to copy and paste it into the field.
- Depending on your IdP, you may need to enter the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
- Scroll to the bottom of the section and click the Test SSO button. A popup window will appear showing your IdP login page. Enter your credentials as normal to authenticate.
Troubleshooting: Ensure the email address returned from your IdP is the same as that of the Workplace account you are logged in with.
- Once the test has been completed successfully, scroll to the bottom of the page and click the Save button.
- All users using Workplace will now be presented with your IdP login page for authentication.
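For the Troubleshooting note in the Test SSO step, the following added example (not Workplace's or any IdP's own code) decodes a captured base64 SAMLResponse and reports how the identity it carries relates to the email address of the Workplace account. It assumes the IdP sends the email address as the assertion's NameID; the sample response, the addresses and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not real IdP output); NameID differs from the
# mail attribute only in letter case.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>Alice.Admin@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice.admin@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def identities_in_response(saml_response_b64):
    """Decode a base64 SAMLResponse form value; return (NameID, {attr: [values]}).

    Diagnostic only: no signature or condition checks are performed here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.findtext(".//saml:Assertion/saml:Subject/saml:NameID", "", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Assertion//saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return name_id.strip(), attrs


def diagnose(saml_response_b64, workplace_email):
    """Classify how the IdP's identity relates to the admin's Workplace email."""
    name_id, attrs = identities_in_response(saml_response_b64)
    if not name_id:
        return "no-nameid"  # e.g. EncryptedAssertion, or Subject missing
    if name_id == workplace_email:
        return "nameid-match"
    if name_id.lower() == workplace_email.lower():
        return "nameid-case-differs"
    for name, values in attrs.items():
        if workplace_email.lower() in (v.lower() for v in values):
            return "email-only-in-attribute:" + name  # wrong claim mapped to NameID
    return "mismatch"
```

To check a real test login, pass the SAMLResponse form value captured from the Test SSO popup in place of SAMPLE_B64.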
You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never.
The minimum value for the SAML check on mobile applications is set to one week.
You can also force a SAML reset for all users using the button: Require SAML authentication for all users now.