Single Sign On Authentication

Overview

Workplace can be integrated with identity providers (IdPs) for user authentication. This makes it easier for users to sign in to Workplace using the same Single Sign On (SSO) credentials they use with other systems.

Single Sign On for Workplace is directly supported by the following IdPs:

Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO, so even if your IdP isn't listed you may find it's compatible as long as it supports SAML 2.0.

Prerequisites

In order to enable SSO authentication you will need to:

  1. Have access to your IdP's configuration settings
  2. Be assigned a System Administrator role in Workplace

Once you have successfully completed the SSO configuration, all of the users provisioned in Workplace will be able to authenticate via your selected IdP.

IdP Configuration

As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to your SAML identity provider.

Based on your chosen SAML identity provider (IdP), follow the relevant links below to complete the setup process:


ADFS (Active Directory Federation Service)

Requirements:

  • SSO system uses: Windows Server 2016, Windows Server 2012 R2, Active Directory Domain Services (AD DS) or Windows Server 2008 R2.
  • Active Directory Federation Services (ADFS) 2016, v3 or v2.
  • Workplace System Administrator has the exact same email address as your corresponding Active Directory user.

ADFS SSO Configuration Guide (PDF)

ADFS Configuration Video:


Azure AD


G Suite

SSO for Workplace is free as part of your Google Apps subscription.


Okta

Okta Configuration Guide (docx)

OneLogin


Ping Identity

Workplace Configuration

  1. In the Company Dashboard, go to the Authentication tab.
  2. Under SAML Authentication, select SSO Only from the drop-down list.
  3. Input the values from your IdP into the corresponding fields:
    1. SAML URL
    2. SAML Issuer URL
    3. SAML Logout Redirect (Optional)
    4. SAML Certificate
      You may need to open the downloaded certificate in a text editor in order to copy and paste it into the field.
  4. Depending on your IdP, you may need to enter the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
  5. Scroll to the bottom of the section and click the Test SSO button. A popup window will appear showing your IdP login page. Enter your credentials as normal to authenticate.
    Troubleshooting: Ensure the email address returned from your IdP is the same as that of the Workplace account you are logged in with.
  6. Once the test has been completed successfully, scroll to the bottom of the page and click the Save button.
  7. All users using Workplace will now be presented with your IdP login page for authentication.

SAML Logout Redirect (optional)

You can optionally configure a SAML Logout URL that points at your IdP's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.

Example with ADFS:

  • Update the Workplace relying party trust to add a SAML Logout Endpoint to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  • Update the settings in Workplace so that the SAML Logout Redirect is set to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  • Save the settings

When you now log out, you'll be logged out from both Workplace and ADFS.

Reauthentication Frequency

You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never.

The minimum value for the SAML check on mobile applications is set to one week.

You can also force a SAML reset for all users using the button: Require SAML authentication for all users now.