Authentication



Learn about your options for allowing users access to Workplace.
Overview

Single Sign-On (SSO) gives users access to Workplace through an Identity Provider (IdP) that you control. This offers some benefits for you and your team:

  • It's more secure: It provides an additional security and governance layer. Users authenticate at your IdP, so no Workplace-specific password is stored outside your company's controlled systems or sent to Workplace, and the controls you already enforce at the IdP apply to Workplace access.
  • It's easier for end users: They sign into Workplace with the same SSO credentials they use for other systems (e.g. their laptop or internal applications), so they don't have to remember another password.

Workplace is directly supported by several identity providers, including Azure AD, G Suite, Okta, OneLogin and Ping Identity, which offer pre-built connectors to make setup easier.

Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. Because SAML 2.0 is an industry standard, Workplace can integrate with any Identity Provider that supports it, even one not listed on this page, and you can also build your own SAML 2.0 SSO implementation.

Turn on SSO for Workplace

Once you have successfully completed the SSO configurations below, users provisioned in Workplace will be able to authenticate via your selected Identity Provider.

Prerequisites

In order to enable SSO authentication in Workplace you will need to:

  • Have access to your Identity Provider's configuration settings.
  • Have a System Administrator role assigned in Workplace.
  • Have an account in the Identity Provider that uses the same email address as the Workplace user you are logged in with. This is essential to test SSO and complete the Workplace configuration correctly, because the test signs you in via the IdP and Workplace matches the returned email against your current account.

By default, Workplace supports one Identity Provider for SSO per instance. To enable SSO for every user, you therefore need a single global Identity Provider. Alternatively, Workplace supports a mixed authentication scenario in which some users authenticate via SSO and others with Workplace username and password credentials, and the Enterprise plan offers Multiple Identity Provider support.

High-level instructions

Enabling SSO requires some changes in your Identity Provider and Workplace. There are three stages:

1
Configure your Identity Provider (IdP) to enable SSO for Workplace.

2
Configure Workplace to authenticate users via SSO.

3
Enable SSO for your users.

Here is a detailed overview of each step:

1. Configure your IdP to enable SSO for Workplace

Follow your Identity Provider's instructions below to configure SSO for Workplace. All of the cloud-based Identity Providers we support offer a pre-configured app to make Workplace setup easier:

G-Suite
Azure AD
Okta
OneLogin
Ping
Duo

Workplace also supports ADFS as an SSO provider. Read more on How to configure ADFS as an SSO provider for Workplace.

All of the configurations above will provide at least a SAML URL, a SAML Issuer URL and an X.509 certificate, which you will use in the next steps to configure Workplace. Note them down.

For the X.509 certificate, you may need to open the downloaded certificate file in a text editor and copy its PEM text (the block between the BEGIN CERTIFICATE and END CERTIFICATE lines) so you can paste it in the next steps.
2. Configure Workplace to authenticate users via SSO

This ties in your SSO provider with Workplace:

1
In the Admin Panel, select Security.

2
Click on the Authentication tab.

3
Check the Single Sign-On (SSO) checkbox.

4
Click +Add New SSO Provider.

5
Type in the values provided by your Identity Provider into the relevant fields:
  • SAML URL
  • SAML Issuer URL
  • SAML Logout Redirect (Optional)
  • SAML Certificate

Depending on your Identity Provider, you may also need to copy the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section into your Identity Provider's configuration.

6
Scroll to the bottom of the section and click the Test SSO button. A popup window opens with your Identity Provider's login page. Enter your credentials to authenticate.

Troubleshooting: Ensure the email address you use to authenticate with your IdP is the same as that of the Workplace account you are logged in with.

7
Once the test has completed successfully, scroll to the bottom of the page and click the Save button.

8
If required, configure SSO as the default authentication method for new users by selecting SSO in the Default to new users drop-down.

3. Enable SSO for your users

You can now enable SSO for your users in one of these ways:

  • Enable SSO for a user
  • Enable SSO in bulk for all or for a portion of your users

Enable SSO for a user

You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:

1
In the Admin Panel, select People.

2
Search for the user that you want to enable for SSO.

3
Click on the ... button and select Edit Person's Details.

4
Select SSO at Log in with.

Enable SSO in bulk for all or for a portion of your users

You can use different approaches to enable SSO for all or a subset of your users:

  • Use our Account Management API to update the Login method field for a set of users automatically. Most Identity Providers that integrate with Workplace rely on this API to synchronize authentication settings for all your users at scale. Read more at Account Management API.
  • Login method is among the fields we support for bulk editing. You can set the Login method field to SSO for a set of users by using the spreadsheet import feature. Read more at Bulk Account Management.

SAML Logout Redirect (Optional)

You can optionally set the SAML Logout Redirect field on the SSO configuration page to your Identity Provider's logout page. When this setting is configured, users who log out are no longer sent to the Workplace logout page; instead they are redirected to the URL entered in the SAML Logout Redirect setting.

Reauthentication frequency

You can configure Workplace to require a fresh SAML authentication every day, every 3 days, every week, every 2 weeks, every month or never. You can also force all users to reauthenticate immediately with the Force Reauthentication Now button.

Workplace SSO Architecture

This section provides a more detailed overview of the SSO flow supported by Workplace. Custom SAML-based SSO solutions should follow the flow outlined below to integrate with Workplace for authentication.

Workplace supports SAML 2.0 for SSO, by giving admins the option to manage access to the platform by using an Identity Provider (IdP) they control. Workplace receives and accepts SAML-based assertions from the IdP and plays the role of the SAML Service Provider (SP) in the following authentication flow:

1
SP-initiated SSO. An SSO-enabled user lands on the Workplace sign-in page, then either:
  • Fills out username and clicks on Continue button OR
  • Clicks on Login with SSO button.

2
Workplace sends the user to the IdP using the HTTP-Redirect binding. The <samlp:AuthnRequest> carried in the request includes an Issuer element containing the Workplace instance ID, and a NameIDPolicy element, agreed between IdP and SP beforehand, that constrains the name identifier used to represent the requested subject. Workplace requires the NameID to be the user's email address, i.e. the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

3
Workplace expects the IdP to answer with the HTTP-POST binding. The SAML response returned contains the user's assertions, including the authentication status. The Workplace post-back URL (also called the Assertion Consumer Service URL) is configured on the IdP side and points to the /work/saml.php endpoint of the company's Workplace instance.

4
Before letting the user in, Workplace checks that:
  • the response is signed with the IdP certificate configured in Workplace;
  • the emailAddress NameID returned in the SAML assertion matches the email address used to initiate the SSO flow;
  • authentication was successful (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>).
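The flow above, seen from the Service Provider side, as an added example (this is not Workplace's own code). It builds the step-2 AuthnRequest and encodes it for the HTTP-Redirect binding, decodes such a request back to its fields (useful when debugging the redirect in a browser's address bar), and applies the step-4 checks to a SAML response. Hostnames, the instance ID, the request ID and the certificate body are constructed sample data. The "signed with the IdP certificate" check is reduced here to comparing the certificate embedded in the response's <ds:Signature> with the one pinned at configuration time; a real deployment must verify the XML-DSig signature itself with a SAML library.

```python
"""SP-side view of the Workplace-style SAML flow (added example, not Workplace code).

Assumptions (not from the page): sample hostnames, instance ID, request ID and
certificate are constructed; cryptographic XML-DSig verification is delegated
to a library and only certificate pinning is shown here.
"""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(issuer, acs_url, idp_sso_url, request_id, relay_state=None):
    """Step 2: AuthnRequest encoded for the HTTP-Redirect binding
    (raw DEFLATE, then base64, then URL-encoded as the SAMLRequest parameter).
    Issuer carries the SP identifier; NameIDPolicy pins the emailAddress format."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:NameIDPolicy Format="%s" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    ) % (NS["samlp"], NS["saml"], request_id, acs_url, issuer, EMAIL_FORMAT)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Reverse of build_authn_request: recover the fields from a redirect URL."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": root.find("samlp:NameIDPolicy", namespaces=NS).get("Format"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def _strip_pem(cert):
    """Normalise PEM armour and whitespace so certificates compare by body only."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", cert)


def check_saml_response(response_xml, expected_email, pinned_cert_pem):
    """Step 4: the checks listed on the page, returned as a list of failures
    (empty list = accept).  The signature check here only pins the certificate;
    verifying the XML-DSig signature value is left to a SAML library."""
    root = ET.fromstring(response_xml)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", namespaces=NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or _strip_pem(cert) != _strip_pem(pinned_cert_pem):
        problems.append("response not signed with the configured IdP certificate")
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not emailAddress format")
    elif nameid.text.strip() != expected_email:
        problems.append("NameID does not match the email that started the flow")
    return problems


# Constructed sample data: a fake certificate body and an abbreviated response
# (a real <ds:Signature> also carries SignedInfo and SignatureValue).
IDP_CERT = "-----BEGIN CERTIFICATE-----\nMIICsampleBodyNotARealCert==\n-----END CERTIFICATE-----"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"
  ID="_resp1" Version="2.0" Destination="https://acme.workplace.com/work/saml.php">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature xmlns:ds="%(ds)s"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIICsampleBodyNotARealCert==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>""" % NS

if __name__ == "__main__":
    url = build_authn_request("workplace-instance-123", "https://acme.workplace.com/work/saml.php",
                              "https://idp.example.com/sso", "_req1", "/work/home")
    print(decode_saml_request(url))
    print("alice:", check_saml_response(SAMPLE_RESPONSE, "alice@example.com", IDP_CERT))
    print("bob:  ", check_saml_response(SAMPLE_RESPONSE, "bob@example.com", IDP_CERT))
```

The failures are returned as a list rather than short-circuited so that a log line can show every check that failed on a rejected login; in production the status, signature and NameID checks should all pass before any user session is created, and a library such as python3-saml or signxml should perform the actual signature verification, including canonicalization and reference validation.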