
                                    Authentication

                                    Learn about your options for allowing users access to Workplace.

                                    Overview

                                    Single Sign-On (SSO) gives users access to Workplace through an Identity Provider (IdP) that you control. This offers some benefits for you and your team:

                                    • It's more secure: Provides an additional security and governance layer (no credentials are stored outside of your company’s controlled systems or transmitted over the network).
                                    • It's easier for end users: Sign into Workplace by using the same SSO credentials as other systems (e.g. laptop or internal applications), so your users can access Workplace without having to remember another password.

                                    Workplace is directly supported by several identity providers, including Azure AD, G Suite, Okta, OneLogin and Ping Identity, which offer direct connectors to make setup easier.

                                    Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. Because SAML 2.0 is an industry standard, Workplace can integrate easily with any Identity Provider that supports it, even one not listed on this page, and you can even create your own SSO implementation.

                                    Turn on SSO for Workplace

                                    Once you have successfully completed the SSO configurations below, users provisioned in Workplace will be able to authenticate via your selected Identity Provider.

                                    Prerequisites

                                    In order to enable SSO authentication in Workplace you will need to:

                                    • Have access to your Identity Provider's configuration settings.
                                    • Have a System Administrator role assigned in Workplace.
                                    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.

                                    By default, Workplace supports one Identity Provider for SSO in each instance. This means that, in order to enable SSO for every user, you should have a global Identity Provider in place for SSO. Alternatively, we support a mixed authentication scenario where some users authenticate by using SSO and others by using Workplace username and password credentials, or we offer Multiple Identity Provider support in our Enterprise plan.

                                    High-level instructions

                                    Enabling SSO requires some changes in your Identity Provider and Workplace. There are three stages:

                                    1. Configure your Identity Provider (IdP) to enable SSO for Workplace.

                                    2. Configure Workplace to authenticate users via SSO.

                                    3. Enable SSO for your users.

                                    Here is a detailed overview of each step:

                                    1. Configure your IdP to enable SSO for Workplace

                                    Follow your Identity Provider's instructions below to configure SSO for Workplace. All of the cloud-based Identity Providers we support offer a pre-configured app to make Workplace setup easier:

                                    G-Suite
                                    Azure AD
                                    Okta
                                    OneLogin
                                    Ping
                                    Duo

                                    Workplace also supports ADFS as an SSO provider. Read more on How to configure ADFS as an SSO provider for Workplace.

                                    All of the configurations above will provide at least a SAML URL, a SAML Issuer URL and an X.509 certificate, which are used in the next steps to configure Workplace. Please note them down.

                                    For the X.509 certificate, you may need to open the downloaded certificate in a text editor in order to use it in the next steps.

                                    2. Configure Workplace to authenticate users via SSO

                                    This ties in your SSO provider with Workplace:

                                    1. In the Admin Panel, select Security.

                                    2. Click on the Authentication tab.

                                    3. Check the Single Sign-On (SSO) checkbox.

                                    4. Click +Add New SSO Provider.

                                    5. Type the values provided by your Identity Provider into the relevant fields:
                                       • SAML URL
                                       • SAML Issuer URL
                                       • SAML Logout Redirect (Optional)
                                       • SAML Certificate

                                       Depending on your Identity Provider, you may need to copy the values for Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section and configure your Identity Provider accordingly.

                                    6. Scroll to the bottom of the section and click the Test SSO button. A popup window appears showing your Identity Provider login page. Enter your credentials to authenticate.

                                       Troubleshooting: Ensure the email address being used to authenticate with your IdP is the same as that of the Workplace account you are logged in with.

                                    7. Once the test has completed successfully, scroll to the bottom of the page and click the Save button.

                                    8. If required, configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

                                    3. Enable SSO for your users

                                    You can now enable SSO for your users in one of these ways:

                                    • Enable SSO for a user
                                    • Enable SSO in bulk for all or for a portion of your users

                                    Enable SSO for a user

                                    You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:

                                    1. In the Admin Panel, select People.

                                    2. Search for the user that you want to enable for SSO.

                                    3. Click on the ... button and select Edit Person's Details.

                                    4. Select SSO at Log in with.

                                    Enable SSO in bulk for all or for a portion of your users

                                    You can use different approaches to enable SSO for all or a subset of your users:

                                    • Use our Account Management API to update the Login method field for a set of users automatically. Most Identity Providers that integrate with Workplace rely on this API to synchronize authentication settings for all your users at scale. Read more at Account Management API.
                                    • Login method is among the fields we support for bulk editing. You can set the Login method field to SSO for a set of users by using the spreadsheet import feature. You can read more at Bulk Account Management.

                                    SAML Logout Redirect (Optional)

                                    You can optionally configure a SAML Logout URL in the SSO configuration page, which can be used to point at your Identity Provider's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.

                                    Reauthentication frequency

                                    You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never. You can also force a SAML reset for all users using the Force Reauthentication Now button.

                                    Workplace SSO Architecture

                                    This section provides a more detailed overview of the SSO flow supported by Workplace. Custom SAML-based SSO solutions should follow the guidelines outlined above to integrate with Workplace for authentication.

                                    Workplace supports SAML 2.0 for SSO, giving admins the option to manage access to the platform by using an Identity Provider (IdP) they control. Workplace receives and accepts SAML-based assertions from the IdP and plays the role of the SAML Service Provider (SP) in the following authentication flow:

                                    1. SP-initiated SSO. An SSO-enabled user lands on the Workplace sign-in page, then:
                                       • Fills out the username and clicks the Continue button, OR
                                       • Clicks the Login with SSO button.

                                    2. Workplace does an HTTP Redirect binding from SP to IdP. The <samlp:AuthnRequest> object passed in the request carries data such as Issuer, which contains the Workplace instance ID, and NameIDPolicy, which has been agreed between IdP and SP beforehand and specifies constraints on the name identifier to be used to represent the requested subject. Workplace requires that the NameID contain the user's email address (nameid-format:emailAddress).

                                    3. Workplace expects an HTTP Post binding from IdP to SP. A SAML token is returned containing user assertions, including Authentication status. The Workplace post-back URL (also called the Assertion Consumer Service URL) is configured at the IdP level and points to the /work/saml.php endpoint of the company's Workplace instance.

                                    4. Workplace, before letting a user in, checks if:
                                       • The response is signed with the certificate issued by the IdP;
                                       • The emailAddress returned in the SAML assertions matches the one used to initiate the SSO flow;
                                       • Authentication was successful (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>).
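
The flow above, seen from someone building or debugging a custom SAML integration, as an added example that is not Workplace's own code: it decodes the AuthnRequest carried by the HTTP Redirect binding in step 2 and lists which of the step 4 checks a posted SAMLResponse would fail. The sample request and response, the instance ID, the IdP host and the user are constructed placeholders, and the signature check is presence-only, so this is a diagnostic aid rather than an authentication decision.

```python
import base64, zlib
import xml.etree.ElementTree as ET  # diagnostic use; prefer defusedxml for untrusted XML
from urllib.parse import parse_qs, urlencode, urlparse

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A, "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_redirect_request(url):
    """Step 2, HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(AuthnRequest))."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    root = ET.fromstring(zlib.decompress(base64.b64decode(b64), -15))
    policy = root.find("samlp:NameIDPolicy", NS)
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "nameid_format": None if policy is None else policy.get("Format")}

def check_response(b64_response, expected_email):
    """Steps 3-4, HTTP-POST binding: return the step-4 checks this response fails."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID is missing or not in emailAddress format")
    elif (name_id.text or "").strip() != expected_email:
        problems.append("NameID does not match the email that started the flow")
    # Presence only: verifying against the IdP certificate needs an XML-DSig library.
    if root.find(".//ds:Signature", NS) is None:
        problems.append("no ds:Signature element in the response")
    return problems

# Constructed samples: the instance ID, IdP host and user are placeholders.
SAMPLE_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{P}" xmlns:saml="{A}" ID="_req1" Version="2.0">'
    f'<saml:Issuer>WORKPLACE-INSTANCE-ID</saml:Issuer>'
    f'<samlp:NameIDPolicy Format="{EMAIL_FMT}"/></samlp:AuthnRequest>')
deflater = zlib.compressobj(wbits=-15)
raw = deflater.compress(SAMPLE_REQUEST_XML.encode()) + deflater.flush()
SAMPLE_URL = "https://idp.example.invalid/sso?" + urlencode(
    {"SAMLRequest": base64.b64encode(raw).decode()})
SAMPLE_RESPONSE_XML = (  # unsigned on purpose
    f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}" ID="_resp1" Version="2.0">'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID Format="{EMAIL_FMT}">'
    f'alice@example.invalid</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
```

Call `decode_redirect_request` on the URL your IdP receives and `check_response` on the `SAMLResponse` form field it posts back, together with the email address that started the flow.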