Configuring single sign-on (SSO) for Workplace
Please note that Workplace only supports the SHA-1 and SHA-2 algorithms for signing SAML Certificates.
To configure SSO for Workplace from your computer:
- Click on the left panel of Workplace.
- Click Security, then click Authentication at the top bar.
- Under Log in, select Single sign-on (SSO).
- Input the values from your IdP into the fields listed:
- Name of the SSO Provider
- SAML URL
- SAML Issuer URL
- SAML Logout URL Redirect (Optional)
- SAML Certificate (You may need to open up the downloaded certificate in a text editor in order to copy/paste this into the field.)
- Depending on your IdP, you may need to enter the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
- Scroll to the bottom of the section and click Test SSO. A popup window will appear with your IdP login page. Enter your credentials in as normal to authenticate. Ensure the email address being returned back from your IdP is the same as the Workplace account you're logged in with.
- Once the test has been completed successfully, scroll to the bottom of the page and click Save. All users using Workplace will now be presented with your IdP login page for authentication.
Adding multiple SSO providers is only available to users of Workplace Enterprise.
To add multiple SSO providers:
- Under your default SSO Provider, click Add New SSO Provider.
- Follow the steps to configure SSO listed above.
- Once completed, you'll see an Other section with the name of the provider you entered.
- You can now add employees to the IdP they belong to based on their domain by clicking Assign Email Domains.
SAML Logout Redirect (optional):
You can choose to configure an SAML Logout URL which can be used to point at your IdP's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.
Example with ADFS:
- Update the Workplace relying party trust to add a SAML Logout Endpoint to https://"adfs server"/adfs/ls/?wa=wsignout1.0
- Update the settings in Workplace so that the SAML Logout Redirect is set to https://"adfs server"/adfs/ls/?wa=wsignout1.0
- Save the settings. When you now log out, you'll be logged out from both Workplace and ADFS.