                                  Authentication: Single Sign-On (SSO)

                                  Learn about your options for allowing users access to Workplace.

                                  Overview

                                  Single Sign-On (SSO) gives users access to Workplace through an Identity Provider (IdP) that you control. This offers some benefits for you and your team:

                                  • It's more secure: Provides an additional security and governance layer (no credentials are stored outside of your company’s controlled systems or transmitted over the network).
                                  • It's easier for end users: Sign into Workplace by using the same SSO credentials as other systems (e.g. laptop or internal applications), so your users can access Workplace without having to remember another password.

                                  Workplace is directly supported by several identity providers, including Azure AD, G Suite, Okta, OneLogin and Ping Identity, which offer direct connectors to make setup easier.

                                  Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. Because SAML 2.0 is an industry standard, Workplace can integrate easily with any Identity Provider that supports it, even one not listed on this page, and you can also create your own SSO implementation.

                                  Turn on SSO for Workplace

                                  Once you have successfully completed the SSO configurations below, users provisioned in Workplace will be able to authenticate via your selected Identity Provider.

                                  Prerequisites

                                  In order to enable SSO authentication in Workplace you will need to:

                                  • Have access to your Identity Provider's configuration settings.
                                  • Have a System Administrator role assigned in Workplace.
                                  • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.

                                  By default, Workplace supports one Identity Provider for SSO in each instance. This means that to enable SSO for every user you should have a global Identity Provider in place for SSO. Alternatively, we support a mixed authentication scenario, where some users authenticate by using SSO and others by using Workplace username and password credentials, and we offer Multiple Identity Provider support in our Enterprise plan.

                                  High-level instructions

                                  Enabling SSO requires some changes in your Identity Provider and Workplace. There are three stages:

                                  1. Configure your Identity Provider (IdP) to enable SSO for Workplace.
                                  2. Configure Workplace to authenticate users via SSO.
                                  3. Enable SSO for your users.

                                  Here is a detailed overview of each step:

                                  1. Configure your IdP to enable SSO for Workplace

                                  Follow your Identity Provider's instructions below to configure SSO for Workplace. All of the cloud-based Identity Providers we support offer a pre-configured app to make Workplace setup easier:

                                  G-Suite
                                  Azure AD
                                  Okta
                                  OneLogin
                                  Ping
                                  Duo

                                  Workplace also supports ADFS as an SSO provider. Read more on How to configure ADFS as an SSO provider for Workplace.

                                  All of the configurations above will provide at least a SAML URL, a SAML Issuer URL and an X.509 certificate, which you will use in the next steps to configure Workplace. Please note them down.

                                  For the X.509 certificate, you may need to open the downloaded certificate in a text editor in order to use it in the next steps.

                                  2. Configure Workplace to authenticate users via SSO

                                  This ties in your SSO provider with Workplace:

                                  1. In the Admin Panel, select Security.
                                  2. Click on the Authentication tab.
                                  3. Check the Single Sign-On (SSO) checkbox.
                                  4. Click +Add New SSO Provider.
                                  5. Type the values provided by your Identity Provider into the relevant fields:
                                     • SAML URL
                                     • SAML Issuer URL
                                     • SAML Logout Redirect (Optional)
                                     • SAML Certificate

                                     Depending on your Identity Provider, you may need to copy the values for Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section and configure your Identity Provider accordingly.
                                  6. Scroll to the bottom of the section and click the Test SSO button. A popup window will appear showing your Identity Provider login page. Enter your credentials to authenticate.

                                     Troubleshooting: Ensure the email address being used to authenticate with your IdP is the same as that of the Workplace account you are logged in with.
                                  7. Once the test has been completed successfully, scroll to the bottom of the page and click the Save button.
                                  8. If required, configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

                                  3. Enable SSO for your users

                                  You can now enable SSO for your users in one of these ways:

                                  • Enable SSO for a user
                                  • Enable SSO in bulk for all or for a portion of your users

                                  Enable SSO for a user

                                  You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:

                                  1. In the Admin Panel, select People.
                                  2. Search for the user that you want to enable for SSO.
                                  3. Click on the ... button and select Edit Person's Details.
                                  4. Select SSO at Log in with.

                                  Enable SSO in bulk for all or for a portion of your users

                                  You can use different approaches to enable SSO for all or a subset of your users:

                                  • Use our Account Management API to update the Login method field for a set of users automatically. Most Identity Providers that integrate with Workplace rely on this API to synchronize authentication settings for all your users at scale. Read more at Account Management API.
                                  • Login method is among the fields we support for bulk editing. You can set the Login method field to SSO for a set of users by using the spreadsheet import feature. You can read more at Bulk Account Management.

                                  SAML Logout Redirect (Optional)

                                  You can optionally configure a SAML Logout URL in the SSO configuration page to point at your Identity Provider's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.

                                  Reauthentication frequency

                                  You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never. You can also force a SAML reset for all users using the Force Reauthentication Now button.

                                  Workplace SSO Architecture

                                  This section provides a more detailed overview of the SSO flow supported by Workplace. Custom SAML-based SSO solutions should follow the guidelines outlined above to integrate with Workplace for authentication.

                                  Workplace supports SAML 2.0 for SSO, by giving admins the option to manage access to the platform by using an Identity Provider (IdP) they control. Workplace receives and accepts SAML-based assertions from the IdP and plays the role of the SAML Service Provider (SP) in the following authentication flow:

                                  1. SP-initiated SSO. An SSO-enabled user lands on the Workplace sign-in page, then:
                                     • Fills out the username and clicks on the Continue button OR
                                     • Clicks on the Login with SSO button.
                                  2. Workplace does an HTTP Redirect binding from SP to IdP. The <samlp:AuthnRequest> object passed in the request carries data such as Issuer, which contains the Workplace instance ID, and NameIDPolicy, which is agreed between IdP and SP beforehand and specifies constraints on the name identifier used to represent the requested subject. Workplace requires that the NameID contain the user's email address (nameid-format:emailAddress).
                                  3. Workplace expects an HTTP POST binding from IdP to SP. A SAML token is returned containing user assertions, including authentication status. The Workplace post-back URL (also called the Assertion Consumer Service URL) is configured at the IdP level and points to the /work/saml.php endpoint of the company's Workplace instance.
                                  4. Workplace, before letting a user in, checks if:
                                     • Response is signed with the certificate issued by the IdP;
                                     • emailAddress returned in the SAML assertions matches the one used to initiate the SSO flow;
                                     • Authentication was successful (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>).
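
An added example, not Workplace's own code: a Python check of the structural conditions from step 4, for inspecting a base64 SAMLResponse captured while testing your own IdP configuration. The function names, the constructed sample response and the exact-match email comparison are assumptions; it only confirms that a signature references the Response or Assertion, so cryptographic verification against the IdP's X.509 certificate still requires an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample response (hypothetical IDs, no real signature value).
SAMPLE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" ID="_r1">'
    '<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
    '<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature><saml:Subject>'
    '<saml:NameID Format="{fmt}">{email}</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>')

def make_sample(email, status=SUCCESS, fmt=EMAIL_FORMAT):
    xml = SAMPLE.format(status=status, fmt=fmt, email=email, **NS)
    return base64.b64encode(xml.encode())  # the form POSTed as SAMLResponse

def check_saml_response(b64_response, expected_email):
    """Return a list of problems; empty means the structural checks passed."""
    raw = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse one to avoid entity expansion.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["DTD or entity declaration present"]
    root = ET.fromstring(raw)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    assertion = assertions[0]
    # Structural only: a Signature must reference the Response/Assertion ID (no crypto).
    sigs = root.findall("ds:Signature", NS) + assertion.findall("ds:Signature", NS)
    signed = {r.get("URI", "")[1:] for s in sigs for r in s.iter("{%s}Reference" % NS["ds"])}
    if not signed & {root.get("ID"), assertion.get("ID")}:
        problems.append("no signature references the Response or Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif (name_id.text or "").strip() != expected_email.strip():  # exact match (assumption)
        problems.append("NameID does not match the expected email")
    return problems
```

An empty list means the response is shaped the way step 4 expects; any entry names the first condition to fix on the IdP side, such as a NameID that is not the user's email address.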