Authentication

Make logging in easy for your Workplace community by integrating with your single sign-on provider or ADFS. Visit the Customer Resource Center for more information about authentication.

This article is only applicable to users of Workplace Advanced.
Users and admins can authenticate in 2 ways on Workplace:
Username and Password
  • The username will be in the form of an email address which has been provisioned in advance.
  • The password is set by the user upon confirming their identity through a unique link sent to the email address registered on Workplace.
Single Sign-On (SSO)
  • The username will be in the form of an email address which has been provisioned in advance.
  • Instead of a password, authentication credentials will be provided by an SSO provider.
Single Sign-On
This article is only applicable to users of Workplace Advanced and Workplace Enterprise.
Workplace can be integrated with identity providers (IdPs) for managing user authentication. This makes it easier for users to sign into Workplace using the same single sign-on (SSO) credentials they use with other systems.
You can also add multiple SSO providers to your Workplace which allows multiple IdPs to be used at the same time.
SSO for Workplace is directly supported by the following IdPs:
In addition to SSO for authentication, our partners above also support automated account provisioning and user management.
Note: Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. You may find IdPs not listed above compatible as long as they use SAML 2.0 protocol.
This article is only applicable to users of Workplace Advanced.
In order to enable single sign-on (SSO) authentication you'll need to:
    1. Have access to your IdP's configuration settings.
    2. Be assigned a System Administrator role in Workplace.
Learn more about single sign-on authentication.
This article is only applicable to users of Workplace Advanced and Workplace Enterprise.
To configure SSO for Workplace from your desktop computer:
  1. From your Admin Panel, go to the Security tab and select Authentication at the top bar.
  2. Under Login, select Single-Sign On (SSO).
  3. Input the values from your IdP into the fields listed:
  • Name of the SSO Provider
  • SAML URL
  • SAML Issuer URL
  • SAML Logout URL Redirect (Optional)
  • SAML Certificate (You may need to open up the downloaded certificate in a text editor in order to copy/paste this into the field.)
  4. Depending on your IdP, you may need to enter the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
  5. Scroll to the bottom of the section and click Test SSO. A popup window will appear with your IdP login page. Enter your credentials as normal to authenticate.
    Ensure the email address returned by your IdP is the same as the Workplace account you're logged in with.
  6. Once the test has been completed successfully, scroll to the bottom of the page and click Save. All users using Workplace will now be presented with your IdP login page for authentication.
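If Test SSO fails, it helps to compare what the IdP actually sent with the values entered in the steps above. The following is an added example, not Workplace or IdP code: it decodes a captured SAMLResponse form value and reports mismatches in issuer, email, Audience and Recipient. The function names, the `example` host names and the sample response are constructed, and it assumes the IdP returns the email address in the assertion's NameID.

```python
import base64
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}

# Constructed, unsigned sample response with placeholder hosts (not real IdP output).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}">
  <saml:Assertion>
    <saml:Issuer>https://idp.example/issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="https://workplace.example/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://workplace.example/audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The POST binding carries the response base64-encoded in the SAMLResponse form field.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_response(form_value):
    """Decode the base64 SAMLResponse form field into XML text."""
    return base64.b64decode(form_value).decode("utf-8")

def check_response(xml_text, expected):
    """Return mismatches between a test response and the values entered in the SSO form.
    No signature validation is done; use only on responses from your own IdP test."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element (encrypted or failed response?)"]
    def text(path):
        node = assertion.find(path, NS)
        return (node.text or "").strip() if node is not None else ""
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    found = {
        "issuer": text("saml:Issuer"),
        "email": text("saml:Subject/saml:NameID"),
        "audience": text("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "recipient": scd.get("Recipient", "") if scd is not None else "",
    }
    return [f"{k}: expected {v!r}, got {found.get(k)!r}"
            for k, v in expected.items() if found.get(k) != v]
```

Pass `expected` as a dict with any of the keys `issuer`, `email`, `audience` and `recipient`; an empty list means every supplied value matched.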
Adding multiple SSO providers is only available to users of Workplace Enterprise.
To add multiple SSO providers:
  1. Under your default SSO Provider, click Add New SSO Provider.
  2. Follow the steps to configure SSO listed above.
  3. Once completed, you'll see an Other section with the name of the provider you entered.
  4. You can now add employees to the IdP they belong to based on their domain by clicking Assign Email Domains.
SAML Logout Redirect (optional):
You can choose to configure a SAML Logout URL which can be used to point at your IdP's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.
Example with ADFS:
  1. Update the Workplace relying party trust to add a SAML Logout Endpoint to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  2. Update the settings in Workplace so that the SAML Logout Redirect is set to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  3. Save the settings. When you now log out, you'll be logged out from both Workplace and ADFS.
This article is only applicable to users of Workplace Essential and Workplace Advanced.
No, we do not take SAML attributes and provision users; however, you can use self invite or one of the provisioning methods outlined here.
To mimic partial behavior of Just-In-Time provisioning, you must ensure that single sign-on is enabled and Self Invite is on. Once you've made sure your community's settings are updated with those changes, you can create a SCIM-based user management/connector app.
This article is only applicable to users of Workplace Advanced.
You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never. The minimum duration for the SAML check on mobile applications is set to 1 day.
You can also force a SAML reset for all users using the button: Force Reauthentication Now.
Two-factor authentication and single sign-on are two different types of authentication methods. Once a community admin enables SSO, two-factor authentication is turned off as a result.
Active Directory Federation Services (ADFS)
This article is only applicable to users of Workplace Advanced.
Configuring ADFS for Workplace requires the following:
  • SSO system using Windows Server 2016, Windows Server 2012 R2, Active Directory Domain Services (AD DS) or Windows Server 2008 R2.
  • Active Directory Federation Services (ADFS) 2016, v3 or v2.
  • Workplace System Administrator has the exact same email address as your corresponding Active Directory user.
This article is only applicable to users of Workplace Essential and Workplace Advanced.
See the ADFS section on this page for more information on how to configure logging into Workplace via ADFS.
For additional information in English, you can also access this document.