Workleap

With SSO (single sign-on), users can access their Workleap products without memorizing another username and password. Give them the option to sign in using their credentials for the following products:

To activate Slack SSO for your Workleap account:

Open Settings and select SSO from the side menu.

Select Connect to your Slack workspace.

1. Open Settings and select SSO from the side menu.
2. Select Connect next to Slack.
3. Select Connect to your Slack workspace.

Slack SSO is activated per workspace. To connect additional workspaces, select Add another workspace. Select the trashcan icon to disconnect a workspace. Select the pencil icon to reconnect or delete a previously connected workspace.

Note: To manage your Slack SSO settings in the future, go to Settings &gt; SSO &gt; View settings (next to Slack).

To activate Google or Microsoft 365 SSO for your Workleap account:

Toggle on the product you want to activate.

1. Open Settings and select SSO from the side menu.
2. Toggle on the product you want to activate.

Select the toggle to enforce SSO. If activated, your user base can only log in to your Workleap products using the SSO options you've activated. That means users won't be able to log in with their username/password or by opening magic links.

Note: If a user not in your SSO directory tries to log in with this option enabled, we'll let them know to contact you.

SAML is a markup language used for SSO authentication. To request a SAML SSO setup in Workleap, follow the steps outlined in the sections below.

Workleap doesn't support Single Logout (SLO).

All authentication requests must be signed by an SHA-256 algorithm.

- Workleap only supports SAML 2.0.
- Workleap doesn't support Single Logout (SLO).
- All authentication requests must be signed by an SHA-256 algorithm.

To enable SAML SSO for your organization, <a href="mailto:support@workleap.com" rel="nofollow noopener noreferrer" target="_blank">submit a request to our support team</a>.

- You must provide your application's SAML metadata, including the:
  - Identity provider SSO URL.
  - Issuer URL.
  - X.509 certificate.

Ensure the NameID value is persistent.

- urn:oasis:names:tc:SAML:attribute:email
 - The value must be email.
- urn:oasis:names:tc:SAML:attribute:subject-id
 - The value must be a unique identifier from your identity provider (IdP).

- Create a SAML 2.0 application.
 - You must provide your application's SAML metadata, including the:
 - Identity provider SSO URL.
 - Issuer URL.
 - X.509 certificate.
- Ensure the NameID value is persistent.
- Add the following attributes:
 - urn:oasis:names:tc:SAML:attribute:email
 - The value must be email.
 - urn:oasis:names:tc:SAML:attribute:subject-id
 - The value must be a unique identifier from your identity provider (IdP).

Tip: We'll give you an ACS URL for your SAML setup once we receive your issuer URL and X.509 certificate. If you need a temporary URL to create your SAML 2.0 application, use <a href="https://www.placholder.com" rel="nofollow noopener noreferrer" target="_blank">https://www.placholder.com</a>.

Note: SAML SSO is configured using a service provider (SP)-initiated setup for better security and compatibility with our features. If you have questions, ask our support team.

SSO

Activate SSO

Slack

Google or Microsoft 365

Enforce SSO

SAML

SAML Considerations

Enable SAML