
SSO

Workleap Settings

Updated over 3 weeks ago

With SSO (single sign-on), users can access their Workleap products without memorizing another username and password. Give them the option to sign in using their credentials for the following products:

  • Slack

  • Google

  • Microsoft 365

Note: You can have multiple SSO options active at once.

Activate SSO

Slack

To activate Slack SSO for your Workleap account:

  1. Open Settings and select SSO from the side menu.

  2. Select Connect next to Slack.

  3. Select Connect to your Slack workspace.

Slack SSO is activated per workspace. To connect additional workspaces, select Add another workspace. Select the trashcan icon to disconnect a workspace. Select the pencil icon to reconnect or delete a previously connected workspace.

Note: To manage your Slack SSO settings in the future, go to Settings > SSO > View settings (next to Slack).

Google or Microsoft 365

To activate Google or Microsoft 365 SSO for your Workleap account:

  1. Open Settings and select SSO from the side menu.

  2. Toggle on the product you want to activate.

Enforce SSO

Select the toggle to enforce SSO. If activated, your user base can only log in to your Workleap products using the SSO options you've activated. That means users won't be able to log in with their username/password or by opening magic links.

Note: If a user not in your SSO directory tries to log in with this option enabled, we'll let them know to contact you.

SAML2

SAML (Security Assertion Markup Language) is an XML-based standard used for SSO authentication. To request a SAML2 SSO setup in Workleap, follow the steps outlined in the sections below. Workleap supports SAML2-based single sign-on (SSO) with identity providers such as Microsoft Azure and Okta. To ensure a seamless transition with your SSO system during migration to Workleap, certain preparatory and post-migration actions must be carried out. The SAML setup relies heavily on accurate metadata sharing and coordination with Workleap's operations team. The following subsections outline configurations, necessary attributes, and troubleshooting recommendations for setting up SAML2 SSO.

SAML2 Considerations

  • Workleap only supports SAML 2.0.

  • Workleap doesn't support Single Logout (SLO).

  • All authentication requests must be signed using the SHA-256 algorithm.

Enable SAML2

SAML2 During Migration

During migration to Workleap, the SAML setup cannot function correctly until the migration process is finalized. The operations team at Workleap requires updated metadata from your organization to configure the SAML setup properly. You can provide initial configuration values ahead of time, but some necessary modifications depend on the finalization. Once the migration is complete, Workleap will provide the SSO URL, Audience URI (SP Entity ID), and Required Attributes necessary to complete the integration process. Ensure these details are entered correctly in your identity provider (IdP).

To enable SAML2 SSO for your organization, submit a request to our support team.

To complete your request, you must:

  • Create a SAML 2.0 application.

  • Provide your application's SAML metadata, including the:

    • Identity provider SSO URL.

    • Issuer URL.

    • X.509 certificate.

  • Ensure the NameID value is persistent.

  • Add the following attributes:

    • urn:oasis:names:tc:SAML:attribute:email

      • The value must be email.

    • urn:oasis:names:tc:SAML:attribute:subject-id

      • The value must be a unique identifier from your identity provider (IdP).

  • Example Configuration Values:

    • ACS URL: Your organization's Assertion Consumer Service URL.

    • Entity ID: Your organization's Entity ID.

Tip: Once we receive your issuer URL and X.509 certificate, we'll give you an ACS URL for your SAML setup. If you need a temporary URL to create your SAML 2.0 application, use https://www.placholder.com.

Note: SAML SSO is configured using a service provider (SP)-initiated setup for better security and compatibility with our features. If you have questions, ask our support team.
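A pre-submission check for the requirements listed above, as an added example that is not Workleap's own tooling: it verifies that IdP metadata carries the SSO URL, issuer and X.509 certificate, and that a test assertion has a persistent NameID and both required attributes. Reading "persistent" as the standard SAML 2.0 persistent NameID Format URI is an assumption, and the function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: "persistent" means the standard SAML 2.0 NameID Format URI.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("urn:oasis:names:tc:SAML:attribute:email",
                  "urn:oasis:names:tc:SAML:attribute:subject-id")

def check_metadata(xml_text):
    """List what is missing from IdP metadata before it is sent to support."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing issuer URL (entityID)")
    if not [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Location")]:
        problems.append("missing identity provider SSO URL")
    if not [c for c in idp.iterfind(".//ds:X509Certificate", NS) if (c.text or "").strip()]:
        problems.append("missing X.509 certificate")
    return problems

def check_assertion(xml_text):
    """List deviations of a test assertion from the NameID and attribute rules."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID is not persistent")
    values = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
              for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append("missing attribute " + name)
    return problems

# Constructed sample: a test assertion with a transient NameID and no subject-id.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE_ASSERTION)))
```

Run it against metadata exported from your own IdP and an assertion captured from a test login; an empty list from both functions means the items on the checklist are present.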

General Troubleshooting Tips

  1. Metadata and certificate issues: Ensure your metadata XML and certificates are correct and match the configuration within your identity provider.

  2. URL redirects: If users encounter blank pages upon accessing the login application, check that the redirect URIs specified in the IdP point towards your intended Workleap URLs.

  3. Reach out to support: Always engage with Workleap's support team for final setup steps and troubleshooting advice.

  4. Resolving SAML Errors Before Migration: Verify the completion of the migration process, as SAML configurations may not fully operate until finalized.

  5. Avoiding Authentication Redundancies: When using multiple methods, such as SAML and Google SSO, deactivate redundant options to streamline access and avoid conflicts.

  6. Testing Post-Migration: Regularly validate the SSO functionality to confirm proper authentication post-migration.
