Enable Single Sign-On (SSO)

Overview

Single Sign-On allows users to log in to WorkBoard without basic username/password authentication. This increases productivity and reduces security risks for your organization.

WorkBoard is able to integrate with Identity Providers (IDP) that support the industry-standard SAML 2.0 protocol for SSO. These include IDPs such as Okta, Azure AD, Ping Identity, Workspace, Centrify, and OneLogin, to name a few.

How does Single Sign-On work with WorkBoard?

There are two ways to sign in to WorkBoard via SSO: navigating directly to WorkBoard (Service Provider/SP initiated), or signing in to the employee application portal and then selecting WorkBoard (Identity Provider/IDP initiated).

[Diagram: Service Provider Initiated Workflow]

Set Up SAML SSO with WorkBoard

Note: WorkBoard Administrators are not able to set up or configure SSO. You will need to contact WorkBoard to disable Username/Password authentication in order to enable SAML Single Sign-On.

Use the following URLs to complete the SSO configuration. Replace the {organization_unique_identifier} at the end of each URL with your Organization Unique identifier name, which is your Org's name in lowercase lettering. (For example, WorkBoard's Organization Unique identifier name would be: "workboard")

  • Note for EU Orgs Only: If you are an EU Org, please replace "www.myworkboard.com" in the URLs below with "www.myworkboard.eu". If this is not changed, your SSO configuration will fail.

Assertion Consumer Service (ACS)

https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/saml2-acs.php/{organization_unique_identifier}

 

Entity ID

https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/metadata.php/{organization_unique_identifier}

 

Relay State URL

https://www.myworkboard.com/wb/user/login?saml_sso={organization_unique_identifier}

 

SP Metadata URL

https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/metadata.php/{organization_unique_identifier}

 

Name ID

Name ID: Email address (user.mail)
Name ID Format: UNSPECIFIED

 

Add Metadata to Your WorkBoard Instance

  1. Input the provided URLs and confirm the Name ID formatting
  2. Download the XML metadata file from the Okta application that was configured
  3. Navigate to Myworkboard.com and log in with your credentials
  4. Under your profile picture, click on the drop-down arrow and select "Administrator Tools"

  5. Under the Administrator Tools, navigate to SSO configuration on the left-side menu pane
    Note: If you don't see "SSO Configuration", you'll need to have IT Admin credentials in WorkBoard. See your CSM or SSO rep for further assistance.

  6. On the SSO Page, input your Organization's unique identifier (Ex: "workboard") into the first field
    Note: This is case sensitive and needs to match the Organization's unique identifier that was put at the end of the provided URLs that were submitted in Okta.

  7. Upload the XML Metadata file that was downloaded from Okta and hit SAVE.
    Note: You should see a green banner stating SSO was successfully configured.
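
A pre-flight check for the values and metadata file used in the steps above, as an added example in Python that is not WorkBoard's own code: it builds the four URLs for an identifier (including the EU host swap) and sanity-checks the IDP metadata XML before upload. The function names, the extra character check on the identifier, and the sample metadata are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def sp_urls(org_id, eu=False):
    """Build the SP values listed on this page for one organization identifier."""
    # Assumption: characters that would alter the URL structure are rejected too.
    if not org_id or org_id != org_id.lower() or any(c in org_id for c in " /?#"):
        raise ValueError(f"bad organization identifier: {org_id!r}")
    host = "www.myworkboard.eu" if eu else "www.myworkboard.com"
    sp = f"https://{host}/lib/php/simplesaml/www/module.php/saml/sp"
    return {
        "acs": f"{sp}/saml2-acs.php/{org_id}",
        "entity_id": f"{sp}/metadata.php/{org_id}",
        "sp_metadata": f"{sp}/metadata.php/{org_id}",
        "relay_state": f"https://{host}/wb/user/login?saml_sso={org_id}",
    }

def check_idp_metadata(xml_text):
    """Return a list of problems in IDP metadata XML; an empty list means none found."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declarations do not belong in SAML metadata"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor (is this SP metadata?)"]
    sso = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    if not sso or not all(u.startswith("https://") for u in sso):
        problems.append("SingleSignOnService missing or not https")
    keys = [k for k in idp.findall(MD + "KeyDescriptor") if k.get("use") != "encryption"]
    if not any((c.text or "").strip() for k in keys for c in k.iter(DS + "X509Certificate")):
        problems.append("no signing certificate in metadata")
    return problems

# Constructed sample (not from a real IDP); the certificate body is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor><md:SingleSignOnService Location="https://idp.example.test/sso"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running check_idp_metadata again on the regenerated file after a certificate rotation catches an empty or missing signing certificate before the update is forwarded.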


Configure an application in your IDP and add appropriate users to the group which will access WorkBoard.

Set up SSO with the WorkBoard for Okta App


 

Set up SSO with the WorkBoard for Azure AD App


 

Set up SSO for ADFS


 

We recommend finalizing the activation of SSO with you. This way, if there is an error and we need to roll back a change, we minimize the potential for extended downtime.

 

Tip: You may want to schedule when you activate SSO in order to minimize disruption to your users. We recommend setting expectations with your users that this will be a standard maintenance activity, beginning at your scheduled time and expected to last 5 minutes.

 

FAQ

Can I have some users leverage SSO and some not? Yes. WorkBoard has the ability to exempt users you identify from SSO authentication. Each user must be configured for one or the other. A single user cannot authenticate both via SSO and via the WorkBoard sign-in page with email + password.

Can WorkBoard integrate with multiple identity providers? WorkBoard is able to use the same metadata for multiple WorkBoard tenants, but cannot use multiple metadata configurations for a single WorkBoard tenant.

My organization is large and we have many different IDPs. What do I do? WorkBoard is able to integrate SAML authentication for customers that have a single federated IDP. We are not able to connect to multiple IDPs for a single tenant.

My organization rotates security certificates. Does that matter? When your organization updates its certificate, new metadata will be generated. Simply forward the updated XML or URL to the metadata and we will apply the update.

Pitfalls & Basic Troubleshooting

You must set up the same group of users in your SSO AD or Security Group as you are provisioning into your WorkBoard instance. If these are not consistent, users will either be presented with an error page or be redirected to register for a WorkBoard trial account.

Best Practice: Make sure the users you add to your SSO AD or Security Group match the provisioning template you provide your WorkBoard team.

Ready for the next step?

Configure Automated User Provisioning for Okta

Configure Automated User Provisioning for Azure AD

 

For more help enabling and configuring SSO for your organization, please talk to your Customer Success Manager or Contact us.
