Configuring SSO and SCIM API Automated User Provisioning for Azure AD

Overview

Azure AD makes it easy to configure Single Sign-On and automated user provisioning.

Requirements

  • Access to Azure AD Portal
  • MSFT Global Admin Permissions

    Note: Please reach out to your Organization's Internal IT Team or Microsoft Support if assistance is needed to obtain access and/or Global Admin permissions to complete the steps necessary to configure SSO.

  • Access to the Org's Workboard Instance
  • Workboard Org IT Admin Permissions

    Note: Please reach out to your CSM, Workboard SSO contact, or Workboard Tech Support for assistance obtaining Workboard access and/or IT Admin permissions.

Getting Started

  1. Select Enterprise Applications from the Azure Active Directory Portal

  2. Navigate to Create a New Application

  3. Add Non-gallery application

    Note: Do not use the suggested WorkBoard application in Azure AD as it does not support SCIM or EU. It is highly recommended to create a New Non-Gallery Application in Azure AD.

  4. Enter a name for the application

  5. Click Assign Users and Groups to identify those who you want to be able to access WorkBoard

  6. Click Set Up Single Sign-On

  7. Select SAML

  8. Complete Sections 1-3 using the Unique Organization Identifier URLs you were provided and download Federation Metadata XML to provide back to WorkBoard.

    The {organization_unique_identifier} placeholder at the end of each provided URL stands for your Organization Unique Identifier name, which is your Org’s name in lowercase letters. (For example, WorkBoard’s Organization Unique Identifier name would be “workboard”.)


    Note: This is case sensitive so we suggest using lowercase lettering and keeping the name as simple as possible.

    Replace "{organization_unique_identifier}" that's located at the end of each URL with your Organization unique identifier name. Additionally, when inputting the URLs provided into Azure AD, double-check the URL for any improper spacing.


    Note for EU Orgs Only: If you're an EU Org, replace “www.myworkboard.com” in the following URLs with “www.myworkboard.eu”. If this is not changed, your SSO configuration will fail.

    Assertion Consumer Service (ACS) (Required)

    https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/saml2-acs.php/{organization_unique_identifier}

    Entity ID (Required)

    https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/metadata.php/{organization_unique_identifier}

    Relay State URL (Optional)

    https://www.myworkboard.com/wb/user/login?saml_sso={organization_unique_identifier}

    SP Metadata URL (Optional)

    https://www.myworkboard.com/lib/php/simplesaml/www/module.php/saml/sp/metadata.php/{organization_unique_identifier}

    Name ID (Required) 

    Name ID: Email address (User.mail)
    Name ID Format: UNSPECIFIED
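
The substitution and spacing checks from step 8 can be scripted before anything is pasted into Azure AD. The following is an added example, not WorkBoard or Microsoft code; the function names and the set of characters allowed in an identifier are assumptions.

```python
import re
from urllib.parse import urlsplit

HOSTS = {"us": "www.myworkboard.com", "eu": "www.myworkboard.eu"}
SAML_BASE = "https://{host}/lib/php/simplesaml/www/module.php/saml/sp/"
# URL patterns as listed in this article; {org} is the unique identifier.
TEMPLATES = {
    "acs": SAML_BASE + "saml2-acs.php/{org}",
    "entity_id": SAML_BASE + "metadata.php/{org}",
    "relay_state": "https://{host}/wb/user/login?saml_sso={org}",
    "sp_metadata": SAML_BASE + "metadata.php/{org}",
}

def build_sp_urls(org_id, region="us"):
    """Fill in the four service-provider URLs for one organization."""
    # Assumption: identifiers are lowercase letters, digits, '-' or '_'.
    if not re.fullmatch(r"[a-z0-9_-]+", org_id):
        raise ValueError(f"unexpected characters in identifier: {org_id!r}")
    return {kind: t.format(host=HOSTS[region], org=org_id)
            for kind, t in TEMPLATES.items()}

def audit_pasted_url(kind, pasted, org_id, region="us"):
    """List problems with a URL exactly as it was typed into Azure AD."""
    problems = []
    if re.search(r"\s", pasted):
        problems.append("contains whitespace")
    if "{" in pasted or "}" in pasted:
        problems.append("placeholder was not replaced")
    host = urlsplit(pasted.strip()).hostname
    if host != HOSTS[region]:
        problems.append(f"host is {host!r}, expected {HOSTS[region]!r}")
    if not problems and pasted != build_sp_urls(org_id, region)[kind]:
        problems.append("differs from expected URL (check identifier case)")
    return problems

if __name__ == "__main__":
    for kind, url in build_sp_urls("workboard", "eu").items():
        print(f"{kind:12} {url}")
```
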

Add Metadata to Your WorkBoard Instance

  1. After inputting the provided URLs and confirming the Name ID formatting, download the XML metadata file from the Azure AD application that was configured.
  2. Navigate to Myworkboard.com and log in with your credentials.
  3. Under your profile picture, click on the drop-down arrow and select "Administrator Tools".
  4. Under the Administrator Tools, navigate to SSO configuration on the left-side menu pane.
    Note: If you don't see "SSO Configuration" you'll need to have IT Admin credentials in WorkBoard. See your CSM or SSO rep for further assistance.
  5. On the SSO Page, input your Organization's unique identifier (Ex: "workboard") into the first field.
    Note: This is case sensitive and needs to match the Organization's unique identifier that was put at the end of the provided URLs that were submitted in Azure AD.
  6. Upload the XML Metadata file that was downloaded from Azure AD and hit SAVE.
    Note: You should see a green banner stating SSO was successfully configured.

Test it Out

Test SSO with a user who has already been added to the Org instance: have them log in to their WorkBoard account and confirm they are routed through SSO.

Because the admin who configured SSO is on the WorkBoard SSO exemption list, they should not run this test unless they are first removed from the exemption list under WorkBoard Admin Tools -> SSO Configuration.

After SSO is configured, the user will have to input their password one time. After that initial SSO login, the user should no longer have to input their password when logging into their WorkBoard account again. The exempt admin account will have to input a password until it is removed from the exemption list on the SSO Configuration page in WorkBoard.

Get Started with SCIM Provisioning

To set up SCIM Provisioning, you'll need a Secret SCIM API Token. Reach out to your WorkBoard Tech Support Team, CSM, or WorkBoard SSO contact to request that a Secret SCIM API Token ticket be submitted to the Dev Team.

Note: It can take up to 48-72 hours for WorkBoard to provide the Secret SCIM API Token. Once the token is provided, it will only be valid for 1 week. After 1 week, a new Secret SCIM API Token request will need to be submitted to the Dev Team.

SCIM Provisioning Configuration 

  1. Change Provisioning Mode to Automatic.
  2. Enter Tenant URL as 
    https://myworkboard.com/wb/apis/scim
  3. Paste the Secret SCIM API Token you were provided by your WorkBoard team.
  4. Test Connection to ensure success, and enter your email to be notified if there's ever a problem.
  5. Set Mappings to make sure that your user's profile attributes are aligned to WorkBoard. These must include:
    • First Name
    • Last Name
    • Email
    • Title
    • Manager's Email Address

See WorkBoard's SCIM API Reference for more detail.
