Workplace from Meta is going away. You will be able to continue using Workplace until August 31, 2025. Visit our Help Center to find out more.
English (US)
Log in
მთავარი
მთავარი
TECHNICAL RESOURCES CENTER
Get help with setting up Workplace, managing domains and other technical issues.
Mastering Workplace Features
Ready to become a Workplace pro? Learn all the ins-and-outs of our key features with in-depth guides, step-by-step user instructions and resource hubs.
Technical Resources
You don't have to be an IT genius to launch Workplace, but if you are then these technical resources are for you.
Help Center
Find step-by-step instructions and answers to frequently asked questions.
Support
Still can't find what you're looking for? Get in touch with a team of experts for more hands-on support.
News Archive
Workplace innovations, feature announcements and product updates.
Set up Guides
From adding a domain to inviting users, follow this step-by-step guide to set up your Workplace.
Domain Management
Find out why domain management matters - and how to do it properly.
Workplace Integrations
Discover how to bring all your tools together. Something missing? Learn how to build your own integrations.
Account Management
Keep your Workplace up to date by creating, maintaining or deactivating user accounts.
Authentication
Make sure you only give access to the right people by integrating with your current identity solutions.
IT Configuration
Learn how to keep Workplace running smoothly with info on networks, email whitelisting and domains.
Account Lifecycle
Understand the process of inviting members of your organization to claim their accounts.
Security and Governance
Get the lowdown on how we keep your people and information safe on Workplace with added technical terminology.
Workplace API
Learn how you can automate and integrate your custom solutions with Workplace using our API.
Getting started
From launching Workplace to paying for it, learn more about those crucial first steps.
Using Workplace
This is where we reveal the hidden depths Workplace has to offer with tips and info on key features.
Managing Workplace
Got a specific question about managing content, data or employees? This is the place to ask it.
IT and Developer Support
Looking for answers to more technical questions about security, integration and the like? Start here.
Support
Still can't find what you're looking for? Get in touch with a team of experts for more hands-on support.
Get in touch
Need help with your Workplace account? Fill out this form to get all the answers you need from our customer support.
Security
Security
    Start Using Workplace
      Mastering Workplace Features
      Work Academy
        Podcasts
          English (US)

          Authentication: Single Sign-On (SSO)

          Learn about your options for allowing users access to Workplace.

          Overview

          Overview

          Single-Sign On (SSO) gives users access to Workplace through an Identity Provider (IdP) that you control. This offers some benefits for you and your team:

          • It's more secure: Provides an additional security and governance layer (no credentials are stored outside of your company’s controlled systems or transmitted over the network).
          • It's easier for end users: Sign into Workplace by using the same SSO credentials as other systems (e.g. laptop or internal applications), so your users can access Workplace without having to remember another password.

          Workplace is directly supported by several identity providers, including Azure AD, G Suite, Okta, OneLogin, Ping Identity which offer direct connectors to make setup easier.

          ?
          Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. It's an industry standard, so this translates in our capability to integrate easily with any Identity Provider that supports SAML 2.0, even if not listed in this page, or to even create your own SSO implementation.

          Turn on SSO for Workplace

          Once you have successfully completed the SSO configurations below, users provisioned in Workplace will be able to authenticate via your selected Identity Provider.

          Prerequisites

          Prerequisites

          In order to enable SSO authentication in Workplace you will need to:

          • Have access to your Identity Provider's configuration settings.
          • Have a System Administrator role assigned in Workplace.
          • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
          ?
          By default, Workplace supports one Identity Provider for SSO in each instance. This means in order to enable SSO for every user you should have a global Identity Provider in place for SSO. Alternatively we support a mixed authentication scenario where some users will authenticate by using SSO and others by using Workplace username and password credentials or we offer Multiple Identity Provider support in our Enterprise plan.

          High-level instructions

          Enabling SSO requires some changes in your Identity Provider and Workplace. There are three stages:

          1
          Configure your Identity Provider (IdP) to enable SSO for Workplace.

          2
          Configure Workplace to authenticate users via SSO.

          3
          Enable SSO for your users.

          Here is a detailed overview of each step:

          Configure your IdP for SSO with Workplace

          1. Configure your IdP to enable SSO for Workplace

          Follow the your Identity Provider's instructions below to configure SSO for Workplace. All of the cloud-based Identity Providers we support offer a pre-configured app to make Workplace setup easier:

          G-Suite
          Azure AD
          Okta
          OneLogin
          Ping
          Duo

          Workplace also supports ADFS as an SSO provider. Read more on How to configure ADFS as an SSO provider for Workplace.

          All of the configurations above will provide at least a SAML URL, SAML Issuer URL and a X.509 certificate we will use in the next steps to configure Workplace. Please note them down.

          ?
          For the X.509 certificate, you may need to open up the downloaded certificate in a text editor in order to use in the next steps.
          Configure Workplace to authenticate users via SSO

          2. Configure Workplace to authenticate users via SSO

          This ties in your SSO provider with Workplace:

          1
          In the Admin Panel, select Security.

          2
          Click on the Authentication tab.

          3
          Check the Single Sign-On (SSO) checkbox.

          4
          Click +Add New SSO Provider.

          5
          Type in the values provided by your Identity Provider into the relevant fields:
          • SAML URL
          • SAML Issuer URL
          • SAML Logout Redirect (Optional)
          • SAML Certificate

          ?
          Depending on your Identity Provider, you may need to copy the values for Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section and configure your Identity Provider accordingly.

          5
          Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.

          ?
          Troubleshooting: Ensure the email address being used to authenticate with your IdP is the same as the Workplace account you are logged in.

          6
          Once the test has been completed successfully, scroll to the bottom of the page and click Save button.

          7
          If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

          3. Enable SSO for your users

          Enable SSO for your users

          You can now enable SSO for your users in one of these ways:

          • Enable SSO for a user
          • Enable SSO in bulk for all or for a portion of your users

          Enable SSO for a user

          You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:

          1
          In the Admin Panel, select People.

          2
          Search for the user that you want to enable for SSO.

          3
          Click on the ... button and select Edit Person's Details.

          4
          Select SSO at Log in with.
          Enable SSO in bulk for all or for a portion of your users

          You can use different approaches to enable SSO for all or a subset of your users:

          • Use our Account Management API to update Login method field for a set of users automatically. Most Identity Providers that integrate with Workplace rely on such API to synchronize authentication settings for your all your users at scale. Read more at Account Management API.
          • Login method is among the fields we support for bulk editing. You can set Login method field to SSO for a set of users by using spreadsheet import feature. You can read more at Bulk Account Management.
          SAML Logout Redirect

          SAML Logout Redirect (Optional)

          You can choose to optionally configure a SAML Logout URL in the SSO configuration page which can be used to point at your Identity Provider's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.

          Reauthentication frequency

          Reauthentication frequency

          You can configure Workplace to prompt for a SAML check every day, 3 days, week, 2 weeks, month or never. You can also force a SAML reset for all users using the Force Reauthentication Now button.

          Workplace SSO Architecture

          Workplace SSO Architecture

          ?
          This section provides a more detailed overview of the SSO flow supported by Workplace. Custom SAML-based SSO solutions should follow the guidelines outlined above to integrate with Workplace for authentication.

          Workplace supports SAML 2.0 for SSO, by giving admins the option to manage access to the platform by using an Identity Provider (IdP) they control. Workplace receives and accepts SAML-based assertions from the IdP and plays the role of the SAML Service Provider (SP) in the following authentication flow:

          1
          SP-initiated SSO. A SSO-enabled user lands on Workplace sign-in page, then:
          • Fills out username and clicks on Continue button OR
          • Clicks on Login with SSO button.

          2
          Workplace does a HTTP Redirect binding from SP to IdP. The <samlp:AuthnRequest> object passed in the request has data, such as Issuer which contains the Workplace instance ID, and NameIDPolicy which has been agreed between IdP and SP beforehand that specifies constraints on the name identifier to be used to represent the requested subject. Workplace requires that the NameID contain the user's email address (nameid-format:emailAddress).

          3
          Workplace expects a HTTP Post binding from IdP to SP. A SAML token is returned containing user assertions including Authentication status. Workplace post-back URL (also called the Assertion Consumer Service URL) is configured at IDP-level and points to company's Workplace instance /work/saml.php endpoint.

          4
          Workplace, before letting a user in, checks if:
          • Response is signed with the certificate issued by the IdP;
          • emailAddress returned in the SAML assertions matches the one used to initiate the SSO flow;
          • Authentication was successful (<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>).