Configuring SAML Single Sign-on

This article is for:

  • Organization Security Admins

Follow the steps below to configure SAML single sign-on settings for your organization. You must be an Organization Security Admin to change these settings.

SAML-based single sign-on (SSO) gives members access to Wdesk through an identity provider (IdP). Before you configure settings, make sure you’ve reviewed Basics of SAML Single Sign-on.

Step 1: Enable SAML Single Sign-on

First, you need to enable SAML in your organization. To enable SAML:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Check the box to Enable Single Sign-On.
4. Click Save Changes to finish.

Step 2: Collect SSO URLs

After you enable single sign-on, you can collect the Login URL, Metadata URL, Consumer URL, and Logout Service URL. These URLs are unique to each organization and cannot be modified.

To access Service Provider Details:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Click IdP Settings.
4. Scroll down to Service Provider Details.

You can then copy and save the values for Metadata URL and Consumer URL.

Step 3: Set SSO Attribute Requirements

Which claim attributes to send is up to your company's policy. We recommend matching your usernames; typically this is the email address, but it can differ based on company policy.

By default, NameIdentifier Settings take the identifier from the Subject statement of the assertion. You can change Name Identifier to use an Attribute element instead.

To update NameIdentifier Settings:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Click SAML Settings.
4. Scroll down to NameIdentifier Settings.
5. Select an option and enter details.
6. Click Save Changes to finish.

Step 4: Configure Identity Provider (IdP) Settings

For a guide specific to your identity provider, contact PlatformSupport@workiva.com. Guides to a few common identity providers:

You can upload provider metadata in a file or can manually enter details for Identity Provider URL, Issuer, and Certificate. To upload a metadata file:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Click IdP Settings.
4. Click Browse to locate and choose your file.
5. Click Upload to finish.

If you need to enter IdP settings manually, follow the instructions above, but instead of uploading a file, enter the appropriate details in the fields and then click Save Changes.

After you upload your IdP Metadata XML file or manually enter the settings, your IdP configuration is complete. If you need to set an IdP Initiated Logout Service URL or Redirect URL, paste these in separately.
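The three values the manual form asks for (Identity Provider URL, Issuer, and Certificate) are exactly what an IdP metadata XML file carries, so it is worth checking a metadata file before uploading it. The script below is an added example, not Workiva code and not part of this article: it parses a constructed sample EntityDescriptor with the standard library, pulls out the issuer (entityID), the single sign-on and logout endpoints, and the signing certificate(s), refuses service-provider metadata and metadata without a signing certificate (without one, assertion signatures cannot be verified), and flags any endpoint that is not served over HTTPS. The certificate in the sample is a placeholder DER blob, not a real X.509 certificate, and the sample URLs are constructed.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (not from any real provider). The X509Certificate
# value is a placeholder: base64 of a DER SEQUENCE holding one INTEGER, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract issuer, SSO URL, logout URL and signing certificates from IdP metadata.

    Raises ValueError when the document is not identity-provider metadata or
    carries no signing certificate. Prefer a hardened parser (e.g. defusedxml)
    over xml.etree when the input comes from an untrusted source.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall(f"{{{MD}}}SingleLogoutService")}

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot verify assertion signatures
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # metadata often wraps the base64
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:  # every DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")

    return {
        "issuer": root.get("entityID"),
        "sso_url": sso.get(POST) or sso.get(REDIRECT),
        "logout_url": slo.get(REDIRECT) or slo.get(POST),
        "certificates": certs,
    }


def insecure_endpoints(settings):
    """Return the names of any endpoints that are not served over HTTPS."""
    return [k for k in ("sso_url", "logout_url")
            if settings[k] and not settings[k].startswith("https://")]


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("non-HTTPS endpoints:", insecure_endpoints(parsed))
```

If the metadata lists more than one signing certificate, the IdP is usually mid-rotation; keep all of them until the old key is retired, and re-upload the metadata when the IdP publishes a new one.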

Step 5: Set User ID Options

The preferred setup is to match the Wdesk Username (case insensitive) to the SAML Subject ID. For example, this allows User.Name.Example to match against user.name.example. This username mapping can be controlled by the SAML identity provider.

To update SAML User ID Settings:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Click SAML Settings.
4. Scroll down to SAML User ID Settings.
5. Check the boxes for SAML User ID is Wdesk Username and Case-insensitive SAML ID as needed.
6. Click Save Changes to finish.

If you are unable to configure this, you need to establish a SAML ID to Wdesk username mapping. Otherwise, users will be prompted on first SSO sign-in to enter their Wdesk username and password to establish mapping. There are two options for establishing a mapping:

  • Upload a SAML ID .csv
  • Manually set the SAML ID in each user’s profile. This will override the username match check.

To establish a user mapping:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. Click User Mapping Settings.
4. From here, you can either browse and upload a mapping file or add users individually.

Step 6: Update SAML Options

After you have configured SAML setup, you can then update SAML options to require SAML for users or administrators.

  • Enable SAML Single Sign-On: Users can sign in with SSO or continue to use their username and password.
  • Require SAML Single Sign-On for Users: Non-admin users are required to use SSO, while admins may continue to sign in using their username and password.
  • Require SAML Single Sign-On for Organization Security Admins: This requires single sign-on for Organization Security Admins. To enable this option, you need to require SAML Sign-on for users.

To update SAML Sign-on Options:

1. In Organization Admin, click Security.
2. Click Single Sign-on.
3. In SAML Settings, check the options you want to enable.
4. Click Save Changes to finish.

If you run into any issues or need assistance setting up SSO, you can reach out to PlatformSupport@workiva.com.