Single Sign On (SAML v2)

From your

Applies to

Overview

The Single Sign On (SSO) integration, based on SAML v2, allows your users to use your existing corporate authentication to access When I Work. This can help streamline authentication from internal portals, other applications, or even from your custom subdomain.

Considerations

  • SSO is available to Enterprise plans. For more information about Enterprise, contact us.
  • SSO is available on the web app only.

What is SSO?

SSO is an authentication process through centralized authentication servers or Identity Providers (IdP) that allows a user to access multiple applications with one set of login credentials. SSO also provides a single point of control for denying access to systems.

Benefits of SSO:

  • Mitigate risk for access to third-party sites (user passwords not stored or managed externally).
  • Reduce password fatigue from different username and password combinations.
  • Reduce time spent re-entering passwords for the same identity.
  • Reduce IT costs due to lower number of IT help desk calls about passwords.

Configure the integration

  1. Hover over Gear, then select Settings General Settings.

  2. Click SAML SSO in the menu on the left.
  3. Enter the Identity Provider Settings.
    NOTE: When entering the Certificate Fingerprint, be sure to use the SHA256 value (the value should be 64 characters long). The OpenSSL utility can be used to extract the fingerprint from the certificate, and When I Work will show your email for authentication processing.
  4. Use Service Provider Settings to set up your Identity Provider. The Consumer URL is also known as the Assertion Consumer Service (ACS) URL.
    The values shown here are samples and will update with the Account ID value for your workplace.
  5. Click Save in the top right corner.

Frequently asked questions

Can I choose to authenticate to a specific IdP such as an HR/Benefits/Payroll software?

Yes! You can link to an AD, ADFS, Azure, OneLogin, Okta, or Shibboleth sourced SAML IdP as long as it is set up correctly in the account AND the email addresses match what is used in the employee’s When I Work profile.

What if I run into issues locating the long key?

Have the user create a cert if they don’t have one yet. Then under download, select Metadata XML and open it with Notepad. Locate <X509Data><X509Certificate>, and copy all the text after the first and next instance of that text. You can then paste it into the OneLoginSAMLTool to calculate the fingerprint using the SHA256 algorithm.
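
The fingerprint step from the NOTE under step 3 and from the answer above, as an added Python example (not When I Work's or OneLogin's code): it pulls each X509Certificate out of IdP metadata XML and computes its SHA-256 fingerprint. The sample metadata, the idp.example.com entity ID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: placeholder bytes stand in for the DER certificate,
# and idp.example.com is a made-up entity ID. Use your IdP's metadata XML.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        %s
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_DER).decode()


def sha256_fingerprint(cert_text):
    """Hash the decoded certificate bytes; returns 64 hex characters."""
    # Drop PEM armor lines if present, then all whitespace and line wraps.
    lines = [l for l in cert_text.splitlines() if "-----" not in l]
    der = base64.b64decode("".join("".join(lines).split()), validate=True)
    if not der:
        raise ValueError("empty certificate element")
    return hashlib.sha256(der).hexdigest()


def metadata_fingerprints(metadata_xml):
    """Return a (use, fingerprint) pair for each certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    pairs = []
    for key in root.iter(MD + "KeyDescriptor"):
        # Per the SAML metadata schema, a missing 'use' means both purposes.
        use = key.get("use", "signing and encryption")
        for cert in key.iter(DS + "X509Certificate"):
            pairs.append((use, sha256_fingerprint(cert.text or "")))
    return pairs


def normalize(fingerprint):
    """Reduce 'label=AA:BB:...' output from other tools to bare lowercase hex."""
    value = fingerprint.rsplit("=", 1)[-1].lower()
    return "".join(c for c in value if c in "0123456789abcdef")
```

Use normalize() to compare this result with a colon-separated fingerprint printed by another tool. If the metadata lists more than one certificate, confirm which one the IdP uses to sign before entering a fingerprint.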

How do users log in using SSO?

See Log in with Third-Party Connect for instructions on logging in using SSO.

Any suggestions for the configuration of Azure?

When using When I Work SSO authentication with Azure we recommend using a non-gallery app. This is an app that does not appear in Azure’s gallery.

When defining the SAML configuration, update the Unique User Identifier (Name ID). This value is required. The default value is “user.userprincipalname,” and it needs to be set to “user.mail.”

Updated on September 23, 2020
