SSO

With SSO (single sign-on), users can access their Workleap products without memorizing another username and password. Give them the option to sign in using their credentials for the following products:

  • Slack
  • Google
  • Microsoft 365

Activate SSO

Slack

To activate Slack SSO for your Workleap account:

  1. Open Settings and select SSO from the side menu.
  2. Select Connect next to Slack.
  3. Select Connect to your Slack workspace.

Slack SSO is activated per workspace. To connect additional workspaces, select Add another workspace. Select to disconnect a workspace. Select to reconnect or delete a previously connected workspace.

Note: To manage your Slack SSO settings in the future, go to Settings > SSO > View settings (next to Slack).

Google or Microsoft 365

To activate Google or Microsoft 365 SSO for your Workleap account:

  1. Open Settings and select SSO from the side menu.
  2. Toggle on the product you want to activate.

Enforce SSO

Select the toggle to enforce SSO. If activated, your user base can only log in to your Workleap products using the SSO options you've activated. That means users won't be able to log in with their username/password or by opening magic links.

Note: If a user not in your SSO directory tries to log in with this option enabled, we'll let them know to contact you.

SAML

SAML (Security Assertion Markup Language) is an XML-based standard used for SSO authentication. To request a SAML SSO setup in Workleap, follow the steps outlined in the sections below.

SAML Considerations

  • Workleap only supports SAML 2.0.
  • Workleap doesn't support Single Logout (SLO).
  • All authentication requests must be signed using an SHA-256 algorithm.

Enable SAML

To enable SAML SSO for your organization, you must submit a request to our support team. To complete your request, you must:

  • Create a SAML 2.0 application.
    • You'll need to provide your application's SAML metadata, including the issuer URL and SHA-256 algorithm certificate.
  • Ensure the NameID value is persistent.
  • Add the following attributes:
    • urn:oasis:names:tc:SAML:attribute:email
      • The value must be email.
    • urn:oasis:names:tc:SAML:attribute:subject-id
      • The value must be a unique identifier from your identity provider (IdP).

Tip: We'll give you a URL for your SAML setup once we receive your issuer URL and SHA-256 signature certificate. If you need a temporary URL to create your SAML 2.0 application, use https://www.placholder.com.

Note: Although we can enable identity provider (IdP)-initiated SAML setups upon request, we strongly encourage service provider (SP)-initiated setups for better security.
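
As an added example (not Workleap's code), the Python check below runs a sample assertion from a test login at your IdP against the requirements listed above before you submit the request: persistent NameID, both attributes present, SHA-256 signature method. Assumptions: the sample assertion is constructed and trimmed, "persistent" is read as the SAML 2.0 persistent NameID format, the SHA-256 requirement is checked on the assertion's SignatureMethod, and the signature itself is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("urn:oasis:names:tc:SAML:attribute:email",
                  "urn:oasis:names:tc:SAML:attribute:subject-id")

# Constructed, trimmed sample assertion (not real IdP output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id">
      <saml:AttributeValue>u-1001</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the listed requirements are met."""
    # Only feed this XML from your own IdP test login; use a hardened parser otherwise.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    present = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        v = attr.find("saml:AttributeValue", NS)
        present[attr.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in REQUIRED_ATTRS:
        if not present.get(name):  # absent, or present with an empty value
            problems.append("missing attribute " + name)
    methods = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not methods or not all(m.endswith("sha256") for m in methods):
        problems.append("SignatureMethod is not SHA-256")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "sample meets the listed requirements")
```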
