SAML single sign-on (SSO) authentication allows users to securely authenticate with multiple applications and websites using one set of credentials.
Benefits and best practices
Implementing SSO leads to stronger security, reduced support costs, increased productivity, and flexible access.
Workiva strongly recommends implementing SSO as a best practice to simplify your login process and provide a better overall experience. There are two SSO authentication options available:
- Force users to sign in using SSO (Recommended): Non-admin users are forced to use SSO, while Org Security Admins may continue to sign in using their username and password. This option works best if your company wants to force SSO but still allow Org Security Admins to access the platform if SSO experiences any issues.
- Force Org Security Admins to sign in using SSO: Org Security Admins are forced to use SSO. This option works best if company security policies don’t want to exempt users from the SSO requirement. To enable this option, you’ll also need to check Force users to sign in using SSO.
Implementation process
The collaboration between Workiva and your teams allows for a seamless implementation process. Use the steps below to implement SSO in your organization:
|
|
Contact your internal teamContact someone from your Identity Access Management (IAM) or Information Technology (IT) team regarding the Single Sign-On integration process for Workiva application. |
|
|
Gather requirements and informationThe IAM or IT team member will gather SSO requirements and information. |
|
|
Request additional helpNext, submit a Workiva Support ticket and choose "SSO Implementation" under the "What type of account issue?" dropdown. This will direct your request to a Support team member who will provide additional information. |
|
|
Configure SSOAn Org Security Admin can configure SAML single sign-on and ensure all settings meet the company’s requirements. |
Frequently asked questions
What federation protocol is used?
SAML 2.0
Is SSO configured at the workspace or organization level?
SSO is only configured at the organization level above all associated workspaces. Once SSO is configured, all workspaces will use SSO, including newly acquired workspace solutions.
Who do we need to involve to implement SSO?
You’ll need to involve the assigned Organization Security Admin for Workiva or your SSO IT team.
What if we have a third party user that needs access to Workiva, but SSO is required?
Any third party user, such as legal counsel or auditors, will need to be placed on the SAML exceptions list. This will allow the team to enforce SSO for the users it can control, while allowing exception users to access with a Workiva password and two-factor authentication.
If SSO is required on an account, will Workiva support users, such as Customer Success Managers, need to be added to the Exception SAML list?
No, support users are automatically excluded from the SSO requirements and follow Workiva's security policies.
Do we have to enable SSO immediately after implementation?
No, users can continue to access Workiva using a password until the Org Security Admin is ready to enable SSO and set the SSO requirements.
Can we use SSO and two-factor authentication (or multi-factor authentication)?
To use both, your SSO team will need to configure two-factor or multi-factor authentication alongside your SSO integration on your identity provider. Workiva SSO will not work with Workiva two-factor authentication; this is reserved for non-SSO users on the exception list.
Who should we contact for assistance?
You can contact Workiva Support through email, chat, or phone.
Do you support multiple SSO identity providers?
Not at this time.