This article is for:
- Org Security Admins
Follow the steps below to configure SAML single sign-on (SSO) settings for your organization. You must be an Org Security Admin to change these settings.
SAML-based single sign-on (SSO) gives members access to Workiva through an identity provider (IdP). Before you configure settings, make sure you’ve reviewed Basics of SAML Single Sign-on.
Step 1: Enable SAML single sign-on
First, you need to enable SAML in your organization. To enable SAML:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Check the box to Enable Single Sign-On.
4. Click Save Changes to finish.
Step 2: Collect SSO URLs
After you enable single sign-on, you can collect the Login URL, Metadata URL, Consumer URL, and Logout Service URL. These URLs are unique to each organization and cannot be modified.
To access Service Provider Details:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Click IdP Settings.
4. Scroll down to Service Provider Details.
Copy and save the values for Metadata URL and Consumer URL; your identity provider needs these when you register Workiva as a service provider.
Step 3: Set SSO attribute requirements (Optional)
Which claim attributes your IdP sends is determined by your company's policy. We recommend sending a value that matches your Wdesk usernames. Typically this is the email address, but it can differ based on company policy.
By default, the NameIdentifier Settings read the user identifier from the NameID element in the assertion's Subject statement. You can change the Name Identifier to use an Attribute element instead.
Note: Most Org Security Admins will not alter the attribute requirements from their default setting. Before making changes to the default settings, you can contact Workiva Support for assistance.
To update NameIdentifier Settings:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Click SAML Settings.
4. Scroll down to NameIdentifier Settings.
5. Select an option and enter details.
6. Click Save Changes to finish.
Step 4: Configure identity provider (IdP) settings
You can configure identity provider (IdP) settings for SAML single sign-on. Here are a few commonly used identity providers:
- Okta
- Microsoft Azure
- G Suite
You can upload your provider's metadata as a file, or manually enter the Identity Provider URL, Issuer, and Certificate. To upload a metadata file:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Click IdP Settings.
4. Click Browse to locate and choose your file.
5. Click Upload to finish.
If you need to enter IdP settings manually, follow the instructions above, but instead of uploading a file, enter the appropriate details in the fields and then click Save Changes.
After you upload your IdP metadata XML file or manually enter the settings, your IdP configuration is complete. If you need to set an IdP Initiated Logout Service URL or Redirect URL, paste these in separately.
The Certificate is the IdP's signing certificate, which is what Workiva checks SAML assertions against, so take the metadata file or certificate directly from your IdP's admin console rather than from a copy you cannot vouch for, and update it here before your IdP rotates its signing key.
Step 5: Set user ID options
The preferred setup is to match the Wdesk username (case-insensitively) to the SAML Subject ID. For example, this allows User.Name.Example to match against user.name.example. The value sent as the Subject ID is controlled by the SAML identity provider.
To update SAML User ID Settings:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Click SAML Settings.
4. Scroll down to SAML User ID Settings.
5. Check the boxes for SAML User ID is Wdesk Username and Case-insensitive SAML ID as needed.
6. Click Save Changes to finish.
If you cannot configure this, you need to establish a mapping from SAML ID to Wdesk username. Otherwise, users are prompted on their first SSO sign-in to enter their Wdesk username and password to establish the mapping themselves. There are two options for establishing a mapping:
- Upload a SAML ID .csv
- Manually set the SAML ID in each user’s profile. This will override the username match check.
To establish a user mapping:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. Click User Mapping.
4. From here, you can either browse and upload a mapping file or add users individually.
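The NameIdentifier choice in Step 3 and the user ID options in Step 5 together decide which Wdesk account an assertion signs in. The following added example, which is not Workiva's code and not part of this article, shows that decision end to end on a constructed, unsigned assertion: it reads the SAML ID from the Subject NameID (the default) or from a named Attribute element, then resolves it the way the article describes, with an explicit profile or CSV mapping overriding the username check, a case-insensitive username match otherwise, and None when the user would be prompted to establish their own mapping. It also refuses to guess when two Wdesk usernames differ only by case. The attribute name, the usernames and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion. In production the signature is
# verified against the IdP certificate before any of this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_3f1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">User.Name.Example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>E12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_user_id(assertion_xml, attribute_name=None):
    """Return the SAML ID carried by an assertion.

    With attribute_name=None the ID is the Subject's NameID (the default
    NameIdentifier setting); otherwise it is the single value of the named
    Attribute (the Attribute element setting). Multi-valued or missing
    attributes are rejected rather than guessed at.
    """
    root = ET.fromstring(assertion_xml)
    if attribute_name is None:
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or not (node.text or "").strip():
            raise ValueError("assertion has no Subject NameID")
        return node.text.strip()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                      if v.text and v.text.strip()]
            if len(values) != 1:
                raise ValueError(f"attribute {attribute_name!r} must carry exactly one value, found {len(values)}")
            return values[0]
    raise ValueError(f"assertion carries no attribute named {attribute_name!r}")


def resolve_wdesk_user(saml_id, usernames, mappings, saml_id_is_username=True, case_insensitive=True):
    """Decide which Wdesk user a SAML ID belongs to.

    mappings: SAML ID -> Wdesk username, as set on a user's profile or
    uploaded in the SAML ID CSV; an explicit mapping overrides the
    username match (exact-match lookup is an assumption here). Returns
    None when no user is found, i.e. the user would be prompted for their
    Wdesk username and password on first SSO sign-in.
    """
    if saml_id in mappings:
        return mappings[saml_id]
    if not saml_id_is_username:
        return None
    if not case_insensitive:
        return saml_id if saml_id in usernames else None
    # Case-insensitive match: group usernames by their casefolded form and
    # refuse to pick one if the SAML ID matches more than one account.
    folded = {}
    for name in usernames:
        folded.setdefault(name.casefold(), []).append(name)
    matches = folded.get(saml_id.casefold(), [])
    if len(matches) > 1:
        raise ValueError(f"SAML ID {saml_id!r} matches several usernames: {matches}")
    return matches[0] if matches else None


if __name__ == "__main__":
    users = ["user.name.example", "jdoe"]
    uid = saml_user_id(SAMPLE_ASSERTION)
    print(uid, "->", resolve_wdesk_user(uid, users, {}))
    uid = saml_user_id(SAMPLE_ASSERTION, attribute_name="employeeId")
    print(uid, "->", resolve_wdesk_user(uid, users, {"E12345": "jdoe"}))
```

The collision check is the caveat worth keeping in mind when you turn on Case-insensitive SAML ID: if your organization has ever created two accounts whose usernames differ only by letter case, a case-insensitive match can no longer tell them apart, and an explicit mapping for those users is the safe way out.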
Step 6: Update SAML options
After you have completed the SAML setup, you can update the SAML options to require SAML for users or administrators.
- Enable SAML Single Sign-On: Users can sign in with SSO or continue to use their username and password.
- Require SAML Single Sign-On for Users: Non-admin users are required to use SSO, while admins may continue to sign in using their username and password.
- Require SAML Single Sign-On for Org Security Admins: This requires single sign-on for Organization Security Admins as well. To enable this option, you must first require SAML single sign-on for users. Because it removes the username-and-password fallback for admins, confirm that at least one Org Security Admin can already sign in through the IdP before you turn it on.
To update SAML Sign-on Options:
1. In Organization Admin, click Security.
2. Click Single Sign-On.
3. In SAML Settings, check the options you want to enable.
4. Click Save Changes to finish.
If you run into any issues or need assistance setting up SSO, you can reach out to support@workiva.com.