Search the user guide

Configuring Single Sign-on

By default, Workteam lets users authenticate with their email address and a password. This is referred to as “Workteam Password” authentication. Users choose their password when they click the link in the invitation email, which they receive when their account is created.

Workteam also supports user authentication via SAML single-sign on (SSO) through the various identity providers.

To configure single sign on, go to Organization settings and in the Authentication pane, you will see the Workteam Password pane turned on and the SAML pane turned off. To turn on SAML authentication, click the bottom of the SAML pane, on the word “OFF”. Workteam will show a dialog prompting you to enter SAML configuration information. For information specific to your identity provider see one of the following:

Configuring Workteam with Okta

Configuring Workteam with Auth0

Configuring Workteam with IBM Identity Connect

Configuring Workteam with Microsoft Azure Active Directory

Configuring Workteam with Google GSuite

Then, press OK to save the settings. This will turn SAML authentication on and the Workteam password authentication off. Clicking here again, will turn SAML authentication off and will turn Workteam password authentication back on.

The Workteam administrator that created the Workteam account will always be able to log into Workteam using Workteam password authentication. This is useful, particularly if a SAML configuration error is made in Workteam, which would otherwise prevent anyone from logging in to Workteam.

Configuring Workteam in Okta

When configuring Okta SAML authentication in Workteam, choose “Okta” from the SAML IdP dropdown. You will be prompted to enter three fields:

  1. The Single Sign On URL

  2. The Issuer

  3. The Certificate

To find the values for each of these fields, log into Okta as an administrator and go to the organization area. Click on Applications in the top menu. Then click on Add Application. In the Search for an application field, enter ‘‘Workteam’. You will see Workteam appear in the right hand list. Press the Add button next to the Workteam entry.

In the General Settings page, press Next. In the Sign-On Options page, click on View Setup Instructions. A new page will be shown, containing the values of the single sign-on, issuer and certificate that are needed within Workteam. Copy and paste each of these fields into the relevant fields in the Workteam SAML Settings dialog. Press OK on the dialog. Then press Done in the Sign-On Options page in Okta.

Once you have created appropriate user accounts in Okta, ensure that you assign the Workteam app to each user. You will be prompted to enter a user name for each user. By default, this will be the user’s email address. You should ensure that this email address matches the address defined for the user in Workteam.

After having assigned the Workteam application in Okta and after having configured Workteam to authenticate with SAML rather than Workteam password authentication, you are ready to create each user in Workteam. Doing so will send a Workteam invitation to the user. If you have already added users in bulk in Workteam then you can simply send the invitation. Do this from the Users tab of the Organisation Settings, select the check box next to each user that you wish to invite and choose the Actions menu at the top of the page and choose “Send Workteam Invitation”. When the user clicks on the link in the email invitation, they will be directed to Okta to authenticate with their Okta credentials. Once they have successfully authenticated, they will be directed back into Workteam.

Configuring Workteam in Auth0

When configuring Auth0 SAML authentication in Workteam, choose “Auth0” from the SAML IdP dropdown. You will be prompted to enter three fields:

  1. The Single Sign On URL

  2. The Issuer

  3. The Certificate

To find the values for each of these fields, log into Auth0 as an administrator and go to the Applications area, by clicking on Applications in the menu area. Press the CREATE APPLICATION button and choose “Regular Web Applications” and press the CREATE button. Select the AddOns tab and click on SAML2 Web App.

In the Application Callback URL field, enter https://app.workte.am/_saml/validate/auth0 and press the SAVE button at the bottom of the screen. Then at the top of the same screen, select the Usage tab. Copy the value of the Identity Provider Login URL and paste it into the Single Sign On URL in the SAML settings in Workteam.

Copy the value of the Issuer field and paste it into the Issuer field in the SAML settings in Workteam.

Click on download Auth0 certificate and open it into a text editor and copy the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and paste it into the Certificate field in the SAML settings in Workteam. You can include the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, but they will be removed when you save the settings.

Once you have created appropriate user accounts in Auth0, ensure that you authorize the Workteam app to each user.

After having assigned the Workteam application in Auth0 and after having configured Workteam to authenticate with SAML rather than Workteam password authentication, you are ready to create each user in Workteam. Doing so will send a Workteam invitation to the user. If you have already added users in bulk in Workteam then you can simply send the invitations. Do this from the Users tab of the Organisation Settings, select the check box next to each user that you wish to invite and choose the Actions menu at the top of the page and choose “Send Workteam Invitation”. When the user clicks on the link in the email invitation, they will be directed to Auth0 to authenticate with their Auth0 credentials. Once they have successfully authenticated, they will be directed back into Workteam.

Configuring Workteam in IBM Identity Connect

When configuring IBM Identity Connect SAML authentication in Workteam, choose “IBM Cloud Connect” from the SAML IdP dropdown. You will be prompted to enter three fields:

  1. The Single Sign On URL

  2. The Issuer

  3. The Certificate

To find the values for each of these fields, log into IBM Cloud Identity as an administrator and go to the Applications area, by clicking on Applications in the menu area. Press the Add button and choose “Custom Application” and press the OK button. Enter a name for the application, e.g. ‘Workteam’.

Click the Sign-on tab and ensure SAML 2.0 is selected in the Sign-on method dropdown. Leave the ‘Use Unique ID’ un-checked and enter https://workte.am/saml/sp into the Provider ID field. Then, enter https://app.workte.am/_saml/validate/ibm into the Assertion Consumer Service URL.

Check the Use identity provider initiated single sign-on check box and enter https://app.workte.am/_saml/validate/ibm into the Target URL field.

Enter https://app.workte.am/_saml/authorize into the Service Provider SSO field.

Ensure that the Sign authentication response check box is ticked and that the Validate SAML request signature is un-checked.

Press the SAVE button. Then from the right-hand pane, locate the value in the Provider ID field and paste it into the Issuer field in the SAML settings in the SAML settings in Workteam.

Then, in the right hand pane, locate the Login URL and copy the value and paste it into the Single Sign On URL field in the SAML settings in Workteam.

Then, locate the Signing certificate in the right hand pane and copy the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and paste it into the Certificate field in the SAML settings in Workteam. You can include the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, but they will be removed when you save the settings.

Once you have created appropriate user accounts in IBM Cloud Identity, ensure that you authorize the Workteam app to each user.

After having assigned the Workteam application to each relevant user in IBM Cloud Identity and after having configured Workteam to authenticate with SAML rather than Workteam password authentication, you are ready to create each user in Workteam. Doing so will send a Workteam invitation to the user. If you have already added users in bulk in Workteam then you can simply send the invitations. Do this from the Users tab of the Organisation Settings, select the check box next to each user that you wish to invite and choose the Actions menu at the top of the page and choose “Send Workteam Invitation”. When the user clicks on the link in the email invitation, they will be directed to IBM Cloud Identity to authenticate with their IBM Cloud Identity credentials. Once they have successfully authenticated, they will be directed back into Workteam.

Configuring Workteam in Microsoft Azure Active Directory

When configuring Microsoft Azure Active Directory SAML authentication in Workteam, choose “AD Azure” from the SAML IdP dropdown. You will then be prompted to enter three fields:

  1. The Single Sign On URL

  2. The Issuer

  3. The Certificate

To find the values for each of these fields, log into the Microsoft Azure portal and select Azure Active Directory in the left-hand list. In the Overview pane, select Enterprise applications Press the New application button in the pane that appears and choose “Non-gallery Application”. Enter a name for the application, e.g. ‘Workteam’ and press the Add button.

Click the Single sign-on entry in the left-hand menu and then from the Single sign-on mode drop down, choose SAML based-sign on.

Set the Identity (Entity ID) field to https://workte.am/saml/sp, enter https://app.workte.am/_saml/validate/azure into the Reply URL field.

Then, at the bottom of the pane, click on Configure Workteam. A new pane will appear to the right of the current pane.

Copy the SAML Entity ID value and paste it into the SAML Entity ID field in the SAML settings in Workteam.

Next, from the new pane, copy the value of the SAML Single Sign-On Service URL field and paste it into the “SAML Single Sign On URL” field in the SAML settings in Workteam.

Then in the new pane, click on the link “SAML Signing Certificate - Base64 encoded”. The certificate file will be downloaded to the Downloads folder. Open the file into a text editor and copy the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and paste it into the SAML Signing Certificate field in the SAML settings in Workteam. You can include the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, but they will be removed when you save the settings.

Once you have created appropriate user accounts in Microsoft Azure Active Directory and assigned the Workteam application to each user relevant user.

After having assigned the Workteam application to each relevant user in Microsoft Azure Active Directory and after having configured Workteam to authenticate with SAML rather than Workteam password authentication, you are ready to create each user in Workteam. Doing so will send a Workteam invitation to the user. If you have already added users in bulk in Workteam then you can simply send the invitations. Do this from the Users tab of the Organisation Settings, select the check box next to each user that you wish to invite and choose the Actions menu at the top of the page and choose “Send Workteam Invitation”. When the user clicks on the link in the email invitation, they will be directed to Microsoft Azure Active Directory to authenticate with their Microsoft credentials. Once they have successfully authenticated, they will be directed back into Workteam.

Configuring Workteam in GSuite

When configuring Google GSuite SAML authentication in Workteam, choose “Generic SAML” from the SAML IdP dropdown. You will be prompted to enter three fields:

  1. The Single Sign On URL

  2. The Issuer

  3. The Certificate

To find the values for each of these fields, log into the GSuite admin console and choose SAML apps from the Apps menu. Press the Add button (bottom right hand corner) and choose “Setup My Own Custom App”. From the page shown, make a note of the value of the SSO URL and the Entity ID. Also download the certificate and open it into a text editor, ready to copy later.

Press Next and enter a name for the application, e.g. ‘Workteam’, into the Application Name field. Press Next.

Enter https://app.workte.am/_saml/validate/saml into the ACS URL field and enter https://workte.am/saml/sp into the Entity ID field. Leave the Start URL blank and everything else in the page unchanged at the default settings.

Press the SAVE button. Then from the right-hand pane, locate the value in the Provider ID field and paste it into the Issuer field in the SAML settings in the SAML settings in Workteam. In the final page press the Finish button.

Now open the SAML settings in Workteam, by clicking on the settings button in the Single Sign On box in the Single Sign On and User Provisioning panel.

Choose Generic SAML from teh SAML IdP dropdown. Now paste the value of the SSO URL (that you noted earlier) into the the Single Sign-on URL field. Next, paste the value of the Entity ID (that you noted earlier) into the Issuer field.

Then, locate the Signing certificate text from the text editor (that you noted earlier) and copy the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and paste it into the Certificate field in the SAML settings in Workteam. You can include the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, but they will be removed when you save the settings.

Once you have created appropriate user accounts in GSuite, ensure that you authorize the Workteam app to each user.

After having assigned the Workteam application to each relevant user in GSuite and after having configured Workteam to authenticate with SAML rather than Workteam password authentication, you are ready to create each user in Workteam. Doing so will send a Workteam invitation to the user. If you have already added users in bulk in Workteam then you can simply send the invitations. Do this from the Users tab of the Organisation Settings, select the check box next to each user that you wish to invite and choose the Actions menu at the top of the page and choose “Send Workteam Invitation”. When the user clicks on the link in the email invitation, they will be directed to GSuite to authenticate with their GSuite credentials. Once they have successfully authenticated, they will be directed back into Workteam.