Step 1 - Get Service Provider (SP) information from Workstars
- Login to your Workstars Administrator account (must be the primary account or technical user)
- Click on System Settings at the top
- Click Sign On from the left-nav menu
- Click the Setup button next to the Single Sign On (SAML) option
- Select Generic
- From the Service Provider section, save a copy of the ACS URL and Entity ID as you will need these in Step 2
Step 2 - Add Workstars app to your Identity Provider
- Follow the process for adding an application (Service Provider) to your Identity Provider
- You will need to make a note of the the following values during the setup
- Identity Provider Single Sign On URL
- Identity Provider Entity ID
- Identity Provider x509 Certificate
- The signature algorithm must be SHA256
- We recommend adding a test user at this stage rather than activating it for all users
Step 3 - Configure sign on to use your Identity Provider
- Log back into your Workstars Administrator account
- In the top bar, select System Settings
- In the left-nav menu, select Sign On
- Click Setup next to the Single Sign On (SAML) option
- Select Generic
- In the SAML SSO URL box, enter the SSO URL you copied in Step 2
- In the Identity Provider Entity ID box, enter the Entity ID you copied in Step 2
- Open your x509 Certificate
- This is provided by your Identity Provider
- It may be provided in a file (if so, open the file in Notepad, then copy and paste it)
- It must be in PEM format, which looks like the following:
-
-----BEGIN CERTIFICATE----- MIIDjDCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCREUx DDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3RlaW5mdXJ0MRcwFQYDVQQKEw5TcGVu bmViZXJnLmNvbTEUMBIGA1UEAxMLUm9vdENBIDIwMDMxIjAgBgkqhkiG9w0BCQEW E3JhbGZAc3Blbm5lYmVyZy5uZXQwHhcNMDMwNDMwMDYwODU2WhcNMDQwNDI5MDYw ODU2WjCBgjELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3Rl aW5mdXJ0MRcwFQYDVQQKEw5TcGVubmViZXJnLmNvbTEUMBIGA1UEAxMLVlBOLUdh dGV3YXkxIjAgBgkqhkiG9w0BCQEWE3JhbGZAc3Blbm5lYmVyZy5uZXQwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAMU7nDY6GWyp8rrp0u2EMzZIB7KjLVmSsIZM gSzqXO3zuusXTrM6zLdbXcqzBO37WTzFJT7z/7AiEPvecgruQkua0yfTtvvpiBDI R7cmT3FA5HXEwO5rh7hvyV5mz7vnrXJouG39j0wfOqINQyUGuZLnIGyGFaDrf/cL mpldFIibAgMBAAGjggEOMIIBCjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUy1wZm+aKiv4O xP1e3/e/PagYfAgwga8GA1UdIwSBpzCBpIAUAbvGM771ml6wDF29Qel4bFStZo6h gYikgYUwgYIxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxEjAQBgNVBAcTCVN0 ZWluZnVydDEXMBUGA1UEChMOU3Blbm5lYmVyZy5jb20xFDASBgNVBAMTC1Jvb3RD QSAyMDAzMSIwIAYJKoZIhvcNAQkBFhNyYWxmQHNwZW5uZWJlcmcubmV0ggEAMA0G CSqGSIb3DQEBBAUAA4GBAG+JK5Wv8Y1Nt9/obfeS+0iMxBpDaGWXAYemhLWhOL1i dHDbnngZ2QyvGK0Td1Z9Pxlh2rp0MI7FUA7j6/+VzY3WfsMOq1s0lLwWD+/c3kC7 fbqiuF35dOcoWHWgZtKNhbo4gggQM+++KckxnWOp9+CZ6qfttrUzGxxKpAVAbkB7 -----END CERTIFICATE-----
-
- Copy and paste the file contents into the x509 Certificate box
- In the Remote Logout URL box, enter an appropriate URL where you would like the user to be redirected when they logout
- This may be provided by your Identity Provider
- A good choice is the landing/dashboard page of your Identity Provider
- It should NEVER be the same as our SAML SSO URL or the user will just be logged back in and can never logout
- Leave the NameID as the default Email (We also support EmployeeID, but configuring this is outside the scope of this document, please contact your Identity Provider support)
- Click Confirm to save the settings
Step 4 - Test & enable
The setup is now complete, but it is NOT yet visible for employees on the login page.
Note
Please ensure you have an account in your Identity Provider which has the new App assigned to it and you have an account in our system with the same email address
When you are ready, you must enable it:
- On the System Settings Sign On page, click the Enable button next to Single Sign On (SAML)
- Copy the test link
- Open an Incognito/InPrivate browser tab and paste in the link
- You should be redirected to the Identity Provider login page
- If you login, you should be redirected back to our system and automatically logged in
Note
If you haven’t already done so, we recommend that you log back into your Identity Provider and assign all your users and groups at this time
- If the test worked, go back to the other browser window and click the Enable button
- If you experience any errors please check the settings are correct; If you need further assistance, please capture any error message screens and contact support
You have now enabled Single Sign On (SAML) for all employees; Check the login is working:
- Visit your Workstars login URL (not the test one), it should be something like: https://<your-sub-domain>.workstars.com
- You should be redirected to your Identity Provider's login page and asked to login
- If you are already logged in, you should be redirected back and logged into our system
- Depending on your Identify Provider, your employees may be able to login directly from the Identify Provider portal
- To test this, login to your Identify Provider portal and click the app
- You should be redirected to our site and logged in
Troubleshooting
On our login page it says “Sorry we could not find your account, please contact your HR Team”
Strictly speaking this isn't an error. The reason is that you have tried to login via SAML but the account you have used does not have a matching account in our system. To resolve it simply create an account in our system with the same details. If you are not using email as the nameID please check that the alternative is the same in both systems (e.g. employeeID, extnernaID, etc.) and that it is being correctly sent in the SAML request.
On our login page it says “There is a problem with Single Sign On please contact your IT department”
This is a general error and means that there is something wrong with the setup. Please check it is setup as described above, if you have followed a different guide (some providers also have their own guides) please start again using this document as a guide. If you have checked everything and cannot find any issues please contact support and we will help you resolve the problem.
I can login from the Identity Providers portal but when I try and login from the Workstars login page it redirects me to a message that says “page not found” or another error
This is usually because you have entered an incorrect SAML SSO URL, please check it is correct. If you have checked and cannot find any issues please contact support and we will help you resolve the problem.
Comments (0 comments)