
Configure Workshare SSO



Single sign-on (SSO) is a user authentication process that permits a user to enter one user name and password in order to access multiple applications. The Workshare SSO solution uses Azure Active Directory (Azure AD) so that users can access their Workshare account using their Microsoft work account credentials.

Note: A Microsoft work account is one that your company has registered for you with Microsoft. A further description is provided here: https://msdn.microsoft.com/en-us/subscriptions/dn531048.aspx

What do users see?

What the user sees depends on whether Workshare is provided with or remembers their email address. This is because Workshare identifies users by an email address. Each Workshare account is tied to a unique email domain and any user that shares the same domain is grouped into that Workshare account. With SSO set up, users sign into Workshare using their Microsoft work account credentials – a user name (UPN) and password. Workshare then retrieves the primary SMTP email address for that user name from Azure AD and uses it as the email address for their Workshare account. Therefore, the domain of the primary SMTP email address defined for each user must match the Workshare account domain.

New users, or existing users whose email is not remembered, will see the usual Workshare sign in page. They click Sign in with Microsoft work account and the Microsoft login page is displayed where they enter their Microsoft work account credentials (UPN and password). They are then signed into Workshare and their Home page is displayed.

Note: The first time users sign in to Workshare using their Microsoft work account credentials, they will need to give Workshare permission to access their Microsoft profile. This is done by clicking Accept in the dialog displayed.

There is no need for a new user to validate their Workshare account and no validation email is sent.

For existing users who have previously signed in to Workshare and whose email address is remembered, or for users who enter their email address in the Workshare sign in page instead of clicking the Sign in with Microsoft work account button, Workshare recognizes the email address as having SSO set up and the user must sign in with Microsoft.

When SSO has been set up, users will experience the following flow:

Note: The flow may vary, for example, if the user has signed in before or if seamless SSO is configured in Azure.

[Image: SSO sign-in flow]

Note: The user name (UPN) may be the same as or different from the user’s email address. In the Workshare sign in page, users can enter their Microsoft UPN or their email address (as long as the domains match) and Workshare will recognize that SSO is set up. In the Microsoft login page, users must enter their UPN and password.

What you’ll need for the Workshare SSO solution

To configure SSO for Workshare, you’ll need the following:

  • A Workshare subscription with SSO enabled
  • An Azure AD subscription (with your users populated)
  • A primary SMTP email address defined for each user with a domain that matches the Workshare account domain 

Note: If you are using Azure with Office 365, you must turn on Integrated Apps in Office 365.

With these prerequisites in place, you perform a simple configuration on the Workshare Admin Console to set up SSO.

Workshare subscription

You will need SSO enabled on your Workshare account. You can find out if SSO is enabled on your account in the Workshare Admin Console.

To check SSO is enabled:

  1. Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
  2. Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed. If the following message is displayed, you need to contact Workshare Sales to enable SSO on your account.
The message says: "To unlock Single Sign-On, Contact Sales today to buy this add-on."

Azure AD subscription

The setup and configuration of Azure AD is not covered in this article as each environment can be different. For general information about SSO and Azure AD, refer here.

You need to ensure that your Azure AD implementation connects with your Windows Server Active Directory solution running on your local network. For information on integrating your on-premises identities with Azure AD, refer to this Microsoft article and this one on pass-through authentication.

You also need to confirm that a primary SMTP email address is defined for each user and that the domain of that email address matches the Workshare account domain.

You can find a user’s SMTP email address via the Office 365 admin center or via Active Directory Users and Computers. The process is described in the Which credentials does this work with? section of this Workshare knowledge base article.
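The primary SMTP prerequisite can also be audited in bulk before any domain is enforced. The following PowerShell is an added example, not Workshare or Microsoft code: the function name `Test-WorkshareSsoReadiness` and the sample users are constructed for illustration, and it assumes the on-premises Active Directory convention that the primary address is the `proxyAddresses` entry with an upper-case `SMTP:` prefix.

```powershell
# Added example: audit the primary-SMTP prerequisite before enforcing SSO.
# Assumption: the primary address is the proxyAddresses entry prefixed with
# upper-case "SMTP:"; lower-case "smtp:" entries are secondary aliases.
function Test-WorkshareSsoReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Users,            # need UserPrincipalName, proxyAddresses
        [Parameter(Mandatory)] [string[]] $WorkshareDomains  # domains on the Workshare account
    )
    foreach ($u in $Users) {
        # -clike is case-sensitive, so only the primary "SMTP:" entry matches
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        $status  = 'OK'
        $address = $null
        if ($primary.Count -eq 0) {
            $status = 'NoPrimarySmtp'            # Workshare has no address to retrieve
        } elseif ($primary.Count -gt 1) {
            $status = 'MultiplePrimarySmtp'      # directory data needs cleaning up
        } else {
            $address = $primary[0].Substring(5)  # drop the "SMTP:" prefix
            $domain  = ($address -split '@')[-1]
            # -notcontains compares case-insensitively, as domain names require
            if ($WorkshareDomains -notcontains $domain) { $status = 'DomainMismatch' }
        }
        [pscustomobject]@{
            UPN         = $u.UserPrincipalName
            PrimarySmtp = $address
            Status      = $status
            # Informational only: a UPN may differ from the email address
            UpnDiffers  = [bool]($address -and $address -ne $u.UserPrincipalName)
        }
    }
}

# Constructed sample users (not real accounts). Against a live directory, use:
#   $users = Get-ADUser -Filter * -Properties proxyAddresses
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'
                       proxyAddresses    = @('SMTP:alice@example.com', 'smtp:a.smith@example.org') }
    [pscustomobject]@{ UserPrincipalName = 'bob@corp.example.com'
                       proxyAddresses    = @('SMTP:bob@example.org') }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'
                       proxyAddresses    = @('smtp:carol@example.com') }
)

# Show only the users who would fail the prerequisite
Test-WorkshareSsoReadiness -Users $users -WorkshareDomains 'example.com' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Any user reported with a status other than `OK` should be corrected in the directory before the domain is enforced, because enforced users cannot fall back to Workshare credentials.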

Office 365

If you are using Azure with Office 365, you must turn on Integrated Apps.

To turn on integrated apps:
  1. Sign in to Office 365 using your work account.
  2. Go to the Office 365 admin center and click Dashboard > External Sharing > Sharing Overview.
  3. On the Sharing Overview page, under Integrated Apps, use the toggle to turn Integrated Apps on if it’s not toggled on already.
  4. Click Save.

PingOne SSO

If you have previously set up SSO for Workshare with PingOne, you can switch to SSO using Azure AD. It is important to know whether SSO is enabled or enforced.

  • Enabled: This means that users can sign in to Workshare using their SSO credentials or they can sign in using their Workshare credentials.
  • Enforced: This means that users must sign in to Workshare using their SSO credentials. They will not be able to sign in using their Workshare credentials.

If SSO with PingOne is only enabled, you can configure SSO using Azure AD as described below. If SSO with PingOne is enforced, you must first make it enabled. Refer to Stop SSO with PingOne, further down in this article.

Configure SSO on the Workshare Admin Console

The configuration will require your users to sign in to Workshare using their Microsoft work account credentials. Without performing this configuration, signing in with a Microsoft work account remains optional.


Users can sign into Workshare using their email address and Workshare password or they can click Sign in with Microsoft work account and sign in with their Microsoft work account credentials.

To configure SSO on Workshare:

  1. Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
  2. Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed.
  3. Click SSO settings.
     In the "Select domains" dialog, you'll see a list of the domains associated with your Workshare account. Each domain has a checkbox to the left so you can select one or more of them. If a domain is "PingOne Enforced" there will be a label to the right that says so and that domain will be grayed out. At the bottom of the dialog, there are two buttons: "Apply" and "Close".
  4. Select the domain (or domains) for which you want to enforce sign in with Microsoft.
     Note: If PingOne is enforced for a domain, you will not be able to select it. You must first stop enforcing SSO using PingOne. Refer to Stop SSO with PingOne, further down in this article.
  5. Click Apply. The selected domains are now enforced – users who enter an email address with this domain will be required to sign in with Microsoft.
     The domain names that are required to sign in with Microsoft are listed in the Admin Console under "Single Sign-On" > "Sign in with Microsoft".

To stop requiring users to sign in with their Microsoft credentials, click Stop enforcing.

Stop SSO with PingOne

When you have set up SSO with PingOne for your organization’s Workshare account, you will either have it enabled (optional for users) or enforced. You can enforce SSO using Microsoft if SSO with PingOne is only enabled. However, if SSO with PingOne is enforced, you must first change it to enabled or remove SSO with PingOne.

To change SSO with PingOne:

  1. Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
  2. Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed.
  3. Scroll to the Sign in with other providers section.
     When you scroll down to the "Sign in with other providers" section, the first column is called "Email Domain" and the third column is called "All Users". If the "All Users" column says "Yes", PingOne has been enforced for that domain. If the column says "No", PingOne has not been enforced for that domain.
     If All Users displays No, then SSO with PingOne is enabled for your account. In this case, you can still enforce SSO using Microsoft and require your users to sign in with their Workshare work account credentials. However, if All Users displays Yes, you must either remove SSO with PingOne for the domain or make it optional.
  4. To change PingOne from enforced to enabled, click the domain name displayed under Email Domain.
     In the "Set up your email domain" dialog, there is the email domain, the Idpid, and a checkbox called "Enforce SSO login for all email addresses in this domain". Below the checkbox is a button called "Update Email Domain".
  5. Deselect the Enforce SSO login for all email addresses in this domain checkbox and click Update Email Domain. The change will take effect immediately.
     Note: You can remove the domain completely from any PingOne SSO configuration by clicking Delete to the right of the domain name.


