Configure Workshare SSO
Single sign-on (SSO) is a user authentication process that permits a user to enter one user name and password in order to access multiple applications. The Workshare SSO solution uses Azure Active Directory (Azure AD) so that users can access their Workshare account using their Microsoft work account credentials.
Note: A Microsoft work account is one that your company has registered for you with Microsoft. A further description is provided here: https://msdn.microsoft.com/en-us/subscriptions/dn531048.aspx
What do users see?
What the user sees depends on whether Workshare is provided with or remembers their email address. This is because Workshare identifies users by an email address. Each Workshare account is tied to a unique email domain and any user that shares the same domain is grouped into that Workshare account. With SSO set up, users sign in to Workshare using their Microsoft work account credentials – a user name (UPN) and password. Workshare then retrieves the primary SMTP email address for that user name from Azure AD and uses it as the email address for their Workshare account. Therefore, the domain of the primary SMTP email address defined for each user must match the Workshare account domain.
New users, or existing users whose email is not remembered, will see the usual Workshare sign in page. They click Sign in with Microsoft work account and the Microsoft login page is displayed where they enter their Microsoft work account credentials (UPN and password). They are then signed into Workshare and their Home page is displayed.
Note: The first time users sign in to Workshare using their Microsoft work account credentials, they will need to give Workshare permission to access their Microsoft profile. This is done by clicking Accept in the dialog displayed.
There is no need for a new user to validate their Workshare account and no validation email is sent.
If an existing user has previously signed in to Workshare and their email address is remembered, or if a user enters their email address in the Workshare sign in page instead of clicking the Sign in with Microsoft work account button, Workshare recognizes the email address as having SSO set up and the user must sign in with Microsoft.
When SSO has been set up, users will experience the following flow:
Note: The flow may vary, for example, if the user has signed in before or if seamless SSO is configured in Azure.
Note: The user name (UPN) may be the same as or different from the user’s email address. In the Workshare sign in page, users can enter their Microsoft UPN or their email address (as long as the domains match) and Workshare will recognize that SSO is set up. In the Microsoft login page, users must enter their UPN and password.
What you’ll need for the Workshare SSO solution
To configure SSO for Workshare, you’ll need the following:
- A Workshare subscription with SSO enabled
- An Azure AD subscription (with your users populated)
- A primary SMTP email address defined for each user with a domain that matches the Workshare account domain
Note: If you are using Azure with Office 365, you must turn on Integrated Apps in Office 365.
With these prerequisites in place, you perform a simple configuration on the Workshare Admin Console to set up SSO.
Workshare subscription
You will need SSO enabled on your Workshare account. You can find out if SSO is enabled on your account in the Workshare Admin Console.
To check that SSO is enabled:
- Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
- Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed. If the following message is displayed, you need to contact Workshare Sales to enable SSO on your account.
Azure AD subscription
The setup and configuration of Azure AD is not covered in this article as each environment can be different. For general information about SSO and Azure AD, refer here.
You need to ensure that your Azure AD implementation connects with your Windows Server Active Directory solution running on your local network. For information on integrating your on-premises identities with Azure AD, refer to this Microsoft article and this one on pass-through authentication.
You also need to confirm that a primary SMTP email address is defined for each user and that the domain of that email address matches the Workshare account domain.
You can find a user’s SMTP email address via the Office 365 admin center or via Active Directory Users and Computers. The process is described in the Which credentials does this work with? section of this Workshare knowledge base article.
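The check described above can be run in bulk before enforcing SSO. The following is an added example, not Workshare or Microsoft code: it audits an exported user list and reports every user whose primary SMTP address would not satisfy the domain requirement. It assumes a CSV export with the hypothetical columns userPrincipalName and proxyAddresses (values joined by ';'), relies on the Active Directory convention that the primary address carries the upper-case SMTP: prefix, and treats "match" as an exact, case-insensitive domain comparison.

```python
import csv
import io

# Constructed sample export (not real data): one row per user, with the
# proxyAddresses values joined by ';'. Column names are assumptions.
SAMPLE_EXPORT = """userPrincipalName,proxyAddresses
alice@corp.example,SMTP:alice@example.com;smtp:alice@corp.example
bob@corp.example,smtp:bob@example.com;SMTP:bob@other.example
carol@corp.example,smtp:carol@example.com
dave@corp.example,SMTP:Dave@EXAMPLE.COM
erin@corp.example,SMTP:erin@example.com;SMTP:erin@other.example
"""


def primary_smtp_addresses(proxy_addresses):
    """Return addresses tagged with the upper-case 'SMTP:' prefix.

    In Active Directory / Exchange the primary address is the entry whose
    prefix is upper-case 'SMTP:'; lower-case 'smtp:' entries are aliases.
    """
    return [
        entry.strip()[5:]
        for entry in proxy_addresses.split(";")
        if entry.strip().startswith("SMTP:")
    ]


def audit_users(export_text, workshare_domain):
    """Map each UPN that would fail the domain requirement to a reason."""
    wanted = workshare_domain.lower()
    problems = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        upn = row["userPrincipalName"]
        primaries = primary_smtp_addresses(row["proxyAddresses"] or "")
        if not primaries:
            problems[upn] = "no primary SMTP address"
        elif len(primaries) > 1:
            problems[upn] = "multiple primary SMTP addresses"
        else:
            # The UPN domain may differ; only the primary SMTP domain counts.
            domain = primaries[0].rpartition("@")[2].lower()
            if domain != wanted:
                problems[upn] = f"primary SMTP domain is {domain}"
    return problems


if __name__ == "__main__":
    for upn, reason in audit_users(SAMPLE_EXPORT, "example.com").items():
        print(f"{upn}: {reason}")
```

Users reported here should be corrected in the directory before their domain is enforced, since Workshare places each user by the domain of the primary SMTP address it retrieves.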
Office 365
To turn on integrated apps:
- Sign in to Office 365 using your work account.
- Go to the Office 365 admin center and click Dashboard > External Sharing > Sharing Overview.
- On the Sharing Overview page, under Integrated Apps, use the toggle to turn Integrated Apps on if it’s not toggled on already.
- Click Save.
PingOne SSO
If you have previously set up SSO for Workshare with PingOne, you can switch to SSO using Azure AD. It is important to know whether SSO is enabled or enforced.
- Enabled: This means that users can sign in to Workshare using their SSO credentials or they can sign in using their Workshare credentials.
- Enforced: This means that users must sign in to Workshare using their SSO credentials. They will not be able to sign in using their Workshare credentials.
If SSO with PingOne is only enabled, you can configure SSO using Azure AD as described below. If SSO with PingOne is enforced, you must first make it enabled. Refer to Stop SSO with PingOne, further down in this article.
Configure SSO on the Workshare Admin Console
This configuration requires your users to sign in to Workshare using their Microsoft work account credentials. Without it, signing in with Microsoft remains optional.
In that case, users can sign in to Workshare using their email address and Workshare password, or they can click Sign in with Microsoft work account and sign in with their Microsoft work account credentials.
To configure SSO on Workshare:
- Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
- Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed.
- Click SSO settings.
- Select the domain (or domains) for which you want to enforce sign in with Microsoft.
- Click Apply. The selected domains are now enforced – users who enter an email address with this domain will be required to sign in with Microsoft.
To stop requiring users to sign in with their Microsoft credentials, click Stop enforcing.
Stop SSO with PingOne
To change SSO with PingOne:
- Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
- Select the Services tab and then select Single Sign-On in the left menu. The Single Sign On page is displayed.
- Scroll to the Sign in with other providers section.
- To change PingOne from enforced to enabled, click the domain name displayed under Email Domain.
- Deselect the Enforce SSO login for all email addresses in this domain checkbox and click Update Email Domain. The change will take effect immediately.