
What is single sign-on?

Single sign-on is a method of logging in to Optimal Workshop using existing credentials from another service or tool. This is ideal for organizations that use a number of software services in their work, as it takes out the hassle and security risks of managing many accounts for employees. Once implemented, SSO allows you to use a single source of truth for authentication for your organization.

This is how it will look for the users of your organization when they access Optimal Workshop:

Screenshot of Optimal Workshop's Log in portal using SSO

Using SSO with Optimal Workshop

There are a few different ways you can implement SSO with Optimal Workshop.

Google OAuth - Out of the box

We support Google sign-in as an option for anyone on any plan (free or paid); however, it cannot be enforced for an account.

SAML 2.0 - Self-serviced setup

We support the SAML 2.0 protocol, which can be used with a variety of Identity Providers (IdP), including (but not limited to) Azure, Okta, and OneLogin. SSO is an additional paid option for all accounts on a team plan (3+ users) and is free for accounts with 10+ users.

Everything else - upon request

If you’re an enterprise customer and not sure whether your existing IdP will work with SAML, or if you use a different protocol such as custom OAuth or Active Directory, get in touch with support@optimalworkshop.com.

Set up SAML SSO for your account

Get access to the SSO self-service portal

Contact support@optimalworkshop.com to start the process. Once you have been given access to the SSO self-service portal, you’ll be able to access the SSO tab in your account settings. This is where you can start the setup.

Screenshot of Optimal Workshop's in-app Settings tab

For security reasons, the SSO tab is only visible to the owner of the account.

Inviting others to make configurations on your behalf (e.g. your SSO administrator)

If you would like somebody else (e.g. your SSO administrator, or anyone who can configure your identity provider) to make the configuration on your behalf, they will need to create a user account by signing up at www.optimalworkshop.com/register (this user does not need to be associated with your team account or pay for it). Send the email address of the person requiring access to support@optimalworkshop.com and we will grant them permission.

Process overview

This is a high-level overview of the configuration process. It should take no more than 30 minutes for you and your SSO administrator to configure the steps.

Image of the high-level overview of a configuration process

Step 1: Load Optimal Workshop’s settings into your SAML provider

After you have started your SAML SSO setup request, navigate to Set up --> Service Provider within the SAML SSO self-service portal:

Settings of the Service Provider

In the Service Provider tab, you will find all the settings you need to configure your IdP.

There are two ways you can extract the settings from Optimal Workshop:

  • Setting by setting: You can manually extract Optimal Workshop’s settings and load them into your IdP by copy-pasting the provided information into the relevant fields. This is helpful if your IdP has corresponding entry fields (e.g. Okta).

  • Metadata XML: The XML option provides the same information in a machine-readable form. Some IdPs let you upload an XML file and extract the required metadata automatically. Your SSO administrator will be able to interpret this data if you need more information than the setting-by-setting view provides.

Are you using Okta? If you are using Okta as your IdP, we provide additional Okta specific information at the bottom of this article.

Optimal Workshop’s general SAML settings

You will need to load the following Optimal Workshop settings into your SSO provider. For each setting, the description is followed by the names your IdP commonly uses for the same field.

Single-sign-on URL

  Description: The location where your IdP needs to send the SAML assertion.

  Often referred to on the IdP side as:

  • Single-sign-on URL

  • SAML Assertion Consumer Service (ACS) URL

  • Assertion Consumer URL (Recipient)

Service Provider Entity ID

  Description: The unique identifier of the receiver of the SAML assertion.

  Often referred to on the IdP side as:

  • SP Entity ID

  • Audience

Name ID format

  Description: The Name ID is used to uniquely identify users. Optimal Workshop requires this to be the email address.

  Often referred to on the IdP side as:

  • Name ID format

  • Name identifier

Optimal Workshop’s attribute statements

Optimal Workshop requires a first name and last name for user creation. For a seamless user experience, you need to map those fields within your SAML provider so that they are passed through automatically. You can still submit your SSO request without having those fields mapped, but the user will then need to provide their first name (mandatory) and last name manually when logging in for the first time. If you need to use custom attribute keys for first and last names, please reach out to support@optimalworkshop.com.

Step 2: Provide details of your IdP back to us

Most IdPs provide an XML file (also referred to as IdP metadata) that contains all the metadata needed for the service provider. Copy-paste the content of that file into the provided field in the SSO self-service portal in the Identity Provider tab:

Note:

When you capture the data from your IdP, it should start and end with the following:

---------------------

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="optimal-workshop">
  ...
</md:IDPSSODescriptor>
</md:EntityDescriptor>

---------------------

This is how it might look:

Screenshot of an example of providing details of your IdP back to us

Are you using Okta? Learn exactly how to capture the IdP metadata at the bottom of this article.
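Before pasting IdP metadata into the portal, it helps to confirm that it has the shape the note above describes and that it carries what the service provider needs. The following is an added example (not Optimal Workshop's code) using only the Python standard library; the host names and the certificate body in the sample metadata are constructed placeholders.

```python
# Added example (not Optimal Workshop's code): sanity-check pasted IdP metadata
# before submitting it. Checks the structure the note describes and extracts values.
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample metadata; the host name and certificate body are placeholders.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(b"placeholder, not a real certificate").decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return (extracted values, list of problems); an empty list means it looks usable."""
    out, problems = {}, []
    try:
        root = ET.fromstring(xml_text.strip())  # the XML declaration must come first
    except ET.ParseError as exc:
        return out, [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return out, ["root element is not md:EntityDescriptor"]
    out["entity_id"] = root.get("entityID", "")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return out, ["no md:IDPSSODescriptor (did you paste SP metadata by mistake?)"]
    # Map binding short name -> Location, e.g. {"HTTP-Redirect": "https://..."}
    out["sso_urls"] = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
                       for s in idp.findall("md:SingleSignOnService", NS)}
    if not out["sso_urls"]:
        problems.append("no md:SingleSignOnService endpoint")
    out["nameid_formats"] = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if not any(f.endswith(":emailAddress") for f in out["nameid_formats"]):
        problems.append("IdP does not advertise the emailAddress NameID format this setup requires")
    certs = [c.text for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    if not certs:
        problems.append("no X509Certificate in metadata (needed to verify the IdP's signatures)")
    return out, problems
```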

Domains

Please also list all email domains that your users will be using when authenticating with SAML SSO. The domain is the part that follows the @ of all email addresses that users of your organization might use.

Example:

example.com, example.co.nz, example.it

Step 3: Test your setup and submit

Click "Verify setup" to run a test of your configuration. This will simulate a user (you) trying to log in with SSO. We display the information that we receive back from your IdP and run a few checks:

Screenshot of a display of the information status

Further down the page, you will also find the raw SAML response (also referred to as the "assertion" or "payload") that we receive from your IdP when the test sign-in was triggered. If anything is wrong, this will help your SSO administrator with debugging. If you get stuck, contact support@optimalworkshop.com; we are here to help.
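To show what the checks in the test step look at, here is an added example (not Optimal Workshop's code) that runs the kind of checks described above over a constructed SAML assertion: Name ID is an email address, its domain is on the configured domain list, the audience matches the SP Entity ID, the conditions have not expired, and the first and last name attributes are present. The SP entity ID, the domain list and the attribute keys "firstName"/"lastName" are assumptions; the example does not verify the XML signature.

```python
# Added example (not Optimal Workshop's code): the kind of checks the "Verify
# setup" step reports, run over a constructed SAML assertion with the standard
# library. It does not verify the XML signature; the service does that itself.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.invalid/saml"  # placeholder for the real SP Entity ID
ALLOWED_DOMAINS = {"example.com", "example.co.nz", "example.it"}  # the Domains list from Step 2
# The article does not name the attribute keys; "firstName"/"lastName" are assumed here.
NAME_ATTRS = ("firstName", "lastName")

# Constructed sample assertion (signature omitted), roughly what an IdP returns.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    jane@example.co.nz</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id=SP_ENTITY_ID, domains=ALLOWED_DOMAINS, now=None):
    """Return {check: (passed, detail)}, one entry per check a setup test would show."""
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    results = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    email = (name_id.text or "").strip() if name_id is not None else ""
    results["nameid_is_email"] = (fmt.endswith(":emailAddress") and "@" in email, email or "missing")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    results["domain_allowed"] = (domain in domains, domain or "no domain")
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    results["audience_is_sp"] = (audience == sp_entity_id, audience or "missing")
    cond = root.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry:
        results["not_expired"] = (now < datetime.fromisoformat(expiry.replace("Z", "+00:00")), expiry)
    else:
        results["not_expired"] = (False, "missing NotOnOrAfter")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for key in NAME_ATTRS:  # missing names are not fatal: the user is asked on first login
        results[f"has_{key}"] = (bool(attrs.get(key)), attrs.get(key) or "missing")
    return results
```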

Once every required status is green, you can submit your request. Don't forget to hit the submit button:

Once submitted, Optimal Workshop will be notified and we’ll run a couple of manual checks on our end before SSO is activated for your organization. We aim to get this done within 5 business days. Once SSO has been activated, the contacts you input during the setup process will be notified via email.


How to update the Security Certificate

The SAML signing certificate is used to establish a trust relationship between the IdP and the service provider to ensure that messages are coming from the expected identity and service provider.

When a security certificate is about to expire, your SAML configuration may become disabled.

If you need to update your Security Certificate, please get in touch with support@optimalworkshop.com well in advance so that we can set up a call to ensure the update happens at the same time on both sides. We do not yet offer an automated process to update the Security Certificate.

The IdP Certificate has the following format and needs to be sent to us by email before or during the call:

-----BEGIN CERTIFICATE-----
MIICpzCCAhACCQDuFX0Db5iljDANBgkqhkixbUQPoJOeNoE73
...
6lF5vYw6YKp8fJqPW0L2PLWe9qTn8hxpdnjo3k6r5gXyl8tk=
-----END CERTIFICATE-----

Frequently asked questions

What happens once Optimal Workshop activates SAML?

Once SAML is activated for your account, all members of your account will need to convert to SAML authentication after their next login. They will see the following modal to do so:

If there are active users when SAML is enabled, they will be interrupted and will need to connect with SAML.

How will existing users log in with SSO?

Once a user is converted to SAML-SSO, this is their regular log-in process:

1) Enter your work email address

The user can use the "Log in with SSO" link on the bottom of our login screen:

Alternatively, they can go directly to this URL: https://app.optimalworkshop.com/auth/saml/login

Screenshot of Optimal Workshop's Log in portal using SSO

If the user enters their email address (and password) directly on the login screen, they will be redirected automatically.

2) Use SSO!

Based on the domain of the email address, the user will be asked to confirm that they want to use SSO:

3) Log in to your SSO provider

After clicking on "Log in with SSO", the user will see a login screen from your SSO provider, which usually contains the following elements:

========================

Bananacom

username:

Password:

[enter]

========================

4) Use Optimal Workshop!

After entering their company username and password the user lands on the dashboard and is ready to use Optimal Workshop!

How to create new users and add them to your team

We do not integrate with SCIM services yet, which would allow you to manage users and their access to Optimal Workshop directly within your Identity Provider software.

We can provide just-in-time provisioning (any user whose email address is on one of your defined domains will be required to use SAML SSO and will be added to your team automatically), but we offer this feature only to customers on an enterprise plan with a multi-team structure, because it requires additional license management functionality that is not available for standalone team accounts.

Instead, this is how new users can be created and added to your Optimal Workshop team:

1) The account owner (or members if they have permission) has to invite a user using their work email address. This can be done in the account settings on the members tab:

2) The user will receive a notification email and will be invited to join your team at Optimal Workshop. They will need to accept the invite.

3) Your user will then be able to sign in with SAML-SSO to log into Optimal Workshop:

4) After clicking on "Log in with SSO and accept", the user will see a login screen from your Identity Provider that usually looks somewhat like this:

========================

Bananacom

username:

Password:

[enter]

========================

5) After entering their company username and password the user lands on the dashboard of the team account at Optimal Workshop they have been invited to and are ready to go!

What if something goes wrong (Backdoor URL)?

We do not provide a backdoor URL. If anything goes wrong we can, on a case-by-case basis, allow existing SAML users to convert back to password authentication via a password reset email.

Reuse of an IdP across multiple accounts

The same IdP can be used across multiple accounts, but a single account can only use one IdP.

SP- and IdP-initiated sign-in flows

We support both flows. That means a user can log in to Optimal Workshop starting directly from your IdP or via our login screen.

Assertion Encryption

By default, we don’t require encrypted assertions although they can be set up upon your request. Please get in touch with support@optimalworkshop.com if so.

SAML single logout

We do not support this.

Relay state

We do not require a default relay state.

Configure Optimal Workshop SSO with Okta

Many organizations use Okta as their IdP. Below is how the setup process works if you use Okta. You will need to follow these steps as well as the ones listed above in the article.

Okta support docs:

Step 1: Load Optimal Workshop’s configurations into your SAML provider

After you have added Optimal Workshop as a new application in Okta, follow these steps:

1a) Configure general settings in Okta:

Screenshot of Okta's general settings

Use our app logo to make it easier to identify us.

Image of Optimal Workshop's logo

1b) Configure SAML in Okta (General and Attribute statements):

Step 2: Provide details of your identity provider back to Optimal Workshop

Once you have configured SAML for the Optimal Workshop application, Okta will provide you with the IdP XML metadata that you need to load back into the SSO self-service portal. Simply copy-paste the content into the Optimal Workshop portal.

Navigate to the sign-on setup instructions:

Screenshot of viewing setup instructions in Okta

Capture the IdP metadata:

Screenshot of what is needed to configure SSO with Optimal Workshop

Step 3: Test your setup

Before you test the Okta configuration in the Optimal Workshop portal, make sure you have assigned people or groups to the Optimal Workshop application in Okta, in particular the account you are testing with.
