What is single sign-on?
Single sign-on is a method of logging in to Optimal Workshop using existing credentials from another service or tool. This is ideal for organizations that use a number of software services in their work, as it takes out the hassle and security risks of managing many accounts for employees. Once implemented, SSO allows you to use a single source of truth for authentication for your organization.
This is how it will look for the users of your organization when they access Optimal Workshop:
Using SSO with Optimal Workshop
There are a few different ways you can implement SSO with Optimal Workshop.
Google OAuth - Out of the box
We support Google sign-in as an option for anyone on any plan (free or paid); however, it cannot be enforced for an account.
SAML 2.0 - Self-serviced setup
We support the SAML 2.0 protocol, which can be used with a variety of Identity Providers (IdP), including (but not limited to) Azure, Okta, Active Directory and OneLogin. SSO is an additional paid option for all accounts on a team plan (3+ users) and is free for accounts with 10+ users.
Everything else - upon request
If you’re an enterprise customer and not sure whether your existing IdP will work with SAML, or if you use a different protocol such as custom OAuth, get in touch with support@optimalworkshop.com.
Set up SAML SSO for your account
Get access to the SSO self-service portal
Contact support@optimalworkshop.com to start the process. Once you have been given access to the SSO self-service portal, you’ll be able to access the SSO tab in your account settings. This is where you can start the setup.
For security reasons, the SSO tab is only visible to the owner of the account.
Inviting others to make configurations on your behalf (e.g. your SSO administrator)
If you would like somebody else (e.g. your SSO administrator or any person who can make configurations for your identity provider) to make configurations on your behalf, they will need to create a user account by signing up at www.optimalworkshop.com/register (this user does not need to be associated with your team account or pay for it). Send the email address of the person requiring access to support@optimalworkshop.com and we will give them permission.
Process overview
This is a high-level overview of the configuration process. It should take no more than 30 minutes for you and your SSO administrator to configure the steps.
Step 1: Load Optimal Workshop’s settings into your SAML provider
After you have started your SAML SSO setup request, navigate to Set up > Service Provider within the SAML SSO self-service portal:
In the Service Provider tab, you will find all the settings that you need to configure your IdP.
There are two ways you can extract the settings from Optimal Workshop:
Setting by setting: You can manually extract Optimal Workshop’s settings and load them into your IdP by copy-pasting the provided information into the relevant fields. This is helpful if your IdP has corresponding entry fields (e.g. Okta).
Metadata XML: The XML option provides the same information in machine-readable form. Some IdPs allow you to upload an XML file and automatically extract the metadata needed. Your SSO administrator will be able to interpret the given data if you need more information than is provided in the setting-by-setting format.
Are you using Okta? If you are using Okta as your IdP, we provide additional Okta-specific information at the bottom of this article.
Optimal Workshop’s general SAML settings
You will need to load the following Optimal Workshop settings into your SSO provider:
Setting | Description | How the setting is often referred to on the side of the IdP |
Single sign-on URL | The location where your IdP needs to send the SAML assertion. | |
Service Provider Entity ID | The unique identifier of the receiver of the SAML assertion. | |
Name ID format | The Name ID is used to uniquely identify users. Optimal Workshop requires this to be the email address. | |
Optimal Workshop’s attribute statements
Optimal Workshop requires a first name and last name for user creation. For a seamless user experience, you need to map those fields within your SAML provider so that they are passed through automatically. You can still submit your SSO request without having those fields mapped, but the user will then need to provide their first name (mandatory) and last name manually when logging in for the first time. If you need to use custom attribute keys for first and last names, please reach out to support@optimalworkshop.com.
Step 2: Provide details of your IdP back to us
Most IdPs provide an XML file (also referred to as IdP metadata) that contains all the metadata needed for the service provider. Copy-paste the content of that file into the provided field in the SSO self-service portal in the Identity Provider tab:
Note: When you capture the data from your IdP, it should start and end with the following:
---------------------
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="optimal-workshop">
…
…
…
</md:IDPSSODescriptor>
</md:EntityDescriptor>
---------------------
This is how it might look:
Are you using Okta? Learn exactly how to capture the IdP metadata at the bottom of this article.
Domains
Please also list all email domains that your users will be using when authenticating with SAML SSO. The domain is the part that follows the @ of all email addresses that users of your organization might use.
Example:
example.com, example.co.nz, example.it
Step 3: Test your setup and submit
Click "Verify setup" to run a test of your configuration. This will simulate a user (you) trying to log in with SSO. We display the information that we receive back from your IdP and run a few checks:
Further down the page, you will also find the raw SAML response (also referred to as the "assertion" or "payload") that we receive from your IdP when the test sign-in is triggered. If anything is wrong, this will help your SSO administrator with debugging. If you get stuck, contact support@optimalworkshop.com; we are here to help.
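The checks the portal runs on the raw SAML response, modelled as an added example (not Optimal Workshop's own code): the Name ID must be in email format and be a real email address, its domain must be one of the domains listed in Step 2, the audience must match the Service Provider Entity ID, and the first/last name attributes are reported but not required, matching the note in Step 1. The sample response, the SP entity ID, the domain list and the attribute keys firstName/lastName are constructed assumptions; signature verification is deliberately left out.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SP_ENTITY_ID = "optimal-workshop"  # constructed placeholders below, not Optimal Workshop's real values
ALLOWED_DOMAINS = {"example.com", "example.co.nz", "example.it"}
NAME_ATTRS = ("firstName", "lastName")  # assumed attribute keys

# Constructed, unsigned sample response; lastName is deliberately left out
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>optimal-workshop</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, domains=ALLOWED_DOMAINS):
    """Setup checks on a decoded SAML response -> {check: (ok, detail)}; signature checks are out of scope."""
    root = ET.fromstring(xml_text)
    results = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt, value = (name_id.get("Format"), (name_id.text or "").strip()) if name_id is not None else (None, "")
    results["nameid_format"] = (fmt == EMAIL_FORMAT, fmt)
    is_email = re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None
    results["nameid_is_email"] = (is_email, value)
    domain = value.rsplit("@", 1)[-1].lower() if is_email else ""
    results["domain_listed"] = (domain in domains, domain)
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS)]
    results["audience"] = (sp_entity_id in audiences, audiences)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    for key in NAME_ATTRS:  # missing names are not fatal: the user is asked at first login
        results["attr_" + key] = (key in attrs, attrs.get(key))
    return results

def required_green(results):
    return all(ok for name, (ok, _) in results.items() if not name.startswith("attr_"))
```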
Once every required status is green, you can submit your request. Don't forget to hit the submit button:
Once submitted, Optimal Workshop will be notified and we’ll run a couple of manual checks on our end before SSO is activated for your organization. We aim to get this done within 5 business days. Once SSO has been activated, the contacts you input during the setup process will be notified via email.
You might be interested in:
How to update the Security Certificate
The SAML signing certificate is used to establish a trust relationship between the IdP and the service provider to ensure that messages are coming from the expected identity and service provider. Authentication can be disrupted if this certificate is left to expire, so it's worth starting the update process well in advance of the expiry date.
There are two ways to update your certificate:
Self-service update
This is the preferred option for customers who initially used the self-service portal to set up SAML SSO. You can self-service the certificate update via the 'Certificate Replacement' tab inside the self-service portal.
At a high level:
1) You upload the new certificate.
2) We approve and load this certificate. Both the new and old certificates are valid at this time.
3) We confirm with you via email that the new certificate has been loaded.
4) You confirm with us via email when the old certificate has been decommissioned so we can do the same on our end.
Manual update
This option is only available if you didn't use the self-service portal to set up SAML SSO. Please get in touch with support@optimalworkshop.com well in advance so that we can set up a call to ensure the update happens at the same time on both sides. The IdP certificate has the following format and needs to be sent to us by email before or during the call:
-----BEGIN CERTIFICATE-----
MIICpzCCAhACCQDuFX0Db5iljDANBgkqhkixbUQPoJOeNoE73
...
6lF5vYw6YKp8fJqPW0L2PLWe9qTn8hxpdnjo3k6r5gXyl8tk=
-----END CERTIFICATE-----
Frequently asked questions
What happens once Optimal Workshop activates SAML?
Once SAML is activated for your account, all members of your account will need to convert to SAML authentication after their next login. They will see the following modal to do so:
If there are active users when SAML is enabled, they will be interrupted and will need to connect with SAML.
How will existing users log in with SSO?
Once a user has been converted to SAML SSO, this is their regular login process:
1) Enter your work email address
The user can use the "Log in with SSO" link at the bottom of our login screen:
... or go directly to this URL: https://app.optimalworkshop.com/auth/saml/login
If the user enters their email (and password) directly on the login screen, they will be redirected automatically.
2) Use SSO!
Based on the domain of the email address, the user will be asked to confirm that they want to use SSO:
3) Log in to your SSO provider
After clicking on "Log in with SSO", the user will get a login screen popping up from your SSO provider that usually contains the following elements:
========================
Bananacom
username:
Password:
[enter]
========================
4) Use Optimal Workshop!
After entering their company username and password the user lands on the dashboard and is ready to use Optimal Workshop!
How to create new users and add them to your team
We do not integrate with SCIM services yet, which would allow you to manage users and their access to Optimal Workshop directly within your Identity Provider software.
We can provide just-in-time provisioning (any user whose email address is in one of your defined domains is forced to use SAML SSO and is automatically added to your team), but we offer this feature only to customers on an enterprise plan with a multi-team structure, as it requires additional license management functionality that is not available for standalone team accounts.
Instead, this is how new users can be created and added to your Optimal Workshop team:
1) The account owner (or members if they have permission) has to invite a user using their work email address. This can be done in the account settings on the members tab:
2) The user will receive a notification email and will be invited to join your team at Optimal Workshop. They will need to accept the invite.
3) Your user will then be able to log in to Optimal Workshop with SAML SSO:
4) After clicking on "Log in with SSO and accept", the user will get a login screen popping up from your Identity Provider that usually looks somewhat like this:
========================
Bananacom
username:
Password:
[enter]
========================
5) After entering their company username and password the user lands on the dashboard of the team account at Optimal Workshop they have been invited to and are ready to go!
What if something goes wrong (Backdoor URL)?
We do not provide a backdoor URL. If anything goes wrong we can, on a case-by-case basis, allow existing SAML users to convert back to password authentication via a password reset email.
Reuse of an IdP across multiple accounts
The same IdP can be used across multiple accounts, but a single account can only use one IdP.
We support SP-initiated and IdP-initiated sign-in flows
We support both flows. That means a user can log in to Optimal Workshop starting directly from your IdP or via our login screen.
Assertion Encryption
By default, we don’t require encrypted assertions although they can be set up upon your request. Please get in touch with support@optimalworkshop.com if so.
SAML single logout
We do not support this.
Relay state
We do not require a default relay state.
Configure Optimal Workshop SSO with Okta
Many organizations use Okta as their IdP. Below is how the setup process works if you use Okta. You will need to follow these steps as well as the ones listed above in the article.
Step 1: Load Optimal Workshop’s configurations into your SAML provider
After you have added Optimal Workshop as a new application in Okta, follow these steps:
1a) Configure general settings in Okta:
Use our app logo to make it easier to identify us.
1b) Configure SAML in Okta (General and Attribute statements):
Step 2: Provide details of your identity provider back to Optimal Workshop
Once you have configured SAML for the Optimal Workshop application, Okta will provide you with the IdP XML metadata that you need to load back into the SSO self-service portal. Simply copy-paste the content into the Optimal Workshop portal.
Navigate to the sign-on setup instructions:
Capture the IdP metadata:
Step 3: Test your setup
Before you test the Okta configuration in the Optimal Workshop portal, make sure you have assigned people or groups to the Optimal Workshop application in Okta, in particular your own account that you are testing with.