Single sign-on is a method of logging in to Optimal Workshop using existing credentials from another service or tool. This is ideal for organizations that use a number of software services in their work, as it takes out the hassle and security risks of managing many accounts for employees. Once implemented, SSO allows you to use a single source of truth for authentication for your organization.

This is how it will look for the users of your organization when they access Optimal Workshop:

There are a few different ways you can implement SSO with Optimal Workshop.

We support Google sign-in as an option for anyone on any plan (free or paid), however, it cannot be enforced for an account.

We support the SAML 2.0 protocol, which can be used with a variety of Identity Providers (IdP), including (but not limited to) Azure, Okta, Active Directory and OneLogin. SSO is an additional paid option for all accounts on a team plan (3+ users) and is free for accounts with 10+ users.

If you’re an enterprise customer and not sure whether your existing IdP will work with SAML, or if you use a different protocol such as custom OAuth get in touch with support@optimalworkshop.com.

Contact support@optimalworkshop.com to start the process. Once you have been given access to the SSO self-service portal, you’ll be able to access the SSO tab in your account settings. This is where you can start the setup.

For security reasons, the SSO tab is only visible to the owner of the account.

If you would like somebody else (e.g. your SSO administrator or any person who can make configurations for your identity provider) to make configurations on your behalf, they will need to create a user account by signing up at www.optimalworkshop.com/register (This user does not need to be associated with your team account or pay for the account). Send the email address of the person requiring access to support@optimalworkshop.com and we will give them permission.

This is a high-level overview of the configuration process. It should take no more than 30 minutes for you and your SSO administrator to configure the steps.

After having started your SAML SSO setup request, navigate to --> Set up --> Service Provider within the SAML-SSO Self-service portal:
​

In the Service Provider tab, you find all settings that you need to configure your IdP.

There are two ways you can extract the settings from Optimal Workshop:

Are you using Okta? If you are using Okta as your IdP, we provide additional Okta specific information at the bottom of this article.

Optimal Workshop’s general SAML settings

You will need to load the following Optimal Workshop settings into your SSO provider:

Optimal Workshop’s attribute statements

Optimal Workshop requires a first name and last name for user creation. For a seamless user experience, you need to map those fields within your SAML provider so that they are parsed through automatically. You can still submit your SSO request without having those fields mapped, but the user will need to provide their first name (mandatory) and last name manually when logging in for the first time. If you need to use custom attribute keys for first and last names, please reach out to support@optimalworkshop.com.

Most IdPs provide an XML file (also referred to as IdP metadata) that contains all the metadata needed for the service provider. Copy-paste the content of that file into the provided field in the SSO self-service portal in the Identity Provider tab:

Note:

When you capture the data from your IdP, it should start and end with the following:

---------------------

<?xml version="1.0"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="optimal-workshop">

…

…

…

</md:IDPSSODescriptor>

</md:EntityDescriptor>

------------------

This is how it might look:

Are you using Okta? Learn exactly how to capture the IdP metadata at the bottom of this article.

Domains

Please also list all email domains that your users will be using when authenticating with SAML SSO. The domain is the part that follows the @ of all email addresses that users of your organization might use.

Example:

Click "Verify setup" to run a test of your configuration. This will simulate a user (you) trying to log in with SSO. We display the information that we receive back from your IdP and run a few checks:

Further down the page, you will also find the raw SAML response (also referred to as the "assertion" or "payload") that we receive from your IdP when the test sign-in was triggered. If there’s anything wrong, this will help your SSO administrator in the debugging process. If you get stuck, contact support@optimalworkshop.com, we are here to help.

Once every required status is green, you can submit your request. Don't forget to hit the submit button:

Once submitted, Optimal Workshop will be notified and we’ll run a couple of manual checks on our end before SSO is activated for your organization. We aim to get this done within 5 business days. Once SSO has been activated, the contacts you input during the setup process will be notified via email.

You might be interested in:

The SAML signing certificate is used to establish a trust relationship between the IdP and the service provider to ensure that messages are coming from the expected identity and service provider. Authentication can be disrupted if this certificate is left to expire, so it's worth starting the update process well in advance of the expiry date.

There are two ways to update your certificate:

Once SAML is activated for your account, all members of your account will need to convert to SAML authentication after their next login. They will see the following modal to do so:

If there are active users when SAML is enabled, they will be interrupted and will need to connect with SAML.

Once a user is converted to SAML-SSO, this is their regular log-in process:

1) Enter your work email address

The user can use the "Log in with SSO" link on the bottom of our login screen:

... or use directly this URL: https://app.optimalworkshop.com/auth/saml/login

In case the user entered email (and password) directly on the login screen, they will be automatically redirected.

2) Use SSO!

Based on the domain of the email address the user will be asked to confirm to use SSO:

3) Login into SSO provider After clicking on "Log in with SSO", the user will get a login screen popping up from your SSO provider that usually contains the following elements:

========================

Bananacom

username:

Password:

[enter]

========================

4) Use Optimal Workshop!

After entering their company username and password the user lands on the dashboard and is ready to use Optimal Workshop!

We do not integrate with SCIM services yet, which would allow you to manage users and their access to Optimal Workshop directly within your Identity Provider software.

We can provide just-in-time provisioning (any user with an email address that contains your defined domain(s) will be forced to use SAML-SSO and be automatically added to your team) but offer this feature only for customers on an enterprise plan and a multi-team structure set up as it requires additional license management functionality which is not available for standalone team accounts.

Instead, this is how new users can be created and added to your Optimal Workshop team:

1) The account owner (or members if they have permission) has to invite a user using their work email address. This can be done in the account settings on the members tab:
​

2) The user will receive a notification email and will be invited to join your team at Optimal Workshop. They will need to accept the invite.

3) Your user will then be able to sign in with SAML-SSO to log into Optimal Workshop:

4) After clicking on "Log in with SSO and accept", the user will get a login screen popping up from your Identity Provider that usually looks somewhat like this:

========================

Bananacom

username:

Password:

[enter]

========================

5) After entering their company username and password the user lands on the dashboard of the team account at Optimal Workshop they have been invited to and are ready to go!
​

We do not provide a backdoor URL. If anything goes wrong we can, on a case-by-case basis, allow existing SAML users to convert back to password authentication via a password reset email.

The same IdP can be used across multiple accounts, but a single account can only use one IdP.

We support both flows. That means a user can log in to Optimal Workshop starting directly from your IdP or via our login screen.

By default, we don’t require encrypted assertions although they can be set up upon your request. Please get in touch with support@optimalworkshop.com if so.

SAML single logout

We do not support this.

Relay state

We do not require a default relay state.

Many organizations use Okta as their IdP. Below is how the setup process works if you use Okta. You will need to follow these steps, as well as the ones listed above in the article

.

After you have added Optimal Workshop as a new application to Okta follow these steps:

1a) Configure general settings in Okta:

Use our app logo to make it easier to identify us.

1b) Configure SAML in Okta (General and Attribute statements):

Once you have configured SAML for the Optimal Workshop application, Okta will provide you with the IdP XML metadata that you need to load back into the SSO self-service portal. Simply copy-paste the content into the Optimal Workshop portal.

Navigate to the sign-on setup instructions:

Capture the IdP metadata:

Before you test the Okta configuration in the Optimal Workshop portal, make sure you have assigned people or groups to Okta, in particular, your own account that you are testing with.