What is single sign-on?
Single sign-on is a method of logging in to Optimal Workshop using existing credentials from another service or tool. This is ideal for organizations that use multiple software services in their work, as it takes out the hassle and security risks of managing many accounts for employees. Once implemented, SSO allows you to use one source of truth for authentication for your organization.
Using SSO with Optimal Workshop
We support the SAML 2.0 protocol, which can be used with a variety of identity providers, including (but not limited to) Azure, Okta, OneLogin or Active Directory. If you’re not sure whether your existing identity provider will work with SAML, get in touch with our sales team.
Once set up, your team members will be able to log in to Optimal Workshop using their credentials from your identity provider.
What do I need to know before I set up SSO?
SSO is currently available only to paid accounts on an Enterprise plan. If you’re ready to start using SSO with Optimal Workshop, you’ll need to contact our sales team to get the process started.
We also support Google sign-in as an option for anyone on any plan — free or paid.
The minimum information you’ll need to provide to set up SSO:
A list of email domains to apply SSO to
Example: myorganization.com, myorg.com, my-organization.com
Login URL: The URL to redirect to in order to log in to the identity provider
Issuer URL: The URL of the issuer specified by the identity provider
IDP Certificate: The verification certificate provided by the identity provider
Email address for an account admin: An email address of someone that users can contact if they’re having trouble signing in
Additional available options:
Specify which users have access
You can specify which members of your organization have access to your Optimal Workshop account through your SAML configuration.
SAML response decryption
When enabled, a private key will be used to decrypt the response from the identity provider. Enable this option if your existing provider is configured to send encrypted responses.
Disable free teams
When members of your organization join Optimal Workshop, by default they’ll be able to join other teams outside of your organization. You can disable this so that members can only access teams specified by your organization
Attribute mappings for first name, last name, and email
In order for us to set up accounts for your team members, we’ll need a little bit of information from the authorizing user in the attributes of the SAML response, which are configurable from the IDP. By default, we look for the following values:
Email address: email
First name: firstName
Last name: lastName
Of these, only email is required. We’re also able to specify custom mappings in case an existing configuration passes these values with different names.
Custom email domain enforcement
We can enforce domains in 2 different ways:
- Domain: Anyone logging in with an email address using your specified domain will be required to authenticate against the identity provider. Existing users will be asked to switch over to SAML authentication before continuing.
- Team: Anyone attempting to access a specified team will be required to authenticate against the identity provider. Existing team members will be asked to switch over to SAML authentication before continuing.