Authentication
This article is only applicable to users of Workplace Advanced.
Users and admins can authenticate in 2 ways on Workplace:
Username and Password
  • The username will be in the form of an email address which has been provisioned in advance.
  • The password is set by the user upon confirming their identity through a unique link sent to the email address registered on Workplace.
Single Sign-On (SSO)
  • The username will be in the form of an email address which has been provisioned in advance.
  • Instead of a password, authentication credentials will be provided by an SSO provider.

Username & Password Authentication

Yes, username and password credentials chosen by users in Workplace are unique to Workplace, and separate to any passwords they may use on Facebook.
Users can only reset their own passwords if SSO isn't enabled.
As an administrator:
To reset a user's password, you need to be a System Administrator or Account Manager.
1. In the Admin Panel, open the People tab.
2. Find the user account whose password you'd like to reset.
3. Click to the right and select Force Password Reset.
4. A Force Password Reset? popup should appear with Confirm and Cancel prompts.
5. Click Confirm. A password reset prompt should appear.
6. Click OK.
The user will have their credentials reset and a claim email will be sent to them to set up a new password.
As a user:
1. From your profile, click Settings.
2. Select Security and Login.
3. Select Edit in the Change Password subsection.
Password Length
Passwords must be between 8 and 20 characters long.
Password format
Passwords must contain at least one character from three of the following character types:
  • Lower case characters (a-z)
  • Upper case characters (A-Z)
  • Digits (0-9)
  • Special characters including common punctuation and symbols
Password Retries
If users enter their password incorrectly more than 20 times, they'll be temporarily locked out of their account before they can retry.
Default Password
There's currently no way for admins to set a default password for Workplace accounts.

Single Sign-On

This article is only applicable to users of Workplace Advanced and Workplace Enterprise.
Workplace can be integrated with identity providers (IdPs) for managing user authentication. This makes it easier for users to sign into Workplace using the same single sign-on (SSO) credentials they use with other systems.
You can also add multiple SSO providers to your Workplace which allows multiple IdPs to be used at the same time.
SSO for Workplace is directly supported by the following IdPs:
In addition to SSO for authentication, our partners above also support automated account provisioning and user management.
Note: Workplace supports SAML (Security Assertion Markup Language) 2.0 for SSO. You may find IdPs not listed above compatible as long as they use SAML 2.0 protocol.
This article is only applicable to users of Workplace Advanced.
In order to enable single sign-on (SSO) authentication you'll need to:
    1. Have access to your IdP's configuration settings.
    2. Be assigned a System Administrator role in Workplace.
Learn more about single sign-on authentication.
This article is only applicable to users of Workplace Advanced.
Configuring ADFS for Workplace requires the following:
  • SSO system using Windows Server 2016, Windows Server 2012 R2, Active Directory Domain Services (AD DS) or Windows Server 2008 R2.
  • Active Directory Federation Services (ADFS) 2016, v3 or v2.
  • The Workplace System Administrator has exactly the same email address as the corresponding Active Directory user.
This article is only applicable to users of Workplace Advanced and Workplace Enterprise.
To configure SSO for Workplace from your desktop computer:
  1. From your Admin Panel, go to the Security tab and select Authentication at the top bar.
  2. Under Login, select Single-Sign On (SSO).
  3. Input the values from your IdP into the fields listed:
    • Name of the SSO Provider
    • SAML URL
    • SAML Issuer URL
    • SAML Logout URL Redirect (Optional)
    • SAML Certificate (You may need to open the downloaded certificate in a text editor in order to copy/paste this into the field.)
  4. Depending on your IdP, you may need to enter the Audience URL, Recipient URL and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
  5. Scroll to the bottom of the section and click Test SSO. A popup window will appear with your IdP login page. Enter your credentials as normal to authenticate.
    Ensure the email address returned by your IdP is the same as the Workplace account you're logged in with.
  6. Once the test has been completed successfully, scroll to the bottom of the page and click Save. All users using Workplace will now be presented with your IdP login page for authentication.
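When Test SSO fails, the usual cause is a mismatch between what the IdP sends and the Issuer, Audience, Recipient and email values described in the steps above. The following is an added example, not Workplace code: a diagnostic that decodes a captured SAMLResponse and lists those mismatches. The function name, URLs and email addresses are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Path (relative to the Assertion) of each value compared against the configuration.
FIELDS = {
    "issuer": ("a:Issuer", None),
    "email": ("a:Subject/a:NameID", None),
    "recipient": ("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", "Recipient"),
    "audience": ("a:Conditions/a:AudienceRestriction/a:Audience", None),
}

def check_test_response(b64_response, expected):
    """Compare a captured, base64-encoded SAMLResponse with the expected values.

    Diagnostic only: it does not verify the XML signature, so it must never
    be used to accept a login.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion found (missing or encrypted)"]
    problems = []
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")
    for name, (path, attribute) in FIELDS.items():
        node = assertion.find(path, NS)
        if node is None:
            got = None
        elif attribute:
            got = node.get(attribute)
        else:
            got = (node.text or "").strip()
        if got != expected[name]:
            problems.append(f"{name}: IdP sent {got!r}, expected {expected[name]!r}")
    return problems

# Constructed sample: an unsigned response whose NameID is not the provisioned email.
SAMPLE_XML = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
<a:Assertion><a:Issuer>https://idp.example.com/saml</a:Issuer>
<a:Subject><a:NameID>jdoe@corp.local</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://sp.example.com/acs"/></a:SubjectConfirmation></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>https://sp.example.com</a:Audience></a:AudienceRestriction></a:Conditions>
</a:Assertion></p:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()
EXPECTED = {"issuer": "https://idp.example.com/saml", "email": "jane.doe@example.com",
            "recipient": "https://sp.example.com/acs", "audience": "https://sp.example.com"}
```

Calling check_test_response(SAMPLE, EXPECTED) reports the missing signature and the NameID that does not match the provisioned email address.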
Adding multiple SSO providers is only available to users of Workplace Enterprise.
To add multiple SSO providers:
  1. Under your default SSO Provider, click Add New SSO Provider.
  2. Follow the steps to configure SSO listed above.
  3. Once completed, you'll see an Other section with the name of the provider you entered.
  4. You can now add employees to the IdP they belong to based on their domain by clicking Assign Email Domains.
SAML Logout Redirect (optional):
You can choose to configure an SAML Logout URL which can be used to point at your IdP's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the URL that was added in the SAML Logout Redirect setting.
Example with ADFS:
  1. Update the Workplace relying party trust to add a SAML Logout Endpoint to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  2. Update the settings in Workplace so that the SAML Logout Redirect is set to https://"adfs server"/adfs/ls/?wa=wsignout1.0
  3. Save the settings. When you now log out, you'll be logged out from both Workplace and ADFS.
This article is only applicable to users of Workplace Advanced.
You can configure Workplace to prompt for an SAML check every day, 3 days, week, 2 weeks, month or never. The minimum duration for the SAML check on mobile applications is set to 1 day.
You can also force an SAML reset for all users using the button: Force Reauthentication Now.
This article is only applicable to users of Workplace Essential and Workplace Advanced.
No, we do not take SAML attributes and provision users. However, you can use self invite or one of the provisioning methods outlined here.
To mimic partial behavior of Just-In-Time provisioning, you must ensure that single sign-on is enabled and Self Invite is on. Once you've made sure your community's settings are updated with those changes, you can create a SCIM-based user management/connector app.
This article is only applicable to users of Workplace Essential and Workplace Advanced.
See the ADFS section on this page for more information on how to configure login to Workplace via ADFS.
For additional information in English, you can also access this document.