Intro:
Enabling Single Sign-On (SSO) for a SaaS platform makes logging in easier, faster, and more secure.
In simple terms:
SSO lets people use one username and password—usually their work login—to access many different systems. Instead of creating and remembering yet another password, users can just click “Sign in with [Company Login]” and they’re in.
Workflow Services can partner with your IT organization to set up SSO for any of the most common authenticators (e.g. MS365/Azure, Google, Okta, etc.).
Enabling SSO is not required for access to the Workflow Services platform, however if it is something your IT organization can support and would prefer, we're happy to partner with them on it to enable it.
Process Overview:
- Customer's IT administrator will need to log into your Microsoft EntraID site at https://entra.microsoft.com/
- Expand the left menu into Identity > Applications > App Registrations and create a new registration. Provide a name for this application and specify the Accounts in this organizational directory only option to limit user accounts to your AD tenant only. The redirect URI will be utilizing a Web type application and specify the Workflow Services tenant hostname followed by /v1/sso, such as: https://customer.workflowservices.com/v1/sso
- Once created, open the new registration, and open the Branding & properties page.
- Include any pertinent details we wish users to see on consent and account management screens. Our privacy statement is available here.
- Continue on to the Authentication screen. Ensure that under the Platform configurations section that the Web platform is there and that the correct URL above for /v1/sso is listed. Scroll down to the Implicit grant and hybrid flows section and ensure that the ID tokens is selected. Also verify the value for the Supported account types is selected and that Allow public client flows is set to No.
-
Skip down to API permissions and review the Configured permissions for the registration. Ensure that the following Microsoft Graph scopes are enabled:
- offline_access
- openid
- profile
- Move back up to the Certificates & secrets menu, and create a new Client secret for the Workflow Services app. Please collect the secret/value and the expiration date, these will need to be supplied to Workflow Services for configuring the tenant.
At this point, the application registration is complete. An Enterprise application registration is necessary, but the options depend on your security and identity policies for things like: who can use the app or providing consent. However, before we leave the standard App registrations menu, navigate back to the Overview screen. The Application (client) ID needs to be provided to the Workflow Services team. In addition, open the Endpoints globe option at the top of the screen, and copy the OpenID Connect metadata document URL for us as well.
Info Needed for Workflow Services to Complete SSO Setup:
Please provide us with these four pieces of data in order for a Workflow Services tenant to be configured for SSO.
- Application (client) ID
- Client secret
- Secret expiration date
- OpenID Connect metadata document URL
Please do not provide the application ID and the secret within the same e-mail and preferably provide the secret in a different medium/transport like through a live Zoom or Teams chat.
If possible, also provide a testing username and credentials that can be used to validate the configuration.
Once we've completed the setup on our end, we'll ask that you have a couple team members test their access, after which we can go live with your full team as needed.