

Learn about your options for allowing users access to Workplace.

Active Directory Federation Services (ADFS) is a Windows Server component that allows organizations to use Single Sign-on (SSO) access with other applications. In this guide, we will detail the setup required within ADFS to successfully integrate your SSO with Workplace.

Configure ADFS for SSO with Workplace

In order to configure ADFS for Workplace you need to meet the following prerequisites:

• Your SSO system uses Windows Server version 2019 or 2016, Active Directory Domain Services (ADDS), and Active Directory Federation Services (ADFS) v4 or v5.
• You have been assigned the System Admin role in your Workplace instance.
• Your Workplace admin user has the exact same email address as your corresponding Active Directory user. If the email addresses are not a case-sensitive match, you will not be able to complete this procedure successfully.

These instructions are also applicable to the configuration of Windows Server version 2012 R2 or 2008 R2 with ADFS v2, but be aware there are some minor differences in the configuration flow. We recommend upgrading to more recent Windows Server versions.

Gather the parameters needed to configure ADFS

Follow the steps below in Workplace to find the parameters you need to configure ADFS.

1. Go to the Admin Panel and navigate to the Security section.
2. Navigate to the Authentication tab.
3. Check the Single sign-on (SSO) checkbox.
4. Note down the values of your Audience URL and Recipient URL, which you will need during the ADFS configuration step.

Create the Relying Party Trust in ADFS

Before ADFS will allow federated authentication (i.e., SSO) for an external system, you must set up a Relying Party Trust. This configuration identifies the external system along with the specific technology that is used for SSO. This procedure will create a Relying Party Trust that produces SAML 2.0 Assertions for Workplace.

1. Open the ADFS Management snap-in. Click on Relying Party Trusts and choose Add Relying Party Trust.
2. Choose the Claims aware radio button. Click Start.
3. Select Enter data about the relying party manually and click Next.
4. Set the Display name to Workplace. Click Next.
5. Click Next to skip the optional step of selecting a token signing certificate.
6. Check the checkbox Enable support for the SAML 2.0 WebSSO protocol. Enter the Workplace Recipient URL you noted down into the text box Relying party SAML 2.0 SSO service URL and click Next.
7. Enter your Workplace Audience URL in the text box Relying party trust identifier, click Add and then click Next.
8. Click Next to accept the default Access Control Policy.
9. Review your settings and click Next to add the Relying Party Trust.
10. Leave the checkbox selected to open the Edit Claim Rules dialog when the wizard closes and click Close.

Create the Claim Rules

After a user is authenticated, ADFS claim rules specify the data attributes (and those attributes' format) that will be sent to Workplace in the SAML Response. Since Workplace requires a Name ID element that contains the user's email address, this example shows a configuration with two rules:

• The first rule extracts the user's User Principal Name from Active Directory (i.e., the user's Windows Account Name);
• The second rule transforms the User Principal Name into a Name ID with Email format.

Prepare to create your claim rules

Set up ADFS to create the two claim rules that configure SSO for Workplace.

1. The window Edit Claim Rules for Workplace should open automatically. If not, you can edit claim rules from the ADFS Management snap-in by selecting the Workplace relying party trust and choosing Edit Claim Rules in the right-hand pane.
2. Within the Issuance Transform Rules tab, click Add Rule… to start a new rule.

Create the first rule

Create the first rule to retrieve the email address attribute from Active Directory when the user is authenticated.

1. For the Claim Rule template, select Send LDAP Attributes as Claims and click Next to continue.
2. Set the Claim Rule Name to Get LDAP Attributes. Set the Attribute store to Active Directory. In the first row, set the LDAP Attribute to E-Mail-Addresses and set the Outgoing Claim Type to E-Mail Address.
3. Click Finish to add the rule.

Create the second rule

Create the second rule to map the email address claim to the Name ID element of the SAML Response.

1. Click Add Rule… to start a second new rule.
2. For Claim Rule Template, select Transform an Incoming Claim and click Next to continue.
3. For Claim Rule Name, enter Transform Email Address. For Incoming Claim Type, select E-Mail Address. For Outgoing Claim Type, select Name ID. For Outgoing name ID format, select Email. Finally, accept the default radio button selection Pass through all claim values and click Finish to add the rule.
4. Click Apply to enact the claim rules.
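The same relying party trust and the same two claim rules, created with the ADFS PowerShell module instead of the two wizards above (the "Create the Relying Party Trust in ADFS" and "Create the Claim Rules" sections). This is an added example, not Workplace's or Microsoft's own script: the two URLs are placeholders for the Audience URL and Recipient URL from your Admin Panel, and the rule text is the claim rule language that the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate for the settings given in the steps (the first rule reads the Active Directory mail attribute, as in the step-by-step configuration).

```powershell
# Added example (not Workplace's or Microsoft's own script): creates the Workplace
# relying party trust and the two claim rules described above with the ADFS
# PowerShell module, equivalent to the wizard steps. Run in an elevated
# PowerShell session on the ADFS server.
Import-Module ADFS

$AudienceUrl  = 'https://<your-workplace-audience-url>'    # placeholder: Audience URL from Workplace
$RecipientUrl = 'https://<your-workplace-recipient-url>'   # placeholder: Recipient URL from Workplace

# Rule 1: "Send LDAP Attributes as Claims" - read the user's mail attribute from
# Active Directory and issue it as an E-Mail Address claim. This is the rule
# language the wizard generates for the settings in "Create the first rule".
$GetLdapAttributes = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim" - turn the E-Mail Address claim into a
# Name ID claim with the SAML email name-id format, passing the value through.
$TransformEmail = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform Email Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# The Recipient URL is where ADFS will POST the SAML Response (the relying
# party's assertion consumer service); the Audience URL is the trust identifier
# that ends up in the <Audience> element of the assertion.
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $RecipientUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Workplace' `
    -Identifier $AudienceUrl `
    -SamlEndpoint $Endpoint `
    -IssuanceTransformRules ($GetLdapAttributes + "`r`n" + $TransformEmail) `
    -AccessControlPolicyName 'Permit everyone'

# Read the trust back and confirm the identifier, endpoint and rules landed.
$Trust = Get-AdfsRelyingPartyTrust -Name 'Workplace'
$Trust | Select-Object Name, Identifier, Enabled
$Trust.SamlEndpoints | Select-Object Binding, Protocol, Location
$Trust.IssuanceTransformRules
```

The read-back at the end is the check worth keeping: Identifier must equal the Audience URL character for character, because Workplace compares it against the Audience element of the assertion, and the single SAML endpoint must be the Recipient URL with the POST binding. The -AccessControlPolicyName parameter exists on Windows Server 2016 and later; on the 2012 R2 flow mentioned in the prerequisites you would instead supply -IssuanceAuthorizationRules with a permit rule.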

Gather ADFS parameters needed to configure Workplace

In order to complete the setup, we need to retrieve some parameters that have to be configured in Workplace.

To finish this configuration and have ADFS produce a valid SAML Assertion, you must be able to authenticate to ADFS as the user that has the exact same email address as your Workplace admin (case sensitive).

1. Open the ADFS Management snap-in.
2. Navigate to ADFS > Service > Endpoints.
3. Confirm the URL of your ADFS metadata under the heading Metadata.
4. From a web browser, open your ADFS metadata file. This location will be something like: https://{your-fully-qualified-active-directory-domain}/FederationMetadata/2007-06/FederationMetadata.xml.
5. Make a note of your SAML Issuer URL, which is contained in the entityID attribute of the EntityDescriptor element.
6. You will also need to make a note of your SAML URL, which is contained in the Location attribute of the AssertionConsumerService element whose Binding attribute is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
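Reading the two values out of the federation metadata by hand is error-prone, so here is the same extraction as a script. This is an added example, not Workplace's or Microsoft's own code; the metadata URL is a placeholder for your own ADFS host. It takes the entityID and the HTTP-POST AssertionConsumerService Location exactly as the steps above describe, and additionally cross-checks that Location against the HTTP-POST SingleSignOnService of the IDPSSODescriptor (ADFS publishes the same /adfs/ls/ endpoint for both roles) and reports the signing certificate the metadata advertises, so it can later be compared with the file you export.

```powershell
# Added example (not Workplace's or Microsoft's own script): reads the ADFS
# federation metadata and pulls out the SAML Issuer URL and SAML URL the way the
# manual steps describe, plus the token-signing certificate Workplace will
# validate responses against. $MetadataUrl is a placeholder for your ADFS host.
function Get-WorkplaceSamlParameters {
    param(
        [Parameter(Mandatory)] [string] $MetadataUrl
    )
    $HttpPost = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

    # Fetch and parse the metadata document. [xml] property navigation matches
    # on local element names, so the SAML namespace prefixes are not needed.
    $Metadata = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $Entity   = $Metadata.EntityDescriptor

    # SAML Issuer URL: the entityID attribute of the root EntityDescriptor.
    $IssuerUrl = $Entity.entityID

    # SAML URL: Location of the HTTP-POST AssertionConsumerService, as the guide
    # says. ADFS advertises the same /adfs/ls/ endpoint as the IdP-side
    # SingleSignOnService, so the two are cross-checked here.
    $AcsUrl = ($Entity.SPSSODescriptor.AssertionConsumerService |
        Where-Object { $_.Binding -eq $HttpPost } | Select-Object -First 1).Location
    $SsoUrl = ($Entity.IDPSSODescriptor.SingleSignOnService |
        Where-Object { $_.Binding -eq $HttpPost } | Select-Object -First 1).Location
    if ($AcsUrl -ne $SsoUrl) {
        Write-Warning "HTTP-POST AssertionConsumerService ($AcsUrl) and SingleSignOnService ($SsoUrl) differ; check which endpoint ADFS actually serves."
    }

    # Signing certificate advertised for the IdP role (KeyDescriptor use="signing").
    # Its thumbprint should match the certificate exported in the next section.
    $SigningB64 = ($Entity.IDPSSODescriptor.KeyDescriptor |
        Where-Object { $_.use -eq 'signing' } | Select-Object -First 1).KeyInfo.X509Data.X509Certificate
    $SigningCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($SigningB64))

    [pscustomobject]@{
        SamlIssuerUrl       = $IssuerUrl
        SamlUrl             = $AcsUrl
        IdpSingleSignOnUrl  = $SsoUrl
        SigningThumbprint   = $SigningCert.Thumbprint
        SigningNotAfter     = $SigningCert.NotAfter
    }
}

# Placeholder host name; substitute your own ADFS federation service name.
Get-WorkplaceSamlParameters -MetadataUrl 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
```

During a token-signing certificate rollover ADFS lists two signing KeyDescriptor elements, the primary first; the script takes the first one, which is the certificate currently signing assertions. If SigningNotAfter is close, plan to update the certificate in Workplace at the same time.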

Convert your certificate into X.509 format

Once you've gone through your identity provider's setup:

1. From the ADFS management console, choose ADFS > Service > Certificates. Right-click your Token-signing certificate and click View Certificate….
2. Choose the Details tab and click the button Copy to File….
3. Click Next to start the wizard. Choose Base-64 encoded X.509 (.CER).
4. Choose a location on the file system to save the exported certificate file.
5. Click Finish to complete the export.
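The same export done from PowerShell on the ADFS server, with a read-back check that the file really contains the primary token-signing certificate. This is an added example and not Workplace's or Microsoft's own script; the output path is a placeholder. It produces the Base-64 encoded X.509 (.CER) format the certificate export wizard writes, and it exports only the public certificate, never the private key.

```powershell
# Added example (not Workplace's or Microsoft's own script): exports the primary
# ADFS token-signing certificate as a Base-64 encoded X.509 (.CER) file, the
# format the wizard produces, and verifies the file by reading it back.
# Run on the ADFS server. $OutFile is a placeholder path.
function Export-AdfsTokenSigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $OutFile
    )
    Import-Module ADFS

    # ADFS keeps a primary and, around rollover, a secondary token-signing
    # certificate. Workplace must hold the one actually signing assertions,
    # i.e. the primary.
    $Signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary } | Select-Object -First 1
    $Cert = $Signing.Certificate   # X509Certificate2 object

    # Base-64 of the DER encoding with PEM armour; public certificate only,
    # no private key leaves the server.
    $Der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $Pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $OutFile -Value $Pem -Encoding Ascii -NoNewline

    # Read the file back and confirm it is the same certificate and not about
    # to expire; a certificate that rolls over unnoticed silently breaks SSO.
    $Check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
    if ($Check.Thumbprint -ne $Cert.Thumbprint) {
        throw "Exported file does not match the primary token-signing certificate."
    }
    if ($Check.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires on $($Check.NotAfter); plan the rollover."
    }

    [pscustomobject]@{
        File         = $OutFile
        Thumbprint   = $Check.Thumbprint
        Subject      = $Check.Subject
        NotAfter     = $Check.NotAfter
        AutoRollover = (Get-AdfsProperties).AutoCertificateRollover
    }
}

# Placeholder path; choose any location on the file system.
Export-AdfsTokenSigningCertificate -OutFile 'C:\Temp\adfs-token-signing.cer'
```

Compare the returned Thumbprint with the signing certificate advertised in the federation metadata before uploading the file. With AutoCertificateRollover enabled (the ADFS default) a new token-signing certificate is generated and promoted before the current one expires, and the certificate held by Workplace has to be replaced at that point or sign-in will fail.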

Complete Workplace SSO configuration

You will need your SAML URL, SAML Issuer URL and exported certificate file to complete the SSO configuration in Workplace. Please follow the guide in the section Configure Workplace for SSO.