SAML Setup Guide (Generic)

Step 1 - Get Service Provider (SP) information from Workstars

  • Log in to your Workstars administrator account (must be the primary account or technical user)
  • Click on Settings at the top
  • Then click Sign On from the left-hand menu
  • Click the Setup button next to the Single Sign On (SAML) option
  • Select Generic
  • From the Service Provider section save a copy of the ACS URL and Entity ID, as you will need these in Step 2.

Step 2 - Set up your Identity Provider for use with Workstars

Follow the process for adding an application (Service Provider) to your Identity Provider. You will need to make a note of the Identity Provider Single Sign On URL, Identity Provider Entity ID and Identity Provider x509 Certificate that you should be provided with during the setup. We recommend adding a test user at this stage rather than activating it for all users.

Step 3 - Configure Sign On to use your Identity Provider

  • Log back in to your Workstars administrator account

  • In the top bar select Settings

  • On the left-hand navigation select Sign On

  • Click Setup next to the Single Sign On (SAML) option

  • Select Generic

  • Enter your SAML SSO URL. This is provided by your Identity Provider; it may also be called the Single Sign On URL.

  • Enter your Identity Provider Entity ID. This is provided by your Identity Provider.

  • Paste in your x509 Certificate. This is provided by your Identity Provider, sometimes as a file (if so, open the file in Notepad and copy and paste its contents). It must be in PEM format, that is a -----BEGIN CERTIFICATE----- line, the base64-encoded certificate body, and a -----END CERTIFICATE----- line. Only the Identity Provider's public certificate belongs here, never a private key.

  • Enter your Remote Logout URL. This may be provided by your Identity Provider and is where you would like the employee to be redirected when they log out. A good choice is the landing/dashboard page of your Identity Provider. It must not be the same as the SAML SSO URL, or the user will just be logged back in and can never log out.

  • Select the appropriate NameID; by default we use email. We also support EmployeeID, but configuring your IdP for it is outside the scope of this document, so please contact support.

  • Click Confirm to save the settings
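As an added example (not Workstars' own code), the following Python checks the values from this step before you click Confirm: that the certificate is PEM as described, that both URLs are absolute https URLs, that the Remote Logout URL is not the SAML SSO URL, and that the NameID choice is one of the two supported. The settings and the tiny certificate stand-in are constructed, and idp.example.com is a hypothetical host.

```python
import base64
import binascii
from urllib.parse import urlparse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_pem_certificate(text: str) -> list[str]:
    """Return problems with a pasted x509 certificate; an empty list means it looks like PEM."""
    problems = []
    if "PRIVATE KEY" in text:
        problems.append("this is a private key, not a certificate; only the IdP's public certificate belongs here")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        problems.append(f"text must start with {PEM_BEGIN} and end with {PEM_END}")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return problems + ["body between the markers is not valid base64 (a binary DER .cer file must be converted to PEM first)"]
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE, so it is not an X.509 certificate")
    return problems

def check_settings(settings: dict) -> list[str]:
    """Validate the Step 3 form values before clicking Confirm; returns a list of problems."""
    problems = []
    for key in ("saml_sso_url", "remote_logout_url"):
        parts = urlparse(settings.get(key, ""))
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key} must be an absolute https URL")
    if not settings.get("idp_entity_id"):
        problems.append("idp_entity_id is required")
    # Logging out to the SSO URL just signs the user straight back in.
    if settings.get("remote_logout_url") == settings.get("saml_sso_url"):
        problems.append("remote_logout_url must differ from saml_sso_url or users can never log out")
    if settings.get("name_id") not in ("email", "employeeID"):
        problems.append("name_id must be 'email' (the default) or 'employeeID'")
    return problems + [f"x509_certificate: {p}" for p in check_pem_certificate(settings.get("x509_certificate", ""))]

# Constructed stand-in: base64 of a tiny DER SEQUENCE, not a real certificate.
SAMPLE_CERT = f"{PEM_BEGIN}\nMAMCAQE=\n{PEM_END}\n"
# Constructed example values for the Step 3 form (hypothetical IdP host).
GOOD_SETTINGS = {
    "saml_sso_url": "https://idp.example.com/sso/saml",
    "idp_entity_id": "https://idp.example.com/metadata",
    "x509_certificate": SAMPLE_CERT,
    "remote_logout_url": "https://idp.example.com/dashboard",
    "name_id": "email",
}
```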

Step 4 - Test & Enable

The setup is now complete but it is NOT yet visible for employees on the login page.

Note

Please ensure you have an account in your Identity Provider which has the new App assigned to it, and an account in our system with the same email address.

When you are ready you must enable it:

  • On the Sign On page, click the Enable button next to Single Sign On (SAML)
  • Copy the test link
  • Open an Incognito/InPrivate browser tab and paste in the link
  • You should be redirected to your Identity Provider login page
  • If you login, you should be redirected back to our system and automatically logged in

Note

If you haven't already done so, we recommend that you log back in to your Identity Provider and assign all your users and groups.

  • If the test worked, go back to the other browser window and click the Enable button
  • If you experience any errors please check the settings are correct. If you need further assistance please capture any error message screens and contact support

You have now enabled Single Sign On (SAML) for all employees. To check the login is working:

  • Visit your login URL (not the test one); it should be something like https://<your-sub-domain>.workstars.com. You should be redirected to your Identity Provider login page and asked to log in. If you are already logged in, you should be redirected back and logged into our system.
  • Depending on your Identity Provider, your employees may be able to log in directly from the Identity Provider portal. To test this, log in to your Identity Provider portal and click the app. You should be redirected to our site and logged in.

Troubleshooting

Below are a few possible errors and how to resolve them.

On our login page it says “Sorry we could not find your account, please contact your HR Team”

Strictly speaking this isn't an error. The reason is that you have tried to log in via SAML, but the account you have used does not have a matching account in our system. To resolve it, simply create an account in our system with the same details. If you are not using email as the NameID, please check that the alternative is the same in both systems (e.g. employeeID, externalID, etc.) and that it is being correctly sent in the SAML request.
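As an added example (not Workstars' code) of why this message appears, the Python below reads the NameID from a constructed SAML Response from a hypothetical Identity Provider and looks it up the way the Sign On NameID setting directs; the account directory is constructed too. It also flags the case where the Identity Provider sends a NameID in a different format than the one configured, which is the mismatch described above.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NOT_FOUND = "Sorry we could not find your account, please contact your HR Team"

# Constructed SP account directory holding both supported NameID types.
ACCOUNTS = [
    {"email": "alice@example.com", "employeeID": "E1001"},
    {"email": "bob@example.com", "employeeID": "E1002"},
]

# Constructed SAML Response from a hypothetical IdP (signature and other elements omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (value, format) of the assertion's NameID. A real SP verifies the Response
    signature against the IdP certificate before reading anything; this only inspects the NameID."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID; check the app's NameID mapping at the IdP")
    return node.text.strip(), node.get("Format", UNSPECIFIED_FORMAT)


def match_account(response_xml: str, name_id_setting: str = "email") -> tuple[dict | None, str]:
    """Look up the SP account using the NameID type chosen in Sign On ('email' or 'employeeID').
    Returns (account, 'ok') or (None, login-page message plus a diagnostic hint)."""
    value, fmt = extract_name_id(response_xml)
    if name_id_setting == "email":
        # Email addresses compare case-insensitively; IdPs often send mixed case.
        hits = [a for a in ACCOUNTS if a["email"].lower() == value.lower()]
    else:
        hits = [a for a in ACCOUNTS if a[name_id_setting] == value]
    if hits:
        return hits[0], "ok"
    hint = f" [NameID {value!r} with format {fmt} matched no {name_id_setting}"
    if name_id_setting == "email" and fmt != EMAIL_FORMAT:
        hint += "; the IdP is not sending an email-format NameID"
    return None, NOT_FOUND + hint + "]"
```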

On our login page it says “There is a problem with Single Sign On please contact your IT department.”

This is a general error and means that there is something wrong with the setup. Please check it is set up as described above; if you have followed a different guide (some providers also have their own guides), please start again using this document as a guide. If you have checked everything and cannot find any issues, please contact support and we will help you resolve the problem.

I can log in from the Identity Provider's portal, but when I try to log in from the Workstars login page it redirects me to a message that says "page not found" or another error

This is usually because you have entered an incorrect SAML SSO URL; please check it is correct. If you have checked and cannot find any issues, please contact support and we will help you resolve the problem.