What does it do?
This article explains how to configure Single Sign-On (SAML 2.0) for your betterworks instance. These instructions are general guidelines and may change when your IDP updates its product; as a best practice, confirm these procedures against your IDP's own documentation as well.
Note: Please refer to Single Sign-On Overview for more details on why SSO is useful and a summary of the types of SSO. Also, see instructions for setting up Google Apps SSO.
IDPs
This article explains general SAML configuration steps and has specific instructions on how to configure SAML SSO for the following IDPs:
- Okta
- PingOne (PingFederate)
- OneLogin
- ADFS
- Bitium
- Microsoft Azure
Note for Microsoft Azure: We support both the AD and the FS configurations. The FS configuration is almost exactly the same as the AD configuration, so the Microsoft support article can be used as a reference for both. That Microsoft article says that its values for the Reply URL, Identifier, and Sign-On URL are placeholders and that you should contact betterworks; the values given here are the real ones. If you want SP-initiated sign-on, also read the important note about the Sign-on URL. If you only want IDP-initiated sign-on, skip the step regarding the Sign-on URL.
General Configuration Steps
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service. Treat the token like a credential: it is a literal value your IDP will include in every assertion for your instance, so keep it out of plain email and support tickets.
- Contact support@betterworks.com and notify us you'd like to enable SSO via SAML.
- Import the betterworks metadata/connection data into your IDP. Download the metadata file here. Note: if your IDP does not let you upload the metadata file directly, the configuration details you need to set up your IDP are contained in the metadata file.
- Configure your IDP to pass the user’s primary email address as the SAML subject.
- Configure the IDP to pass the attributes listed in the table below. Attribute names are case sensitive (givenName, not GivenName). saml_token is a literal: the same fixed value for every user, whereas the dynamic attributes are looked up per user.

| Attribute | Description | Dynamic or Literal |
| --- | --- | --- |
| givenName | User's first name | Dynamic |
| sn | User's last name | Dynamic |
| mail | User's email address | Dynamic |
| saml_token | Unique ID assigned by betterworks | Literal |
| employee_id (Optional) | Employee's organization or user ID | Dynamic |
- Provide betterworks with the XML file containing your IDP’s SAML metadata. Your IDP’s documentation should tell you how to generate the metadata file.
- We'll work with you to coordinate a time to enable and test your SAML based SSO implementation.
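Before sending your IDP metadata and enabling the connection, it is worth checking both artefacts against the contract above. The following is an added example (not betterworks code, nor any IDP's): it inspects an IDP metadata file for its entityID, HTTP-Redirect SSO endpoint and published signing key, then checks a SAML Response for the issuer, the email subject, the exact-case attribute names and the saml_token literal. The entity IDs, endpoint, certificate, users and token value are constructed samples; the script assumes the Response signature has already been verified and does not verify it itself.

```python
"""Pre-flight check of IDP metadata and a SAML assertion against the attribute
contract in this article (givenName, sn, mail, saml_token literal, optional
employee_id; subject = primary email).

Added example, not betterworks or IDP code. The metadata, the responses and the
token value are constructed samples. This does NOT verify the XML signature;
the Response signature must be validated (e.g. with xmlsec or python3-saml)
before any attribute in it is trusted.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Required attribute contract from the table: name -> "dynamic" | "literal"
REQUIRED = {"givenName": "dynamic", "sn": "dynamic", "mail": "dynamic", "saml_token": "literal"}

# Constructed IDP metadata (entityID, SSO endpoint and certificate are made up)
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response that satisfies the contract
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="saml_token"><saml:AttributeValue>tok-123</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="employee_id"><saml:AttributeValue>E1001</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with three common mistakes: wrong attribute case, a username
# instead of the email as subject, and a saml_token that is not ours
BAD_RESPONSE = (GOOD_RESPONSE.replace('Name="givenName"', 'Name="GivenName"')
                .replace(">jane@example.com</saml:NameID>", ">jdoe</saml:NameID>")
                .replace(">tok-123<", ">wrong-token<"))


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints by binding, and whether a signing key is published."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption
    has_signing = any(k.get("use") in (None, "signing")
                      for k in idp.findall("md:KeyDescriptor", NS))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "has_signing_key": has_signing, "sso": sso}


def check_assertion(xml_text, idp_entity_id, expected_token):
    """Return a list of contract violations; an empty list means the assertion is usable."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS) if root.tag.endswith("}Response") else root
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the IDP entityID {idp_entity_id!r}")
    subject = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_RE.match(subject):
        problems.append(f"subject NameID {subject!r} is not an email address")
    attrs = {attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED:
        if name in attrs and any(v.strip() for v in attrs[name]):
            continue
        # Exact-case comparison: 'GivenName' does not satisfy 'givenName'
        near = [n for n in attrs if n.lower() == name.lower() and n != name]
        hint = f" (found {near[0]!r}; attribute names are case sensitive)" if near else ""
        problems.append(f"missing or empty attribute {name!r}{hint}")
    if attrs.get("saml_token") and attrs["saml_token"][0] != expected_token:
        problems.append("saml_token literal does not match the token issued by betterworks")
    if attrs.get("mail") and attrs["mail"][0].strip().lower() != subject.lower():
        problems.append("mail attribute differs from the subject NameID")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("IDP:", meta["entity_id"], "| signing key:", meta["has_signing_key"],
          "| SSO:", meta["sso"].get(REDIRECT))
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(resp, meta["entity_id"], "tok-123") or "OK")
```

Run it as a script to see the good sample pass and the bad sample report four violations. To check a real file, read the metadata and a captured Response into the two strings instead of the constructed ones; if the metadata reports no signing key, the SP cannot verify assertions from that IDP, and the file should not be sent until that is fixed.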
Using SAML with Okta
If Okta is your IDP, follow these steps to configure your SAML SSO:
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service.
- Contact support@betterworks.com and tell them you want to enable SAML SSO.
- Log in to Okta as an administrator.
- Click on the Admin button, then click Add application.
- Find the betterworks Verified app.
- When prompted to provide the saml_token, enter the token provided by betterworks.
- Click Next and confirm that the “SAML 2.0” radio button is selected.
- Select View Setup Instructions for additional configuration details.
- Download the Okta Metadata file by clicking on the Identity Provider Metadata link and send the metadata file to betterworks.
- Our team will work with you to coordinate a time to enable and test your SAML based SSO implementation.
Using SAML with PingOne
If PingOne is your IDP, follow these steps to configure your SAML SSO:
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service.
- Contact support@betterworks.com, your CSM, or your Program Architect and tell them you want to enable SAML SSO.
- Log into PingOne as an administrator.
- Go to the Applications tab and click Application Catalog.
- Select the betterworks App.
- Choose the SAML 2.0 configuration option.
- When prompted, upload the betterworks metadata file. Download the metadata file here.
- Make sure that you are sending the email as the SAML_SUBJECT.
- Configure the other attributes as follows (attribute names are case sensitive):

| Attribute | Description | Dynamic or Literal |
| --- | --- | --- |
| givenName | User's first name | Dynamic |
| sn | User's last name | Dynamic |
| mail | User's email address | Dynamic |
| saml_token | Unique ID assigned by betterworks | Literal |
| employee_id (Optional) | Employee's organization or user ID | Dynamic |

- Download the SAML Metadata file and email it to betterworks.
- Our team will work with you to coordinate a time to enable and test your SAML based SSO implementation.
Using SAML with OneLogin
If OneLogin is your IDP, follow these steps to configure your SAML SSO:
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service.
- Contact support@betterworks.com, your CSM, or your Program Architect and tell them you want to enable SAML SSO.
- Log in to OneLogin as an administrator.
- Hover over the Apps tab and click Add Apps.
- Search for the betterworks App.
- Choose the SAML 2.0 configuration option.
- In the Configuration tab, enter the saml_token provided by Betterworks.
- Leave the remaining configuration options on their default settings.
- Find the More Actions drop-down and select the SAML Metadata option to download the OneLogin metadata and email the file to betterworks.
- Our team will work with you to coordinate a time to enable and test your SAML based SSO implementation.
Using SAML with ADFS
If you are using ADFS you can follow these steps:
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service.
- Contact support@betterworks.com, your CSM, or your Program Architect and tell them you want to enable SAML SSO.
- Upload the betterworks metadata file. Download the metadata file here.
- In ADFS, create a new Claim Rule for “Email, Given Name, and Surname” and configure it according to these guidelines:
- Create a new Claim Rule for “Email to NameID Transient” and configure it according to these guidelines:
- Create a new Claim Rule for “saml_token” and configure it according to these guidelines: when prompted for the saml_token value, enter the token provided by betterworks.
- Download the ADFS SAML metadata file and email it to betterworks.
- Our team will work with you to coordinate a time to enable and test your SAML based SSO implementation.
Using SAML with Bitium
Here are the steps to turn on SAML 2.0 for betterworks in Bitium:
- Create a Keybase account; we will use it to share your SAML token with you securely. Keybase is a free, easy-to-use message encryption service.
- Contact support@betterworks.com, your CSM, or your Program Architect and tell them you want to enable SAML SSO.
- In Bitium, go to “Manage Apps."
- Select betterworks from the list of installed apps.
- Click the “Single Sign-On” tab.
- Click the drop-down menu and select SAML authentication.
- Copy the Metadata XML from Bitium.
- When prompted to provide the saml_token, enter the token provided by betterworks.
- Click Save Changes.
- Send the Metadata XML you copied from Bitium to betterworks and ask them to set up the SAML connection on your account. JIT provisioning is also available upon request.
- Our team will work with you to coordinate a time to enable and test your SAML based SSO implementation.