May 2016
Workshare Single Sign-On
Integration Guide
Workshare Single Sign-On Integration Guide
Company Information
Workshare Ltd. (UK), 20 Fashion Street, London, E1 6PX, UK
Workshare Inc. (USA), 625 Market Street, 15th Floor, San Francisco, CA 94105, USA
Workshare Website: www.workshare.com
Trademarks
Trademarked names may appear throughout this guide. Instead of listing these here or inserting numerous trademark symbols, Workshare wishes to state categorically that no infringement of intellectual or other copyright is intended and that trademarks are used only for editorial purposes.
Disclaimers
The authors/publishers of this guide and any associated Help material have used their best efforts to ensure accuracy and effectiveness. Due to the continuing nature of software development, it may be necessary to distribute updated Help from time to time. The authors would like to assure users of their continued best efforts in supplying the most effective Help material possible.
The authors/publishers, however, make no warranty of any kind, expressed or implied, with regard to Workshare programs or Help material associated with them, including this guide. The authors/publishers shall not be liable in the event of incidental or consequential damages in connection with, or arising out of, the programs or associated Help instructions.
Copyright
© 2016. Workshare Ltd. All rights reserved. Workshare Professional and Workshare DeltaView are registered trademarks of Workshare Ltd. Workshare Compare, Workshare Protect, Workshare 3, Workshare DeltaServer, SafetyGain, and the Workshare logo are trademarks of Workshare Ltd. All other trademarks are those of their respective holders.
Table of Contents
Introduction ... 4
What is PingOne? ... 4
How SSO works ... 5
Common terminology ... 5
Considerations ... 6
Skills required ... 6
Prerequisites ... 6
Integration Process ... 7
Configure SSO for Workshare ... 8
Step 1: Submit your domain details ... 8
Step 2: Enable SSO ... 10
Step 3: Create PingOne account ... 11
Step 4: Configure connection between PingOne and IdP ... 13
Step 5: Install and configure AD Connect ... 14
Step 6: Complete connection to Workshare in PingOne ... 15
Step 7: Complete the SSO integration ... 16
Step 8: Test the SSO integration ... 17
FAQs ... 17
What is the federation protocol used? ... 17
What are common IdPs? ... 17
Further Reading ... 18
Introduction
This guide provides an overview of the Workshare single sign-on (SSO) integration and guides you through the setup process.
SSO is a user authentication process that permits a user to enter one name and password in order to access multiple applications.
The integration of Workshare with SSO provides a secure, convenient and faster way of signing in, enabling users to log in to Workshare using their company credentials – their company email address and login details.
Workshare uses PingOne to give customers secure SSO to my.workshare.com.
What is PingOne?
PingOne is a cloud-based identity-as-a-service (IDaaS) framework for secure identity access management. Workshare uses PingOne to provide SSO to the Workshare cloud application. You therefore need a PingOne account in order to use the Workshare SSO solution.
Once you have a PingOne account, you need to set up a connection to your user identity repository using federated SSO. Federated SSO uses the industry-standard SAML 2.0 protocol to establish a secure connection (an identity bridge) to your user repositories. User credentials are authenticated through the identity bridge and a token is generated for the credentials. The tokens are then used for SSO to the Workshare cloud application. The use of tokens implements the Tier 1 SSO standard, the highest level of security.
To enable the Workshare SSO solution, you therefore need a SAML-compatible Identity Provider (IdP) which typically provides the identity bridge described above. However, if you do not have a SAML-compatible IdP, you can use AD Connect to provide the identity bridge. AD Connect is a Ping proprietary product which you can download from PingOne once you have created your account.
How SSO works
Once SSO has been configured in the PingOne and Workshare accounts, the flow is as follows:
1. The end user logs in to Workshare using their corporate email address.
2. Workshare recognizes their domain as having SSO enabled for Workshare and offers the end user the option to sign in using their company credentials.
3. End users log in using their company credentials and gain access to Workshare.
In the background, in order to authenticate the user, Workshare issues a token to PingOne and PingOne takes the token and federates with an IdP. The IdP gets its information on the user from an authentication service/application, typically Microsoft Active Directory.
Common terminology
The following are common SSO terms used.
Identity repository: Stores the user credentials necessary to validate a user's local or network access to their organization (their company credentials). For example Active Directory.
Identity Provider (IdP): Stores identity profiles and verifies that a user is an authorized user. For example, PingFederate, Okta, SiteMinder.
Identity bridge: Connects PingOne to the identity repository. The IdP typically provides the identity bridge. AD Connect is a standalone identity bridge.
Note: For more information, see https://documentation.pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml#identityBridges.html
Considerations
This section provides a list of questions it is useful to ask before configuring the Workshare SSO add-on. The answers will influence the steps required to configure and set up SSO for Workshare.
1. Do you currently have SSO set up for other applications?
2. Do you have an IdP? If so, which one?
3. What identity repository do you use?
4. Do you have an ADFS (Active Directory Federation Services) solution in place?
5. Do you have a PingOne account?
Skills required
During the course of the SSO enablement, you may need to engage members of your team who have skills/expertise in the following areas:
IT security
Active Directory
Network infrastructure
SSO owner/manager (if you already have an SSO solution in place for other applications)
These roles could be fulfilled by one or several people.
Prerequisites
In order to integrate the Workshare SSO add-on, you will need the following:
A PingOne account for Cloud Access Services
If you do not already have a PingOne account, Workshare will help you create one during the integration process.
A SAML 2.0-compatible Identity Provider (IdP). For example, PingFederate,Google Apps for Work, Okta, SiteMinder
If you do not have this, you can use AD Connect to link PingOne to your identity repository. AD Connect is downloaded from PingOne once your account is set up.
If you require AD Connect, use the links below to check the install requirements:
Install AD Connect
Install AD Connect with IIS
Note: AD Connect must be installed on a different server to AD; the Windows Server host must reside in an Active Directory domain.
Integration Process
The integration process will vary according to your requirements and your existing infrastructure.
This guide will go through all the possible configuration required. So, for example:
If you do not have an existing PingOne account and need AD Connect to connect to your identity repository, you will need to follow all the steps.
If you already have a PingOne account, you can skip steps or vary steps as explained throughout the process.
The process includes the configuration required in your Workshare account, the creation of a PingOne account and the connection (identity bridge) from PingOne to your IdP. It includes the following steps:
Step 1: Submit the domain details
Step 2: Enable SSO
Step 3: Create PingOne account
Step 4: Configure connection between PingOne and IdP
Step 5: Install and configure AD Connect
Step 6: Complete connection to Workshare in PingOne
Step 7: Complete the SSO integration
Step 8: Test the SSO integration
SSO must be enabled for your Workshare account in order for you to configure SSO. If you need more information, or guidance through any of the process, contact [email protected], your assigned Customer Success Manager or [email protected].
Note: You will need to be an Account Admin user on your Workshare account.
Configure SSO for Workshare
Step 1: Submit your domain details
1. Access the Admin Console by clicking your user name in the Workshare topbar and selecting Admin Console.
2. Select the Services tab and then select Single Sign-On in the left menu. The Single Sign-On page is displayed.
3. Click Add Email Domain.
4. In the Email domain field, enter the email domain to be used with SSO.
5. In the idpid field, enter your idpid. This is a PingOne parameter that uniquely identifies your organization and can be found on your Dashboard in PingOne.
Your idpid is the last part of your PingOne dock URL.
If you do not yet have a PingOne account, enter something relevant. For example, if you work for the law firm Minton Dresden Stafford, you could enter MDSlaw; this will be used as your idpid when you create your PingOne account a few steps from now.
6. Select the Enforce SSO login for all email addresses in this domain checkbox if you want all email addresses in the specified domain to use SSO.
Note: You should only select this checkbox if all users with email addresses in this domain will be able to sign in using SSO. If your identity server cannot log in all email users in this domain, or if you intend to restrict SSO access to specific users or groups, you should not select this checkbox, since that would prevent users who do not have SSO access from collaborating using free personal accounts.
7. Click Request Email Domain.
It may take up to 3 working days for the request to be approved. During this period, Workshare needs to confirm your ownership of the email domain that you have applied for. You may need to provide evidence of ownership. Once the request is approved, you will receive an email confirmation.
Note: When your email domain request is approved, its status in the Single Sign-On page will change to Ready to Enable.
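The following is an added example, not Workshare or Ping Identity code, that models the sign-in routing described in "How SSO works" together with the domain status and enforce checkbox from Step 1: only a domain that has reached SSO Enabled routes users to SSO, and the enforce checkbox decides whether a password account remains an alternative. The registry contents, the "Requested" status label and the route names are constructed for the example.

```python
"""Sign-in routing for SSO-enabled email domains (added example).

Not Workshare or Ping Identity code. Models the behaviour described in
"How SSO works" and Step 1: only a domain with status SSO Enabled routes
users to SSO, and the "Enforce SSO login for all email addresses in this
domain" checkbox decides whether a password account still works. The
registry, the "Requested" label and the route names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Statuses shown on the Single Sign-On page of the Admin Console.
REQUESTED = "Requested"            # assumed label for a domain awaiting approval
READY_TO_ENABLE = "Ready to Enable"
SSO_ENABLED = "SSO Enabled"


@dataclass(frozen=True)
class EmailDomain:
    domain: str        # e.g. "mdslaw.example"
    idpid: str         # PingOne organization identifier entered in Step 1
    status: str        # one of the three status labels above
    enforce_sso: bool  # the "Enforce SSO login ..." checkbox


# Constructed registry standing in for the Admin Console's domain list.
REGISTRY = {
    "mdslaw.example": EmailDomain("mdslaw.example", "MDSlaw", SSO_ENABLED, True),
    "partners.example": EmailDomain("partners.example", "partnersidp", SSO_ENABLED, False),
    "pending.example": EmailDomain("pending.example", "pendingidp", READY_TO_ENABLE, True),
}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def login_route(email: str, registry=REGISTRY) -> str:
    """Decide how a sign-in attempt for `email` proceeds.

    "password"      domain not registered, or registered but not yet SSO Enabled
    "sso_optional"  SSO is offered, but a personal password account still works
    "sso_required"  the enforce checkbox is set, so only SSO is accepted
    """
    entry = registry.get(domain_of(email))
    if entry is None or entry.status != SSO_ENABLED:
        return "password"
    return "sso_required" if entry.enforce_sso else "sso_optional"


def idpid_for(email: str, registry=REGISTRY) -> Optional[str]:
    """The PingOne idpid to hand the user to, or None when SSO is not in play."""
    if login_route(email, registry) == "password":
        return None
    return registry[domain_of(email)].idpid


if __name__ == "__main__":
    for addr in ("alice@MDSlaw.example", "bob@partners.example",
                 "carol@pending.example", "dave@elsewhere.example"):
        print(f"{addr:28} -> {login_route(addr):13} idpid={idpid_for(addr)}")
```

The "sso_optional" route is the case the Note above protects: with the checkbox unset, a user in the domain who has no SSO access can still collaborate from a personal password account.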
Step 2: Enable SSO
8. In the Single Sign-On page of the Admin Console, select the Enable single sign-on checkbox.
9. Choose how to continue:
If you already have a PingOne account, click the link below the checkbox and log in to PingOne. You can now go to Step 4.
If you do not have a PingOne account, go to this URL to create one: https://admin.pingone.com/web-portal/register and follow Step 3 below.
Note: If you do not have a PingOne account, do not use the link in Workshare. You must create an Enterprise account in PingOne, and this link only takes you to the standard PingOne account registration page.
Step 3: Create PingOne account
10. When you click the link in step 9, the PingOne Register screen is displayed.
11. Select PingOne for Enterprise as the account type.
12. In the Profile setup area, enter your name and contact details.
13. For the Registration key, enter your registration key. This will be provided to you by Workshare. If you haven’t got this key, contact [email protected], your assigned Customer Success Manager or [email protected].
14. In the Password area, enter a chosen password for your PingOne account.
15. Click Register.
16. Click Agree & Proceed on the legal notice. You will receive an activation email from PingOne that looks something like this:
17. Click Activate PingOne and enter your password. You are logged in to your PingOne account and your PingOne Dashboard is displayed.
Step 4: Configure connection between PingOne and IdP
18. In your PingOne Dashboard, click Finish your Setup.
Note: You can also access this page by logging in to your PingOne account and navigating to the Setup > Identity Repository page.
19. Click Connect to an Identity Repository.
20. If you have a SAML-compatible IdP, select it from the list and click Next. Use the relevant PingOne documentation (linked below) to complete the connection then go to Step 6.
Connect to PingFederate
Connect to Google Apps for Work
Connect to Third Party SAML Services
If you do not have a SAML-compatible IdP, select AD Connect and continue following Step 5.
Step 5: Install and configure AD Connect
21. Click Next.
22. Click Download AD Connect.
23. Enter a product key. You create your own product key, like a password, following the instructions in the UI. The product key must be at least 8 characters, including at least 1 upper case letter, one lower case letter and one digit.
24. Click Next.
25. Make a note of your product key and organization ID.
26. Unzip the adconnect-installer.zip that you downloaded.
27. Run the Run-as-administrator.cmd file.
28. Follow the steps in the installer and enter the product key and organization ID when requested.
29. Click Activate.
30. Once activated, click Next.
31. Select Default Web Site and click Next.
32. Click Next.
33. Click Install.
34. Once installation is complete, click Finish. A web page is displayed confirming the installation has completed.
35. Click Verify Installation.
Step 6: Complete connection to Workshare in PingOne
36. In PingOne, select the Applications tab.
37. Check that Workshare has been listed in your applications.
38. Click the Workshare application to select it and scroll to the Attributes area.
39. Map the Workshare attributes (Application Attribute) to your identity bridge attributes. When using AD Connect as your identity bridge, you must configure the following attributes:
Workshare attribute    AD Connect attribute
subject                mail
email                  mail
name                   cn
groups                 memberOf
40. Select Save & Publish.
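The following is an added example, not PingOne or Workshare code (PingOne applies the mapping itself when you Save & Publish). It carries out the Step 6 table as a function, so you can see what the mapping requires of the attributes your identity bridge releases and which omissions leave a user unidentifiable to Workshare. The sample directory entries and the optional registered-domain check are constructed for this example.

```python
"""Attribute mapping from AD Connect to Workshare, per the Step 6 table.

Added example, not PingOne or Workshare code. The sample directory
entries and the expected-domain check are constructed.
"""
from typing import Optional

# Workshare application attribute -> AD Connect (Active Directory) attribute.
WORKSHARE_ATTRIBUTE_MAP = {
    "subject": "mail",
    "email": "mail",
    "name": "cn",
    "groups": "memberOf",
}

# Source attributes without which the user cannot be identified to Workshare.
REQUIRED_SOURCE_ATTRIBUTES = ("mail", "cn")


class AttributeMappingError(ValueError):
    """The directory entry cannot be mapped to a usable Workshare identity."""


def _single(ad_attr: str, value) -> str:
    """Return the one value of a single-valued attribute, or raise."""
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise AttributeMappingError(f"{ad_attr} must have exactly one value")
        value = value[0]
    return value.strip()


def map_workshare_attributes(ad_entry: dict, expected_domain: Optional[str] = None) -> dict:
    """Build Workshare's attribute set from one AD Connect user entry.

    `ad_entry` maps LDAP attribute names to a string or a list of strings
    (memberOf is multi-valued in Active Directory). When `expected_domain`
    is given, the mail domain must match the email domain registered in
    Step 1, since Workshare matches users to SSO by that domain.
    """
    missing = [a for a in REQUIRED_SOURCE_ATTRIBUTES if not ad_entry.get(a)]
    if missing:
        raise AttributeMappingError("directory entry lacks " + ", ".join(missing))

    out = {}
    for ws_attr, ad_attr in WORKSHARE_ATTRIBUTE_MAP.items():
        value = ad_entry.get(ad_attr)
        if ws_attr == "groups":
            # A user in no groups is legitimate; normalise to a list of DNs.
            if value is None:
                value = []
            elif isinstance(value, str):
                value = [value]
            out[ws_attr] = list(value)
        elif ad_attr == "mail":
            # Lower-case so subject and email compare equal however the
            # address was typed into the directory (a design choice here).
            out[ws_attr] = _single(ad_attr, value).lower()
        else:
            out[ws_attr] = _single(ad_attr, value)

    if expected_domain and out["email"].rpartition("@")[2] != expected_domain.lower():
        raise AttributeMappingError(
            f"{out['email']} is outside the registered domain {expected_domain}")
    return out


# Constructed sample directory entries.
SAMPLE_USER = {
    "mail": "Ann.Smith@MDSlaw.example",
    "cn": "Ann Smith",
    "memberOf": ["CN=Legal,OU=Groups,DC=mdslaw,DC=example",
                 "CN=Workshare Users,OU=Groups,DC=mdslaw,DC=example"],
}
SAMPLE_USER_NO_GROUPS = {"mail": "t.jones@mdslaw.example", "cn": "Tom Jones"}
SAMPLE_USER_NO_MAIL = {"cn": "Service Account", "memberOf": []}


if __name__ == "__main__":
    print(map_workshare_attributes(SAMPLE_USER, expected_domain="mdslaw.example"))
```

Because both subject and email are sourced from mail, an account without a mail attribute (such as SAMPLE_USER_NO_MAIL) cannot be identified to Workshare at all, which is why the function rejects it rather than emitting an empty subject.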
Step 7: Complete the SSO integration
41. Return to the Single Sign-On page in the Workshare Admin Console. The status of your domain should now be Ready to Enable.
42. Click the email domain with the status of Ready to Enable. The Single Sign-On page is displayed as follows:
43. Click Enable Email Domain at the bottom of the page.
The status of your email domain changes to SSO Enabled.
Users with email addresses within this domain can now sign into Workshare using their company credentials.
Note: You may be able to limit SSO access to particular users or groups of users – this can be configured in your PingOne account pages.
Step 8: Test the SSO integration
To confirm your SSO integration was successful, log into Workshare using corporate credentials from a machine within the network and also one from outside your network.
FAQs
This section provides answers to some common questions.
What is the federation protocol used?
SAML 2.0
What are common IdPs?
PingFederate is the Ping Identity multiservice, standalone identity bridge for the enterprise. PingFederate can connect to a large variety of user repositories, and supports connections to multiple PingOne accounts.
Google OpenID Connect is an identity bridge for Google Apps for Work. If customers are already using Google Apps for mail and calendar, there are just a few extra steps to use Google OpenID Connect as their identity bridge.
Third Party SAML: There are many federation tools that support the SAML protocol. Examples of third party SAML products that can operate as identity bridges are Microsoft ADFS, Shibboleth, CA Siteminder, Oracle Identity Federation, and others. PingOne can interoperate with all providers supporting SAML 2.0.
Further Reading
Overview of SSO: https://www.pingidentity.com/en/ultimate-guides/ultimate-guide-to-sso.html
Overview of PingOne: https://www.pingone.com/#how-it-works
General PingOne resources: https://www.pingone.com/#resources
AD Connect datasheet: https://www.pingone.com/upload/AD-Connect-Datasheet-3-12.pdf
Configuring AD Connect video: http://bcove.me/4ya3iw7z
AD Connect FAQ: https://www.pingone.com/upload/AD-Connect-FAQ-3-12.pdf