Currently, SSO implementation on the side of Workplace Management (and Experience) is always done by the Spacewell Integration team.

Azure AD Configuration Guide

Below you will find the necessary steps to create a Single sign on application inside the Azure AD portal.

Creating Azure application

1. In Azure AD, navigate to Enterprise applications

   

   
   

2. Press on “New Application”

   

   
   

3. Press on “Create your own application”

   

   
   

4. Fill in a suitable name and select the option “ Integrate any other application you don't find in the gallery (Non-gallery)“. After that, click on “Create”. It might take some time for the application to be created. Azure will provide you will the following message until it is ready.

Setting up single sign on

Once the application is created and you are navigated to the application properties screen.

1. Click on “Set up single sign on” or do this in the menu on the left with “Single sign-on”

   

2. Select the “SAML” option

Automatic using metadata file

The easiest way to fill in the single sign on settings is through the metadata file. This can be acquired in two ways:

• Through your Spacewell contact which has provided you with the URL. If so, you can skip to uploading the metadata file

• By collecting it yourself. To do this, you need to retrieve the server instance of your Workplace Management system. View the section below for this https://spacewell.atlassian.net/wiki/spaces/~62e256719974783acc356c63/pages/128024601.

1. Once you have the URL, make sure to save the XML to your computer.

2. If you would like to manually setup the necessary settings, you can retrieve these values from the metadata. We will not provide documentation for a manual setup, as we suspect the necessary knowledge is available to you if you decide to select this option.

Uploading the metadata

1. In Azure, click on “Upload metadata file”

   

2. Select the XML that you have just saved to your computer and press on “Add”

   

3. As a result, you should be presented with a “Basic SAML Configuration” page. In this you can find the pre-filled values from the metadata file. One value that you can add is the “Sign on URL (Optional)”. Using this value will allow Service Provider Initiated Single Sign On. This is not necessary, but is advised to fill in. In most cases, this URL should be the following: https://client.axxerion.com/axxerion/sso
   Where you replace “client” with your client specific URL that you should already be familiar with. Be aware that Workplace Management supports multiple SSO connections within one client environment. If that is the case, this URL will be different and should be discussed with your Spacewell contact.

4. Once you have entered the necessary values, press “Save”.

5. Once saved successfully, close the configuration screen. Azure might prompt you to test the connection. Decline this offer, as several settings still need to be set (both in Azure as well as on the Workplace Management end).

Setting additional claims (optional)

If you intend to use the SSO connection in combination with Just In Time Provisioning, you might want to add additional claims. To do this, navigate to “Attributes & Claims” and press “Edit”

In the resulting screen, you can add any (group) claims if preferred. If you need further assistance adding these, please consult with your Azure administrator on how to add these.

Adding users

1. In the menu on the left, click on “Users and groups”

   

   
   

2. Press on “Add user/group”

   

   
   

3. Press on “None selected” and search for either the users or a specific group that you would like to give access to the Single sign on application.

4. Press on “Select” to add the users and/or groups

   

   
   

5. Press on “Assign” to assign the users to the application

   

6. Any other changes to the users and/or groups should be done by the Azure administrator from your end.

Sharing the necessary information

If you are done with all the above steps, you can share the metadata file from the application with your Spacewell contact. On the SAML-based Sign-on page, navigate to section 3 “SAML Certificates” and share the “App Federation Metadata Url” with your Spacewell contact. They will take the necessary steps on their end to allow the SSO connection to work.

Certificate renewals

• Every year, Workplace Management will update the certificate that is used for the SSO connection. Currently, Azure will accept this certificate without any necessary steps from your end being necessary.

• In case the certificate is renewed on the Azure end, Spacewell should be notified of this as soon as possible through the necessary support channels. Having provided Spacewell with the Federation Metadata URL will allow a Spacewell contact to easily update the necessary settings on the Workplace Management end. Should Spacewell not be notified, the SSO connection will cease to function once the certificate on the end of Azure expires.

Okta Configuration Guide

Below you will find the necessary steps to create a Single sign on application inside the Okta portal.

Creating Okta SSO application

1. In Okta, navigate to “Applications > Applications” and press on “Create App Integration”

   

   
   

2. In the modal, please select “SAML 2.0” and click on “Next”

   

3. Fill in an “App name” and press on “Next”. You are free to check any of the “App visibility” options if they apply to you. Also, you do not need to add anything for the App logo as this application will not be used to be presented to your users (more on this in the “Creating Okta Bookmark application” section)

Metadata information

The easiest way to retrieve the information necessary for the SAML 2.0 connection is through the metadata file. This can be acquired in two ways:

• Through your Spacewell contact which has provided you with the URL. If so, you can skip to uploading the metadata file

• By collecting it yourself. To do this, you need to retrieve the server instance of your Workplace Management system. View the section below for this https://spacewell.atlassian.net/wiki/spaces/~62e256719974783acc356c63/pages/128024601.

1. Once you have the URL, you can open this in your browser. If so inclined, you can also download the file and open it in your favorite text editor.

2. In the below table, you can find the mapping with in the first column the field in the Okta application and in the second column the tag name in the XML from the Workplace Management Federation Metadata.
   

3. Scroll down to the “Attribute Statements (optional)” and add the attributes that should be shared. As a minimal, you should add “user.email”, “user.firstName” and “user.lastName”. Take note of the values in the column “Name”, as those need to be shared with your Spacewell contact. Use the “Add Another” button to add additional attributes if you need those.

4. Press on “Next”

5. In the next screen, set the value to “I’m an Okta customer adding an internal app” and “This is an internal app that we have created”.

6. Click “Finish”

7. In the resulting screen, navigate to the section “SAML Signing Certificates”.
8. Click on the active certificate and press “Actions”, followed with “View IdP metadata”.
9. A tab should open with the necessary Metadata URL. Make note of the URL and share this with your Spacewell contact.

Creating Okta Bookmark application (optional)

If you would like users to login from Okta into Workplace Management, you will need to make a bookmark application. The SSO application in Okta does not allow a URL to be specified with which a user can login. Adding a bookmark application does make this possible.

In Okta, click on “Applications > Applications” followed by “Browse App Catalog”

1. Search for “Bookmark” in the search bar and select the “Bookmark App”

   

   
   

2. Click on “Add Integration”

   

   
   

3. Fill in an “Application Label” and the “URL”. In most cases, the URL value should be the following: https://client.axxerion.com/axxerion/sso
   Where you replace “client” with your client specific URL that you should already be familiar with. Be aware that Workplace Management supports multiple SSO connections within one client environment. If that is the case, this URL will be different and should be discussed with your Spacewell contact.

4. Press on “Done” when you are ready

Assign users

Assigning users applies to at least the SSO application and optionally the bookmark application.

1. Open the application and go to the “Assignments” tab. Click on “Assign” and select if you would like to add People or Groups

   

   
   

2. In the below example, we will add one specific user. Select the users that you would like to add and press “Assign”. Once assigned, press “Done”

   

   
   

3. Your users should be visible in the application

Add application logo (optional)

1. If you would like to add a logo to either application, you can download the Workplace Management logo below.

2. Click on the logo and the image should be enlarged.

3. You can download it by pressing the “Download” icon on the top right.

   

   
   

4. Open the application and press on the “pen” icon near the existing logo (most likely the cog)

   

5. Then select the downloaded image and press on “Update Logo”

Certificate renewals

• Every year, Workplace Management will update the certificate that is used for the SSO connection. Currently, Okta will accept this certificate without any necessary steps from your end being necessary.

• In case the certificate is renewed on the Okta end, Spacewell should be notified of this as soon as possible through the necessary support channels. Having provided Spacewell with the Federation Metadata URL will allow a Spacewell contact to easily update the necessary settings on the Workplace Management end. Should Spacewell not be notified, the SSO connection will cease to function once the certificate on the end of Okta expires.

ADFS Configuration Guide

Below you can find the settings that, if used, will lead to a successful SAML connection with Workplace Management. These settings have lead to the most successful connections with clients. Deviating from the below settings might cause billable hours by your Spacewell contact.

Settings in ADFS

Throughout the images below, you will find references to the server “axpr05”. This should be replaced with your Workplace Management server. You can find this information in thew section below https://spacewell.atlassian.net/wiki/spaces/~62e256719974783acc356c63/pages/128024601.

Setup the necessary claims

Custom claim

The custom claim that is used above is setup as follows:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "!!!REPLACE!!!entityId of the ADFS on your end!!!REPLACE!!!", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "!!!REPLACE!!!url of Axxerion server!!!REPLACE!!!");

Custom claims in case the above does not work

In the rare case that the above instruction is not sufficient for a working connection, the following custom claims might need to be implemented. All the other claims should be removed.

Custom claim 1

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

Custom claim 2

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "!!!REPLACE!!!entityId of the ADFS on your end!!!REPLACE!!!", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "!!!REPLACE!!!url of Workplace management server!!!REPLACE!!!");

Retrieving Federation Metadata URL for WPM

Anchor
Retrieving-Federation-Metadata-URL-for-Workplace-Management Retrieving-Federation-Metadata-URL-for-Workplace-Management

Inside Workplace Management, navigate to the environment setup by clicking on the “Setup” dashboard button or in the menu on “Admin > Setup”.

Take note of the server number

The metadata URL can be found by using the following URL:

https://axpr00.axxerion.com/axxerion/saml/metadata

In this URL, you should replace the 00 with your server number. Be aware: if you are on a server with a single digit 'x', it should be axpr0x.

• Use the provided configuration guides to set up SSO on the clients end.