Difficulty: expert

Content

Learning Objectives

After reading this article, you’ll be able to:

  • Configure SSO for Workplace Management on the client side.

  • Retrieve the Workplace Management federation metadata URL.

The configuration guides for setting up your Single Sign-On application can be found below.

Info

Currently, the SSO implementation on the Workplace Management (and Experience) side is always done by the Spacewell Integration team.


Azure AD Configuration Guide

Below you will find the necessary steps to create a single sign-on application inside the Azure AD portal.

Creating Azure application

  1. In Azure AD, navigate to Enterprise applications

  2. Press on “New Application”

  3. Press on “Create your own application”

  4. Fill in a suitable name and select the option “Integrate any other application you don't find in the gallery (Non-gallery)”. After that, click on “Create”. It might take some time for the application to be created; Azure will show you the following message until it is ready.

Setting up single sign on

Once the application is created, you are taken to the application properties screen.

  1. Click on “Set up single sign on”, or select “Single sign-on” in the menu on the left.

  2. Select the “SAML” option

Automatic using metadata file

The easiest way to fill in the single sign-on settings is through the metadata file, which is served at the Workplace Management federation metadata URL (see “Retrieving Federation Metadata URL for Workplace Management” below). The settings can be entered in two ways:

  1. Automatically: once you have the URL, save the XML it returns to your computer and upload it as described below.

  2. Manually: if you would like to set up the necessary settings by hand, you can read the values from the same metadata. We do not provide documentation for a manual setup, as we assume the necessary knowledge is available to you if you choose this option.

Info

Be aware: if you decide on a manual setup, Spacewell might charge you for any assistance that is required from a Spacewell consultant.

Uploading the metadata

  1. In Azure, click on “Upload metadata file”

  2. Select the XML that you have just saved to your computer and press on “Add”

  3. As a result, you should be presented with a “Basic SAML Configuration” page, showing the values pre-filled from the metadata file. One value that you can add yourself is the “Sign on URL (Optional)”. Filling it in enables Service Provider Initiated Single Sign On; this is not required, but it is advised. In most cases, this URL should be the following: https://client.axxerion.com/axxerion/sso
     Replace “client” with the client-specific part of the URL that you should already be familiar with. Be aware that Workplace Management supports multiple SSO connections within one client environment. If that is the case, this URL will be different and should be discussed with your Spacewell contact.

  4. Once you have entered the necessary values, press “Save”.

  5. Once saved successfully, close the configuration screen. Azure might prompt you to test the connection. Decline this offer, as several settings still need to be set (both in Azure and on the Workplace Management end).

Setting additional claims (optional)

If you intend to use the SSO connection in combination with Just In Time Provisioning, you might want to add additional claims. To do this, navigate to “Attributes & Claims” and press “Edit”.

In the resulting screen, you can add any (group) claims you prefer. If you need further assistance adding these, please consult your Azure administrator.

Adding users

  1. In the menu on the left, click on “Users and groups”

  2. Press on “Add user/group”

  3. Press on “None selected” and search for either the users or a specific group that you would like to give access to the Single sign on application.

  4. Press on “Select” to add the users and/or groups

  5. Press on “Assign” to assign the users to the application

  6. Any other changes to the users and/or groups should be made by your own Azure administrator.

Sharing the necessary information

If you are done with all the above steps, you can share the metadata file from the application with your Spacewell contact. On the SAML-based Sign-on page, navigate to section 3 “SAML Certificates” and share the “App Federation Metadata Url” with your Spacewell contact. They will take the necessary steps on their end to allow the SSO connection to work.

Certificate renewals

  • Every year, Workplace Management renews the certificate used for the SSO connection. Currently, Azure accepts the renewed certificate without any action on your end.

  • If the certificate is renewed on the Azure end, Spacewell should be notified as soon as possible through the usual support channels. Having provided Spacewell with the Federation Metadata URL allows a Spacewell contact to easily update the necessary settings on the Workplace Management end. Should Spacewell not be notified, the SSO connection will stop working once the Azure certificate expires.

Okta Configuration Guide

Below you will find the necessary steps to create a Single sign on application inside the Okta portal.

Creating Okta SSO application

  1. In Okta, navigate to “Applications > Applications” and press on “Create App Integration”

  2. In the modal, please select “SAML 2.0” and click on “Next”

  3. Fill in an “App name” and press on “Next”. You are free to check any of the “App visibility” options if they apply to you. You also do not need to add an App logo, as this application will not be presented to your users (more on this in the “Creating Okta Bookmark application” section).

Metadata information

The easiest way to retrieve the information necessary for the SAML 2.0 connection is through the Workplace Management federation metadata file (see “Retrieving Federation Metadata URL for Workplace Management” below).

  1. Once you have the URL, open it in your browser. If so inclined, you can also download the file and open it in your favorite text editor.

  2. Use the table below to map each field in the Okta application (first column) to the tag in the federation metadata XML that holds its value (second column).

     Okta field                    Tag in federation metadata
     Single sign-on URL            md:AssertionConsumerService > Location
     Audience URI (SP Entity ID)   md:EntityDescriptor > entityID
     Name ID format                Transient

  3. Scroll down to “Attribute Statements (optional)” and add the attributes that should be shared. At a minimum, add “user.email”, “user.firstName” and “user.lastName”. Take note of the values in the “Name” column, as these need to be shared with your Spacewell contact. Use the “Add Another” button to add further attributes if you need them.

  4. Press on “Next”.

  5. In the next screen, select “I’m an Okta customer adding an internal app” and “This is an internal app that we have created”.

  6. Click “Finish”.

  7. In the resulting screen, navigate to the section “SAML Signing Certificates”.

  8. Click on the active certificate and press “Actions”, followed by “View IdP metadata”.

  9. A tab should open with the necessary metadata URL. Make note of the URL and share it with your Spacewell contact.

Creating Okta Bookmark application (optional)

If you would like users to log in from Okta into Workplace Management, you will need to create a bookmark application. The SSO application in Okta does not allow a URL to be specified with which a user can log in; adding a bookmark application makes this possible.

In Okta, click on “Applications > Applications” followed by “Browse App Catalog”

  1. Search for “Bookmark” in the search bar and select the “Bookmark App”

  2. Click on “Add Integration”

  3. Fill in an “Application Label” and the “URL”. In most cases, the URL value should be the following: https://client.axxerion.com/axxerion/sso
     Replace “client” with the client-specific part of the URL that you should already be familiar with. Be aware that Workplace Management supports multiple SSO connections within one client environment. If that is the case, this URL will be different and should be discussed with your Spacewell contact.

  4. Press on “Done” when you are ready

Assign users

Assigning users applies to at least the SSO application and optionally the bookmark application.

  1. Open the application and go to the “Assignments” tab. Click on “Assign” and select whether you would like to add People or Groups.

  2. In the below example, we will add one specific user. Select the users that you would like to add and press “Assign”. Once assigned, press “Done”

  3. Your users should be visible in the application

Add application logo (optional)

  1. If you would like to add a logo to either application, you can download the Workplace Management logo below.

  2. Click on the logo and the image should be enlarged.

  3. You can download it by pressing the “Download” icon on the top right.

  4. Open the application and press on the “pen” icon near the existing logo (most likely the cog)

  5. Then select the downloaded image and press on “Update Logo”

Certificate renewals

  • Every year, Workplace Management renews the certificate used for the SSO connection. Currently, Okta accepts the renewed certificate without any action on your end.

  • If the certificate is renewed on the Okta end, Spacewell should be notified as soon as possible through the usual support channels. Having provided Spacewell with the Federation Metadata URL allows a Spacewell contact to easily update the necessary settings on the Workplace Management end. Should Spacewell not be notified, the SSO connection will stop working once the Okta certificate expires.

ADFS Configuration Guide

Below you can find the settings that, if used, will lead to a successful SAML connection with Workplace Management. These settings have led to the most successful connections with clients. Deviating from them might result in billable hours from your Spacewell contact.

Settings in ADFS

Throughout the images below, you will find references to the server “axpr05”. This should be replaced with your own Workplace Management server. You can find this information in the section below: https://spacewell.atlassian.net/wiki/spaces/~62e256719974783acc356c63/pages/128024601.

Setup the necessary claims

Note

Be aware of the claim rule order: if the custom claim rule comes earlier than the others, the connection will fail.

Custom claim

The custom claim rule used above is set up as follows:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(
          Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "!!!REPLACE!!!entityId of the ADFS on your end!!!REPLACE!!!",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "!!!REPLACE!!!url of Axxerion server!!!REPLACE!!!"
        );

Note
  • Be sure to replace the entityId placeholder with your own ADFS entityId.

  • Be sure to replace the Workplace Management server placeholder with the required value.

Custom claims in case the above does not work

In the rare case that the above instruction is not sufficient for a working connection, the following custom claims might need to be implemented. All the other claims should be removed.

Custom claim 1

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(
          store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}",
          param = c.Value
        );

Custom claim 2

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
     => issue(
          Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "!!!REPLACE!!!entityId of the ADFS on your end!!!REPLACE!!!",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "!!!REPLACE!!!url of Workplace management server!!!REPLACE!!!"
        );

Note
  • Be sure to replace the entityId placeholder with your own ADFS entityId.

  • Be sure to replace the Workplace Management server placeholder with the required value.

Retrieving Federation Metadata URL for WPM

Inside Workplace Management, navigate to the environment setup by clicking on the “Setup” dashboard button or in the menu on “Admin > Setup”.

Take note of the server number.

The metadata URL can be found by using the following URL:

https://axpr00.axxerion.com/axxerion/saml/metadata

In this URL, replace 00 with your server number. Be aware: if your server has a single-digit number x, the host name is axpr0x (zero-padded).
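As an added example (not Spacewell or Axxerion code), the following Python builds the metadata URL from a server number as described above, reads out of the metadata the values the Okta mapping table asks for, and fingerprints the signing certificate so a renewal (see the “Certificate renewals” sections) can be noticed and reported. It assumes standard SAML 2.0 metadata namespaces; the embedded metadata sample, its certificate bytes and its AssertionConsumerService path are constructed.

```python
# Added example, not Spacewell/Axxerion code. Assumes the metadata URL pattern given above and
# standard SAML 2.0 metadata (md:/ds: namespaces); the sample metadata below is constructed.
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Placeholder certificate bytes (not a real X.509 certificate) and a made-up ACS path.
FAKE_CERT = base64.b64encode(b"CONSTRUCTED-CERT-BYTES-2024").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://axpr05.axxerion.com/axxerion/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://axpr05.axxerion.com/axxerion/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_url(server_number: int) -> str:
    """Federation metadata URL for a WPM server; single-digit servers are zero-padded (axpr0x)."""
    return f"https://axpr{server_number:02d}.axxerion.com/axxerion/saml/metadata"


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the Okta mapping-table fields plus a SHA-256 fingerprint of the signing cert."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    cert = root.find(f".//{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if acs is None or cert is None:
        raise ValueError("metadata lacks AssertionConsumerService or signing certificate")
    if not acs.get("Location", "").startswith("https://"):
        raise ValueError("AssertionConsumerService Location is not HTTPS")  # assertions must not travel in clear
    der = base64.b64decode("".join(cert.text.split()))  # drop any line wrapping before decoding
    return {
        "entity_id": root.get("entityID"),                 # Okta: Audience URI (SP Entity ID)
        "acs_url": acs.get("Location"),                    # Okta: Single sign-on URL
        "name_id_formats": [e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat")],  # Okta: Name ID format
        "cert_sha256": hashlib.sha256(der).hexdigest(),    # record this after each setup or renewal
    }


def certificate_renewed(stored_sha256: str, xml_text: str) -> bool:
    """True when the published signing cert differs from the fingerprint on record (report it to Spacewell)."""
    return parse_sp_metadata(xml_text)["cert_sha256"] != stored_sha256.lower()
```

Fetching the live metadata URL and running certificate_renewed against the fingerprint you stored at setup time is a simple scheduled check for the renewal case the guides describe.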

Summary

  • Use the provided configuration guides to set up SSO on the client's end.

Exercise

  •  N/A
