How to set up Workplace SSO

Difficulty: expert

Learning Objectives

After reading this article, you’ll be able to:

  • set up your Active Directory for communication with Workplace

  • understand how Workplace SSO works


Workplace Smart Buildings Single Sign-On (SSO) is available for all Workplace Experience touchpoints.

 


Prerequisites

  • Identity Provider Mapping (receiving the following attributes from the identity provider: "IWMS login ID", "First Name", "Last Name" and "E-Mail")

    • If the “IWMS login ID” attribute is not provided correctly, no mapping to an IWMS user is possible and the user will not be able to use any IWMS-dependent features such as making reservations.

  • (optional) Mapping between Active Directory account groups with Workplace roles

  • IWMS account for user must exist (unless you enable the “auto-creation of Workplace users” feature)

    • Ideally, an HR interface takes care of automatic creation of IWMS users

    • If the logged-in user doesn’t exist in IWMS, no mapping to an IWMS user is possible and the user will not be able to use any IWMS-dependent features such as making reservations.

It should be possible to identify the IDP based on the User’s email ID:

A specific email domain name (ex: @spacewell.com) can only be mapped with one IDP in the whole Spacewell system.

How is it set up?

Workplace supports the SAML 2.0 protocol, which is the industry standard among all up-to-date integrations.

The SSO configuration from IWMS cannot be re-used on Workplace. These are two separate apps from the Identity Provider's perspective, and each requires an independent SSO federation setup.

It is possible to set up multiple IDP providers for the same environment, see Workplace SSO FAQ & Troubleshooting | Is it possible to set up multiple IDP providers in 1 tenant?

IDP Metadata

The customer has to provide the customer IDP metadata.

Upload an XML file or provide a URL in the SSO Configuration screen.

SP (Spacewell) Metadata

In the SSO Configuration screen, you can generate the Spacewell metadata file.

Contact your Spacewell Account Manager to have Workplace SSO set up.

How does it work?

Workplace Single Sign-On (SSO) is available for all Workplace Experience touchpoints.

Spacewell employees can find more information on https://spacewell.atlassian.net/wiki/spaces/SUM/pages/178159642/Cobundu+SSO#How-it-works

First time login

  1. Workplace will evaluate the account ID prefix, and know this login attempt needs to happen via SSO.

  2. The user is redirected to the external identity provider login page.

  3. After the user enters the credentials, if the Identity Provider approves, the SSO connection returns the above-mentioned attributes (see Prerequisites) to Workplace.

  4. (if enabled) Workplace will automatically create a Workplace account (and link to the IWMS account).

  5. The user will be able to use all relevant Workplace functionalities.

Add the relevant e-mail address provider (e.g. @spacewell.com or @mcs.be) to the Workplace SSO configuration to whitelist the e-mail provider. To whitelist an e-mail domain, add it to Workplace back-end Studio Settings > SAML SSO > "Allowed email domains (comma separated)" (underneath "Auto-Create user").

  1. Workplace will evaluate the domain, and know this login attempt needs to happen via SSO.

  2. The user is redirected to the external SSO login screen.

  3. After the user enters the credentials, if the Identity Provider approves, the SSO connection returns the above-mentioned attributes (see Prerequisites) to Workplace.

  4. (if enabled) Workplace will automatically create a Workplace account (and link to the IWMS account).

  5. The user will be able to use all relevant Workplace functionalities.

Subsequent logins

Workplace will check when the user was last authenticated on the IDP side by providing username and password. The AuthnInstant value from the SAML response must fall within the following window:

 

<AuthnStatement AuthnInstant="2024-03-18T10:55:40.225Z"...

(now - 120 seconds - maxAuthLifeTime) < AuthnInstant < (now + 120 seconds)

  • by default, there is a 120 seconds tolerance (there can always be a glitch or slight misalignment in time stamp)

  • maxAuthLifeTime = setting on Workplace in months/years. This setting can be used to extend the tolerance time frame

 

The authentication lifetime setting in Workplace should be configured to align with your identity provider's authentication lifetime timeout value.

The "Maximum Authentication Lifetime" setting can be specified in hours, days, months or years. The value needs to be higher than 0 and is set to 2 years by default.

What happens if Maximum Authentication Lifetime is exceeded?

The user will see an SSO error page (the user is not disabled on the Cobundu side). The user needs to log out of the SSO session on the IDP side and perform a fresh login.
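The AuthnInstant window check from "Subsequent logins", as an added example that is not Spacewell's own code: it parses AuthnInstant from a constructed assertion fragment and applies the inequality given above. The function names, the sample XML and the 730-day approximation of the 2-year default are assumptions, and the assertion's signature is assumed to have been validated beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=120)  # default tolerance stated in the article
# Assumption: the "2 years" default is approximated as 730 days.
DEFAULT_MAX_AUTH_LIFETIME = timedelta(days=730)

# Constructed sample fragment (not captured from a real IdP). Signature
# validation of the assertion is assumed to have succeeded before this point.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-03-18T10:55:40.225Z"/>
</saml:Assertion>"""


def parse_authn_instant(assertion_xml):
    """Return AuthnStatement/@AuthnInstant as a timezone-aware UTC datetime."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion has no AuthnStatement/@AuthnInstant")
    raw = stmt.attrib["AuthnInstant"]
    # SAML timestamps are UTC ("Z"); fractional seconds are optional.
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable AuthnInstant: {raw!r}")


def check_authn_instant(authn_instant, now, max_auth_lifetime=DEFAULT_MAX_AUTH_LIFETIME):
    """(now - 120 s - maxAuthLifeTime) < AuthnInstant < (now + 120 s)."""
    if authn_instant >= now + CLOCK_SKEW:
        return "rejected: AuthnInstant lies in the future"
    if authn_instant <= now - CLOCK_SKEW - max_auth_lifetime:
        return "rejected: maximum authentication lifetime exceeded"
    return "accepted"


if __name__ == "__main__":
    instant = parse_authn_instant(SAMPLE_ASSERTION)
    for now in (datetime(2024, 3, 18, 10, 54, tzinfo=timezone.utc),   # IdP clock ahead
                datetime(2024, 3, 18, 19, 0, tzinfo=timezone.utc)):   # 8 h later
        print(now.isoformat(), check_authn_instant(instant, now, timedelta(hours=8)))
```

With an 8-hour lifetime, the sample assertion is still accepted at 18:57 UTC but rejected at 19:00 UTC, which is the point at which the user would land on the SSO error page.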

Login without SSO

If SSO is configured for your environment and you do not have a login within the Identity Provider, you need to follow a work-around:

  1. add /no-sso to the URL (e.g. https://go.cobundu.com/no-sso)

  2. select "Log in with your Cobundu credentials"

  3. proceed to log in with your Workplace ID and password

  1. enter your Workplace ID or e-mail address

  2. you are forwarded to the SSO log-in page

  3. in the top left corner, select “done”

  4. if you’re already logged in on GO, you don’t need to provide your credentials again. On the app, select “Login with QR Code”, then scan the QR code in your GO setting (see GO - Profile Settings | Connected Devices)

  5. if you do want to provide your Cobundu credentials, tap the key-icon a couple of times until the button “Login with your Cobundu Credentials” appears. Proceed to log in with your Workplace ID and password

SSO issues

If a user is experiencing SSO issues, they will be brought to a Cobundu page indicating that an error occurred. From here, the user can relaunch the SSO workflow.

See Workplace SSO FAQ & Troubleshooting

Automatic creation & update of Workplace users

see Automatic creation, update & deletion of Workplace users

Role Mapping

see Workplace SSO Role Mapping

 

Don’t forget to check out our Workplace SSO FAQ & Troubleshooting page

 


 
