Workplace SSO FAQ & Troubleshooting

Difficulty: expert

Learning Objectives

After reading this article, you’ll be able to:

  • query Workplace SSO issues


FAQ

For which touch points can Workplace SSO be configured?

Once configured, Workplace SSO is available on the following touch points:

How to test Workplace SSO setup?

On any of the above-mentioned touch points:

  1. The user provides their Workplace user ID (or e-mail address, depending on set-up).

  2. Workplace evaluates the account ID prefix and recognizes that this login attempt needs to happen via SSO. The user is redirected to the external SSO login screen.

  3. After the user enters their credentials (assuming the Identity Provider approves), Workplace automatically creates a Workplace account and links it to the IWMS account.

  4. The user will be able to use all relevant Workplace functionalities.

What happens if there is an SSO issue?

If a user is experiencing SSO issues, they will be brought to a Cobundu page indicating that an error occurred. From here, the user can relaunch the SSO workflow.

How does SSO treat Leavers in the company?

SSO is a sign-on tool. It does not make any updates to users, nor does it handle deletion or deactivation. If a user is set to disabled in the IWMS, the linked Workplace user is still active but no longer has any IWMS rights: the user can log in to Workplace touchpoints and browse reservable rooms, floorplans, etc., but as soon as they try to make a reservation, this will not be possible (because they no longer have the correct IWMS rights).

Is it possible to set up multiple IDP providers in 1 tenant?

IDP resolution is the mechanism of redirecting the user to the correct SSO provider when there are multiple providers configured for the same tenant. This happens based on the email domain of the user.

If there are multiple allowed email domains (linked to different providers) set up for the same tenant, and users try to log in to Workplace Experience:

  • some of them will be redirected to the Azure Cloud of IDP1 based on the email domain

  • similarly, others will be redirected to the Azure Cloud of IDP2 based on the email domain

A specific email domain name (e.g. @spacewell.com) can only be mapped to one IDP in the whole Spacewell system.
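The resolution rule described above, as an added sketch that is not Spacewell's implementation: it parses comma-separated allowed-domain values per provider, enforces the one-domain-to-one-IDP rule, and resolves a login ID to a provider. The function names, the settings shape, the sample domains and the exact (case-insensitive, no subdomain) matching are assumptions made for illustration.

```python
"""Illustrative IDP resolution by email domain (assumed logic, not Spacewell code)."""


class DomainConflict(ValueError):
    """Raised when one email domain is claimed by two different IDPs."""


def parse_domains(csv_value):
    """Parse a comma-separated 'allowed email domains' value into a set."""
    domains = set()
    for raw in csv_value.split(","):
        d = raw.strip().lower().lstrip("@").rstrip(".")
        if d:
            domains.add(d)
    return domains


def build_registry(provider_settings):
    """Map every domain to exactly one IDP; reject duplicate claims.

    provider_settings: {idp_name: "domain1, domain2"} (hypothetical shape).
    """
    registry = {}
    for idp, csv_value in provider_settings.items():
        for domain in parse_domains(csv_value):
            owner = registry.setdefault(domain, idp)
            if owner != idp:
                raise DomainConflict(f"{domain} already mapped to {owner}")
    return registry


def resolve_idp(email, registry):
    """Return the IDP for this login ID, or None if no SSO provider applies."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local:
        return None  # malformed address: never guess a provider
    # Exact match only: a suffix or substring match would send
    # 'user@notspacewell.com' or 'user@spacewell.com.example' to the wrong IDP.
    return registry.get(domain.lower().rstrip("."))


# Constructed sample configuration; provider names are placeholders.
SAMPLE = {"IDP1": "@spacewell.com, example.org", "IDP2": "example.net"}

if __name__ == "__main__":
    reg = build_registry(SAMPLE)
    for login in ("Ann@Spacewell.com", "bob@example.net", "eve@notspacewell.com"):
        print(login, "->", resolve_idp(login, reg))
```

Running the conflict check over all providers before saving a configuration change catches a domain that would otherwise be claimed by two IDPs.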

Troubleshooting

  • Check if the IWMS user is set up correctly

    • Does the user have the necessary rights?

    • Is the user enabled?

  • Check if the Workplace user is set up correctly

    • Is the Workplace user linked to the IWMS user?

    • Are any Roles assigned?

    • Is the user enabled?

    • Is “Local Attribute mapping of IWMS User ID” correct?

  • If you’re testing the access of the user in Workplace, does the SSO page open?

    • If yes, then please check SSO with your IT department

    • If no, please contact Spacewell Support and indicate if there is Spacewell-branding or 3rd party branding (to indicate on which side the issue is occurring)

  • What if the Auto-Create User field “Allowed email domains (comma separated)” is not editable (grey)?

    • “Allowed email domains” is a cross-tenant setting, and can only be managed with global super-accounts by Spacewell.

    • In some cases, it can even be greyed out for global super-accounts. This happens for example in special cases of custom setup with CMEK. This list then needs to be manually managed from the back-end.

 

Spacewell employees can find some SSO process infographics on https://spacewell.atlassian.net/wiki/spaces/KB/pages/833191947.

 

 


 
