SAML

Worklytics supports the Security Assertion Markup Language (SAML) for user authentication. You can integrate any Identity Provider (IdP) your company already uses if it supports SAML.

Background

The Worklytics platform collects and analyzes workplace data at the instruction of Customer Organizations on their behalf, in accordance with our Privacy Policy, Terms of Service, and any customer agreement / laws / regulations which may supersede those terms. The Customer Organization remains the controller of this data and may instruct Worklytics to halt processing and destroy it at any time.

Prerequisites

To set up a SAML integration, you must be an administrator of your Worklytics account. If you don't have a Worklytics account, you can sign up here or contact our support team for information on how to proceed.

Supported Features

The current version of the Worklytics SAML support provides the following features:

  • Service Provider Initiated (SP-initiated) login flow. This option gives your end-users the ability to log into the Worklytics Login page using their email addresses.

  • Identity Provider Initiated (IdP-initiated) login flow. This option allows your end-users to sign in to Worklytics from your Identity Provider's website or application.

  • The Worklytics SAML implementation requires the email address NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. Worklytics therefore treats the "name identifier" of each assertion's subject as that user's email address.

  • The ability to assign user roles based on the value of a SAML attribute sent by the IdP in the assertions. The configuration of this feature depends on the IdP of your choice. If you use OneLogin, go to your SAML connector configuration and add a custom parameter with the name groups and MemberOf as the value (this sends the group membership of the user who is logging in, as configured in their OneLogin user profile).

How to enable SAML Authentication

Follow these steps to configure a SAML integration:

  1. Log in to Worklytics as an Administrator (SecurityAdmin role).

  2. Go to the "Settings" page and choose the Single Sign-On tab.

  3. Click on Add Identity Provider in the "Identity Providers" section.

  4. You will be prompted with different options, choose SAML.

  5. Copy the Service Provider (SP) settings from the form you'll get (these values are specific to your Worklytics account):

    • Worklytics Single Sign On URL: this is the Assertion Consumer Service (ACS) value.

    • Worklytics Entity ID: this is also known as the Audience URI (per SAML standard).

  6. Leave this page open, and log in to the Identity Provider of your choice (such as OneLogin, Okta, or Centrify).

  7. Now follow the steps your Identity Provider requires to set up a SAML integration. The configuration varies depending on the IdP you use; see the OneLogin walkthrough below for an example.

  8. At some point, you'll have to provide your IdP with the settings you got in step #5, and collect the following settings to complete the configuration on our side:

    • IdP Single Sign On URL: this is where Worklytics will send the authentication requests.

    • IdP Issuer: identifies your organization in the IdP.

    • IdP X.509 certificate: your IdP signs its SAML responses with the key behind this certificate, and Worklytics uses the certificate to verify those signatures. Currently, Worklytics supports the SHA256 algorithm.

  9. Once you have all the settings, fill in the form (step #5) and click on Save settings.

  10. If everything went OK, a confirmation message will appear.

(*) If you choose to use Microsoft Entra ID, and you plan to use "groups", you should configure the claims as follows in the claim configuration: the http://schemas.microsoft.com/ws/2008/06/identity/claims/groups claim should have Cloud-only group display names as its source attribute. If you are using on-premises AAD synchronized with the Entra ID tenant, you will need to use sAMAccountName as the source attribute instead.

If you have any doubts, contact our support team.

Set up SAML on Worklytics using OneLogin as IdP

Assuming you're on the 7th step of the previous section, after logging in to OneLogin as an administrator, follow these steps:

  1. Go to Administration > Applications, and click on "Add App".

  2. Search for "SAML Custom Connector (Advanced)", select it, fill in the "Display Name" with something that identifies it as the connector for the Worklytics SP, and click "Save".

  3. Now, in the configuration section, enter the SP settings you've got before:

    1. Field RelayState: here you can specify any valid path (and params) of our Web App (e.g. /analytics/org). Users logging in via the IdP-initiated login flow will be redirected to that path after authentication.

    2. Field Audience (EntityID) is our Worklytics Entity ID field (i.e. https://app.worklytics.co).

    3. Field Recipient is our Worklytics Single Sign On URL field (e.g. https://app.worklytics.co/saml/sso/acme, where "acme" is your Worklytics organization identifier).

    4. Field ACS (Consumer URL) is also our Worklytics Single Sign On URL field.

    5. Field SAML nameID format: select Email.

  4. Now, go to the SSO section where you'll find all the values needed to complete the settings form in our site:

    1. Field X.509 Certificate

    2. Field Issuer URL is our IdP Issuer field.

    3. Field SAML 2.0 Endpoint (HTTP) is our Identity Provider Single Sign-On URL.

  5. Then, go to the Users section to manage the users who should have access to Worklytics.

  6. Go back to Worklytics and finish the configuration.
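The following is an added example, not Worklytics code, that ties together the values this page asks you to exchange between IdP and SP: it parses a constructed SAML 2.0 assertion and checks the points the "Supported Features" section and the setup steps rely on (the NameID is in emailAddress format, the Audience matches the Worklytics Entity ID, the Recipient matches the Worklytics Single Sign On URL, the Issuer matches the configured IdP Issuer, the declared signature algorithm is SHA-256) and extracts the groups attribute used for role assignment. The Entity ID and the "acme" ACS URL are the values shown in the OneLogin steps above; the IdP Issuer URL and the sample assertion are constructed for the example. It performs structural checks only and does not verify the XML signature cryptographically, which a real SP does with a SAML library.

```python
"""Structural checks on a SAML 2.0 assertion against the SP settings on this page.

Added example, not Worklytics code. It does NOT verify the XML signature
cryptographically (use a SAML library such as python3-saml for that); it only
checks that the assertion is shaped the way the SP expects.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SHA256_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}

# SP settings as shown in the OneLogin section ("acme" is the page's example org id).
SP_ENTITY_ID = "https://app.worklytics.co"
SP_ACS_URL = "https://app.worklytics.co/saml/sso/acme"
# Assumed IdP Issuer; in practice this comes from your IdP's SSO settings.
IDP_ISSUER = "https://idp.example.com/saml/metadata"

# Constructed sample assertion that satisfies every check.
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@acme.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Analysts</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with a SHA-1 algorithm, a non-email NameID format and a wrong audience.
BAD_ASSERTION = (
    GOOD_ASSERTION
    .replace("xmldsig-more#rsa-sha256", "xmldsig#rsa-sha1")
    .replace(EMAIL_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    .replace(f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience>",
             "<saml:Audience>https://other.example</saml:Audience>")
)


def check_assertion(xml_text, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL, idp_issuer=IDP_ISSUER):
    """Return (problems, email, groups); an empty problems list means all checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"issuer {issuer!r} does not match the configured IdP Issuer")

    alg_el = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = alg_el.get("Algorithm") if alg_el is not None else None
    if alg not in SHA256_ALGS:
        problems.append(f"signature algorithm {alg!r} is not a SHA-256 algorithm")

    # The page states the SP treats the NameID as the user's email address.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email = name_id.text.strip() if name_id is not None and name_id.text else None
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID format {fmt!r} is not the emailAddress format")

    # Recipient of the bearer confirmation must be the SP's ACS (Single Sign On) URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not match the ACS URL")

    # Audience must include the SP Entity ID (the Audience URI of the SAML standard).
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"audience {audiences!r} does not include the SP Entity ID")

    # The 'groups' attribute is what the page uses for role assignment.
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":
            groups = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]

    return problems, email, groups


if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        problems, email, groups = check_assertion(doc)
        print(label, "->", "OK" if not problems else problems, email, groups)
```

Running the script shows the good assertion passing with the email and both groups extracted, and the bad one failing on exactly the three points that were altered. A real ACS endpoint would verify the signature with the IdP's X.509 certificate and check the NotBefore/NotOnOrAfter conditions before doing any of this.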
