WorkEQ can be integrated with most cloud authentication providers, enabling employees to log in with their company credentials. This article gives an overview of capabilities and describes the general process for SSO setup.
WorkEQ has authentication connectors for most modern-day cloud identity providers which many of our customers use to facilitate thousands of secure employee check-ins daily.
These services are built on top of protocols like SAML, OIDC, OAuth, etc., which give us the ability to seamlessly connect and authenticate against popular systems like Azure Active Directory, Okta, Ping Identity, OneLogin, etc.
We recommend using SAML (Security Assertion Markup Language), if available, as the standard of choice to exchange authentication and authorization data between your corporate system (the identity provider) and WorkEQ (the service provider). We support both SAML 1.1 and SAML 2.0.
Our connectors also offer the ability to retrieve user attributes through claims. These are used for our contact tracing & logbook features and are also displayed on reports in the Command Center.
SSO Setup Process
For customers licensed for integration, our customer onboarding process includes steps for the auth setup. If you would like to integrate with SSO, but do not have a license type that supports it, please contact your WorkEQ Account Executive or sales@WorkEQ.com.
The WorkEQ team will review requirements for SSO including optional user attributes and document them.
Steps to set up Single Sign-On with WorkEQ using SAML
- Create a new SAML app on the Identity Provider (IDP).
- Use the following URLs for the Entity ID and Assertion Consumer Service URL (ACS) in the SAML app configuration. Alternatively, your team can use the Metadata XML file. To obtain this, contact support@WorkEQ.com.
- Some attributes are required in the SAML claims. The attribute names are case-sensitive, so they must be exactly as shown in the list below. Other attributes are optional.
- The WorkEQ SSO connector relies on the Name ID value to create users. To avoid duplicate accounts, we strongly recommend that you set the value of this claim to a unique identifier in the SAML app configuration.
- email (required), firstName (required), lastName (required), department (optional), office (optional), location (optional), phone (optional), managerEmail (optional)
- If phone (optional) is not provided through SSO, SMS notifications from Case Manager are not possible unless the phone number comes through your People import.
- To add more attributes that are not part of the list above, please add them to the SAML claims and share the name with WorkEQ.
- WorkEQ will set up the service using the information shared and notify the customer on completion.
- One or more users will be required to test the application. These should be added to the SAML app on the Identity Provider system.
- Please use https://app.workeq.com/code/<workspace code> to test the app. Your workspace code is defined in your initial onboarding.
- Note: We do not currently support the IDP-initiated SAML login flow for security reasons. If this is a requirement, a possible workaround is to create a bookmark application in the IDP (if supported) using the app URL shared above and hide the SAML app.
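
A pre-flight check for the attribute and Name ID requirements in the steps above, as an added example that is not WorkEQ's own code: it reads a test assertion from your IDP and reports missing required attributes, names with the wrong case, and unlisted attributes. It assumes a SAML 2.0 assertion; the function name, the sample assertion and all values in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {"email", "firstName", "lastName"}  # names from the list above
OPTIONAL = {"department", "office", "location", "phone", "managerEmail"}

# Constructed, unsigned sample assertion; every value is invented.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>emp-004217</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email">
   <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName">
   <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName">
   <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="costCenter">
   <saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return attribute-naming findings for one SAML 2.0 assertion."""
    # Naming check only: no signature verification, so use it on test
    # assertions captured from your own IDP, not as a login-time control.
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        sent[attr.get("Name", "")] = [v for v in values if v and v.strip()]
    known = REQUIRED | OPTIONAL
    by_lower = {n.lower(): n for n in known}
    for name in sorted(REQUIRED):
        if not sent.get(name):
            findings.append(f"required attribute '{name}' missing or empty")
    for name in sorted(set(sent) - known):
        expected = by_lower.get(name.lower())
        if expected:  # right attribute, wrong case: names are case-sensitive
            findings.append(f"'{name}' has wrong case, expected '{expected}'")
        else:
            findings.append(f"'{name}' is unlisted; share its name with WorkEQ")
    return findings
```

An empty list means the assertion carries a Name ID and all three required attributes under the expected names; whether the Name ID is unique per user still has to be confirmed in the IDP configuration.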