This topic describes how to configure OneLogin to provide SSO for Workplace by Facebook using SAML.
To get a free OneLogin account for Workplace by Facebook, go to www.onelogin.com/workplace.
To configure OneLogin to enable SAML SSO for Workplace by Facebook:
Log in to OneLogin as an admin and go to Apps > Add Apps.
Search for Workplace by Facebook and select it.
You should see the initial Configuration tab.
Click Save to add the app to your Company Apps and display additional setup tabs.
On the Configuration tab, enter the Subdomain that you use with Workplace.
Your Workplace subdomain is mycompany in the address
The remaining fields are used to configure user provisioning from OneLogin to Workplace. For more information, see Provision Users to Workplace by Facebook.
On the Parameters tab, map Workplace attributes to OneLogin attributes.
Typically, you should keep the default Configured by admin setting. For more information, see Setting Credential Configuration Options. The only required parameter for SSO is Name Identifier, while the other parameters are used when OneLogin provisions users to Workplace using the API. For an SSO-only implementation, you should accept the defaults. If you want to provision users and their attributes from OneLogin to Workplace, see Provision Users to Workplace by Facebook.
Go to the SSO tab to view the values that you'll copy into your Workplace instance to set up SAML SSO.
Return to your Workplace account in a new browser tab or window and enter OneLogin's SAML SSO values.
Follow the instructions in Single Sign On Authentication in the Workplace documentation to copy the OneLogin SAML SSO values to Workplace:
Copy this OneLogin SSO field value: To this Workplace SSO settings field:
SAML Issuer URL
SAML 2.0 Endpoint (HTTP)
X.509 Certificate & SAML Signature Algorithm
To get the X.509 certificate, click the View Details link under the X.509 Certificate field. Copy the complete string from the X.509 Certificate field.
SAML Signature Algorithm is the type of certificate the admin configures.
Test the SAML flow, using the instructions in Single Sign On Authentication in the Workplace documentation.
Save your changes in Workplace.
For example, you can attach a policy to the app to require multi-factor authentication.
You can also go to Users > All Users to add the app to individual user accounts.
Note. If you are going to use OneLogin to provision users to Facebook, you might want to wait until you have tested provisioning before you assign users to the Workplace app in OneLogin.
Test the SAML connection by using SSO to access Workplace from OneLogin.
Make sure you are logged out of Workplace.
Give yourself or a test user a Workplace account that uses the same email address as their OneLogin account.
Give yourself or a test user access to the Workplace app in OneLogin (see step 9, above).
Log in to OneLogin as yourself or a test user.
Click the Workplace icon on your OneLogin dashboard.
If you are able to access Workplace, then SAML works.
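For the X.509 certificate step above, one way to confirm that the string you copied is complete before pasting it into Workplace is shown below. This is an added example, not OneLogin or Workplace code. It assumes the copied value is PEM text with BEGIN/END CERTIFICATE lines, and the function names and the sample value are constructed for illustration.

```python
import base64, hashlib, re

# signatureAlgorithm OIDs for common RSA-signed certificates
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

# Constructed sample: a tiny certificate-shaped DER stub, NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MBgwAwIBATANBgkqhkiG9w0BAQsFAAMCAAA=
-----END CERTIFICATE-----"""

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("certificate is truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("certificate is truncated")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID bytes into dotted form (first arc 0 or 1, as in the table above)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear marks the end of one arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def inspect_pasted_cert(pem):
    """Raise ValueError if the paste is incomplete; otherwise report what was pasted."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("missing BEGIN/END CERTIFICATE lines")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, start, end = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a complete DER certificate")
    _, _, tbs_end = read_tlv(der, start)                # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)            # signatureAlgorithm SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)    # algorithm OID
    oid = decode_oid(der[oid_start:oid_end])
    return {"sha256_fingerprint": hashlib.sha256(der).hexdigest(),
            "signature_algorithm": SIG_OIDS.get(oid, oid)}
```

Run `inspect_pasted_cert` on the value you copied and on the value stored after pasting; matching fingerprints mean nothing was dropped, and the reported signature algorithm tells you whether the certificate is SHA-1 or SHA-2 signed.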