This topic describes how to configure OneLogin to provide SSO for Workplace by Facebook using SAML.
To get a free OneLogin account for Workplace by Facebook, go to www.onelogin.com/workplace
To configure OneLogin to enable SAML SSO for Workplace by Facebook:
Log in to your Workplace by Facebook account to get the Numerical SCIM ID that you will copy to OneLogin in a later step.
You must log into Workplace as a System Administrator.
In the upper right corner, click the edit account icon and select Company Dashboard.
On the Company Dashboard page, click Settings.
In the Basic Settings section, copy the Numerical ID in the SCIM URL.
This is the numerical value in the SCIM URL that precedes
Log in to OneLogin as an admin and go to Apps > Add Apps.
Search for Workplace by Facebook and select it.
You should see the initial Configuration tab.
Click Save to add the app to your Company Apps and display additional setup tabs.
On the Configuration tab, enter the Subdomain that you use with Workplace and the Numerical ID in SCIM URL that you copied in step 1.
Your Workplace subdomain is mycompany in the address
The remaining fields are used to configure user provisioning from OneLogin to Workplace. For more information, see Provisioning Users to Workplace by Facebook.
On the Parameters tab, map Workplace attributes to OneLogin attributes.
Typically, you should keep the default Configured by admin setting. For more information, see Setting Credential Configuration Options.
Some parameters are included in the SAML assertion during SSO, others are used when OneLogin provisions users to Workplace using the API. For an SSO-only implementation, you should accept the defaults. If you want to provision users and their attributes from OneLogin to Workplace, see Provisioning Users to Workplace by Facebook.
| | Default OneLogin Value | SAML or Provisioning? |
| Closed Groups | - No default - | Provisioning |
| Department | - No default - | Provisioning |
| Provisioning Manager | - User Manager - | Provisioning |
| Name Identifier (Subject) | | SAML and Provisioning |
| Open Groups | - No default - | Provisioning |
| Photo | - No default - | Provisioning |
| Secret Groups | - No default - | Provisioning |
| Start Date | - No default - | Provisioning |
| Title | - No default - | Provisioning |
Go to the SSO tab to view the values that you'll copy into your Workplace instance to set up SAML SSO.
Return to your Workplace account in a new browser tab or window and enter OneLogin's SAML SSO values.
Follow the instructions in Single Sign On Authentication in the Workplace documentation to copy the OneLogin SAML SSO values to Workplace:
Copy this OneLogin SSO field value: To this Workplace SSO settings field:
SAML Issuer URL
SAML 2.0 Endpoint (HTTP)
To get the X.509 certificate, click the View Details link under the X.509 Certificate field. Copy the complete string in the X.509 Certificate field.
Test the SAML flow, using the instructions in Single Sign On Authentication in the Workplace documentation.
Save your changes in Workplace.
For example, you can attach a policy to the app to require multi-factor authentication.
You can also go to Users > All Users to add the app to individual user accounts.
Note. If you are going to use OneLogin to provision users to Facebook, you might want to wait until you have tested provisioning before you assign users to the Workplace app in OneLogin.
Test the SAML connection by using SSO to access Workplace from OneLogin.
Make sure you are logged out of Workplace.
Give yourself or a test user a Workplace account that uses the same email address as their OneLogin account.
Give yourself or a test user access to the Workplace app in OneLogin (see step 9, above).
Log in to OneLogin as yourself or a test user.
Click the Workplace icon on your OneLogin dashboard.
If you are able to access Workplace, then SAML works.
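The X.509 certificate step above asks you to copy the complete string, and a partial copy is an easy way to end up with a broken SSO configuration. The following is an added example, not code from OneLogin or Workplace: a structural check that a pasted PEM certificate is whole, which also prints a SHA-256 fingerprint you can compare against the value shown by the source you copied from. The function names and the sample data are constructed for illustration, and the check does not validate the certificate's signature or trust.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pasted_cert(text):
    """Return (ok, detail); on success detail is the SHA-256 fingerprint."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        return False, "expected exactly one BEGIN/END CERTIFICATE block"
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return False, "body is not valid base64 (characters lost or added)"
    # An X.509 certificate is a DER SEQUENCE: tag 0x30, then a length field.
    if len(der) < 4 or der[0] != 0x30:
        return False, "decoded data is not a DER SEQUENCE"
    if der[1] < 0x80:                      # short form: length is this byte
        header, body_len = 2, der[1]
    else:                                  # long form: next n bytes hold it
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "malformed DER length"
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + body_len != len(der):      # a dropped line lands here
        return False, "DER length mismatch: paste is truncated or padded"
    digest = hashlib.sha256(der).hexdigest().upper()
    return True, ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


# Constructed sample: a DER SEQUENCE of the right shape, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(check_pasted_cert(SAMPLE_PEM))
    print(check_pasted_cert(SAMPLE_PEM.replace("-----END CERTIFICATE-----", "")))
```
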