Single Sign-On for Workplace from Facebook with WSO2 Identity Server

Ashen Weerathunga
5 min read · Apr 19, 2021
Image source: https://www.workplace.com

Workplace from Facebook (also known as Workplace by Facebook) is a collaboration platform that connects everyone in your company, even when they are working remotely, which has become the new normal. It comes with familiar features like Groups, News Feed and Live video broadcasting to get people talking and working together.

As Workplace is developed specifically for the corporate sector, enabling Single Sign-On (SSO) is a valuable addition for both security and user experience.

You probably already have an Identity and Access Management (IAM) solution in your organization that enables single sign-on for the various applications you use day to day. If you don’t yet have a proper IAM solution for your organization, you can try WSO2 Identity Server for free.

In this tutorial I will discuss how to set up single sign-on (SSO) for Workplace with WSO2 Identity Server.

Prerequisites

In order to enable SSO authentication in Workplace you will need to:

  • Have access to your Identity Provider’s configuration settings.
  • Have a System Administrator role assigned in Workplace.
  • Have a corresponding account in the WSO2 Identity Server with the same email as the Workplace user you are logged in with (i.e. the same email address is used to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete the Workplace configuration correctly. Refer to the documentation for more details.

Configure WSO2 Identity Server

  • Sign in to the WSO2 Identity Server Management Console.
  • On the Main menu, click Identity > Service Providers > Add.
  • Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field and you can use Workplace as the name for this example.
  • Expand the Inbound Authentication Configuration > SAML2 Web SSO Configuration section and click Configure. In the form that appears, fill out the following configuration details required for single sign-on. For more details on these attributes, refer to SAML2 Web SSO Configuration.
  1. For the value of Issuer, provide the Audience URL defined in the SAML configuration section in Workplace. (You may need to log in to Workplace in order to extract this information.)
  2. For the value of Assertion Consumer URL, provide the ACS URL defined in the SAML configurations section in the Workplace.
  3. Uncheck Enable Signature Validation in Authentication Requests and Logout Requests as the SAML authentication request sent by Workplace is not signed.
  4. Check Enable Attribute Profile and Include Attributes in the Response Always.
  5. Check Enable Audience Restriction, Enable Recipient Validation and add the respective Audience and Recipient values defined in the SAML configurations section in the Workplace.
  6. After configuring the above details, click the Download IDP Metadata button at the bottom of the page. This downloads an XML file with the SAML IdP metadata. Keep this file, as we will use it in a later step to extract the X.509 certificate.
  7. Save the configuration.

Configure Workplace to authenticate users via SSO

Log in to Workplace as a system administrator and do the following:

  • In the Admin Panel, select Security.
  • Click on the Authentication tab.
  • Under Log in, select Single sign-on (SSO).
  • Click +Add New SSO Provider.
  • Configure the below values related to the WSO2 Identity Server:
  1. Name of the SSO provider: WSO2
  2. SAML URL: https://<IS_HOSTNAME>:<IS_PORT>/samlsso (Workplace does not accept localhost, so use the local IP address when trying this out, e.g. https://127.0.0.1:9443/samlsso)
  3. SAML Issuer URL: localhost (If required, this can be changed from the IdP Entity ID Alias configuration in the service provider)
  4. SAML logout URL (Optional): https://127.0.0.1:9443/samlsso
  5. SAML Certificate: extract the X.509 certificate from the IdP metadata file downloaded previously. Open the downloaded metadata.xml file and copy the content inside the <X509Certificate> tag.
  • Scroll to the bottom of the section and click the Test SSO button. This will redirect to the WSO2 Identity Server login page. Enter your credentials to authenticate as below.
  • Once the test has been completed successfully, scroll to the bottom of the page and click Save Changes button.
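Copying the certificate body out of metadata.xml by hand is error-prone (a stray line break or a copied encryption key instead of the signing key makes Workplace reject every response). The following added example, which is not part of the original post and not WSO2's own tooling, reads the entity ID, the SingleSignOnService and SingleLogoutService locations and the signing certificate from an IdP metadata document of the shape WSO2 Identity Server exports; the metadata embedded here is a constructed sample and the certificate body is a placeholder, not a real certificate. It uses the standard library parser, which is fine for a file you downloaded from your own IdP but should be swapped for defusedxml if the input can come from an untrusted party.

```python
"""Added example (not from the original post): pull the values Workplace's
SSO provider form asks for out of a SAML 2.0 IdP metadata document.
The metadata and certificate body below are constructed placeholders.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the base64 DER certificate body.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample with the element layout WSO2 Identity Server's metadata export uses.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="localhost">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>
          {SAMPLE_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://127.0.0.1:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://127.0.0.1:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://127.0.0.1:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_workplace_settings(metadata_xml: str) -> dict:
    """Return entity id, SSO/SLO URLs per binding, the signing cert as PEM and its fingerprint."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    # Workplace verifies response signatures with the signing key, so ignore
    # any KeyDescriptor explicitly marked use="encryption".
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop the whitespace the XML adds
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")

    der = base64.b64decode(cert_b64, validate=True)  # fails loudly on a garbled copy
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----\n")

    sso_urls = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo_urls = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    return {
        "entity_id": root.get("entityID"),       # Workplace's "SAML Issuer URL"
        "sso_urls": sso_urls,                    # Workplace's "SAML URL"
        "slo_urls": slo_urls,                    # Workplace's "SAML logout URL"
        "cert_pem": pem,                         # Workplace's "SAML Certificate"
        "cert_sha256": hashlib.sha256(der).hexdigest(),  # compare against the IdP keystore
    }


if __name__ == "__main__":
    settings = extract_workplace_settings(SAMPLE_METADATA)
    print(settings["entity_id"], settings["sso_urls"])
    print(settings["cert_pem"])
```

Run it against the real metadata.xml by replacing `SAMPLE_METADATA` with the file contents; the `cert_sha256` value lets you confirm the pasted certificate is the one in the Identity Server keystore before you click Test SSO.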

Enable SSO for users

You can enable SSO for a user by logging in as an Administrator who has the permission to add and remove accounts:

  • In the Admin Panel, select People.
  • Search for the user that you want to enable for SSO.
  • Click on the button and select Edit Person’s Details.
  • Select SSO at Log in with.

Let’s try it out 🎉

  • Go to your Workplace URL (e.g. https://<your-domain>.workplace.com) and type your email address.
  • Then you will be redirected to the WSO2 Identity Server login page to enter the credentials.
  • After entering the credentials you will be authenticated via the WSO2 Identity Server and redirected to Workplace as below.

Note: If you are already signed in to another SSO application in the same browser, you don’t need to re-enter the credentials. It will sign in to Workplace automatically as we have configured SSO for Workplace.

I hope you can try it out and see how it works. We used the SAML 2.0 authentication protocol to configure SSO for Workplace with WSO2 Identity Server. If you are interested in more technical details, please refer to the official documentation.

You can enable more advanced Identity and Access Management features for this integration with the WSO2 Identity Server. Download the product from here and try it. If you have any questions regarding this, you can use our Slack channel and Stack Overflow forum to reach us.
