Workzoom supports Federated Authentication using the SAML 2.0 protocol. This allows you to manage how your users authenticate and sign in to Workzoom, including employing a single sign-on (SSO) solution and enforcing multi-factor authentication (MFA).
Cloud-Based Identity and Access Management Providers
The following list is not exhaustive but includes the most common cloud-based suppliers of identity and access management services that support the SAML 2.0 protocol.
The following are required to add Workzoom to your identity and access management solution:
- Metadata Authorization URL (Federation Metadata Document)
- IDP ID/Entity ID
- Login URL
- Application Identifier URI
- Redirect URI (your Workzoom application URL with “?mode=sso” appended to the end)
Note: The XML file accessed from the Metadata Authorization URL will contain the IDP ID/Entity ID and Login URL.
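As an added example (not Workzoom's or any provider's own code), the following Python sketch reads a Federation Metadata Document and pulls out the IDP ID/Entity ID and Login URL mentioned in the note, so the values can be checked before they are sent on. The sample metadata, the `idp.example.com` host and the preference for the HTTP-Redirect endpoint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample; idp.example.com and the certificate text are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Return the Entity ID, Login URL and signing-key count from IdP metadata."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an identity provider")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    # Assumption: prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    login_url = sso.get(BINDINGS + "HTTP-Redirect") or sso.get(BINDINGS + "HTTP-POST")
    if not login_url or urlsplit(login_url).scheme != "https":
        raise ValueError("Login URL is missing or not HTTPS")
    # A KeyDescriptor without a 'use' attribute serves for signing as well.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    if not signing:
        raise ValueError("no signing key published; assertions could not be verified")
    return {"entity_id": root.get("entityID"), "login_url": login_url,
            "signing_keys": len(signing)}


if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA))
```
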
To begin the Federated Authentication process, Workzoom will provide you with your unique Redirect URI (sometimes referred to as Assertion Consumer Service URL).
Create an application registration with your federated authentication provider using the Redirect URI provided in step 1 (if prompted for the platform, select “Web”). Once the application registration has been completed, you should have the Metadata Authorization URL generated by your federated authentication provider.
Your provider should also have generated an Application ID URI (Azure AD will require you to either generate one or set one with your own domain). Please provide these URLs to Workzoom.
Please provide the URLs by uploading them in a document attached to a support case within your Workzoom instance. Once you have provided the required information, it will be securely entered into the Workzoom Secrets Vault.
You can load employee data into your Workzoom instance including the user’s Name ID (email address) to facilitate Federated Authentication between your provider and Workzoom.
Users can experience Federated Authentication with Workzoom by accessing the provided Redirect URI and signing in with their Name ID (email address). MFA can also be enforced by enabling the feature in your authentication provider.