Configure SAML authentication

Security Assertion Markup Language (SAML) authentication allows you to use common external identity providers (IdP) to authenticate usernames and passwords for Workforce Optimization, the service provider (SP). This method of user authentication and password management is commonly referred to as single sign-on (SSO).

After SAML authentication is configured through your external IdP, the metadata needs to be downloaded, exported, and configured in Workforce Optimization. See Set up IAM authentication for information on configuring your IdP in Workforce Optimization.

IMPORTANT   If the user’s email address is not mapped to the “mail” attribute on your external IdP, then you need to contact Provider Professional Services and tell the Provider representative the name of the attribute that contains the user email.

NOTE   If your IdP X.509 certificate is changed, for reasons such as a new expiration date, you need to provide the new X.509 certificate or the new SAML metadata file to Provider Professional Services. Otherwise, users cannot login.

NOTE   Tenant administrators who have been added by a system administrator can always log in using their Workforce Optimization credentials. This is true even if Workforce Optimization authentication is disabled and another form of authentication (SAML or Active Directory) is enabled.

The login page you use is determined by your region.

Workforce Optimization integrates with IdPs that support SAML 2.0 authentication (see Set up IAM authentication for the list of supported IdPs). The following general parameters apply when configuring the SAML assertion in an IdP.

Assertion Component Configuration

Attributes

The IdP must send an assertion containing your users’ email address as an attribute. This email address must match the address used for Workforce Optimization authentication. Attribute names are case sensitive.

EXAMPLE   

The specific name of the email attribute depends on the IdP that you use. The following are examples:

  • emailAddress
  • email
  • mail
  • user.email

Signatures

The SAML assertion must be signed. The signing key is provided in the XML data. The SAML assertion signature algorithms are listed below.

  • rsa-sha256
  • rsa-sha1
  • rsa-md5
  • rsa-ripemd160
  • rsa-sha384
  • rsa-sha512
  • dsa-sha1

Key sizes

Encrypted assertions are supported only with a maximum key size of 128 bits.

Prerequisites

You need to set up an application for Provider IAM (identity and access management) in your IdP. The following list contains values required to setup this application.

  1. Assertion Consumer Service URL. After successful authentication of your IdP the user is redirected to this URL with the SAML response. The URL varies depending on the domain name of your environment. Use the domain for your region.

    IAM Domain Names

    Australia

    https://id-aus.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

    Canada

    https://id-ca.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

    European Union

    		 https://id-eu.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

    United Kingdom

    https://id-uk.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

    United States https://id.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

    Singapore

    https://id-sgp.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

  2. Service Provider Entity ID: calabriosp
  3. The email address must be passed in an attribute named "mail".

  4. If the SAML request needs to be signed, the signing certificate for it can be found in the Provider Identity and Access Management (IAM) Service Provider metadata for your region that’s detailed below.

    IAM Service Provider Metadata

    Australia

    https://id-aus.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

    Canada

    https://id-ca.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

    European Union https://id-eu.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

    United Kingdom

    https://id-uk.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

    United States https://id.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

    Singapore

    https://id-sgp.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

  5. (Optional) Service Provider initiated Sign-on URL. When a user opens this URL, the service provider, Provider, redirects to your IdP to authenticate and sign on the user. This is not required for most IdPs. Use the Provider IAM Service for your region.

    IAM Service

    Australia

    https://id-aus.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    Canada

    https://id-ca.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    European Union https://id-eu.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    United Kingdom

    https://id-uk.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    United States https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    Singapore

    https://id-sgp.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    EXAMPLE   In this example for the United States IAM service, <https://www.example.com/123> is the IDP entity ID that becomes <https%3A%2F%2Fwww.example.com%2F123> when the URL is encoded.

    https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=https%3A%2F%2Fwww.example.com%2F123

  6. You need to assign users or groups who need access to Workforce Optimization to this application.

The following is an overview of how to configure Okta as your IdP:

  1. Create an Okta app.
  2. Configure the Okta app.

After you configure Okta, you have to download a metadata file and save the metadata file (see Export SAML Metadata). Afterward, follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Create an app in Okta

  1. Log in to Okta.

    NOTE   You must be a Super Administrator in Okta to create and configure an app.

  2. Navigate to Applications > Applications.
  3. Click Add Application.
  4. Click Create New App.

  5. In the Create New Application Integration dialog box, configure the fields as follows.

    Field Configuration

    Platform

    Select Web.

    Sign on method

    Select SAML 2.0.

Configure the Okta app

  1. In the General Settings tab, configure the fields as follows.

    Field Configuration

    App name

    Enter a unique name for Workforce Optimization.

    App logo

    (Optional) Upload an image to identify Workforce Optimization in Okta.

    App visibility

    (Optional) Limit who can see the image in Okta.
  2. Click Next.

  3. On the Configure SAML tab, configure the fields as follows.

    NOTE   If Advanced Settings is hidden, click Show Advanced Settings.

    Field Configuration

    General

    Single sign on URL

    Copy and paste the Assertion Consumer Service URL that was listed as a prerequisite.

    Leave the Use this for Recipient URL and Destination URL check box selected (default).

    Audience URI (SP Entity ID)

    Copy and paste calabriosp as the Service Provider Entity ID that was listed as a prerequisite.

    Name ID format

    Select EmailAddress.

    Application username

    Select Email.

    Response

    Select Signed.

    Assertion Signature

    Select Signed.

    Encryption

    Select Unencrypted.

    Enable Single Logout

    Leave the Allow application to initiate Single Logout check box cleared (default).

    Authentication context class

    Select PasswordProtectedTransport.

    Honor Force Authentication

    Select Yes.

    SAML Issuer ID

    Leave blank.

    Attribute Statements

    Name

    Enter mail.

    NOTE   This allows a user’s email address to be properly mapped for SAML assertion. If you do not do this attribute mapping for your external IdP then a Provider representative must map the attribute to the user’s email address on your behalf. Contact Provider Professional Services for assistance.

    Name format

    Select Unspecified.

    Value

    Select user.email.

    NOTE   You do not need to configure any attributes in the Group Attribute Statements section.

  4. Click Next.

  5. In the Feedback tab, select the Feedback option that is appropriate to your company’s use of Okta.

    NOTE   Your choice does not affect the ability of Workforce Optimization to use Okta as an IdP.

  6. In the Assignments tab, assign the groups and users that will have access to Workforce Optimization.
  7. Click Finish.

The following procedure details how to integrate your OneLogin IdP for Workforce Optimization Identity and Access Management (IAM) Service Provider (SP).

Configure OneLogin

  1. Log in to OneLogin as an administrator.
  2. From the menu bar, go to Applications > Applications. Click Add App in the top right corner.
  3. Search for test connector on the Find Applications page. From the filter list, pick SAML Test Connector (Advanced) for SAML 2.0.
  4. Enter a name such as "CalabrioOne" as the Display Name of the new app. Enable Visible in portal if you want to let users select the CalabrioOne app from OneLogin.
  5. Click Save.
  6. On the new left side navigation menu that appears, click Configuration.
  7. In the Audience field, type calabriosp.
  8. In the Recipient and ACS (Consumer) URL fields, enter the IAM Domain Name for the CalabrioOne region your tenant is in.

  9. In the ACS (Consumer) URL Validator field, enter the following.

    Copy 
    [-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
  10. Click Save.
  11. Click Parameters in the left navigation menu, and then click the + button to add a new field.
  12. Type mail as the Name in the pop-up.
  13. Select Email in the value drop-down list.
  14. Click Save.
  15. Add the individual users, Roles, or Groups to the CalabrioOne application to ensure they have access to the CalabrioOne application.

This section details how to integrate your Active Directory Federation Services (AD FS) IdP for Workforce Optimization Identity and Access Management (IAM) Service Provider (SP).

The following is an overview of how to configure single sign-on for Active Directory Federation Services (AD FS):

  1. Configure a Global Authentication Policy.
  2. Configure Relying Party Trust for your identity provider.
  3. Configure the LDAP email claim rule for the Workforce Optimization trust.
  4. Configure the incoming claim transform email address custom rule for the Workforce Optimization trust.
  5. Configure the incoming claim add mail attribute custom rule for the Workforce Optimization trust.
  6. Extract your Workforce Optimization service provider certificate.
  7. Configure the secure hash algorithm and import your Workforce Optimization service provider certificate.
  8. Assign users and/or groups to Active Directory for the AD FS.
  9. Save your AD FS Federation Metadata XML file.
  10. Follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Configure Global Authentication Policy

  1. Open the Windows Server AD FS Management Console.
  2. Select the Authentication Policies folder.
  3. Under Global Settings in Primary Authentication, click Edit. The Edit Global Authentication Policy window appears.
  4. Under the Intranet section in the Primary tab, select the Forms Authentication check box and the Windows Authentication check box. If the check boxes are already selected, click Cancel.

Configure Relying Party Trust for your identity provider

Configuring Relying Party Trust for your identity provider is a multistep procedure.

First, begin the Add Relying Party Trust Wizard.

  1. Open the Windows Server AD FS Management Console.
  2. Expand the Trust Relationships folder.
  3. Right-click the Relying Party Trusts folder, and then click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
  4. Click Start.

Next, configure Relying Party Trust with the Add Relying Party Trust Wizard.

  1. Choose Enter data about the relying party manually, and then click Next.
  2. Enter “Workforce Optimization” in the Display name field, and then click Next.
  3. Choose AD FS profile, and then click Next.
  4. Click Next on the “Configure Certificate” step. You do not need to specify an optional token encryption certificate.
  5. On the “Configure URL” step, click the Enable support for the SAML 2.0 WebSSO protocol check box.
  6. Under Relying party SAML 2.0 SSO service URL, enter the Assertion Consumer Service URL (listed as a prerequisite) in the text field, and then click Next.
  7. On the “Configure Identifiers” step, enter the Entity ID (listed as a prerequisite) in the Relying party trust identifier text field, click Add, and then click Next.
  8. On the “Configure Multi-factor Authentication Now?” step, click the I do not want to configure multi-factor authentication settings for this relying party trust at this time check box, and then click Next.
  9. On the “Choose Issuance Authorization Rules” step, click Permit all users to access this relying party check box, and then click Next.
  10. On the “Ready to Add Trust” step, click Next.
  11. On the “Finish” step, click the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box.
  12. Click Close. The Edit Claim Rules for Calabrio ONE window appears.

Configure the LDAP email claim rule for the Workforce Optimization trust

  1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
  2. Select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and then click Next.
  3. Enter “LDAP Email Address” in the Claim rule name field.
  4. Select Active Directory from the Attribute store drop-down list.
  5. Select E-Mail Addresses from the LDAP Attribute drop-down list.
  6. Select E-Mail Address from the Outgoing Claim Type drop-down list.
  7. Click Finish to complete configuration of this claim rule and add the incoming claim transform rule.

Configure the incoming claim transform email address custom rule for the Workforce Optimization trust

  1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
  2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
  3. Enter “Transform Email Address” in the Claim rule name field.

  4. Enter the following in the Custom rule field.

    Copy 
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "calabriosp");
  5. Click Finish to complete configuration of this claim rule.

Configure the incoming claim add mail attribute custom rule for the Workforce Optimization trust

  1. Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
  2. Select Send Claims Using a Custom Rule from the Claim rule template drop-down list, and then click Next.
  3. Enter “Add mail Attribute” in the Claim rule name field.

  4. Enter the following in Custom rule field.

    Copy 
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "mail", Value = c.Value);
  5. Click Finish to complete configuration of this claim rule.
  6. Click OK to finish editing claim rules and close the Edit Claim Rules window.

Extract Workforce Optimization service provider certificate

  1. In an internet browser, navigate to the IAM Service Provider Metadata URL for your region (listed as a prerequisite).

  2. Copy the contents of “X509Certificate” from under SPSSODescriptor > KeyDescriptor use=”signing”> to a file with .cer extension such as EUSigningCert.cer on the AD FS server.

Configure the secure hash algorithm and import Workforce Optimization service provider certificate

  1. Open the Windows Server AD FS Management Console.
  2. Open the Workforce Optimization trust you created in one of the previous procedures to open the Calabrio ONE Properties window.
  3. Click the Advanced tab and select SHA-1 from the Secure hash algorithm drop-down list.

  4. Click the Signature tab, and then click Add.... Select the Workforce Optimization service provider certificate created in the previous procedure.

    NOTE   If the Workforce Optimization service provider certificate is not listed, you might need to select All files (*.*) in the file-type filter in the lower right corner of the window next to the File name text field.

  5. Click OK to finish editing the trust properties and close the Calabrio ONE Properties window.

Assign users and groups to Active Directory used for AD FS

Add desired user(s) and group(s) to the Active Directory used for AD FS to grant them access to Workforce Optimization via AD FS. A user’s email address must match the email address configured for the user in Workforce Optimization exactly.

Save your AD FS Federation Metadata XML file

Where in the below URL, <ADFS Hostname> is your ADFS hostname.

https://<ADFS Hostname>/FederationMetadata/2007-06/FederationMetadata.xml

AD FS Identity Provider-Initiated Single Sign-On

  1. Navigate to the following unique URL in an internet browser.

    https://<ADFS Hostname>/adfs/ls/idpinitiatedsignon.aspx
    Where in the above URL, <ADFS Hostname> is your ADFS hostname.

  2. Click Sign in to one of the following sites, and select Calabrio ONE from the drop-down list.
  3. Enter your user credentials in the text fields, and then click Sign in. You are redirected and logged in to the Workforce Optimization site.

NOTE   You can follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Troubleshooting procedures

AD FS event errors

The Event Viewer window displays logs of AD FS authentication issues. You can check past events to investigate errors.

  1. Navigate to Event Viewer > Applications and Services Logs > AD FS > Admin.
  2. Click the desired event in the Admin list for more details.

NameId Format in SAMLRequest issue

The NameId Format in SAMLRequest is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

If issues occur, update the Name ID Format field on the IAM Authentication page. See Set up IAM authentication for more information.

Copy 
Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
calabriosp 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified SPNameQualifier: calabriosp. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier:  SPNameQualifier: , SPProvidedId: .
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Missing SPNameQualifier of calabriosp

If you see the following error message, attempt the Configure the incoming claim transform email address custom rule for the Workforce Optimization trust procedure again.

Copy 
Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
calabriosp 

Exception details: 
Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException: MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: calabriosp. Actual NameID properties: Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, NameQualifier:  SPNameQualifier: , SPProvidedId: .
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Follow these procedures to integrate your Azure AD IdP with Workforce Optimization Identity and Access Management (IAM) Service Provider (SP).

Setup Azure AD IDP

  1. Sign into your Azure portal.
  2. On the left navigation panel, click on Azure Active Directory.
  3. In the Azure Active Directory pane, click on Enterprise applications.
  4. In the Enterprise applications pane, click on New application.
  5. Click Non-gallery application.
  6. Enter a name for the Workforce Optimization application and click Add. The name you enter for Workforce Optimization is referred to as Workforce Optimization <Application Name> in these procedures.
  7. After the application is saved and loaded, click Single sign-on in the left-hand menu and then click SAML.
  8. In the setup screen, click the pencil icon in the Basic SAML Configuration box.

  9. Enter the following values into the fields.

    • Identifier (Entity ID): calabriosp
    • Reply URL (Assertion Consumer Service URL). Copy and paste the Assertion Consumer Service URL that was listed as a prerequisite.

    Do not enter any data into any other fields.

  10. If the Sign on URL is marked as a required field, instead of an optional field, then copy and paste the Service Provider initiated Sign-on URL that was listed as a prerequisite.

    • The Azure AD Identifier for the Workforce Optimization application in Azure AD is in the Set up <Calabrio ONE Application Name> box in the setup screen. You can use a URL encoder to decode it.

      EXAMPLE   In this example for United States IAM, https://www.example.com/123 is the Azure AD Identifier that becomes https%3A%2F%2Fwww.example.com%2F123 when the URL is encoded.

      NOTE   For IdP-Initiated SAML, the Sign on URL field in the app in Azure AD must be empty.

  11. Click Save.
  12. Navigate to the setup screen.
  13. Click the pencil icon in the User Attributes & Claims box.
  14. Click ... the (ellipsis symbol) to edit the claim for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress under Additional claims.
  15. Enter mail in the Name field.
  16. Delete the pre-populated text in the Namespace field.
  17. Ensure the Attribute button is selected as the Source (default).
  18. Ensure user.mail is selected from the Source attribute drop-down list (default).
  19. Click Save.
  20. In the left-hand menu click Users and groups.
  21. Click Add user.
  22. In the Add Assignment pane, click Users and groups.
  23. Select the user or group you want to assign to the application for access to Workforce Optimization. Click Select.
  24. Click Assign to assign the user or group.
  25. In the setup screen, click the pencil icon in the SAML Signing Certificate box.
  26. Enter a notification email in Notification Email field for the certificate expiry reminders.
  27. Click Save.
  28. Click Download for Federation Metadata XML.
  29. Save the metadata file. Then follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Troubleshoot single sign-on

After Workforce Optimization IAM has been configured to use the application for Workforce Optimization in Azure AD, you can test the settings to see if single sign-on works for your account. This can be done using the Workforce Optimization URL provided by Provider Professional Services Account Representative.

You can test single sign-on from Azure AD.

  1. Sign into your Azure portal.
  2. In the left navigation panel, click Azure Active Directory.
  3. In the Azure Active Directory pane, click Enterprise applications.
  4. In the Enterprise applications pane, click on the Workforce Optimization application.
  5. Click Single sign-on in the left-hand menu.
  6. Click the Test button in the Test Single Sign-on with <Workforce Optimization Application Name> box to check if single sign-on is working. You can test using the user who is currently signed in or another user.

Troubleshoot error messages

If an error message appears follow the steps below.

  1. Copy and paste the specifics from the error message into the What does the error look like? box.
  2. Click Get resolution guidance.
  3. Read the guidance to fix the issue.

Related Content

For more information on Microsoft Azure AD see the reference material linked below.

After SAML authentication is configured for your IdP, the metadata needs to be downloaded and exported. Then follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Download Okta SAML Metadata

  1. Navigate to Applications > Sign On tab.
  2. Click Identity Provider metadata to start the metadata download.

Download SAML Metadata for other IdPs

Most identity providers allow users to download metadata. To do so, follow the steps detailed below.

  1. Navigate to your identity provider’s page.

  2. Find the button that allows you to download your IdP’s metadata.

    NOTE   The name of the IdP metadata download button may vary depending on your IdP.

  3. Save the metadata file then follow the procedure detailed in Set up IAM authentication to connect your IdP to Workforce Optimization.

Not all IdPs or IdP configurations require service provider certificates.

IdP Certificate Required

ADFS

Yes

Okta

No

Other IdPs

Varies by configuration.

Azure AD

No

If your IdP or IdP configuration requires a service provider certificate to integrate with Workforce Optimization, use the signing certificate listed in the prerequisite.

Related topics