Set up IAM authentication

Use the IAM (identity and access management) Authentication page to enable an external identity provider (IdP) to authenticate Workforce Optimization sessions, enable direct login using Workforce Optimization's IAM service, or enable multi-factor authentication.

The IAM Authentication page is only available for Cloud deployments of Workforce Optimization.

If you are using an external identity provider, see Configure SAML authentication to learn how to configure your organization’s IdP prior to using this page to enable your IdP connection to Workforce Optimization.

Multi-factor authentication is a method in which a user is granted access to a website after successfully proving their identity using at least two means of verification. Workforce Optimization multi-factor authentication uses a login password and an email of a one-time password to verify a user's identity and grant them access to Workforce Optimization. The following workflow details what happens when a user attempts to login once multi-factor authentication is configured.

  1. The user successfully enters their email and password on the login page.

  2. The user receives an email from Workforce Optimization that contains their one-time password.

  3. The user enters their one-time password on the login page and is successfully authenticated.

Prerequisites

  • You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM and Analytics for more information.

  • Your external IdP must be configured for Workforce Optimization. Follow the procedures detailed in Configure SAML authentication to set up your IdP.

  • Follow the "Configure identity providers" and "Export SAML Metadata" procedures in Configure SAML authentication if your IdP is not on the list below. If you are not able to successfully configure your IdP, please contact Provider Support.

    Identity Provider
    AD FS
    Azure AD
    Ping Federate
    OKTA
    Cisco Duo
    OneLogin

Page location

Application Management > Global > System Administration > IAM Authentication

Procedure

Configure an external IDP

  1. Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) box to allow authentication using an external identity provider.
  2. Enter the required information in the available fields. See Field descriptions for more information.
  3. Click Save.

Configure direct login

  1. Under Enable Authentication select Enable IAM Authentication (Direct Login) to authenticate using Workforce Optimization's IAM service.
  2. Click Save.

Configure multi-factor authentication

  1. Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Workforce Optimization's IAM service.
  2. Under IAM Authentication Settings, select Enable One-Time Password via Email.
  3. Click Save.

NOTE   If users do not receive their one-time password emails within one minute, instruct them to check their spam folders or work with their IT administrator to ensure the one-time password email from "supportservices_noreply@calabriocloud.com" is not blocked.

Field descriptions

Field Description

Enable Authentication

At least one of the two check boxes must be selected.

Enable IAM Authentication (Direct Login) — Enables authentication through the Workforce Optimization IAM Service or multi-factor authentication.
Enable IAM External Authentication Entity (Company Login) — Enables authentication using an external IdP.

IAM Authentication Settings

Multi-factor Authentication -

Enable One-Time Password via Email

When configured, all tenant users receive an email from Provider that contains a one-time password whenever they attempt to log into Workforce Optimization. The one-time password email is delivered to the email address linked to an individual's Workforce Optimization user account.

The password expires after five minutes.

IAM External Authentication Settings
Entity ID

The entity ID information from the customer’s configured IdP.

EXAMPLE   http://www.okta.com/mxkgk2l57kJrrPAeo0h7TEST

IDP X.509 Certificate

Import, export, or view an SP X.509 certificate. Acceptable file formats are CER, CRT, and CERT.

IMPORTANT   The certificate must be Base64 encoded.

Authorization Requests Signed -

Require signed SAML request

 Select if SAML requests need to be signed.
Name ID Format

The default is as follows.

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect)

The value provided for a Single Sign On Service Endpoint (HTTP-Redirect). Include http or https in the url.

EXAMPLE   https://dev-111111.oktapreview.com/app/dev-111111_exampletest20220608_1/mpkznqqbkzvTHE3Nc0h7/sso/saml

SAML Binding

Select if SAML bonding is required to post or redirect.

NOTE   Check if your identity provider requires post or redirect. Azure AD, AD FS, and Ping Federate IdPS require post.

Related topics

  • Configure SAML authentication — Learn how to configure your organization’s external IdP for Workforce Optimization before using the IAM Authentication page to connect your organization’s IdP and Workforce Optimization‘s IAM service.

  • Log in to Workforce Optimization — Learn how to log into Workforce Optimization after configuring an authentication method.