WorkTango SAML Authentication

Identity Provider Information

To proceed with setup, WorkTango requires the metadata file from your IdentityProvider. We can accept it as either a URL or a file. From this file, WorkTango will be able to collect the following fields:

  • SignOnUrl: URL of the authentication endpoint for your IdentityProvider
  • LogOutUrl: URL of the sign-out endpoint for your IdentityProvider
  • Base64 Certificate: The Base64 encoded public key from your IdentityProvider’s certificate.
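Before sending the metadata, you can confirm that it actually exposes these three fields. The following is an added example, not WorkTango's own code: the function name `extract_idp_fields` is hypothetical, and the sample metadata (hosts and certificate body) is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; hosts and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        Q09OU1RSVUNURUQ=
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/slo"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_fields(metadata_xml):
    """Return the SignOnUrl, LogOutUrl and Base64 certificate found in IdP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations do not belong in SAML metadata")
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")

    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None

    cert = idp.findtext(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    cert = "".join(cert.split())  # metadata often wraps the Base64 across lines
    if not cert:
        raise ValueError("no X509Certificate in IdP metadata")
    base64.b64decode(cert, validate=True)  # raises ValueError if not Base64
    fields = {"SignOnUrl": location("SingleSignOnService"),
              "LogOutUrl": location("SingleLogoutService"),  # None if absent
              "Base64Certificate": cert}
    if not fields["SignOnUrl"]:
        raise ValueError("no SingleSignOnService Location in IdP metadata")
    return fields
```

Call `extract_idp_fields()` with the text of your own metadata file; a `ValueError` means one of the fields listed above is missing or malformed.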

Configuring Your Identity Provider

You will need to configure your IdentityProvider with the following information from WorkTango’s ServiceProvider. Information from our ServiceProvider will be unique to your subdomain. The following instructions use worktango.youearnedit.com as an example for the access point for the organization. You should substitute your domain in the place of the “worktango” subdomain below.*

  • EntityId: WorkTango’s ServiceProvider will identify itself with an EntityID constructed from your subdomain in the following form:
    <your_worktango_subdomain>.youearnedit.com
    (Example: worktango.youearnedit.com).

This is case sensitive and does not include https:// at the beginning.

  • AssertionConsumerService URL: https://<your_account_subdomain>.youearnedit.com/saml/acs
    (Example: https://worktango.youearnedit.com/saml/acs).

  • SingleLogoutService URL: https://<your_account_subdomain>.youearnedit.com/users/sign_in
    (Example: https://worktango.youearnedit.com/users/sign_in).

Our service provider still identifies us by our former youearnedit.com domain only, which is owned by WorkTango. Due to this, you must use youearnedit.com after your subdomain for your EntityID, ACS, and SLS when configuring your IdentityProvider.

NameID Format

Our ServiceProvider will expect the IdentityProvider to supply an EmailAddress or UserName in the NameID attribute. Authentication will fail if a corresponding UserName or EmailAddress is not found within our database or does not match exactly. This will require that accounts be imported into the WorkTango system before our ServiceProvider will accept them (typically via CSV import).

FAQs

Q: Can SSO authentication be used for a select group of employees?

A: No. Once enabled, SSO authentication will apply to all user accounts on the WorkTango platform and email/password will no longer be available as a login option.

Q: Can SSO be disabled in order to go back to individual email/password authentication?

A: While not recommended, as email/password is much less secure, it is possible to disable SSO on a platform to return to that format. However, please note that doing so will require all users to use the forgot password link to set a new password for their account.
