Overview | SAML vs Single Sign-On (SSO) | Supported Identity Providers (IdP) | Locally Hosted Workamajig Server | DNS Subdomain | Logging Into Workamajig | Client / Vendor Users | General Setup Steps | Limitations And Notes
Security Assertion Markup Language (SAML) Workamajig End User Guide
- This feature requires your IT staff for set up and proper implementation.
- Please note that once SAML is enabled in Workamajig, all outbound emails will be generated using the SAML URL prefix.
- If you need further help with this feature, please contact email@example.com.
SAML vs Single Sign-On (SSO)
While SAML and SSO provide a similar function and are sometimes conflated together. We should make a distinction. As far as Workamajig is concerned SSO means LDAP Authentication directly against the LDAP server. LDAP Authentication is only available to on-premise clients and is the recommended way to enable SSO for on-premise clients. If your LDAP server offers a SAML service and you wish to setup SAML contact Workamajig support.
Supported Identity Providers (IdP)
The following Supported Identity Providers have been successfully configured and are in use with Workamajig.
- GSuite (google)
- Okta - https://www.okta.com/
- Active Directory
Locally Hosted Workamajig Server
If you host your own Workamajig sever. Then you can refer those guide for steps on that specific setup.
Workamajig uses subdomains to delineate between Workamajig authentication and SAML authentication. Clients wishing to use SAML authentication will access Workamajig using a custom subdomain. A client may choose the subdomain. Subdomains for hosted clients will be set up and managed by Workamajig. Sub-domains for on-prem clients will be created and managed by the client.
If the user normally accesses Workamajig using:
To trigger SAML authentication, they would use:
Typically the IdP will provide a dashboard of some sort with a link to the Workamajig “app”. The “app” link will use the URL with your custom subdomain.
Logging Into Workamajig
Users are still able to access Workamajig using their Workamajig credentials via the original Workamajig URL. For example https://app.workamajig.com/platinum
Accessing the custom subdomain will trigger the SAML authentication and users will be redirected to your Identity Provider before accessing Workamajig Platinum.
Client / Vendor Users
Client / Vendor users will access Workamajig using the non-SAML URL. For example https://app.workamajig.com/platinum
General Setup Steps
- Decide on the Subdomain. This is typically the company name or initials or short name. This will be used to define the URL used to access Workamajig. Ex. mycompany.workamajig.com
- Configure your identity provider.
- Your IdP will require a couple of pieces of information,
- An Entity ID. https://www.workamajig.com
- An Access URL. https://YOUR_SUBDOMAIN.workamajig.com/platinum/sso/SAMLService.aspx
- Export the metadata file and send it to Workamajig Support
- Once the Workamajig server has been configured you will need to enable SAML in Workamajig > System Setup.
- Navigate to System Setup -> Connections -> Single Sign-On and enter the subdomain into the URL Prefix field. This field acts as a flag to enable/disable SAML.
- Enter the SAML Configuration Identifier. This will be provided to you by Workamajig after the Workamajig server has been configured.
- Enter in redirect URLs for logout/invalid login
- Save and Exit the Admin screen.
If Auto Create Client/Vendor Logins, additional fields will be visible
First Name: enter in the field name from your system that Workamajig will pull data from. Ex. givenName
Last Name: enter in the field name from your system that Workamajig will pull data from. Ex. surName
Email: enter in the field name from your system that Workamajig will pull data from. Ex. email
Phone: enter in field name from your system that Workamajig will pull data from. Ex. phone
Company ID: (optional) enter in a Company Name in Workamajig to place the contact record in. Once added to the system you can move them to a different Company. Many will create a "Holding Pen" for the contacts initial login. Your team can then move the new contact into a proper company and edit security group if needed.
Security Group: enter the Security Group name from Workamajig that the new contact will be placed in.
Limitations And Notes
- SAML Support is a Platinum only feature.
- Any changes to existing and/or expiring connections should be planned ahead of time. Feel free to contact firstname.lastname@example.org with any questions around this.
- Emails sent out of the system containing links
- Once SAML is enabled, ALL links contained in outbound email will use the SAML URL Prefix defined via Admin > Connections > Single Sign-On screen. NOTE: Client/Vendor Contacts MUST be defined in your SAML/LDAP IdP for the links to work.