SSO allows your users to log in with an existing account at one of our supported Identity Providers without having to set a new password in awork. Click on your provider below to navigate to the setup guide.
The list of supported identity providers includes:
If you can' t find your identity provider in this list, please contact us directly, and we' ll check if we can provide a connection.
☝️Note: SSO is only available in the awork Enterprise plan.
SAML 2.0 is not supported by awork, as we have opted for the more modern OpenID-Connect Standard based on OAuth 2.0.
Supported identity providers
Below you can find links to the websites of the supported identity providers:
Setup in awork
Navigate to Settings > Integrations
Open the Integration library and select your provider
Now you need to enter the subdomain, client ID and client secret of the provider in the window. Instructions on how to register awork as an SSO application with your provider can be found below.
Important notes for the setup
The following redirect URLs must be enabled:
https://app.awork.io/enterprise-login
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.io/api/v1/accounts/external/{name of login provider}
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/{name of login provider}
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
For login via web interface, e.g. via https://app.awork.com, you'll need:
https://app.awork.io/enterprise-login
https://app.awork.com/enterprise-login
For authorization from Slack you need:
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/authorize-slack
For Microsoft Teams authorization you need:
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/msteams/authorize
For Zapier integrations, you'll need the following redirect URL:
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/api/v1/accounts/authorize
Below you'll find an overview of specific configurations per Identity Provider.
Okta
Open the Okta configuration at YOUR-SUBDOMAIN.okta.com/admin
Go to the Applications section in the menu
Add a new application and name it e.g. awork
In the details of the application you get Client-ID, Client-Secret, and Subdomain. Enter them in the awork configuration window and finish the configuration by clicking the Save button
☝️Hint: Note here that the login redirect URIs must be set correctly. Otherwise, Okta won't be able to redirect your users properly. In addition, the Implicit (Hybrid) flow, including the ID Token grant type, must be enabled. User consent is not needed as awork only accesses the user's name and email at login.
In the Login section of the Okta application, set the following URIs:
Initiate login URI:
AWORK_SUBDOMAIN.awork.com/login
Login redirect URIs
https://app.awork.io/enterprise-login
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.io/api/v1/accounts/external/okta
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/okta
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
Auth0
Open the Auth0 configuration
Go to the Applications section in the menu.
Add a new application with the type Regular Web Applications and name it e.g. awork.
In the details of the application you'll find the Client-ID, Client-Secret and Subdomain. Enter them in the awork configuration window and save.
Set the following URIs in the Application URIs section of the Auth0 configuration
Application login url:
AWORK_SUBDOMAIN.awork.com/login
Allowed callback URIs
https://app.awork.io/enterprise-login,
https://app.awork.io/api/v1/accounts/authorize-slack,
https://app.awork.io/api/v1/accounts/external/auth0,
https://app.awork.io/api/v1/accounts/msteams/authorize,
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login,
https://app.awork.com/api/v1/accounts/authorize-slack,
https://app.awork.com/api/v1/accounts/external/auth0,
https://app.awork.com/api/v1/accounts/msteams/authorize,
https://app.awork.com/api/v1/accounts/authorizeAllowed web origins:
AWORK_SUBDOMAIN.awork.io
app.awork.io
AWORK_SUBDOMAIN.awork.com
app.awork.com
☝️Hint: All other settings are already set correctly by default.
OneLogin
Open the OneLogin configuration under SUBDOMAIN.onelogin.com
Go to the Applications section in the menu.
Add a new application by clicking the Add App button in the upper right corner and name it e.g. awork.
Select OpenID Connect (OIDC) as type and set the name to e.g. awork and save.
In the SSO section of the app you get client ID and client secret. You can find the subdomain in the URL of your OneLogin account: {subdomain}.onelogin.com. Enter this information in the awork configuration window and save.
The following URIs have to be enabled in the Configuration section, so that the forwarding of your employees works without problems:
Login url:
AWORK_SUBDOMAIN.awork.com/login
Redirect URIs
https://app.awork.io/enterprise-login
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.io/api/v1/accounts/external/onelogin
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/onelogin
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
Azure
Open the Azure AD configuration at portal.azure.com.
Go to the Azure Services section and then Azure Active Directory.
In the Manage section of the menu, click App Registries.
Add a new registry and name it awork, for example.
In the Certificates and Secrets section of the new registry, you'll be able to create a new application ID (client), whose ID (client ID) and value (client secret) you can enter in the awork configuration window.
In the Authentication section, check ID tokens in Azure configuration and set the following redirection URIs for a web platform:
Redirect URIs
https://app.awork.io/enterprise-login
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.io/api/v1/accounts/external/azure
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/azure
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
The subdomain you need to put in awork is either:
your Azure active directory tenant-ID:
your fallback domain: <client>.onmicrosoft.com
GSuite
To set up SSO with GSuite, you need to follow these instructions:
Go to https://console.cloud.google.com/apis/credentials and first select your project for which you want to use SSO
Then click on Create Credentials and select OAuth Client ID from the list
Select Web Application as the type
As a name you'll be able to choose e.g. awork.
In the URIs section you need to add the following URIs:
Redirect URIs:
https://app.awork.io/enterprise-login
https://app.awork.io/api/v1/accounts/authorize-slack
https://app.awork.io/api/v1/accounts/external/azure
https://app.awork.io/api/v1/accounts/msteams/authorize
https://app.awork.io/api/v1/accounts/authorize
https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/azure
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
After that you save your data via the button Create.
On the right side you will find the client ID and the client key (client secret), which you have to enter in awork
More information about SSO with GSuite can be found here.
Keycloak
Please contact our support if you want to setup Keycloak SSO, as this option is not available via the Web Interface yet!
To setup Keycloak SSO via OpenID Connect, you need to follow the following steps:
Login into your Keycloak Admin Console
Go to the Clients
Download this client configuration file: Keycloak awork Client Configuration
Drag the file into the Resource file field. This pre-fills all the settings you need.
Save the new client
In the Client Details
Go to the Realms Settings and find the .well-known/openid-configuration URL at the bottom of the General settings called OpenID Endpoint Configuration
With the Client Id and Secret and the .well-known/openid-configuration URL, please contact our support so we can configure the integration.
☝️ Important: The well-known/openid-configuration URL needs to be available 24/7 to prevent errors while trying to login via SSO!
After the setup
If the configuration was successful, the SSO sign-in is now available in the login area.
☝️Hint: Rights, users, or groups are currently not controlled via the identity provider. Only the login for existing user accounts is enabled. A user must, therefore, already exist in awork. User matching is done via the user's email address.
Disable other login options
If SSO is configured, it is possible to disable and hide the other login options (email & password as well as social login via Google & Apple). You can set this up in Settings > General.
This is only advisable if no external users, who are not managed via Identity Management, are working in the workspace.
☝️Hint: If you remove the SSO settings in awork, the login with email and password will be automatically enabled again, so you'll be able to always login with your admin account.
Log in via SSO via app.awork.io
To login via SSO using the global login page app.awork.com, select the option Sign in via SSO.
Here you have to enter the subdomain of your workspace first. After entering the subdomain you will be automatically redirected to the SSO login screen or, if you are already logged in here, directly to your awork dashboard.
If you have disabled the options to login via email & password and/or social login (Google & Apple), they will still be displayed on the global page.
They will just be hidden under the specific workspace page YOUR-WORKSPACE-SUBDOMAIN.awork.com
.
However, login will not be possible from the global page either.
Log in via SSO using YOUR-WORKSPACE-SUBDOMAIN.awork.com
.
If SSO is configured, there is now another selection button Sign in via SSO.
You will now be automatically redirected to the SSO login screen or, if you are already logged in here, directly to your awork dashboard.