Implementation > SAML Authentication


SAML (Security Assertion Markup Language) is a standard commonly used to enable Single Sign-On (SSO). It allows you to configure WorkBook to authenticate users via an Identity Provider (IdP), so they can log in using their existing organisation credentials.

Some of these identity providers are:

  • Azure AD / Office 365

  • Okta

  • OneLogin

  • AD FS

  • Generic SAML 2.0 Identity Providers

WorkBook expects the SAML assertion to include the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, which must match the user's LoginName in WorkBook.

Note: SAML authentication is used solely for validating user credentials; user accounts must still be created, managed, and deactivated manually within WorkBook.

Important: It is not currently possible to disable regular password authentication. As a workaround, you can enable LDAP authentication for the user—even if LDAP is not fully configured—to prevent login via password.


CONFIGURATION OF THE IDENTITY PROVIDER

The following information is required to configure your Identity Provider (IdP) for SAML-based authentication with WorkBook.

  • SAML Binding Endpoint:
    <schema>://<customer domain>/API/Auth/SAML
    (Replace <schema> with https and <customer domain> with your actual WorkBook domain.)

  • Supported SAML Bindings:

    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST


CONFIGURATION IN WORKBOOK (SERVICE PROVIDER)

SAML configuration in WorkBook is managed via system variables. To access these settings, navigate to:

  • Settings module > global system settings sub menu > system variables

  • Search for “SAML” in the search field

You will find the following key configuration variables:

SYSTEM VARIABLE / DETAILS

  • 1002 – SAML Configuration
    Contains the main SAML configuration for the Service Provider (WorkBook). See the SAML Configuration section below for details.

  • 1004 – SAML ServiceProvider Certificate
    The certificate that WorkBook should use for signing all requests (optional).

  • 1005 – SAML ServiceProvider Certificate Password
    The password for the Service Provider certificate.

  • 1006 – SAML IdentityProvider Certificate
    The public certificate of the Identity Provider, used to validate the signature on everything received from the Identity Provider (required).
    The certificate must be base64 (PEM) encoded, starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".

  • 1060 – SAML Error Response Redirect Address
    The URL that WorkBook redirects to if SAML login fails. You can use #ErrorMessage# as a replacement token to display the specific error.

  • 1178 – SAML Use User Login
    Must be enabled (checked). This ensures WorkBook uses the user's LoginName when matching the SAML assertion.


SAML CONFIGURATION

A typical SAML Configuration resembles the XML snippet below. This defines the Assertion Consumer Service (ACS) URL.

If your Identity Provider requires a different configuration or does not support these options, please contact us — we’re happy to help you adjust the settings to meet your requirements.

Sample SAML Configuration XML

<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
    <ServiceProvider Name="workbook://app" />
    <PartnerIdentityProviders>
        <PartnerIdentityProvider Name="!!ServiceProvider Id!!"
                                Description="IdentityProvider"
                                UseEmbeddedCertificate="true"
                                SingleSignOnServiceUrl="!!URL used for SAML!!"
                                SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                WantAssertionSigned="true" />
    </PartnerIdentityProviders>
</SAMLConfiguration>


  • Replace the placeholders !!ServiceProvider Id!! and !!URL used for SAML!! with the Identity Provider's entity ID and its single sign-on URL.

  • If a SAML ServiceProvider Certificate has been specified (system variable 1004), change UseEmbeddedCertificate in the PartnerIdentityProvider element to false.
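The following script is an added example (not WorkBook's or ComponentSpace's own code) that checks the three settings discussed above for the mistakes this page warns about: leftover !!placeholders!! in variable 1002, an unsupported binding, UseEmbeddedCertificate left at true although a Service Provider certificate (1004) is set, and an Identity Provider certificate (1006) whose BEGIN/END markers are not plain ASCII hyphens. All sample values are constructed; the assumed default for a missing UseEmbeddedCertificate is true.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for WorkBook system variables 1002, 1004 and 1006 (not from a real installation).
SAML_CONFIG_1002 = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
    <ServiceProvider Name="workbook://app" />
    <PartnerIdentityProviders>
        <PartnerIdentityProvider Name="https://idp.example.test/saml/metadata"
                                Description="IdentityProvider"
                                UseEmbeddedCertificate="true"
                                SingleSignOnServiceUrl="!!URL used for SAML!!"
                                SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                WantAssertionSigned="true" />
    </PartnerIdentityProviders>
</SAMLConfiguration>"""
SP_CERT_1004 = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----"
# Markers pasted from a word processor: en/em dashes instead of five ASCII hyphens (a common paste error).
IDP_CERT_1006 = "\u2014\u2013BEGIN CERTIFICATE\u2014\u2013\nMIIB...constructed...\n\u2014\u2013END CERTIFICATE\u2014\u2013"

NS = {"c": "urn:componentspace:SAML:2.0:configuration"}
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

def check_saml_settings(config_xml, sp_cert, idp_cert):
    """Return the list of problems found in variables 1002/1004/1006; empty means they look consistent."""
    problems = []
    root = ET.fromstring(config_xml)
    # 1. No "!!placeholder!!" token may survive in the deployed configuration.
    for token in sorted(set(re.findall(r"!![^!]+!!", config_xml))):
        problems.append(f"placeholder still present: {token}")
    for pip in root.findall("c:PartnerIdentityProviders/c:PartnerIdentityProvider", NS):
        # 2. WorkBook only supports the two bindings listed on this page.
        binding = pip.get("SingleSignOnServiceBinding", "")
        if binding not in SUPPORTED_BINDINGS:
            problems.append(f"unsupported binding: {binding}")
        # 3. With a Service Provider certificate in 1004, UseEmbeddedCertificate must be false
        #    (default assumed to be true when the attribute is missing).
        embedded = pip.get("UseEmbeddedCertificate", "true").lower() == "true"
        if sp_cert.strip() and embedded:
            problems.append("SP certificate set (1004) but UseEmbeddedCertificate is still true")
        if pip.get("WantAssertionSigned", "").lower() != "true":
            problems.append("WantAssertionSigned should be true so assertions are signature-checked")
    # 4. Variable 1006 is required and must be a PEM block with ASCII hyphen markers.
    if not idp_cert.strip():
        problems.append("IdP certificate (1006) is required but empty")
    elif not (idp_cert.startswith("-----BEGIN CERTIFICATE-----")
              and idp_cert.rstrip().endswith("-----END CERTIFICATE-----")):
        problems.append("IdP certificate (1006) is not wrapped in ASCII -----BEGIN/END CERTIFICATE----- markers")
    return problems
```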


Google SAML Terminology

If you're configuring WorkBook with Google Workspace as the IdP, note the terminology mapping:

  • ServiceProvider ID - is known as ‘Entity ID’

  • SingleSignOnServiceUrl - is known as ‘SSO URL’

Under Service Provider Details:

  • ACS URL: Should be set to ‘https://[THE_URL_FOR_YOUR_WORKBOOK]/api/auth/saml’

  • Entity ID: Always ‘workbook://app’

Additional Options and Configurations

  • SAMLConfiguration schema (the ComponentSpace SAML 2.0 configuration reference)


DISABLING WORKBOOK USERNAME & PASSWORD

Currently, there is no dedicated feature to completely disable WorkBook username and passwords. However, there is a workaround using LDAP settings to prevent users from logging in with their WorkBook credentials.

Workaround: Use LDAP Authentication

  1. Enable system variable: 844 - Allow the usage of Lightweight Directory Access Protocol for authentication of users

  2. For each user you want to restrict:

    1. Open the employee card > login settings

    2. Check the “Is LDAP User” option

This prevents the user from using WorkBook’s standard username/password mechanism, and forces them to use the Identity Provider.


TROUBLESHOOTING

ISSUE / SOLUTION

  • The audience restriction * doesn't match the expected audience restriction *

    • This happens when the identity (Entity ID) of the application registered on the Identity Provider does not match the ServiceProvider Name in the WorkBook configuration.

    • We recommend setting the identity on the Identity Provider to a non-existing address that matches the ServiceProvider Name; the default in the sample configuration is "workbook://app".

  • Login failed for the username: *

    • WorkBook issues this error when no LoginName in WorkBook matches the username sent by the Identity Provider.

    • On most Identity Providers you can change what is sent as the username; alternatively you can change the LoginName of the individual users in WorkBook.

    • If the username displayed is a number, GUID or similar, the Identity Provider is most likely not sending the claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" that WorkBook expects.

  • The SAML message doesn't contain an InResponseTo attribute.

    • Some Identity Providers do not send an InResponseTo attribute when the login was initiated from the Identity Provider (IdP-initiated SSO) rather than from WorkBook.

    • If you cannot change this behaviour on the Identity Provider, you can disable the check in WorkBook by adding DisableInResponseToCheck="True" to the PartnerIdentityProvider element of the WorkBook configuration. WorkBook then no longer verifies that a response belongs to a request it issued, so only disable the check when IdP-initiated login is actually required.
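As an added diagnostic example (not WorkBook's code), the script below replays the three checks from the troubleshooting table against an already decoded and signature-verified SAML Response: the Audience against the ServiceProvider Name, the name claim (falling back to the NameID when the claim is absent, which is how a GUID ends up in the error) against the list of WorkBook LoginNames, and the presence of InResponseTo unless DisableInResponseToCheck is set. The sample response and the LoginNames are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GUID_OR_NUMBER = re.compile(r"^(\d+|[0-9a-fA-F-]{32,36})$")

# Constructed, unsigned sample: IdP-initiated login (no InResponseTo), wrong Audience, and no name
# claim, so only the NameID (an object id) is available. Not captured from a real system.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>a1b2c3d4-0000-4000-8000-000000000001</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://workbook.example.test/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def asserted_username(root):
    """Value of the name claim WorkBook expects, falling back to NameID when the claim is absent."""
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == NAME_CLAIM:
            return attr.findtext("saml:AttributeValue", default="", namespaces=NS), True
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS), False

def diagnose_response(response_xml, expected_audience, login_names, disable_inresponseto_check=False):
    """Replay the three troubleshooting checks; returns the findings in the order of the table."""
    findings = []
    root = ET.fromstring(response_xml)
    audience = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"The audience restriction {audience} doesn't match the expected audience restriction {expected_audience}")
    username, from_claim = asserted_username(root)
    if username not in login_names:
        msg = f"Login failed for the username: {username}"
        if not from_claim and GUID_OR_NUMBER.match(username):
            msg += f" (no {NAME_CLAIM} claim; the IdP sent an object id instead)"
        findings.append(msg)
    # The InResponseTo check ties the response to a request WorkBook issued; only skip it deliberately.
    if root.get("InResponseTo") is None and not disable_inresponseto_check:
        findings.append("The SAML message doesn't contain an InResponseTo attribute")
    return findings
```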


© Tangram 2025. All rights reserved.