This document provides guidelines on how to configure Workvivo to authenticate via Single Sign On (SSO) using Microsoft Entra ID as the identity provider (IdP) solution in a SAML2 SSO configuration. The information contained in this document is intended as a guideline only – there may be significant differences in any given Entra ID configuration that require a different approach to be taken.
1. Adding Workvivo as an Enterprise Application in Entra ID
The first step to configuring Workvivo in Entra ID is to add it as an Enterprise application in your Entra ID directory. In the Entra ID portal, select “Enterprise applications” from the main navigation in your Entra ID directory.
Next, click “New application” to create a new enterprise application.
In the Microsoft Entra gallery screen, select "Create your own application", name your application, and then select the “Non-gallery” option.
2. Setting up SSO with SAML
When the application is created, select the “Single sign-on” navigation item to set up SSO. From the “Select a single sign-on method” screen, select the “SAML” option.
You’ll now be taken to the “Set up Single Sign-On with SAML” screen.
There are four main sections in this configuration. It may look like there are a lot of options here, but very little needs to be changed. Click on the “Edit” icon to the top right of section 1 “Basic SAML Configuration”.
In this screen, add the relevant value for your company’s Workvivo installation in the “Identifier” and “Reply URL” fields. These are as follows, replacing the domain name as appropriate with the domain for your Workvivo environment. Leave the additional URLs empty.
Identifier (Entity ID): https://[companyname].workvivo[.com][.us][.me]/saml/metadata
Reply URL (ACS URL): https://[companyname].workvivo[.com][.us][.me]/saml/acs
*Note - Depending on whether your Workvivo instance is hosted on our EU, US, or UAE data center, make sure you enter the correct domain. It will either be workvivo.com, workvivo.us, or workvivo.me. The format may also differ if your organisation has configured a custom domain name for Workvivo. If you do not know your Workvivo domain name, please contact our Support team at support@workvivo.com for assistance.
Press the “Save” button to continue.
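A pre-save check for the Identifier and Reply URL values described above, as an added example (not Workvivo or Microsoft code). The function names and the "acme" company name are assumptions made for illustration, and the check covers only the URL format stated on this page.

```python
from urllib.parse import urlsplit

# Hosted domains named on this page (EU, US and UAE data centers).
WORKVIVO_SUFFIXES = (".workvivo.com", ".workvivo.us", ".workvivo.me")


def _check_url(label, value, expected_path):
    """Return (host, problems) for one Basic SAML Configuration field."""
    raw, problems = value.strip(), []
    if raw != value:
        problems.append(f"{label}: leading or trailing whitespace")
    if "[" in raw or "]" in raw:
        return "", problems + [f"{label}: template placeholder not replaced"]
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "", problems + [f"{label}: not a parseable URL"]
    if parts.scheme != "https":
        problems.append(f"{label}: scheme must be https")
    if parts.path != expected_path:
        problems.append(f"{label}: path must be exactly {expected_path}")
    if port or parts.username or parts.query or parts.fragment:
        problems.append(f"{label}: unexpected port, credentials, query or fragment")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append(f"{label}: missing host")
    return host, problems


def check_basic_saml_config(identifier, reply_url):
    """Return a list of problems; an empty list means the pair is consistent."""
    id_host, problems = _check_url("Identifier", identifier, "/saml/metadata")
    acs_host, acs_problems = _check_url("Reply URL", reply_url, "/saml/acs")
    problems += acs_problems
    if id_host and acs_host and id_host != acs_host:
        problems.append("Identifier and Reply URL are on different hosts")
    for host in sorted({id_host, acs_host} - {""}):
        if not host.endswith(WORKVIVO_SUFFIXES):
            problems.append(f"{host}: not a workvivo.com/.us/.me host "
                            "(expected only with a custom domain)")
    return problems


if __name__ == "__main__":
    # Constructed sample values; "acme" is a placeholder company name.
    for p in check_basic_saml_config(
            "https://acme.workvivo.com/saml/metadata",
            "http://acme.workvivo.us/saml/acs/"):
        print("PROBLEM:", p)
```

A host outside the three hosted domains is reported rather than rejected, because the page allows for a custom domain; confirm such a host with your Workvivo contact before saving.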
In section 2, if you need to change the "Unique User Identifier", click the “Edit” button in this section, then click the edit icon alongside "Unique User Identifier (Name ID)". Make sure you select an attribute that contains an email address (such as user.mail or user.userprincipalname). This will be the value users will input as their email address to SSO authenticate into Workvivo. Once you have made your selection, click the “Save” button.
3. Complete the configuration on Workvivo
If your full employee base will be using SSO authentication for Workvivo, you can plug in the metadata directly on Workvivo.
First, you will need the "IT Administrator" role on Workvivo; an Admin can grant this role for you, or your Workvivo point of contact can.
Once you have been granted this role, navigate to the Admin section > Authentication Settings.
Change the Authentication Mode to SAML.
You can find the metadata values in sections 3 and 4 of your Single sign-on screen in Entra ID:
1. Microsoft Entra Identifier = SAML IDP Entity ID URL
2. Login URL = SAML Single Sign On Service URL
3. Logout URL = SAML Single Logout Service URL
4. Certificate (Base64) = SAML X509 Certificate
If you’re using SAML JIT, contact your Workvivo account manager for further guidance on configuring this in Entra ID.
If you have some password-based users or have multiple single sign-on tenants, please contact our Support team at support@workvivo.com, who will assist you with this configuration.
4. Testing SSO with Workvivo
You’ll notice a "Test" button in section 5 of the Set up SSO with SAML screen for testing single sign-on with Workvivo. You should only proceed to click this button after the configuration changes from step 3 have been made. Before you can test SSO, you will need to grant access to the Workvivo application to the Entra ID users and/or groups that should be able to sign in to Workvivo using Entra ID SSO. You can do this using the "Users and groups" navigation item on the left-hand side of the screen in Entra ID.
You’ll also need to ensure that your user account has been set up in Workvivo before you can successfully test the sign-in process. This can be done manually for testing purposes, or automatically by configuring SCIM provisioning in Entra ID. See the separate document on setting up Microsoft Entra ID SCIM API for guidance on how to get started with provisioning in Workvivo.