This document provides guidelines on how to configure Workvivo to authenticate via Single Sign On (SSO) using Microsoft Entra ID as the identity provider (IdP) solution in a SAML2 SSO configuration. The information contained in this document is intended as a guideline only – there may be significant differences in any given Entra ID configuration that require a different approach to be taken.
If you prefer to view a video walkthrough, you can skip ahead to this section.
1. Adding Workvivo as an Enterprise Application in Entra ID
The first step to configuring Workvivo in Entra ID is to add it as an Enterprise application in your Entra ID directory. In the Entra ID portal, select “Enterprise applications” from the main navigation in your Entra ID directory.
Next, click “New application” to create a new enterprise application.
In the Microsoft Entra gallery screen, select "Create your own application" - Name your application and then select the “Non-gallery” option.
2. Setting up SSO with SAML
When the application is created, select the “Single sign-on” navigation item to set up SSO. From the “Select a single sign-on method” screen, select the “SAML” option.
You’ll now be taken to the “Set up Single Sign-On with SAML” screen.
There are four main sections in this configuration. It may look like there’s a lot of options here, but there’s very little that needs to be changed. Click on the “Edit” icon to the top right of section 1 “Basic SAML Configuration”.
In this screen, add the relevant value for your company’s Workvivo installation in the “Identifier” and “Reply URL” fields. These are as follows, replacing the domain name as appropriate with the domain for your Workvivo environment. Leave the additional URLs empty.
Identifier (Entity ID): https://[companyname].workvivo[.com][.us][.me]/saml/metadata
Reply URL (ACS URL): https://[companyname].workvivo[.com][.us][.me]/saml/acs
*Note - Depending on whether your Workvivo instance is hosted on our EU, US, or UAE data center, make sure you enter the correct domain. It will either be workvivo.com, workvivo.us, or workvivo.me. The format may also differ if your organisation has configured a custom domain name for Workvivo. If you do not know your Workvivo domain name, please contact our Support Team via 'Submit a request' for assistance. Press the “Save” button to continue.
In section 2, if you need to change the "Unique User Identifier" simply click the “Edit” button in this section, and click the edit icon alongside "Unique User Identifier (Name ID)". Make sure you select an attribute that contains an email address (such as user.mail or user.userprincipalname) this will be the value users will input as their email address to SSO authenticate into Workvivo. Once you have made your selection, click the “Save” button.
3. Complete the configuration on Workvivo
If your full user base will be using SSO authentication for Workvivo, you can plug in the metadata directly in Workvivo.
Firstly you will need the "IT Administrator" role on Workvivo - this can be granted by a current Admin, or your Workvivo point of contact.
Once you have been granted this role, navigate to the Admin section > Authentication and System Settings.
Under Authentication Mode, choose Single Tenant SSO Only
Next, select Set up SSO Tenant
Enter a Name for your New SSO Tenant
Note: this is just a label for you to identify your sso tenant, for example 'Entra ID SSO Tenant'
On the next screen, you will find your specific Entity ID and ACS URL - these are the URLs you need to enter under the 'Basic SAML Configuration' within Microsoft Entra ID.
Next you will need to enter the metadata details from Mircrosoft Entra ID.
You can find these values in section 3 & 4 of your Single sign-on screen in Entra ID
1. Microsoft Entra Identifier = IdP Entity ID
2. Login URL = SSO Service URL
3. Logout URL = SLO Service URL
4. Certificate (Base64) = X509 Certificate
Once those details are added, Save your configuration
4. Testing SSO with Workvivo
To test that SSO has been configured correctly:
- Ensure the user profile has been created on Workvivo either manually or via SCIM provisioning, and they have been added to the Users and Groups section in Microsoft for the Workvivo Enterprise App.
- Open your Workvivo URL in your browser and you should be automatically redirected to the Microsoft sign-in page.
- Enter your sign-in credentials.
- Once authenticated , you should be automatically redirected back to the Workvivo app.
Please note, if you have some password based users or have multiple single sign-on tenants you would need to configure these by choosing the relevant Authentication Mode under Authentication and System Settings in the Workvivo Admin panel. If you have any questions please contact our Support Team via the 'Submit a request' button, who can help assist you with this configuration.