Top
Whatfix Single Sign On
  • 05 Mar 2024
  • 2 Minutes To Read
  • Dark
    Light
  • PDF

Whatfix Single Sign On

  • Dark
    Light
  • PDF

Article summary

Whatfix supports login with Single Sign-On (SSO). SSO is an authentication process that enables users to access multiple applications with one set of login credentials.

Your title goes here

Contact support@whatfix.com to enable SSO for your Whatfix account. There is no configuration required from your end to activate SSO for your Whatfix account.

How does SSO work in Whatfix?

  1. SSO-enabled enterprises have the following login screen:
  2. When you click LOGIN WITH SSO, you are redirected to the configured Identity Provider.
  3. Once you enter the credentials of the Identity Provider, it is verified and you are then redirected to the Whatfix account.
    id_verification_screen.png

Identity Providers supported by Whatfix

An Identity Provider (IdP) is an authority system that holds and verifies the user authentication information. Whatfix interacts with your IdP and trusts the information provided by the IdP to gain access to the application. Whatfix supports the following identity providers:

  • Okta
  • PingFederate
  • Azure Active Directory
    Any identity provider compliant with SAML 2.0 works with Whatfix SSO.

Where is the SSO login available?

You can log in with SSO on the Whatfix homepage.


Requirements to enable SSO on your account

The following information has to be exchanged with Whatfix.

Information Detail Example



The organization provides this information

Enterprise Name* XYZ corp
IdP EntityId* https://app.onelogin.com/saml/metadata/905b5aec-defd-4f7a-a910-dae67c220cbe
IdP SSO Service URL* https://ddash.onelogin.com/trust/saml2/http-post/sso/884595
X509 certificate*

SAML identity location*
(If the NameID is not available, you can provide the attribute element instead)

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

OR

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User.email"> 



Whatfix provides this information

Identifier/Audience URI/Entity ID whatfix
ACS URL* https://whatfix.com/saml_auth/?service=samlFromIdp
ACS URL* (EU Dashboard) https://eu.whatfix.com/saml_auth/?service=samlFromIdp
Sign-on URL* https://whatfix.com/xyz-test

Your title goes here
  • If you face any issues while adding the mentioned Sign-on URL, you can also add the ACS URL (https://whatfix.com/saml_auth/?service=samlFromIdp) in place of the Sign-on URL. 
  • For example, in Okta, the ACS URL can added in place of the Sign-on URL.

sign_on_url


Relay state*

https%3A%2F%2Fwhatfix.com%2Fxyz-test%2F@d5f2f450-94b9-11e8-8f2f-04013d24cd02


Relay state* (EU Dashboard)

https%3A%2F%2Feu.whatfix.com%2Fxyz-test%2F@d5f2f450-94b9-11e8-8f2f-04013d24cd02

* The value of each detail varies for every organization. For more details, contact support@whatfix.com.

Your title goes here
  • Logging in via IdP is not supported when you have multiple accounts or ENTs. This is because the Sign-On URL is different for each account, or ENT.
  • You cannot configure both non-EU and EU Whatfix accounts simultaneously via SSO login since the ACS URL domain is different for non-EU and EU accounts.
Info
  • SSO users can't see the Change Password option in the admin menu. Any password changes need to be performed at the Identity Provider level.
  • Every time a user clicks LOGIN WITH SSOthey are redirected to their Identity Provider's login page.
  • Currently, Whatfix does not support SLO (Single Log Out). When a user signs out of a Whatfix account, it does not log them out of the IdP.
  • The user has to provide configuration parameters for Whatfix to establish an interface with their identity provider.
Your title goes here

If a user has access to more than one enterprise(ENT) and logs into any one of them using SSO, they are automatically logged into all the other SSO-enabled ENTs that they have access to. Thus, they can switch between enterprises from their Whatfix Dashboard. 


Use your organization's SSO to authenticate end users

If your organization has strict security policies that do not enable showing sensitive content to anyone apart from the required audience, you can add an additional layer of security between Whatfix and your end users. You can use your organization's SSO to authenticate your end users before they start seeing Whatfix content. For more information, see End-user authentication.

Your title goes here
To enable End-user authentication, contact support@whatfix.com.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.