Requiring Third-Party (Azure AD/SAML) Sign-in for Control
Last updated on April 12, 2024 by Robert Plamondon
Note: This feature is changing significantly in Control 18.2. This article will be updated to match soon.
The use of Azure AD or SAML sign-in for Control users can be made mandatory. By default, it is optional.
This is a selective option that is not available by default. Contact Workspot to enable it for your installation.
Once configured, Control users must sign into Control using the configured third-party authentication service (Azure AD or SAML).
As the sole exception to this rule, a single account can sign into Control as before. This account is the Designated Administrator and is used in case of problems with the third-party configuration.
Note: This feature does not apply to the Control API, just the Control UI.
Procedure
To use this feature:
- Configure and thoroughly test third-party authentication in its optional form before making it mandatory.
- Go to “Setup > Configuration > Authentication and Registration.”
- At the bottom of the “Authentication and Registration” section, set “Control Authentication” to “Azure AD (Entra ID)” or “SAML.”
- If you don’t see “Control Authentication,” contact Workspot to have the feature enabled.
- On the “Setup > Configuration” page, go to the “Access > Control Access” section, select an account to use as the Designated Administrator, and then select the “Authenticate using third-party identity provider only” checkbox.
- When the Alert popup appears, read the text carefully. Third-Party Control Sign-in cannot be disabled without assistance from Workspot. If you select “Yes”:
  - All administrators will be logged off (including yourself).
  - Control users (except the Designated Administrator) can no longer log in using Local (AD or Control-only) sign-ins.
Verification
- Log in as the Designated Administrator from the Control GUI using your Local Sign-in URL: https://control.workspot.com/login/local/companyIdentifier. This should work.
- Using the same URL, try to sign in as another Control user. This should fail.
- Logins using your IdP via https://control.workspot.com/companyIdentifier should work.