Tutorial: Azure Active Directory integration with Workplace by Facebook
In this tutorial, you learn how to integrate Workplace by Facebook with Azure Active Directory (Azure AD).
Integrating Workplace by Facebook with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Workplace by Facebook
- You can enable your users to automatically get signed-on to Workplace by Facebook (Single Sign-On) with their Azure AD accounts
- You can manage your accounts in one central location - the Azure portal
If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.
To configure Azure AD integration with Workplace by Facebook, you need the following items:
- An Azure AD subscription
- A Workplace by Facebook single sign-on enabled subscription
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial here.
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Workplace by Facebook from the gallery
- Configuring and testing Azure AD single sign-on
Adding Workplace by Facebook from the gallery
To configure the integration of Workplace by Facebook into Azure AD, you need to add Workplace by Facebook from the gallery to your list of managed SaaS apps.
To add Workplace by Facebook from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add new application, click New application button on the top of dialog.
In the search box, type Workplace by Facebook.
In the results panel, select Workplace by Facebook, and then click Add button to add the application.
Configuring and testing Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Workplace by Facebook based on a test user called "Britta Simon."
For single sign-on to work, Azure AD needs to know what the counterpart user in Workplace by Facebook is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Workplace by Facebook needs to be established.
This link relationship is established by assigning the value of the user name in Azure AD as the value of the Username in Workplace by Facebook.
To configure and test Azure AD single sign-on with Workplace by Facebook, you need to complete the following building blocks:
- Configuring Azure AD Single Sign-On - to enable your users to use this feature.
- Configuring Reauthentication Frequency - to configure Workplace to prompt for a SAML check.
- Creating an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Creating a Workplace by Facebook test user - to have a counterpart of Britta Simon in Workplace by Facebook that is linked to the Azure AD representation of user.
- Assigning the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Testing Single Sign-On - to verify whether the configuration works.
Configuring Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Workplace by Facebook application.
To configure Azure AD single sign-on with Workplace by Facebook, perform the following steps:
In the Azure portal, on the Workplace by Facebook application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Workplace by Facebook Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
b. In the Identifier textbox, type a URL using the following pattern:
These values are not the real. Update these values with the actual Sign-On URL and Identifier. See the Authentication page of the Workplace Company Dashboard for the correct values for your Workplace community.
On the SAML Signing Certificate section, click Certificate (Base64) and then save the certificate file on your computer.
Click Save button.
On the Workplace by Facebook Configuration section, click Configure Workplace by Facebook to open Configure sign-on window. Copy the Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL from the Quick Reference section.
In a different web browser window, login to your Workplace by Facebook company site as an administrator.
As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to Azure AD.
In the Company Dashboard, go to the Authentication tab.
Under SAML Authentication, select SSO Only from the drop-down list.
Input the values copied from Workplace by Facebook Configuration section of the Azure portal into the corresponding fields:
- In SAML URL textbox, paste the value of Single Sign-On Service URL, which you have copied from Azure portal.
- In SAML Issuer URL textbox, paste the value of SAML Entity ID, which you have copied from Azure portal.
- In SAML Logout Redirect (Optional), paste the value of Sign-Out URL, which you have copied from Azure portal.
- Open your base-64 encoded certificate in notepad downloaded from Azure portal, copy the content of it into your clipboard, and then paste it to the SAML Certificate textbox.
You may need to enter the Audience URL, Recipient URL, and ACS (Assertion Consumer Service) URL listed under the SAML Configuration section.
Scroll to the bottom of the section and click the Test SSO button. This results in a popup window appearing with Azure AD login page presented. Enter your credentials in as normal to authenticate.
Troubleshooting: Ensure the email address being returned back from Azure AD is the same as the Workplace account you are logged in with.
Once the test has been completed successfully, scroll to the bottom of the page and click the Save button.
All users using Workplace will now be presented with Azure AD login page for authentication.
SAML Logout Redirect (optional) -
You can choose to optionally configure a SAML Logout Url, which can be used to point at Azure AD's logout page. When this setting is enabled and configured, the user will no longer be directed to the Workplace logout page. Instead, the user will be redirected to the url that was added in the SAML Logout Redirect setting.
You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and access the embedded documentation through the Configuration section at the bottom. You can read more about the embedded documentation feature here: Azure AD embedded documentation
Configuring Reauthentication Frequency
You can configure Workplace to prompt for a SAML check every day, three days, week, two weeks, month or never.
The minimum value for the SAML check on mobile applications is set to one week.
You can also force a SAML reset for all users using the button: Require SAML authentication for all users now.
Creating an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
In the Azure portal, on the left navigation pane, click Azure Active Directory icon.
To display the list of users, go to Users and groups and click All users.
To open the User dialog, click Add on the top of the dialog.
On the User dialog page, perform the following steps:
a. In the Name textbox, type BrittaSimon.
b. In the User name textbox, type the email address of BrittaSimon.
c. Select Show Password and write down the value of the Password.
d. Click Create.
Creating a Workplace by Facebook test user
In this section, a user called Britta Simon is created in Workplace by Facebook. Workplace by Facebook supports just-in-time provisioning, which is enabled by default.
There is no action for you in this section. If a user doesn't exist in Workplace by Facebook, a new one is created when you attempt to access Workplace by Facebook.
If you need to create a user manually, Contact Workplace by Facebook Client support team
Assigning the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Workplace by Facebook.
To assign Britta Simon to Workplace by Facebook, perform the following steps:
In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.
In the applications list, select Workplace by Facebook.
In the menu on the left, click Users and groups.
Click Add button. Then select Users and groups on Add Assignment dialog.
On Users and groups dialog, select Britta Simon in the Users list.
Click Select button on Users and groups dialog.
Click Assign button on Add Assignment dialog.
Testing single sign-on
If you want to test your single sign-on settings, open the Access Panel. For more information about the Access Panel, see Introduction to the Access Panel.