Configuring SAML SSO with Workplace by Facebook and PingOne for Enterprise

Learn how to enable Workplace by Facebook sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct Workplace by Facebook sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate Workplace by Facebook with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and Workplace by Facebook.

Set up the supplied Workplace by Facebook Application in PingOne for Enterprise

  1. Make a note of your Workplace by Facebook Organization ID and subdomain, for example, https://my-org.workplace.com.

  2. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  3. Search for Workplace by Facebook.

  4. Expand the Workplace by Facebook entry and click the Setup icon.

    Screen capture of PingOne for Enterprise Application Catalog. The table lists the Application Name as Workplace by Facebook, the Type as SAML, and the expand right arrow icon is highlighted in red.
  5. Copy the Issuer and IdP ID values.

  6. Download the signing certificate.

    Screen capture of PingOne for Enterprise SSO Instructions with the Signing Certificate Download hyperlink, IdP ID field, and Initiate Single Sign-On (SSO) URL field all highlighted in red.
  7. Click Continue to Next Step.

  8. Set ACS URL to https://your-subdomain.facebook.com/work/saml.php.

    Set EntityID to https://www.facebook.com/company/your-organization-ID.

    Screen capture of PingOne for Enterprise SSO attribute values with the URLs for the ACS URL field and Entity ID field highlighted in red.
  9. Click Continue to Next Step.

  10. Map SAML_SUBJECT to the attribute containing the Facebook username value (an email address).

    Screen capture of PingOne for Enterprise Attribute Mapping table. In the SAML_SUBJECT row and Identity Bridge Attribute or Literal Value column, the Email (Work) field is highlighted in red, as well as the Advanced button below it.
  11. Click Advanced.

  12. Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    Screen capture of PingOne for Enterprise Advanced Attribute options with the Name ID Format to send to SP field highlighted in red.
  13. Click Save.

  14. Click Continue to Next Step twice.

  15. Click Add for all user groups that should have access to Workplace by Facebook.

    Screen capture of PingOne for Enterprise Group Access page with search bar for finding distinct groups.
  16. Click Continue to Next Step.

  17. Download the signing certificate.

    Screen capture of PingOne for Enterprise Signing Certificate and SAML Metadata Download options, with the Signing Certificate Download hyperlink highlighted in red.
  18. Click Finish.

Add the PingOne for Enterprise IdP connection to Workplace by Facebook

  1. Sign on to your Workplace by Facebook console as an administrator.

  2. Go to Admin Panel → Security.

  3. Click the Authentication tab.

  4. For Log in, select Single Sign-On (SSO).

  5. Click Add New SSO Provider.

  6. Set the following field values:

    | Field | Setting |
    | --- | --- |
    | Allow users to login via | SSO only |
    | SAML URL | https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=IdP-ID-value (from Set up the supplied Workplace by Facebook Application in PingOne for Enterprise) |
    | SAML Issuer URL | |
    | SAML Certificate | Paste in the contents of the signing certificate that you downloaded. |

    Screen capture of PingOne for Enterprise SSO settings with the SSO only SAML Authentication drop down menu, SAML URL field, SAML Issuer URI field, and SAML certificate field all highlighted in red.
  7. Click Test SSO.

  8. After a successful test, save the changes.

  9. Go to Admin Panel → People and search for the user who will use SSO.

  10. Edit the user and select SSO for Log in with.

    See Workplace documentation for setting this value on users in bulk.

Test the PingOne for Enterprise IdP-Initiated SSO integration

  1. Go to your Ping desktop as a user with Workplace by Facebook access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete PingOne for Enterprise authentication.

    You are redirected to your Workplace by Facebook domain.

    Screen capture of PingOne for Enterprise Sign On page.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to https://your-subdomain.workplace.com.

  2. Enter your email address.

  3. When you are redirected to PingOne for Enterprise, enter your PingOne for Enterprise username and password.

    Screen capture of PingOne for Enterprise Sign On page.

    After successful authentication, you’re redirected back to Workplace by Facebook.
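If a test sign-on fails, comparing a captured response with the ACS URL, Entity ID, Issuer and Name ID Format entered in the steps above narrows down the cause. The following is an added example, not part of the original guide or of any Ping Identity or Workplace tooling; it assumes you have copied the base64 `SAMLResponse` form field from a test sign-on, and the function names, tenant values and issuer shown are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(b64_response, acs_url, entity_id, issuer):
    """List mismatches between a captured SAMLResponse and the configured values.

    Configuration check only: the XML signature is NOT verified here, so this
    must never be used to decide whether a response is trusted.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    scd = root.find("a:Assertion/a:Subject/a:SubjectConfirmation"
                    "/a:SubjectConfirmationData", NS)
    found = {
        "Destination": root.get("Destination"),
        "Recipient": scd.get("Recipient") if scd is not None else None,
        "Audience": root.findtext(
            "a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience", None, NS),
        "Issuer": root.findtext("a:Assertion/a:Issuer", None, NS),
        "NameID Format": name_id.get("Format") if name_id is not None else None,
    }
    expected = {"Destination": acs_url, "Recipient": acs_url, "Audience": entity_id,
                "Issuer": issuer, "NameID Format": EMAIL_FORMAT}
    problems = [f"{k}: expected {expected[k]!r}, found {found[k]!r}"
                for k in expected if found[k] != expected[k]]
    subject = name_id.text if name_id is not None else None
    if not subject or "@" not in subject:  # Workplace usernames are email addresses
        problems.append(f"NameID value {subject!r} is not an email address")
    return problems

# Constructed sample values; none of them come from a real tenant.
ACS = "https://my-org.facebook.com/work/saml.php"
ENTITY = "https://www.facebook.com/company/1234567890"
ISSUER = "https://idp.example.com/issuer-placeholder"

def sample(fmt=EMAIL_FORMAT, audience=ENTITY, subject="user@example.com"):
    """Build a constructed, unsigned SAMLResponse for exercising the checker."""
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}">'
           f'<a:Assertion><a:Issuer>{ISSUER}</a:Issuer><a:Subject>'
           f'<a:NameID Format="{fmt}">{subject}</a:NameID><a:SubjectConfirmation>'
           f'<a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation>'
           f'</a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>{audience}'
           f'</a:Audience></a:AudienceRestriction></a:Conditions></a:Assertion>'
           f'</p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response matches the configured values; each string in a non-empty list names the field to recheck in PingOne for Enterprise or Workplace.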