Facebook Workplace configuration - SSO

Introduction

Ubisecure SSO can be used as the sign-in method for Facebook Workplace.

About this documentation

This documentation is a guide for configuring and using Ubisecure SSO as the sign-in method for Facebook Workplace. It describes how a Ubisecure SSO Administrator can make the required configurations.

Facebook is a third party and its configuration steps may change at its discretion and without notice. Please contact Ubisecure Support if these instructions do not match the current configuration.

Prerequisites

Before commencing, you must have Administrator access to a Facebook Workplace account.

Please refer to https://workplace.fb.com/ for instructions on enabling an account for your organization.

Production accounts are used by default – there is no concept of a test or staging account.

A working installation of Ubisecure SSO 7.0 or later is required.

Setting up Facebook Workplace as SAML SP

To configure Facebook Workplace as a Service Provider:

1. In Facebook Workplace, as an administrator, go to Settings → Authentication

https://YOURCOMPANYNAME.facebook.com/work/admin/?section=authentication

Figure 1. Facebook Workplace SAML Configuration Settings


The following fields must be edited:

  • SAML URL is the HTTP-POST SingleSignOnService endpoint from the SPSSO metadata:
    https://UAS_URL/uas/saml2/SingleSignOnService
  • SAML Issuer URI is the EntityID of the UAS installation:
    https://UAS_URL/uas
  • SAML Certificate is the certificate in PEM format from
    https://UAS_URL/uas/saml2/metadata.xml
    Ensure that the Compatibility Flags on the SSO Management screen contain the setting MetadataCertificate, so that the certificate is included in the metadata. The certificate must be surrounded by the standard PEM headers (five dashes on each side):
    -----BEGIN CERTIFICATE-----
    <copy and paste certificate from metadata>
    -----END CERTIFICATE-----

2. In Ubilogin Management, create an Application of type SAML2. Activate the following metadata, replacing "999999999999999" and "COMPANYNAME" with the values from the Facebook Audience URL and Recipient URL:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.facebook.com/company/999999999999999">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://COMPANYNAME.facebook.com/work/saml.php" index="0"/>
    </SPSSODescriptor>
</EntityDescriptor>

After activation, the SAML Service Provider ID will be updated to contain the EntityID.


3. For testing purposes, disable AuthnRequest validation using the following compatibility flag. Not for production use.


4. Select the desired Authentication Methods from the Allowed Methods tab.

5. Select the permitted user groups from the "Allowed to" tab. Create appropriate groups if required.

6. Create an Authorization Policy to send the user email address in the NameID field with the format of emailaddress.

${nameID.value(user.mail).format('emailaddress')}

Figure 2. Authorization Policy containing the NameID setting for email address

No other attributes are required. The Attribute Name email-as-nameid is insignificant and will not be sent.

7. Attach the Authorization Policy to the Application.

8. Test by pressing the Test button in Facebook Workplace SAML settings. Testing using the Facebook Test buttons requires a popup. Ensure popups are permitted when testing.

9. If the test is successful, you will see the following screen:

Figure 3. Successful test authentication


10. Save your settings.

Figure 4. Settings saved correctly
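The two values that are easiest to get wrong in the procedure above are the SAML Certificate pasted into Facebook Workplace in step 1 (it must be the base64 body from metadata.xml wrapped in the five-dash PEM headers) and the SP metadata activated in Ubilogin Management in step 2 (the Audience URL id and company name must land in exactly the right places). The following Python script is an added example, not Ubisecure's or Facebook's own code: it reads IdP metadata of the shape UAS publishes, produces the SAML URL, SAML Issuer URI and PEM certificate for step 1, and fills in and re-validates the step 2 template. SAMPLE_UAS_METADATA is a constructed stand-in for https://UAS_URL/uas/saml2/metadata.xml, with a placeholder string in place of a real certificate, and sso.example.com / examplecorp are assumed names.

```python
"""Helpers for the copy-and-paste values in steps 1 and 2 above.

Added example, not Ubisecure's or Facebook's own code. SAMPLE_UAS_METADATA
is a constructed stand-in for https://UAS_URL/uas/saml2/metadata.xml; its
certificate body is a placeholder string, not a real certificate.
"""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of IdP metadata with the MetadataCertificate flag enabled.
SAMPLE_UAS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.com/uas">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBkTCB+wIJAKHBfpegPLACEHOLDERcertificateBODYonlyFORtheEXAMPLEA
        MIIBkTCB+wIJAKHBfpegPLACEHOLDERcertificateBODYonlyFORtheEXAMPLEB
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.com/uas/saml2/SingleSignOnService"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/uas/saml2/SingleSignOnService"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_signing_certificate(metadata_xml):
    """Return the IdP signing certificate as PEM for Workplace's SAML Certificate field."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None:
                break
    if cert is None or not cert.text or not cert.text.strip():
        raise ValueError("no signing certificate: check the MetadataCertificate flag")
    body = "".join(cert.text.split())          # XML may indent and wrap the base64
    base64.b64decode(body, validate=True)      # fail early on a mangled copy-paste
    return "\n".join(["-----BEGIN CERTIFICATE-----",
                      *textwrap.wrap(body, 64),  # PEM body lines are 64 columns
                      "-----END CERTIFICATE-----"])


def extract_sso_fields(metadata_xml):
    """Return Workplace's SAML URL (HTTP-POST SSO endpoint) and SAML Issuer URI."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]
    if len(post) != 1:
        raise ValueError("expected exactly one HTTP-POST SingleSignOnService")
    return {"saml_url": post[0], "saml_issuer_uri": root.get("entityID")}


def build_workplace_sp_metadata(company_name, audience_id):
    """Fill in the step 2 SP metadata template for Ubilogin Management.

    audience_id is the number from Workplace's Audience URL and company_name
    the host label from its Recipient URL; both are checked so that a stray
    character cannot end up in the EntityID or the ACS Location.
    """
    if not re.fullmatch(r"[0-9]+", audience_id):
        raise ValueError("Audience URL id must be numeric")
    if not re.fullmatch(r"[a-z0-9-]+", company_name):
        raise ValueError("company name must be a single DNS label")
    return (
        f'<EntityDescriptor xmlns="{NS["md"]}" '
        f'entityID="https://www.facebook.com/company/{audience_id}">\n'
        '    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        '        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n'
        f'        <AssertionConsumerService Binding="{HTTP_POST}" '
        f'Location="https://{company_name}.facebook.com/work/saml.php" index="0"/>\n'
        '    </SPSSODescriptor>\n'
        '</EntityDescriptor>\n'
    )


def check_sp_metadata(sp_xml):
    """Parse SP metadata back and return (entityID, ACS Location, NameIDFormat)."""
    root = ET.fromstring(sp_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    return (root.get("entityID"), acs.get("Location"),
            sp.findtext("md:NameIDFormat", namespaces=NS))


if __name__ == "__main__":
    print(extract_sso_fields(SAMPLE_UAS_METADATA))
    print(extract_signing_certificate(SAMPLE_UAS_METADATA))
    print(build_workplace_sp_metadata("examplecorp", "999999999999999"))
```

Run the script against the real metadata.xml by replacing SAMPLE_UAS_METADATA with its contents; the base64 check and the exactly-one-HTTP-POST-endpoint check catch the common problems (a truncated paste, or metadata that exposes no certificate because the MetadataCertificate flag is off) before anything is saved in Facebook Workplace.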

Facebook Workplace Login Process

When Facebook Workplace SSO login is enabled, it behaves like other SAML Service Providers.

To log in:

  1. Open the page COMPANYNAME.facebook.com

    Figure 5. Main log in page for Facebook Workplace

  2. Click Log In

  3. You will be redirected to log in using the configured method

    Figure 6. Example login screen

  4. You will be logged in as the user with the matching email address

    Figure 7. Facebook Workplace home page after logging in

Facebook Workplace SAML settings

Facebook Workplace provides other settings that control SAML sessions.

Session settings

Session settings can be adjusted as shown in the screenshot below:

Figure 8. Facebook Workplace SAML Authentication settings


Here, the frequency of reauthentication can be controlled. All users can be forced to log out and log in again using SAML authentication.

Disabling log in via SAML

To disable SAML authentication, enable Username/Password only.

Figure 9. Facebook Workplace SAML Authentication settings - Disabling SAML