Facebook Workplace configuration - SSO
Introduction
Ubisecure SSO can be used as a sign-in method for Facebook Workplace.
About this documentation
This documentation is a guide for configuring and using Ubisecure SSO as a sign-in method for Facebook Workplace. It describes how a Ubisecure SSO Administrator can make the required configurations.
Facebook is a third party, and configuration steps may change at their discretion and without notice. Please contact Ubisecure Support if these instructions do not match the current configuration.
Prerequisites
Before commencing, you must have Administrator access to a Facebook Workplace account.
Please refer to https://workplace.fb.com/ for instructions on enabling an account for your organization.
Production accounts are used by default – there is no concept of a test or staging account.
A working installation of Ubisecure SSO 7.0 or greater is required.
Setting up Facebook Workplace as SAML SP
To configure Facebook Workplace as a Service Provider:
1. In Facebook Workplace, as an administrator, go to Settings → Authentication:
https://YOURCOMPANYNAME.facebook.com/work/admin/?section=authentication
Figure 1. Facebook Workplace SAML Configuration Settings
The following fields must be edited:
- SAML URL is the HTTP-POST SingleSignOnService endpoint from the SPSSO metadata.
https://UAS_URL/uas/saml2/SingleSignOnService
- SAML Issuer URI is the EntityID of the UAS installation.
https://UAS_URL/uas
- SAML Certificate is the certificate in PEM format from
https://UAS_URL/uas/saml2/metadata.xml
Ensure that the Compatibility Flags field of the SSO Management Screen contains the setting MetadataCertificate, so that the certificate is included in the metadata. The certificate must be surrounded by headers:
-----BEGIN CERTIFICATE-----
<copy and paste certificate from metadata>
-----END CERTIFICATE-----
2. In Ubilogin Management, create an Application of type SAML2. Activate the following metadata, replacing "999999999999999" and "COMPANYNAME" with the values from the Facebook Audience URL and Recipient URL:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://www.facebook.com/company/999999999999999">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://COMPANYNAME.facebook.com/work/saml.php" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
After activation, the SAML Service Provider ID will be updated to contain the EntityID.
3. For testing purposes, disable AuthnRequest validation using the following compatibility flag. Not for production use.
4. Select the desired Authentication Methods from the Allowed Methods tab.
5. Select the permitted user groups from the "Allowed to" tab. Create appropriate groups if required.
6. Create an Authorization Policy to send the user email address in the NameID field with the format of emailaddress.
${nameID.value(user.mail).format('emailaddress')}
Figure 2. Authorization Policy containing the NameID setting for email address
No other attributes are required. The Attribute Name email-as-nameid is insignificant and will not be sent.
7. Attach the Authorization Policy to the Application.
8. Test by pressing the Test button in Facebook Workplace SAML settings. Testing using the Facebook Test buttons requires a popup. Ensure popups are permitted when testing.
9. If the test is successful, you will see the following screen:
Figure 3. Successful test authentication
10. Save your settings.
Figure 4. Settings saved correctly
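Step 1 asks for three values taken from the Ubisecure SSO metadata: the HTTP-POST SingleSignOnService endpoint, the EntityID and the certificate wrapped in PEM headers. The following Python sketch is an added example, not part of the original Ubisecure documentation; it assumes the metadata is a standard SAML 2.0 EntityDescriptor containing an IDPSSODescriptor, and it runs on a constructed sample whose certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SSO = "https://UAS_URL/uas/saml2/SingleSignOnService"
B64 = "QUJD" * 20  # constructed placeholder, not a real certificate

# Constructed sample metadata; the base64 is split over two lines as it often is.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://UAS_URL/uas">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>
   {B64[:40]}
   {B64[40:]}
  </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="{REDIRECT}" Location="{SSO}"/>
  <SingleSignOnService Binding="{POST}" Location="{SSO}"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def workplace_fields(metadata_xml):
    """Return the three values the Workplace SAML form asks for in step 1."""
    # Parse only metadata from your own UAS; use a hardened parser for untrusted XML.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    posts = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
             if s.get("Binding") == POST]
    if not posts:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # A KeyDescriptor without a 'use' attribute serves signing as well.
    b64 = ""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find(".//ds:X509Certificate", NS)
            b64 = "".join((node.text or "").split()) if node is not None else ""
            if b64:
                break
    if not b64:
        raise ValueError("no certificate; check the MetadataCertificate flag")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"saml_url": posts[0], "saml_issuer_uri": root.get("entityID"),
            "saml_certificate": pem}
```

The ValueError for a missing certificate corresponds to metadata published without the MetadataCertificate compatibility flag described in step 1.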
Facebook Workplace Login Process
When Facebook Workplace SSO login is enabled, it behaves like other SAML Service Providers.
To log in:
Open the page
COMPANYNAME.facebook.com
Figure 5. Main log in page for Facebook Workplace
Click Log In
You will be redirected to log in using the configured method
Figure 6. Example login screen
You will be logged in as the user with the matching email address
Figure 7. Facebook Workplace home page after logging in
Facebook Workplace SAML settings
Facebook Workplace provides other settings to control the SAML sessions.
Session settings
Session settings can be adjusted as shown in the screenshot below:
Figure 8. Facebook Workplace SAML Authentication settings
Here, the frequency of reauthentication can be controlled. All users can be forced to log out and log in again using SAML Authentication.
Disabling log in via SAML
To disable SAML Authentication, enable Username/Password only.
Figure 9. Facebook Workplace SAML Authentication settings - Disabling SAML
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.