What is SSO?
With single sign-on (SSO), your users can access WOX without having to enter their username and password. When employees enter their email, WOX automatically recognizes that the email is enabled for SSO and redirects the user to the Identity Provider site to log in. After login, the user is redirected back to WOX and logged in to the portal automatically.
SSO is available for Premium and Enterprise Plan customers.
SSO setup with WOX as Service Provider
Depending on your organization's needs, you can set up Single Sign-On (SSO) with WOX as your service provider in various ways. SSO profiles that contain the settings for your Identity Provider (IdP) offer the flexibility to apply different SSO settings to different users.
SSO Protocols supported by WOX
WOX supports SAML-based and OpenID Connect (OIDC)-based SSO protocols:
If all your users will sign in through one IdP, using SAML, follow the steps below in "Configure an SSO profile for your organization".
If you want to exclude some users from using SSO and have them sign in directly to WOX, follow the steps in "Decide which users should use SSO". There you can assign 'None' as the SSO profile.
If you use multiple IdPs for your users or use OIDC, the steps you follow depend on the protocol used by your IdP (SAML or OIDC):
- For SAML: Follow the steps in "Create SSO profiles for each of your IdPs" and then "Decide which users should use SSO".
- For OIDC: Ensure that you have configured the prerequisites for OIDC in your organization's Azure AD tenant. Follow the steps in "Decide which users should use SSO" to assign the pre-configured OIDC profile to selected OUs/groups. Note that the WOX Cloud Command Line Interface does not currently support reauthentication with OIDC.
Before Setting up SAML SSO Profile
Before setting up a SAML SSO profile, you will need some basic configuration details from your Identity Provider's (IdP) support team or documentation. These include:
Sign-in page URL: This is where users sign in to your IdP and is also known as the SSO URL or SAML 2.0 Endpoint (HTTP).
Sign-out page URL (Optional): This is where the user will be directed to after exiting the Google app or service.
Certificate: This is an X.509 PEM certificate from your IdP that is used as the SAML key and verification certificate. For more information on X.509 certificates, refer to SAML key and verification certificate.
Certificate Fingerprint: This is the SHA1 fingerprint of the X.509 PEM certificate above. Either the certificate or its SHA1 fingerprint can be used.
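
A pre-flight check for the values listed above, as an added example (not WOX's own code): it computes the SHA1 fingerprint of the PEM certificate, compares it with the fingerprint your IdP published, and applies the HTTPS requirement that the configuration steps place on the URLs. The function names and the sample certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def sha1_fingerprint(pem):
    """SHA-1 over the certificate's DER bytes, as colon-separated upper-case hex."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize_fp(fp):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hexed = re.sub(r"[\s:\-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexed):
        raise ValueError("not a SHA-1 fingerprint (need 40 hex digits)")
    return hexed


def check_profile(sign_in_url, sign_out_url, pem, idp_fingerprint):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    # This sketch follows the admin-console note: every URL entered, every URL HTTPS.
    for label, url in (("sign-in", sign_in_url), ("sign-out", sign_out_url)):
        parts = urlsplit(url or "")
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{label} URL must be an absolute https:// URL")
    try:
        same = hmac.compare_digest(normalize_fp(sha1_fingerprint(pem)),
                                   normalize_fp(idp_fingerprint))
        if not same:
            problems.append("certificate does not match the IdP fingerprint")
    except ValueError as exc:  # bad base64 also raises a ValueError subclass
        problems.append(f"certificate/fingerprint unreadable: {exc}")
    return problems


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-placeholder-der-bytes-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

Obtain the fingerprint you compare against through a separate channel from the certificate file (for example, your IdP's admin page), so that a swapped certificate is caught before it is uploaded.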
Configure SSO for your organization
Use this option if all your users using SSO will use one IdP.
In your WOX Admin console...
- Sign in using an administrator account.
- Go to Integrations > SAML.
- Check the
- Fill in the following information for your IdP:
- Enter the Sign-in page URL and Sign-out page URL for your IdP. Note: All URLs must be entered and must use HTTPS, for example https://sso.domain.com.
- Upload certificate: locate and upload the X.509 certificate supplied by your IdP. For information on generating a certificate, see SAML key and verification certificate.
- Choose whether to use a domain-specific issuer in the SAML request from WOX.
- If you have multiple domains using SSO with your IdP, use a domain-specific issuer to identify the correct domain issuing the SAML request.
- Checked: WOX sends an issuer specific to your domain: wox.com/a/your_domain.com (where your_domain.com is your primary WOX domain name)
- Unchecked: WOX sends the standard issuer in the SAML request: wox.com
- (Optional) To apply SSO to a set of users within specific IP address ranges, enter a network mask. For more information see Network mapping results. Note: you can also set up partial SSO by assigning the SSO profile to specific organizational units or groups.
- (Optional) Enter a change password URL for your IdP. Users will go to this URL (rather than the WOX change password page) to reset their passwords. Note: If you enter a URL here, users are directed
Set up SSO for your IdP
Here's how to set up SSO if you use a third-party Identity Provider (such as Microsoft Azure AD, WOX Workspace or Okta) to authenticate your users: