WFM and Service Provider (SP) initiated Single Sign-On (SSO)

Note: This section does not contain detailed information on IdP (Identity Provider) configuration for tools such as AD FS or PingFederate. It assumes that you have a working knowledge of these tools and are familiar with their configuration steps. If you need more information on how to configure and troubleshoot your preferred IdP, refer to your vendor documentation.

The configuration documented in this section enables SP initiated SSO using your IdP. It is intended for on-premises deployments that do not embed WFM within a portal such as Ming.le. In this configuration the IdP only authenticates the user; it does not manage the WFM session. The two sessions therefore have independent lifetimes: the IdP session times out according to the IdP configuration, and the WFM session times out according to the WFM session timeout registry setting.

WFM sends the IdP a SAML authentication request (AuthnRequest) whenever a user does not have an authenticated WFM session. The IdP prompts the user to authenticate on every such request, even if the user already has a valid IdP session.

Logging out of WFM, ETM or mobility only invalidates the WFM session; no SAML LogoutRequest is sent to the IdP, so the user's IdP session remains valid until it expires according to the IdP configuration.

The differences between SP initiated SSO and IdP initiated SSO are outlined in the table below:

Feature                               SP initiated SSO                                   IdP initiated SSO
Authentication                        All users must use SAML SSO.                       Can be used with customizations to support some users
                                                                                         authenticating with login.jsp.
IdP configuration                     Only one SSO profile on the IdP is needed for      Separate profiles are required for WFM, ETM, and
                                      WFM, ETM, and mobility.                            mobility.
Requests from unauthenticated users   Sends a SAML AuthnRequest to the IdP.              Uses logoutRequest.jsp to do an HTTP redirect to the
                                                                                         IdP.
SAML Response                         The user identifier can be in either the SAML      The user identifier must be in the SAML Response
                                      Response nameID or in a SAML Response claim.       nameID.
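The following is an added worked example, not code from WFM or from this documentation, of the two SP initiated steps described above: the SAML AuthnRequest the SP sends (HTTP-Redirect binding) when the user has no local session, and reading the user identifier out of the IdP's SAML Response from either the nameID or a named claim. The entity IDs, URLs, the "employeeId" attribute name and the sample Response are constructed for the demo, and ForceAuthn is shown as a parameter because the page does not state how WFM makes the IdP re-prompt. XML signature verification is deliberately left out; in production it is mandatory and should come from a SAML library rather than hand-written code.

```python
"""SP-initiated SAML 2.0 exchange: an added illustration, not WFM's own code.
Entity IDs, URLs and the attribute name are hypothetical. XML-signature
verification is omitted; in production it is mandatory (use a SAML library)."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Return (request_id, redirect_url) for the HTTP-Redirect binding: the XML is
    raw-DEFLATEd, base64-encoded and URL-encoded as the SAMLRequest parameter.
    ForceAuthn="true" asks the IdP to re-prompt even when it already holds a
    session; whether WFM sets it is an assumption, so it is a parameter here."""
    request_id = "_" + uuid.uuid4().hex
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{datetime.now(timezone.utc).strftime(TIME_FMT)}" '
        f'Destination="{escape(idp_sso_url)}" AssertionConsumerServiceURL="{escape(acs_url)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        + (' ForceAuthn="true"' if force_authn else "")
        + f'><saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>'
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no header
    param = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return request_id, f"{idp_sso_url}?{urlencode({'SAMLRequest': param})}"


def decode_redirect_request(redirect_url):
    """Undo the Redirect-binding encoding; yields the AuthnRequest element the IdP sees."""
    raw = base64.b64decode(parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def extract_user_identifier(response_xml, expected_request_id, sp_entity_id, now,
                            claim_name=None):
    """Return the user identifier from a SAML Response after basic checks: InResponseTo
    matches the AuthnRequest we issued (rejects unsolicited or replayed responses),
    Audience names this SP, and 'now' lies inside the Conditions window. The identifier
    is read from the NameID, or from attribute 'claim_name' when one is given."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("Response has no Assertion with Conditions")
    window = [datetime.strptime(cond.get(k), TIME_FMT).replace(tzinfo=timezone.utc)
              for k in ("NotBefore", "NotOnOrAfter")]
    if not window[0] <= now < window[1]:  # NotBefore inclusive, NotOnOrAfter exclusive
        raise ValueError("Assertion is outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Assertion was not issued for this SP (Audience mismatch)")
    if claim_name is not None:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            value = attr.find("saml:AttributeValue", NS)
            if attr.get("Name") == claim_name and value is not None and value.text:
                return value.text.strip()
        raise ValueError(f"claim {claim_name!r} not present in the Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no NameID")
    return name_id.text.strip()


def sample_response(in_response_to):
    """Constructed, unsigned IdP Response for the demo; not a captured message."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="{in_response_to}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://wfm.example.com/sp</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="employeeId">
      <saml:AttributeValue>100042</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""


def demo():
    """Round trip; returns (id from NameID, id from the claim, stale response rejected?)."""
    sp, acs, idp = ("https://wfm.example.com/sp", "https://wfm.example.com/saml/acs",
                    "https://idp.example.com/sso")
    req_id, url = build_authn_request(sp, acs, idp)
    req = decode_redirect_request(url)
    assert req.get("ID") == req_id and req.get("ForceAuthn") == "true"
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    by_name_id = extract_user_identifier(sample_response(req_id), req_id, sp, now)
    by_claim = extract_user_identifier(sample_response(req_id), req_id, sp, now, "employeeId")
    try:  # a Response answering some other AuthnRequest must be rejected
        extract_user_identifier(sample_response("_stale"), req_id, sp, now)
        rejected = False
    except ValueError:
        rejected = True
    return by_name_id, by_claim, rejected
```

Calling demo() returns ('jdoe', '100042', True). The InResponseTo check is only available because the SP issued the request: in IdP initiated SSO the Response is unsolicited, so that correlation (and the replay protection it gives) does not exist, which is one reason the SP initiated flow is the tighter of the two. None of these checks replaces signature verification; until the Assertion's signature has been validated against the IdP's certificate, the identifier it carries is untrusted input.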