Note: This feature is changing significantly in Control 18.2. This article will be updated to match soon.
The use of Azure AD or SAML sign-in for Control users can be made mandatory. By default, it is optional.
This is a selective option that is not available by default. Contact Workspot to enable it for your installation.
Once configured, Control users must sign into Control using the configured third-party authentication service (Azure AD or SAML).
As the sole exception to this rule, a single account can sign into Control as before. This account is the Designated Administrator and is used in case of problems with the third-party configuration.
Note: This feature does not apply to the Control API, just the Control UI.
Procedure
To use this feature:
- Configure and thoroughly test third-party authentication in its optional form before making it mandatory. 
- Go to “Setup > Configuration > Authentication and Registration.” 
- At the bottom of the “Authentication and Registration” section, set “Control Authentication” to “Azure AD (Entra ID)” or “SAML.” 
- If you don’t see “Control Authentication,” contact Workspot to have the feature enabled. 


To use this feature:
- On the “Setup > Configuration” page, go to the “Access > Control Access” section, select an account to use as the Designated Administrator, and then select the “Authenticate using third-party identity provider only” checkbox. 
- When the Alert popup appears, read the text carefully. Third-Party Control Sign-in cannot be disabled without assistance from Workspot. If you select “Yes”:
  - All administrators will be logged off (including yourself).
  - Control users (except the Designated Administrator) can no longer log in using Local (AD or Control-only) sign-ins.
 
- Go to “Setup > Configuration > Authentication and Registration.” 
- At the bottom of the “Authentication and Registration” section, set “Control Authentication” to “Azure AD (Entra ID)” or “SAML.” 
- If you don’t see “Control Authentication,” contact Workspot to have the feature enabled. 

Verification
- Log in as the Designated Administrator from the Control GUI at your Local Sign-in URL: https://control.workspot.com/login/local/companyIdentifier. This should work. 
- Using the same URL, try to sign in as another Control user. This should fail. 
- Logins using your IdP via https://control.workspot.com/companyIdentifier should work.