Requiring Third-Party Sign-in (Entra ID/SAML) for Control


You can make the use of Entra ID or SAML sign-in mandatory for Control users. By default, it is optional, and AD sign-ins are also accepted.

Once configured, Control users must sign into Control using the configured third-party authentication service (Entra ID or SAML).

As the sole exception to this rule, a single AD account can sign into Control as before. This account is the Designated Administrator and is used in case of problems with the third-party configuration. Because this account can bypass the third-party IdP in case of an IdP failure, it should, at a minimum, have an especially secure password and perhaps be used for no other purpose.

Workspot recommends the use of SSO along with these options to protect your Control deployments from unauthorized users. SSO rules to sign out idle Control users are also appropriate to limit the possibility of unguarded access.

This is a selective option that is not enabled by default. Contact Workspot to enable it for your installation.

This article covers access to the Control UI. For Entra ID/OAuth access to the Control API, see Using Entra ID Authentication with the Control API. (SAML access to the Control API is not currently supported.)

Procedure

To use this feature:

  1. Configure and thoroughly test third-party authentication in its optional form before making it mandatory.

  2. Go to “Setup > Configuration > Authentication and Registration.”

  3. At the bottom of the “Authentication and Registration” section, set “Control Authentication” to “Entra ID (Entra ID)” or “SAML.”

  4. If you don’t see “Control Authentication,” contact Workspot to have the feature enabled.

To use this feature:

  1. On the “Setup > Configuration” page, go to the “Access > Control Access” section, select an account to use as the Designated Administrator, and then select the “Authenticate using third-party identity provider only” checkbox.

  2. When the Alert popup appears, read the text carefully. Third-Party Control Sign-in cannot be disabled without assistance from Workspot. If you select “Yes”:

    • All administrators will be logged off (including yourself).

    • Control users (except the Designated Administrator) can no longer log in using Local (AD or Control-only) sign-ins.

  3. Go to “Setup > Configuration > Authentication and Registration.”

  4. At the bottom of the “Authentication and Registration” section, set “Control Authentication” to “Entra ID (Entra ID)” or “SAML.”

  5. If you don’t see “Control Authentication,” contact Workspot to have the feature enabled.

Verify: