All articles

SAML SSO: Implementation Guide

Table 1. Availability - Legacy plans


Overview

Account owners and admins with the Configure advanced security settings permission can enable SSO for the account.

Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their account. Single sign-on (SSO) is the general term for the various techniques that allow users to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging the authentication and authorization data that Wrike supports as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization. Instead, Wrike receives a SAML assertion of the user identity, which is valid for a limited time and digitally signed.

Tip

It's possible to enable encrypted SAML SSO assertions if the IDP allows it. Reach out to our Support Team if you want to enable this option when configuring SAML SSO.

For more details on how SSO works after it has been enabled, please check our page: SAML SSO: User Guide.

Benefits of using single sign-on

  • Scalable user management for large organizations. With just-in-time user provisioning, you can save time normally spent setting up your Enterprise account and management methods. Wrike can create a user profile in your account every time a new user from your directory logs into Wrike via SSO — no extra invitations required. Employees who are removed from your corporate directory will lose access to the company's Wrike subscription automatically, but their tasks and historical activity records stay intact.

  • Unified username format. User identity is managed from one central location, which means that usernames in Wrike match the names in your directory.

  • Compliance with internal security guidelines. Your IT administrators get more control over authentication. Users aren't able to change their name or email address on their own. Any security policies you have adopted internally will also be in effect for Wrike.

  • Reduced password fatigue for users. Once someone logs in to the corporate network, they can open Wrike without having to enter another set of login credentials.

  • The ease of access offered by SSO is a driver of seamless Wrike adoption. You may also be able to monitor login activity and use the collected SSO metrics to track Wrike adoption.

Limitations of single sign-on

Once SSO/SAML integration is enabled, users included in SSO won’t be able to:

  • Edit their names in Wrike. First and last names are attributed by your identity provider.

  • Make changes to their email address from their Wrike profile. This includes adding additional addresses. However, a Wrike admin can do this for them provided that a user can confirm the new address, for that they need to be logged in to Wrike using the original email address and have access to the original email inbox to click the confirmation link. In other cases, admins will still need to contact support to change users’ emails. Account owner emails can only be changed by contacting support.

  • Enable two-step verification through Wrike. If you’d like to protect your account with this security feature, it must be configured with your identity provider.

  • Log in to Wrike using a Wrike password. As a general rule, they'll be redirected to the login page managed by your identity provider when trying to access Wrike in their browser. Some integrated tools don’t have native support for SSO (e.g., the Backup Tool and legacy API-v2 apps). SSO users will need to generate one-time passwords to authorize these tools.

Decide the scope of single sign-on

How you set up your SSO depends on how you use (or plan to use Wrike):

  • The optional mode: This means that everyone in the account will be able to log in via password or IDP-based login. This option is set up by default and is useful for testing the new SSO integration. We recommend starting with this option to make sure everything works correctly before enforcing SSO for the entire account.

    Note

    In the optional mode, the login.wrike.com/login page takes users through the regular login as if SAML SSO isn't set up for the account.

    To go through the SAML SSO flow, use the login.wrike.com/sso page.

  • If Wrike is used only by company employees: SSO can be enabled for all users on the account.

  • If Wrike is used by both company employees and non-employees: SSO can be enabled for users based on their email domain.

    Note

    In this case, you need to add and approve email domains from the Security tab of the Account Management section before enabling SAML SSO. Email domains must belong to the company in order to be approved.

    Users with emails with approved email domains are able to log in to Wrike via SSO, and users with emails without approved email domains will log in via a Wrike username and password. It's possible to enable 2-Step Verification to provide a more secure login option for users without approved domains.

    If you wish to add additional approved domains after SSO is enabled, an admin must follow the same aforementioned process.

    In most cases, the approval process requires help from your System Ops team because the Domain Name System (DNS) records of the domains must be updated. We recommend adding approved domains before turning on SAML, so that they're applied immediately when SAML is enabled.

Preconditions: Before you enable single sign-on

Before enabling SSO it’s important to confirm that:

  • The email address associated with each user's Wrike account matches their email in the company directory.

  • SSO isn't yet enabled for the account. To see this:

    • Click your profile picture.

    • Select Settings from the drop-down.

    • Click Security in the left panel.

    • On the Security page scroll to the SAML SSO section.

    • Check that the Disabled tag is shown near the SAML SSO header.

Additionally, you need to confirm compatibility:

  • Confirm that your identity or SSO provider supports federated authentication using SAML 2.0. The list of compatible SSO solutions includes, but isn't limited to: Okta, OneLogin, PingFederate, Microsoft AD FS, and Google Apps identity service. If you use identity management services provided by Okta, you can add Wrike to your list of applications by following these instructions.

  • To set up a custom SAML-based SSO for your account, please refer to our metadata file for standard parameters and options used by Wrike. The following user attributes should be included: firstName; lastName; NameID (must be an email address).

Enable single sign-on

  1. Click your profile picture.

  2. Select Settings from the drop-down.

  3. Click Security in the left panel.

  4. On the Security page, scroll to the SAML SSO section.

  5. Click the Setup SAML SSO button.

  6. In the window that opens, set up your identity provider with Wrike metadata and click Proceed.

  7. Next, you'll be asked to specify metadata from your provider. You can select from the following two options:

    • Enter a link to provide XML

    • Enter the XML as a text.

  8. Click Next.

  9. Check that you've chosen the right parameters and confirm your decision by clicking the Proceed and enable SAML button.

  10. An email will be sent to you with the code to confirm the implementation of SSO.

  11. Enter the code from the email in the pop-up window that opens.

  12. Click Confirm.

  13. (Optional) Test the new account settings.

  14. Click the Save SAML settings button.

We recommend conducting user acceptance testing and testing different use cases immediately after SSO is enabled. More information on using SSO after it's enabled can be found on our Single Sign-on Using SAML page.

Note

Tasks, folders, and projects aren't automatically shared between SSO users. You can read more about sharing tasks, folders, and projects on our help pages. In addition, internal user groups aren't automatically transferred to Wrike, but you can easily create user groups within Wrike.

Add approved email domains

Note

Adding approved email domains may require assistance from your sys ops team.

  1. Click your profile image in the upper right-hand corner of the Wrike workspace.

  2. Select Settings from the drop-down.

  3. Click Security in the left panel.

  4. Scroll to the Approved Domains section.

  5. Click Add domain and enter the appropriate email domain.

  6. Click Add.

  7. The pop-up window appears with instructions on approving domains.

  8. Follow the instructions that appear. Approving domains may take up to 24 hours and may require assistance from your sys ops team.

  9. Click Save changes.

  10. The email with the confirmation code will be sent to your primary email address.

  11. Copy the code from your email and paste it into the pop-up that appears.

  12. Click Confirm.

Allow users to join multiple SAML-integrated accounts

Big enterprise teams that have several Wrike accounts with SAML-based SSO enabled via the same IDP can integrate all of their accounts into a single network. As a result, users can be invited to or join all connected Wrike accounts using their corporate credentials via the IDP.

Note: There are several prerequisites for the implementation of this scheme, and it can only be enabled by Wrike Customer Support. Please contact Wrike Customer Support for more information.

Top