Single Sign-on (SSO) using SAML is available on Wrike Enterprise accounts.
- Benefits of Using Single Sign-on
- Limitations of Single Sign-on
- Decide the Scope of Sign-on
- Enabling Single Sign-on
- Add Approved Email Domains
Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their account. Single Sign-On (SSO) is the general term for techniques that allow a user to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging authentication and authorization data, and Wrike supports it as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization event. Instead, Wrike receives a SAML assertion of the user identity, which is digitally signed and valid for a limited period of time.
For more details on how SSO works after it has been enabled, please check our page: Single Sign-on Using SAML.
- Scalable user management for large organizations. With just-in-time user provisioning you can save time normally spent setting up your Enterprise account and management methods. Wrike can create a user profile in your account every time a new user from your directory logs into Wrike via SSO — no extra invitations are required. Employees who are removed from your corporate directory will lose access to the company's Wrike subscription automatically, but their tasks and historical activity records stay intact.
- Unified username format. User identity is managed from one central location which means that usernames in Wrike match the names in your directory.
- Compliance with internal security guidelines. Your IT administrators get more control over authentication. Users are not able to change their name or email address on their own. Any security policies you have adopted internally will also be in effect for Wrike.
- Reduced password fatigue for users. Once someone logs in to the corporate network, they can open Wrike without having to enter another set of login credentials.
- The ease of access offered by SSO is a driver for seamless Wrike adoption. You may also be able to monitor login activity and use the collected SSO metrics to track Wrike adoption.
Once SSO/SAML integration is enabled, users included in SSO won’t be able to:
- Edit their names in Wrike. First and last names are attributed by your identity provider.
- Have two or more Wrike accounts linked to one email address. If you have users who are members of several Wrike accounts, they will need to use a different email address to access other Wrike accounts, or merge their personal account into the main corporate account.
- Make changes to their email address from their Wrike profile. This includes adding additional addresses. However, a Wrike admin can do this for them.
- Enable 2-step verification through Wrike. If you’d like to protect your account with this security feature, it must be configured with your identity provider.
- Log in to Wrike using a Wrike password. As a general rule, they will be redirected to the login page managed by your identity provider when trying to access Wrike in their browser. Some integrated tools don’t have native support for SSO (e.g. the Backup Tool and legacy API-v2 apps). SSO users will need to generate one-time passwords to authorize these tools.
How you set up your SSO depends on how you use (or plan to use) Wrike. If:
- Wrike is used only by company employees: SSO can be enabled for all users on the account.
- Wrike is used by both company employees and non-employees: SSO can be enabled for users based on their email domain*.
*Please note, in this case, Wrike's Support team adds approved domains during the setup process. If you wish to add additional approved domains after SSO is enabled, an admin must enter and approve those domains from the Security tab of the Account Management section. Users whose email addresses are in approved domains are able to log in to Wrike via SSO, and users whose email addresses are not in approved domains will log in via a Wrike username and password. Email domains must belong to the company in order to be approved.
In most cases the approval process requires help from your System Ops team because the Domain Name System (DNS) records of the domains must be updated.
- Before enabling SSO it’s important to confirm that:
- The email address associated with each user's Wrike account matches their email in the company directory.
- Users have only one account associated with their company email.
- Confirm compatibility
- Confirm that your identity or SSO provider supports federated authentication using SAML 2.0. The list of compatible SSO solutions includes, but is not limited to: Okta, Bitium, OneLogin, PingFederate, Microsoft AD FS, Google Apps identity service. If you use identity management services provided by Okta, you can add Wrike to the list of your applications by following these instructions.
- To set up a custom SAML-based SSO for your account, please refer to our metadata file for standard parameters and options used by Wrike. The following user attributes should be included: firstName; lastName; NameID (must be an email address).
If you need any additional details, we’ll be happy to provide them upon request. You can contact us at email@example.com.
- After configuring your SAML settings, please contact us at firstname.lastname@example.org and let us know that you would like to set up SSO for your account. Please provide:
- Your IDP metadata file in XML format (or a link to it).
- Details regarding how you want new users to be added (by JIT provisioning or by invitation only).
- What the scope of SSO should be.
- Work with Wrike to enable SSO. We will help:
- Gather any additional information on how the SSO should be set up.
- Understand compatibility between your identity provider and Wrike.
- Set up SSO for your account.
We recommend conducting user acceptance testing and testing different use-cases immediately after SSO is enabled. More information regarding using SSO after it's enabled can be found on our Single Sign-on Using SAML page.
Please note, Tasks, Folders, and Projects are not automatically shared between SSO users. You can read more about how to share Tasks, Folders and Projects on our help pages. In addition, internal user groups are not automatically transferred to Wrike, but you can easily create User Groups within Wrike.
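As an added example (not Wrike's code or tooling), the following Python check inspects a test assertion from your identity provider for the requirements stated on this page: a NameID that is an email address in an approved domain, the firstName and lastName attributes, and a limited validity period. The sample assertion, the domain corp.example and the function name check_assertion are constructed for illustration; signature verification is not performed here and must be done with a SAML library.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("firstName", "lastName")  # attribute names listed on this page
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample assertion (signature element omitted; not checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Subject><saml:NameID>jane.doe@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # Assumes whole-second UTC timestamps such as 2024-01-01T10:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, approved_domains, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    match = EMAIL_RE.match(name_id)
    if not match:
        problems.append("NameID is not an email address")
    elif match.group(1).lower() not in approved_domains:
        problems.append("NameID domain is not an approved domain")
    # Collect attribute name -> first value from the AttributeStatement.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("no validity window (Conditions/NotOnOrAfter)")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems
```

Run it against an assertion captured from a test login before sending your IDP metadata, passing the set of domains you intend to have approved.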
Adding approved email domains may require assistance from your Sys Ops Team.
- Click on your profile image in the upper right-hand corner of the Wrike Workspace.
- Select “Account Management” from the dropdown.
- Switch to the Security tab.
- Click “+ add domain” and add the appropriate email domain.
- Click “How do I approve domains” and follow the instructions that appear. Approving domains may take up to 24 hours and may require assistance from your Sys Ops Team.