SSO with SAML: User Guide
Single Sign-on (SSO) using SAML is available on Wrike Enterprise accounts.
- Accessing Wrike via Single Sign-on
- Login to Wrike Apps with One-time Passwords
- Adding New Users
- Removing Users
- Single Sign-out
Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their subscription. Single sign-on (SSO) is the general term for the various techniques that allow users to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging authentication and authorization data, and Wrike supports it as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization event. Instead, Wrike receives a SAML assertion of the user identity, which is digitally signed and valid for a limited period of time.
For more details on how to enable SSO please check out our Single Sign-on Implementation Guide.
From Wrike’s side, we support both IDP-initiated and SP-initiated authorization flows, which means that you can log in from your company portal or from a Wrike login page. If you have a company portal that supports signing on to different apps, you can access Wrike directly from there. If your company’s identity provider supports login initiated by the service provider (in this case, Wrike), log in to Wrike from your browser as follows:
- Go to wrike.com/login.
- Enter your company (SSO) email address.
- Click "Next".
If you are already logged in to your company’s identity provider, then you'll be taken directly to the Wrike Workspace. If you are not logged in to your company’s identity provider you'll be taken to your identity provider login page first and, after logging in, you'll be taken to the Wrike Workspace.
- Launch the Android or iOS app on your phone.
- Click “Login with company credentials”.
- Enter your email.
- Enter your company login credentials.
Please note, not all identity providers support mobile. If you encounter a problem logging in with company credentials, due to lack of mobile support, you can generate a one-time password and use it to log in to Wrike from your mobile device.
One-time passwords allow SSO users to log in to Wrike’s mobile apps (if their identity provider doesn't support mobile) or to customer-created API apps.
To generate a one-time password:
- Click on your profile image in Wrike’s upper right-hand corner.
- Select "Settings" from the dropdown.
- "Profile" opens by default.
- Scroll to "One-Time Passwords" and click “Generate new” at the bottom of the page.
You’ll get a pop-up with a 16-character one-time password, which you can use with your email address to log in. The first time you log in to an app with a one-time password, the app will show up in the list of authorized apps along with the date when it was authorized. For Wrike’s mobile apps, you will remain logged in until you log out of the app or choose “Revoke” on the App Access page.
- One-time passwords expire in 30 minutes.
- In Enterprise accounts with SAML SSO, one-time password usage may be disabled. If you need to use a one-time password, contact your account administrator or owner to enable this option.
Configure Invitation and Account Activation Settings
For greater control over who becomes a user on the company's Wrike subscription, account admins can configure invitation and account activation settings.
Admins can adjust settings so that:
- Only people who receive an invitation can activate an account on the company's Wrike subscription.
- Invitations can only be sent to emails that match an approved company email domain.
Automatic Account Activation with Just-in-Time Provisioning
Activating a Wrike account without an invitation (from the company portal or from a Wrike login page) is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become Wrike users automatically the first time they try to log in. An admin does not have to add them as a new Wrike user.
Please note, if JIT provisioning is enabled and a user attempts to activate an account when all user licenses are taken, they are issued a Collaborator license. Wrike admins can change a user’s license type from the People or Users & Groups tab of the Account Management section.
Inviting team members to Wrike
You can also configure SSO without JIT provisioning. In this case all new team members need to be invited to join the Wrike account. Users can be invited using the same invitation methods as accounts without SSO.
When you remove an employee (with access to your SSO method) from your company directory, that person is no longer able to access Wrike, but all data created by the former employee, as well as historical activity records, will remain intact.
User profiles are not automatically deleted when employees are removed from the company directory. If necessary, an account administrator can remove a user profile. We recommend you reassign all active tasks assigned to the former employee prior to removing them from your Wrike account. Otherwise, those tasks will be left without an assignee and will be at risk of being lost or forgotten.
Along with single sign-on, Wrike supports single sign-out. If your identity provider is configured for global logout, then when users log out of Wrike they will also be logged out of all apps associated with their single sign-on credentials.