SAML SSO: User Guide
Table 43. Availability - Legacy plans
Table 44. Availability
Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their subscription. Single sign-on (SSO) is the general term for the various techniques that allow users to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging the authentication and authorization data that Wrike supports as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization event. Instead, Wrike receives a SAML assertion of the user identity, which is valid for a limited period of time and digitally signed.
For more details on enabling SSO, please check out our Single Sign-on Implementation Guide.
From Wrike’s side, we support both IDP-initiated and SP-initiated authorization flows, which means that we support login from your company portal or from a Wrike login page. If you have a company portal and it supports sign-on to different apps from the portal, you can access Wrike directly from there. If your company’s identity provider supports service provider (in this case Wrike) initiated login, then to log in to Wrike from their browsers:
Go to login.wrike.com.
Enter your company (SSO) email address.
If you're already logged in to your company’s identity provider, you'll be taken directly to the Wrike workspace. If you're not logged in to your company’s identity provider, you'll be taken to your identity provider login page first and, after logging in, you'll be taken to the Wrike workspace.
Launch the Android or iOS app on your phone.
Enter your email address and click Next.
You'll be redirected to your identity provider login page, where you should enter your company login credentials.
Not all identity providers support mobile. If you encounter a problem logging in with company credentials due to lack of mobile support, you can generate a one-time password and use it to log in to Wrike from your mobile device.
One-time passwords allow SSO users to log in to Wrike’s mobile apps (if their identity providers don't support mobile) or to customer-created API apps.
To generate a one time password:
Click your profile image in the upper-right corner of the workspace.
Select Settings from the drop-down.
Profile opens by default.
Scroll to One-Time Passwords and click Generate new password at the bottom of the page.
You’ll get a pop-up with a 16-character one-time password, which you can use with your email address to log in. The first time you log in to an app with a one-time password, it'll show up in the list of authorized apps along with the date when it was authorized. For Wrike’s mobile apps, you'll remain logged in until you log out from the app or choose to “Revoke” on the App Access page.
One-time passwords expire in 30 minutes.
In Enterprise accounts with SAML SSO, one-time password usage may be disabled. If you need to use a one-time password, contact your account administrator or owner to enable this option.
For greater control over who becomes a user on the company's Wrike subscription, account admins can configure invitation and account activation settings.
Admins can adjust settings so that:
Only people who receive an invitation can activate an account on the company's Wrike subscription.
Invitations can only be sent to emails that match an approved company email domain.
Activating a Wrike account without an invitation (from the company portal) is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become Wrike users automatically the first time they try to log in. An admin doesn't have to add them as a new Wrike user.
If JIT provisioning is enabled and a user attempts to activate an account but all user licenses are taken, then they're issued a Collaborator license. Wrike admins can change a user’s license type from the Users tab of the Account Management section.
You can also configure SSO without JIT provisioning. In this case, all new team members need to be invited to join the Wrike account. Users can be invited using the same invitation methods as accounts without SSO.
When you remove an employee (with access to your SSO method) from your company directory, that person is no longer able to access Wrike, but all data created by the former employee, as well as historical activity records, will remain intact.
User profiles aren't automatically deleted when employees are removed from the company directory. If necessary, an account administrator can remove a user profile.
We recommend transferring data from a deleted user to an active user in the account. For instructions and details on what data is transferred, please visit the Deleting Users page.
Along with single sign-on, Wrike supports single sign-out. If your identity provider is configured for global logout, then when users log out of Wrike they'll also be logged out of all apps associated with their single sign-on credentials.