
SSO with SAML: Implementation Guide

Single Sign-on (SSO) using SAML is available on Wrike Enterprise accounts. Account admins with the “Configure advanced security settings” permission can enable SSO for the account.


Overview

Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their account. Single Sign-On (SSO) is the general term for the various techniques which allow a user to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging authentication and authorization data, and Wrike supports it as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization event. Instead, Wrike receives a SAML assertion of the user identity, which is digitally signed and valid for a limited period of time.

For more details on how SSO works after it has been enabled, please see our page: Single Sign-on Using SAML.

Benefits of Using Single Sign-on

  • Scalable user management for large organizations. With just-in-time user provisioning you can save time normally spent setting up your Enterprise account and management methods. Wrike can create a user profile in your account every time a new user from your directory logs into Wrike via SSO — no extra invitations are required. Employees who are removed from your corporate directory will lose access to the company's Wrike subscription automatically, but their tasks and historical activity records stay intact.
  • Unified username format. User identity is managed from one central location which means that usernames in Wrike match the names in your directory.
  • Compliance with internal security guidelines. Your IT administrators get more control over authentication. Users are not able to change their name or email address on their own. Any security policies you have adopted internally will also be in effect for Wrike.
  • Reduced password fatigue for users. Once someone logs in to the corporate network, they can open Wrike without having to enter another set of login credentials.
  • The ease of access offered by SSO is a driver for seamless Wrike adoption. You may also be able to monitor login activity and use the collected SSO metrics to track Wrike adoption.

Limitations of Single Sign-on

Once SSO/SAML integration is enabled, users included in SSO won’t be able to:

  • Edit their names in Wrike. First and last names are attributed by your identity provider.
  • Have two or more Wrike accounts linked to one email address. If you have users who are members of several Wrike accounts, they will need to use a different email address to access other Wrike accounts, or merge their personal account into the main corporate account.
  • Make changes to their email address from their Wrike profile. This includes adding additional addresses. However, a Wrike admin can do this for them.
  • Enable 2-step verification through Wrike. If you’d like to protect your account with this security feature, it must be configured with your identity provider.
  • Log in to Wrike using a Wrike password. As a general rule, they will be redirected to the login page managed by your identity provider when trying to access Wrike in their browser. Some integrated tools don’t have native support for SSO (e.g. the Backup Tool and legacy API-v2 apps). SSO users will need to generate one-time passwords to authorize these tools. Please note that logging in with Microsoft or Google credentials will also not be possible.

Decide the Scope of Single Sign-on

How you set up your SSO depends on how you use (or plan to use) Wrike. If:

  • Wrike is used only by company employees: SSO can be enabled for all users on the account.
  • Wrike is used by both company employees and non-employees: SSO can be enabled for users based on their email domain*.
  • Also, there is an “optional” choice: everyone in the account will be able to log in either with a password or through the IDP. This option is set up by default, and it is useful for testing the new SSO integration.
    Note: In the optional mode, the login.wrike.com/login page takes users through the regular login as if SAML SSO is not set up for the account. To go through the SAML SSO flow use the login.wrike.com/sso page.

*Please note, in this case you need to add and approve email domains from the Security tab of the Account Management section before enabling SAML SSO. Users whose email addresses are on approved domains are able to log in to Wrike via SSO, and users whose email addresses are not on approved domains will log in via a Wrike username and password. Email domains must belong to the company in order to be approved.
If you wish to add additional approved domains after SSO is enabled, an admin must follow the same aforementioned process.

In most cases the approval process requires help from your System Ops team because the Domain Name System (DNS) records of the domains must be updated. We recommend adding approved domains before turning on SAML, so that they are applied immediately when SAML is enabled.

Enabling Single Sign-on

Before enabling SSO it’s important to confirm that:

  • The email address associated with each user's Wrike account matches their email in the company directory.
  • Users have only one account associated with their company email.
  • SSO is not yet enabled for the account. To see this:
    • Click on your profile picture.
    • Select "Settings" from the dropdown.
    • Click on “Security” in the left panel.
    • On the “Security” page scroll to the “SAML SSO” section.
    • Check that the “Disabled” tag is shown near the “SAML SSO” header.

Confirm compatibility

  • Confirm that your identity or SSO provider supports federated authentication using instructions.
  • To set up a custom SAML-based SSO for your account, please refer to our metadata file for standard parameters and options used by Wrike. The following user attributes should be included: firstName; lastName; NameID (must be an email address).
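
An added pre-flight check (not Wrike's code) for the attribute requirements above: it reads a test assertion you captured from your own identity provider and reports a NameID that is not an email address, an email domain outside your approved domains, a missing firstName or lastName, and an absent or expired validity window. The function name, the sample assertion and the approved-domain set are assumptions made for illustration; the check does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace
REQUIRED_ATTRS = {"firstName", "lastName"}  # attribute names listed in this guide
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample assertion (not real IdP output; signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    # Whole-second UTC timestamps only; fractional seconds are out of scope here.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, approved_domains, now):
    """Return a list of problems; an empty list means the assertion passes.
    Run only on assertions you captured yourself: no signature check is done."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    m = EMAIL_RE.match(name_id)
    if not m:
        problems.append("NameID is not an email address")
    elif m.group(1).lower() not in approved_domains:
        problems.append(f"domain {m.group(1).lower()} is not an approved domain")
    # An attribute counts as present only if it carries a non-empty value.
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()}
    for missing in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing attribute {missing}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("no validity window (Conditions/NotOnOrAfter)")
    elif now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    elif cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    return problems
```

Pass the current UTC time as `now` when checking a freshly captured assertion; the sample's fixed timestamps are only there so the result is reproducible.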

To enable SSO for your account:

  1. Click on your profile picture.
  2. Select "Settings" from the dropdown.
  3. Click “Security” in the left panel.
  4. On the “Security” page scroll to the “SAML SSO” section.
  5. Click the “Setup SAML SSO” button.
  6. In the wizard that opens, set up your Identity Provider with Wrike Metadata and click “Proceed”.
  7. Next you will be asked to specify metadata from your provider. You can select from the following two options:
    • Enter a link to provide XML
    • Enter the XML as a text
  8. Click “Proceed”.
  9. Check that you have chosen the right parameters and confirm your decision by clicking the “Proceed and enable SAML” button.
  10. An email is sent to you with the code to confirm implementation of SSO.
  11. Enter the code from the email in the pop-up window that opens.
  12. Click “Confirm”.
  13. Test the new account settings (optional)*.
  14. Click the “Save SAML settings” button.

We recommend conducting user acceptance testing and testing different use-cases immediately after SSO is enabled. More information regarding using SSO after it's enabled can be found on our Single Sign-on Using SAML page.

Please note, tasks, folders, and projects are not automatically shared between SSO users. You can read more about how to share tasks, folders and projects on our help pages. In addition, internal user groups are not automatically transferred to Wrike, but you can easily create user groups within Wrike.

Add Approved Email Domains

Adding approved email domains may require assistance from your Sys Ops Team.

  1. Click on your profile image in the upper right-hand corner of the Wrike Workspace.
  2. Select "Settings" from the dropdown.
  3. Click “Security” in the left panel.
  4. Scroll to the "Approved Domains" section. 
  5. Click “Add domain” and enter the appropriate email domain.
  6. Click “Add”.
  7. The pop-up window appears with instructions on how to approve domains.
  8. Follow the instructions that appear. Approving domains may take up to 24 hours and may require assistance from your Sys Ops Team.
  9. Click “Save changes”.
  10. An email with a confirmation code is sent to your primary email address.
  11. Copy the code from your email and paste it into the pop-up that appears.
  12. Click "Confirm".

Allow Users to Join Multiple SAML-Integrated Accounts

Big enterprise teams that have several Wrike accounts with SAML-based SSO enabled via the same IDP can integrate all of their accounts into a single network. As a result, users can be invited to or join all connected Wrike accounts using their corporate credentials via the IDP.

Note: There are several prerequisites for implementation of this scheme, and it can only be enabled by Wrike Customer Support. Please contact Wrike Customer Support for more information.
