Single Sign-on (SSO) using SAML is available on Wrike Enterprise accounts.
⏱ 5 min read
Enterprise users can access Wrike with corporate credentials if SAML-based SSO (SSO/SAML integration) is enabled for their subscription. Single sign-on (SSO) is the general term for the various techniques which allow users to access multiple applications from a single authorization point, which is managed by an identity provider (IDP). Security Assertion Markup Language (SAML 2.0) is a leading industry standard for exchanging the authentication and authorization data that Wrike supports as a service provider (SP). No actual passwords are transferred to or from Wrike during the authorization event. Instead, Wrike receives a SAML assertion of the user identity, which is valid for a limited period of time and digitally signed.
For more details on how to enable SSO please check out our Single Sign-on Implementation Guide.
From Wrike’s side, we support both IDP-initiated and SP-initiated authorization flows which means that we support login from your company portal or from a Wrike login page. If you have a company portal and it supports sign on to different apps from the portal, then you can access Wrike directly from there. If your company’s identity provider supports service provider (in this case Wrike) initiated login then to login to Wrike from their browsers:
If you are already logged in to your company’s identity provider, then you'll be taken directly to the Wrike Workspace. If you are not logged in to your company’s identity provider you'll be taken to your identity provider login page first and, after logging in, you'll be taken to the Wrike Workspace.
Please note, not all identity providers support mobile. If you encounter a problem logging in with company credentials, due to lack of mobile support, you can generate a one-time password and use it to log in to Wrike from your mobile device.
One-time passwords allow SSO users to log in to Wrike’s mobile apps (if their identity providers don't support mobile) or to customer created API apps.
To generate a one time password:
You’ll get a pop-up with a 16 character one-time password which you can use with your email address to log in. The first time you log in to an app with a one-time password it will show up in the list of authorized apps along with the date when it was authorized. For Wrike’s mobile apps, you will remain logged in until you logout from the app or choose to “Revoke” on the App Access page.
For greater control over who becomes a user on the company's Wrike subscription, account admins can configure invitation and account activation settings.
Admins can adjust settings so that:
Activating a Wrike account without an invitation (from the company portal or from a Wrike login page) is possible if just-in-time (JIT) provisioning and SSO are enabled. JIT provisioning allows employees to become Wrike users automatically the first time they try to log in. An admin does not have to add them as a new Wrike user.
Please note, if JIT provisioning is enabled and a user attempts to activate an account and all user licenses are taken, then they are issued a Collaborator license. Wrike admins can change a user’s license type from the People or Users & Groups tab of the Account Management section.
You can also configure SSO without JIT provisioning. In this case all new team members need to be invited to join the Wrike account. Users can be invited using the same invitation methods as accounts without SSO.
When you remove an employee (with access to your SSO method) from your company directory, that person is no longer able to access Wrike, but all data created by the former employee, as well as historical activity records, will remain intact.
User profiles are not automatically deleted when employees are removed from the company directory. If necessary, an account administrator can remove a user profile. We recommend you reassign all active tasks assigned to the former employee prior to removing them from your Wrike account. Otherwise, those tasks will be left without an assignee and will be at risk of being lost or forgotten.
Along with single sign-on, Wrike supports single sign-out. If your identity provider is configured for global logout, then when users log out of Wrike they will also be logged out of all apps associated with their single sign-on credentials.