This site requires JavaScript to be enabled
External Customer KB > General > Configure SAML for Workplace by Facebook
Configure SAML for Workplace by Facebook
Article: KB0010244 Published: 05/21/2020 Last modified: 05/21/2020

This topic describes how to configure OneLogin to provide SSO for Workplace by Facebook using SAML. 

To get a free OneLogin account for Workplace by Facebook, go to

To configure OneLogin to enable SAML SSO for Workplace by Facebook:

  1. Log in to OneLogin as an admin and go to Applications > Applications.

  2. Search for Workplace by Facebook Provisioning and select it. You see the initial Configuration tab.

  3. Click Save to add the app to your Company Apps and display additional setup tabs.

  4. On the Configuration tab, enter the Subdomain that you use with Workplace. 

    Your Workplace subdomain is mycompany in the address If your url is "”, enter "onelogin-training" in the subdomain.

    The remaining fields are used to configure user provisioning from OneLogin to Workplace. For more information, see Provision Users to Workplace by Facebook.

  5. On to the Parameters tab, map Workplace attributes to OneLogin attributes.

    Typically, you should keep the default Configured by admin setting. For more information, see Setting Credential Configuration Options. The only required parameter for SSO is Name Identifier, while the other parameters are used when OneLogin provisions users to Workplace using the API. For an SSO-only implementation, you should accept the defaults. If you want to provision users and their attributes from OneLogin to Workplace, see Provision Users to Workplace by Facebook.

  6. Go to the SSO tab to view the values that you'll copy into your Workplace instance to set up SAML SSO.

  7. Return to your Workplace account in a new browser tab or window and enter OneLogin's SAML SSO values.

    Follow the instructions in Single Sign On Authentication in the Workplace documentation to copy the OneLogin SAML SSO values to Workplace:

    Copy this OneLogin SSO field value: To this Workplace SSO settings field:

    Issuer URL

    SAML Issuer URL

    SAML 2.0 Endpoint (HTTP)


    X.509 Certificate & SAML Signature Algorithm

    To get the X.509 certificate, click the View Details link under the X.509 Certificate field. Copy the complete string from in the X.509 Certificate field.

    SAML Signature Algorithm is the type of Cert the admin configures.

    SAML Certificate

  8. Test the SAML flow, using the instructions in Single Sign On Authentication in the Workplace documentation.

  9. Save your changes in Workplace.
  10. Return to OneLogin and go to the Access tab to assign the OneLogin roles that should have access to Workplace and provide any app security policy that you want to apply to Workplace.

    For example you can attach a policy to the app to require multi-factor authentication.

    You can also go to Users > All Users to add the app to individual user accounts.

    Note. If you are going to use OneLogin to provision users to Facebook, you might want to wait until you have tested provisioning before you assign users to the Workplace app in OneLogin.

  11. Click Save.

  12. Test the SAML connection by using SSO to access Workplace from OneLogin.

    1. Make sure you are logged out of Workplace.

    2. Give yourself or a test user a Workplace account that uses the same email address as their OneLogin account.

    3. Give yourself or a test user access to the Workplace app in OneLogin (see step 9, above).

    4. Log in to OneLogin as yourself or a test user.

    5. Click the Workplace icon on your OneLogin dashboard.

      If you are able to access Workplace, then SAML works.

Next steps:

Provision Users to Workplace by Facebook

Expand/Collapse Comments
Was this helpful?