FAQ

Enabling SAML single sign-on authentication

1. Enabling SAML single sign-on authentication

If you have configured a unique login URL, you can enable SAML single sign-on authentication.
When single sign-on is enabled, Chatwork acts as the SP (service provider) and users log in to Chatwork through your IdP (identity provider).


※SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.
※To enable single sign-on authentication in Chatwork, your IdP must support SAML 2.0.


[Supported bindings]
 HTTP Redirect Binding 
 HTTP POST Binding


※You can enable the use of single sign-on authentication by checking the "Enable SAML single sign-on authentication" box.

2. How to set up SAML single sign-on authentication (IdP configuration)

To set up single sign-on, register Chatwork (the SP) on the IdP using the information below.

1. Registering the Federation Metadata information
 
Obtain the Federation Metadata information from the following URL and register it on the IdP.
 FederationMetadata
    https://www.chatwork.com/packages/saml/metadata.php

If the Federation Metadata (XML) cannot be imported, enter the following values on the IdP manually.
Entity ID: https://www.chatwork.com/packages/saml/metadata.php
SP (Chatwork) endpoint URL (Assertion Consumer Service): https://www.chatwork.com/packages/saml/acs.php
Name ID: configure the IdP to return the user's email address.


2. Configuring claim rules
 Chatwork identifies users by their email address.

 In the claim rules, set "Name ID" to return the user's email address. At the same time, set the secure hash algorithm (the hash used to sign assertions) to "SHA-256".
 ※Login authentication works by matching the email address returned by the IdP against the email address used to log in to Chatwork, so the two must be identical.

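The following script is an added example, not Chatwork's code, for checking an IdP configuration against the SP values above before enabling SAML. It extracts the entity ID, ACS URL and NameID format from SP metadata (useful when metadata import fails and the values must be typed in), and then checks a decoded SAML Response for the claim rules the article asks for: an email-address NameID, an RSA-SHA256 signature algorithm, and an Audience and Destination that match Chatwork. The SP metadata, the Response, the ADFS issuer http://example.com/adfs/services/trust and the "current time" are all constructed for illustration; the signature value is a placeholder, and real XML-DSig verification is left to a SAML library such as python3-saml or xmlsec.

```python
"""Added example (not Chatwork's code): check IdP output against the Chatwork SP values.
Metadata, Response and timestamps are constructed; the issuer is the article's example.com
placeholder. XML-DSig signature verification is out of scope (use python3-saml / xmlsec)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)  # constructed "current time"

# Constructed SP metadata carrying the entity ID, ACS URL and NameID format the article
# lists; the real document is served from https://www.chatwork.com/packages/saml/metadata.php
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.chatwork.com/packages/saml/metadata.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.chatwork.com/packages/saml/acs.php" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings_from_metadata(xml_text):
    """Extract the values to type into the IdP when metadata import fails."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    fmt = root.find("md:SPSSODescriptor/md:NameIDFormat", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location"),
            "acs_binding": acs.get("Binding"), "name_id_format": fmt.text}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z (None stays None)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None


def check_response(response_xml, sp, now=None):
    """Return the problems found in a decoded SAML Response; an empty list means it
    satisfies the claim rules the article asks for (email NameID, SHA-256 signature)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination is not the Chatwork ACS URL")
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        problems.append("no XML signature found")
    elif sig.get("Algorithm") != SHA256_SIG:
        problems.append("signature algorithm is %s, expected RSA-SHA256" % sig.get("Algorithm"))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        problems.append("NameID is missing or not an email address")
    elif name_id.get("Format") not in (None, EMAIL_FORMAT):
        problems.append("NameID Format is not emailAddress")
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp["entity_id"]:
        problems.append("Audience does not match the Chatwork entity ID")
    cond = root.find(".//saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if (not_before and now < not_before) or (not_on_or_after and now >= not_on_or_after):
            problems.append("assertion is outside its validity window")
    return problems


def make_response(name_id, sig_alg, name_id_format=EMAIL_FORMAT):
    """Build a constructed Response (placeholder SignatureValue) to exercise the checks."""
    sp = sp_settings_from_metadata(SP_METADATA)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:02:00Z"
    Destination="{sp['acs_url']}">
  <saml:Issuer>http://example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:02:00Z">
    <saml:Issuer>http://example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    sp = sp_settings_from_metadata(SP_METADATA)
    print("Enter on the IdP:", sp)
    good = make_response("alice@example.com", SHA256_SIG)
    bad = make_response("EXAMPLE\\alice", SHA1_SIG, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    print("good response:", check_response(good, sp, SAMPLE_NOW) or "OK")
    print("bad response: ", check_response(bad, sp, SAMPLE_NOW))
```

The "bad" response models the two most common misconfigurations on an ADFS relying party trust: the default SHA-1 secure hash algorithm and a NameID that carries a Windows account name instead of the email address. Run the checker against a real Response captured from the browser (base64-decode the SAMLResponse form field first) before turning the feature on for all users.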

3. How to set up SAML single sign-on authentication (Chatwork configuration)

1. Before turning on SAML authentication, confirm that the connection works using the "SAML connection verification test."

2. Set a login URL for the IdP. Example: https://example.com/adfs/ls

3. Set an entity ID for the IdP. Example: http://example.com/adfs/services/trust

4. Specify the URL to which users are redirected after logging out of Chatwork.
  【When a URL has been specified】
      By specifying the IdP logout URL, the IdP session is also ended after the user logs out of Chatwork. ※This is a plain redirect, not the single logout (SLO) defined by the SAML 2.0 protocol.
      Example: https://example.com/adfs/ls/?wa=logout
  【When a URL has not been specified】
      If no URL is specified, the user remains logged in at the IdP even after logging out of Chatwork, so the next visit to the unique login URL will typically sign the user back in without prompting for credentials.

5. Export the signing certificate from the IdP and register it in Chatwork. ※The format is "Base-64 encoded X.509".

6. Administrators may log in without using SAML authentication.
    Example: https://www.chatwork.com/login.php?s=XXXXX&sso_skip=1
    ※This URL is the unique login URL with "&sso_skip=1" appended.
    ※Use it as an emergency login URL when SAML authentication is not working as intended. Because it bypasses the IdP, protect administrator passwords on Chatwork with the same care as IdP credentials.

4. How to log in using single sign-on (on a PC)

 1. Open the unique login URL in your browser.
    Example: https://www.chatwork.com/s/cw/
    (For more information, please refer to "Setting up a unique login URL.")

2. You will be redirected to the IdP. Please perform the IdP login authentication.

3. Once the IdP login authentication is complete, you will be automatically logged in to Chatwork.

5. How to log in using single sign-on (on the mobile app)

1. Enter your registered email address or the unique login URL on the login screen and tap "Confirm".
    (For more information, please refer to "Setting up a unique login URL.")

2. You will be redirected to the IdP. Please perform the IdP login authentication.

3. Once the IdP login authentication is complete, you will be automatically logged in to Chatwork.