SSO Setup FAQs

This article outlines some of the common questions and answers surrounding configuring Workzone's SSO.

NOTE: For details on setting up SSO in Workzone, check out Single Sign-On (SSO)

Sending Proper Attribute Names

Workzone's SSO requires the sending of proper assertion names. Your assertion must include an attribute with a name matching one of the four listed below, and the attribute value must be an email address that matches an established Workzone user account:

  • ""
  • "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  • "urn:oid:"
  • "urn:oid:0.9.2342.19200300.100.1.3"

Without one of those four attributes — containing attribute values with an email address — in place, Workzone will display a 403 error reading "Unable to authenticate via SSO" when attempting to authenticate.

Updating your SSO Certificate

For many Single Sign-On (SSO) identity providers, there is a need to regularly update the signing certificate. Workzone doesn't allow for more than one signing certificate in the metadata. When renewing one or more certificates, avoid putting the new certificate and the old certificate in the metadata at the same time, as Workzone does not support that. Workzone uses the first certificate and ignores all the rest. If this isn't specifically followed, your Workzone site's SSO implementation may cease to function properly.

Upload your updated Identity Provider Metadata XML file to complete the updating for Workzone. Please note that every time you upload a new file, it will overwrite all previous configurations.

For any additional assistance with this, please email us at or call 610-275-9861.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us