To help simplify and secure operations on client teams with many accounts, Upwork offers Single Sign-On (SSO) capabilities by leveraging Security Assertion Markup Language (SAML).
SAML is a markup language that lets users log in to applications based on sessions they already hold in other contexts where the organization knows the user’s identity. For example, when users are already logged in to their organization's Active Directory, the organization can use that information to log them in to other applications.
By using the SAML specifications, clients can achieve SSO for their users. SSO allows users to log in once, and the same credentials are reused to log in to other service providers.
How does Single Sign-On work?
To understand how Single Sign-On works, read through the following hypothetical example:
Consider that you work for a shoe company (for example, SoleShoe) and your shoe company sells shoes to a big retailer chain (AwesomeMart). As an employee of SoleShoe, you need to access an application provided by AwesomeMart. The application would help you to manage sales and monitor various bottlenecks involved with the supply chain. In such a case, AwesomeMart must control the user authentication for their application access.
A simple solution requires that AwesomeMart provide separate login credentials to all the appropriate users at SoleShoe. However, AwesomeMart has other suppliers as well; maintaining that information for multiple users across many organizations is complex.
An effective solution would require that all the suppliers federate their user credentials with AwesomeMart. Thus, SSO provides a secure way for AwesomeMart (the Service Provider) to externalize authentication by integrating with the existing identity infrastructure of SoleShoe (the Identity Provider). Business use cases like this contributed to the development of federated protocols, such as SAML.
Single Sign-On in Upwork with SAML 2.0
With SSO in Upwork, your employees can access the Upwork platform by using your company’s credentials. This way, employees do not need to register and set up their own separate employee profile in Upwork.
In this case, Upwork is the Service Provider (SP) that allows users from different enterprises to access the platform. Once Upwork receives a SAML response from your company's Identity Provider (IdP), it checks whether the user exists. If the user account exists, Upwork lets the user access the platform. If the user account does not exist, Upwork automatically creates an account for that user.
SAML Terms
These are common SAML terms that may assist you during setup.
Term | Definition |
---|---|
Service Provider (SP) | The entity that provides the service. Upwork is a service provider that lets users from different enterprises access the Upwork platform without requiring them to log into Upwork separately. SPs never directly interact with the IdP, and a browser acts as the agent to carry out all the redirections. |
Identity Provider (IdP) | The entity that provides the identities to the service provider. The IdP contains the user profile, such as first name, last name, job code, phone number, etc. Note that different SPs might require different profile information. |
SAML Request | The authentication request that is generated by the SP. |
SAML Response | The authentication response sent by the IdP. Such a response contains information about the user, such as user profile information and group/role information. |
SP-Initiated login | The SAML login flow that is initiated by the service provider. This flow is triggered whenever users try to access secure information in the service provider’s application. |
IdP-Initiated login | The SAML login flow that is initiated by the identity provider. This flow is triggered when an IdP initiates a SAML response that is redirected to the SP to assert the user's identity. |
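
The service-provider side of the flow described above (receive a SAML response, then log in an existing user or create the account automatically), sketched in Python as an added example; it is not Upwork's implementation. The entity ID, sample response, and function name are assumptions, and signature verification is assumed to have been done beforehand by a vetted SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/saml"  # assumed SP entity ID (placeholder)

# Constructed sample; a real response is signed and arrives base64-encoded via the browser.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
 <a:Assertion>
  <a:Subject><a:NameID>pat@soleshoe.example</a:NameID></a:Subject>
  <a:Conditions NotOnOrAfter="2030-01-01T00:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example.com/saml</a:Audience></a:AudienceRestriction>
  </a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="firstName"><a:AttributeValue>Pat</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def handle_response(xml_text, pending_requests, users, now):
    """Return (flow, action, profile). Assumes the XML signature was already
    verified by a SAML library; this sketch does not perform that step."""
    root = ET.fromstring(xml_text)
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"         # unsolicited response: no SAML request preceded it
    elif irt in pending_requests:
        pending_requests.discard(irt)  # one-time use: the same response cannot be replayed
        flow = "sp-initiated"
    else:
        raise ValueError("InResponseTo does not match a request this SP sent")
    assertion = root.find("a:Assertion", NS)
    cond = assertion.find("a:Conditions", NS)
    if SP_ENTITY_ID not in [e.text for e in cond.iterfind(".//a:Audience", NS)]:
        raise ValueError("assertion was issued for a different service provider")
    expires = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if now >= expires:
        raise ValueError("assertion has expired")
    name_id = assertion.find("a:Subject/a:NameID", NS).text.strip()
    profile = {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
               for a in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    if name_id in users:
        return flow, "login", users[name_id]
    users[name_id] = profile           # account created automatically on first login
    return flow, "created", profile
```

Because an IdP-initiated response has no `InResponseTo` to match against a pending request, the audience and expiry checks are what bind it to this SP in that flow.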