Setting SSO
The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.
Available in Classic/VPC.
Single Sign-On (SSO) is an integrated login scheme that lets a user access (authenticate to) multiple systems with a single ID and password. By setting up SSO linkage between WORKPLACE and another system, you log in once and can use both systems.
WORKPLACE Developers supports the following two methods of SSO, and you can select one of the two methods for integration.
- IDP Method: IDP stands for Identity Provider and refers to a service that stores and manages the authentication information of users who access a cloud service or similar system.
- SP Method: SP stands for Service Provider and refers to a service system.
If easy login has been enabled from the [Admin] > [Security] > [Manage Access] menu, set easy login to Not use before integrating login.
IDP Method Linkage
You can integrate login between the company's corporate information system and WORKPLACE based on SAML 2.0 or OAuth 2.0 in the IDP method.
OAuth
Take the following procedure to perform SSO linkage with the IDP method.
- 1. Enter Linkage Information on Console
- 2. Redirect to WORKPLACE OAuth 2.0 Server and Process Response
- 3. Exchange Authentication Code for Access Token
- 4. Return Authenticated User Information
1. Enter Linkage Information on Console
- From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
- Click the Developers menu.
- If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
- Click SSO Settings.
- Click the [Link Login] button.
- If you are using SMARTWORK Solution (bundling WORKPLACE and NAVER WORKS), then you can skip this step.
- Specify the SSO setting items, and then click the [Apply] button.
- Domain: URL to be forwarded to redirect_uri of the company, copied onto the clipboard by clicking the [Copy] button
- Client ID: Client ID provided by WORKPLACE, copied onto the clipboard by clicking the [Copy] button
- Client Secret: Client secret value provided by WORKPLACE, copied onto the clipboard by clicking the [Copy] button
- Redirect Domain: Copy the URL to be forwarded to redirect_uri of the company, and enter it here.
2. Redirect to WORKPLACE OAuth 2.0 Server and Process Response
Create a request parameter and redirect to the WORKPLACE OAuth 2.0 server.
https://회사도메인ID.ncpworkplace.com/authn/oauthLogin
HTTP Method:
GET
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
response_type | String | Y | Classification value for the authentication process that specifies the format of the result to be returned. The fixed string "code" is always used. |
client_id | String | Y | Client ID value provided by WORKPLACE |
redirect_uri | String | Y | This encoded URL returns the authorization code after processing authentication. |
state | String | Y | Unique value randomly created to prevent Cross-Site Request Forgery (CSRF) (included in the URL when returning the authorization code, sending the state value as a parameter) |
loginId | String | N | Login account entered by user |
Example:
GET https://회사도메인ID.ncpworkplace.com/authn/oauthLogin?response_type=code&client_id=17nRVbxDCSmzymTHMdnv&redirect_uri=http://고객사/oauth2callback&loginId=admin@nbp.co.kr
After confirming login or authentication as above, the OAuth 2.0 server uses the specified URL (redirect_uri) to respond to the access request.
https://회사도메인ID.ncpworkplace.com/authn/oauthLogin
HTTP Method:
GET
Response:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
code | String | Y (Success) | One-time authorization code that is used to issue the access token |
state | String | Y (Success) | Client ID value provided by WORKPLACE |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
Example:
If an error occurs, http://Customer/oauth2callback?error=access_denied
If successful, http://Customer/oauth2callback?code=jxCiS2TA80GSocD2
3. Exchange Authentication Code for Access Token
To exchange the authorization code for an access token, call the Access Token Return API shown below with the authorization code.
https://회사도메인ID.ncpworkplace.com/authn/accessToken
HTTP Method:
POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
grant_type | String | Y | Classification value for the authentication process that specifies the format of the result to be returned. The fixed string "authorization_code" is always used. |
client_id | String | Y | Client ID value provided by WORKPLACE |
client_secret | String | Y | Client secret value provided by WORKPLACE |
code | String | Y | Authorization code issued in the Step 2 |
state | String | N | String used by the application to maintain the status between the request and redirection response |
Example:
https://회사도메인ID.ncpworkplace.com/authn/accessToken?grant_type=authorization_code&client_id=17nRVbxDCSmzymTHMdnv&client_secret=JsjOUSDOtb&code=jxCiS2TA80GSocD2
Response:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
access_token | String | Y (Success) | Access token |
token_type | String | Y (Success) | Access token type, fixed as "Bearer" |
expires_in | String | Y (Success) | Validity period of access token (seconds), actual application's maintained login time |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
4. Return Authenticated User Information
Retrieve the authenticated user's information as shown below.
https://회사도메인ID.ncpworkplace.com/authn/userProfile
HTTP Method:
POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
client_id | String | Y | Client ID value provided by WORKPLACE |
client_secret | String | Y | Client secret value provided by WORKPLACE |
access_token | String | Y | Access token received in Step 3 (URL encoded value, passes the returned access token as is) |
Example:
https://회사도메인ID.ncpworkplace.com/authn/userProfile?client_id=17nRVbxDCSmzymTHMdnv&client_secret=JsjOUSDOtb&access_token=imLS80bZNkpKtM9FWvZt7MjMTcXIyIN0ygyr8DERsgzetKFIUWqArHlCUQ1VJ6I....
Response:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
login_id | String | Y (Success) | Login ID |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
Logout URL
https://회사도메인ID.ncpworkplace.com/authn/logoutProcess
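The four steps above, seen from the customer system that acts as the relying party, as an added example (this is not WORKPLACE's own code). It assumes, beyond what the page states, that the accessToken and userProfile endpoints answer with JSON bodies, and it takes the HTTP transport as a function `http_post(url, form) -> body` supplied by the caller so the flow can be exercised offline against a fake server; the company ID `acme`, the host `sp.example.com` and `fake_workplace_post` are constructed for the demo.

```python
"""Relying-party (customer system) side of the IDP-method OAuth 2.0 flow.

Added example, not WORKPLACE's code. Assumed: JSON bodies from the two POST
endpoints, and an injectable http_post(url, form) -> str transport.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def new_state():
    """Random single-use CSRF value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_login_url(domain_id, client_id, redirect_uri, state, login_id=None):
    """Step 2: the GET redirect to /authn/oauthLogin (response_type is fixed to "code")."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode() percent-encodes the URL
        "state": state,
    }
    if login_id:
        params["loginId"] = login_id  # optional: pre-fill the user's login account
    return f"https://{domain_id}.ncpworkplace.com/authn/oauthLogin?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2 response arriving on redirect_uri: return the one-time code or raise."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"login failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    got_state = q.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state means this callback was not
    # started by this session (login CSRF) and must be rejected before any exchange.
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in q:
        raise ValueError("callback carries neither code nor error")
    return q["code"][0]


def _call(http_post, url, form):
    """POST a form and decode the JSON reply; error responses become exceptions."""
    body = json.loads(http_post(url, form))
    if "error" in body:
        raise ValueError(f"{url}: {body['error']}: {body.get('error_description', '')}")
    return body


def exchange_code(domain_id, client_id, client_secret, code, http_post):
    """Step 3: POST the one-time code to /authn/accessToken; returns (access_token, expires_in)."""
    body = _call(http_post, f"https://{domain_id}.ncpworkplace.com/authn/accessToken", {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # sent server-to-server, never through the browser
        "code": code,
    })
    if body.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type {body.get('token_type')!r}")
    return body["access_token"], int(body["expires_in"])


def fetch_login_id(domain_id, client_id, client_secret, access_token, http_post):
    """Step 4: POST the access token to /authn/userProfile; returns login_id."""
    body = _call(http_post, f"https://{domain_id}.ncpworkplace.com/authn/userProfile", {
        "client_id": client_id,
        "client_secret": client_secret,
        "access_token": access_token,
    })
    return body["login_id"]


def login_with_callback(domain_id, client_id, client_secret, callback_url, expected_state, http_post):
    """Whole callback handling: state check, code exchange, profile lookup."""
    code = parse_callback(callback_url, expected_state)
    token, expires_in = exchange_code(domain_id, client_id, client_secret, code, http_post)
    # expires_in bounds how long the local session built from this login should live.
    return fetch_login_id(domain_id, client_id, client_secret, token, http_post), expires_in


# Constructed stand-in for the WORKPLACE server so the example runs offline;
# the code, secret and login ID are the page's example values, the token is shortened.
def fake_workplace_post(url, form):
    if url.endswith("/authn/accessToken"):
        if form.get("code") == "jxCiS2TA80GSocD2" and form.get("client_secret") == "JsjOUSDOtb":
            return json.dumps({"access_token": "imLS80bZNkpKtM9FWvZt7",
                               "token_type": "Bearer", "expires_in": "3600"})
        return json.dumps({"error": "invalid_grant", "error_description": "bad code or secret"})
    if url.endswith("/authn/userProfile"):
        if form.get("access_token") == "imLS80bZNkpKtM9FWvZt7":
            return json.dumps({"login_id": "admin@nbp.co.kr"})
        return json.dumps({"error": "invalid_token", "error_description": "unknown token"})
    raise AssertionError("unexpected URL " + url)


if __name__ == "__main__":
    state = new_state()
    print(build_login_url("acme", "17nRVbxDCSmzymTHMdnv", "https://sp.example.com/oauth2callback", state))
    callback = f"https://sp.example.com/oauth2callback?code=jxCiS2TA80GSocD2&state={state}"
    print(login_with_callback("acme", "17nRVbxDCSmzymTHMdnv", "JsjOUSDOtb", callback, state, fake_workplace_post))
```

The state value is generated per login attempt and compared before the code is exchanged, so a callback that was not started by the same browser session is dropped without spending the one-time code; the client secret only ever travels in the server-side POST bodies of steps 3 and 4.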
SAML
Take the following procedure to perform SSO linkage based on SAML 2.0.
- 1. Enter Linkage Information on Console
- 2. Create and Deliver SAML Request
- 3. Validate SAML Request
- 4. Create and Deliver SAML Response
1. Enter Linkage Information on Console
- From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
- Click the Developers menu.
- If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
- Click SSO Settings.
- Click the [Link Login] button.
- If you are using SMARTWORK Solution (bundling WORKPLACE and NAVER WORKS), then you can skip this step.
- Select SAML.
- Specify the SSO setting items, and then click the [Apply] button.
- SSO URL: Copy the provided SSO URL and enter it for the login page URL (SSO URL field) of the customer system.
- Response Issuer: Copy the provided Response Issuer and enter it in the customer system.
- Application: Click the [Add] button, and then enter the application information.
- Application Name: Enter the name of the application you want to integrate with SSO in English.
- ACS URL: Enter the ACS URL provided by the customer system.
- SP Issuer (Entity ID): Enter the SP issuer (entity ID) provided by the customer system. The SP issuer can't be duplicated in a single domain.
- Certificate: Click the [Download] button of each added application to download the certificate, and then attach it to the Certificate field of the customer system.
- NAME ID: It is fixed and displayed as "Login ID."
- NAME ID Format: It is fixed and displayed as "UNSPECIFIED."
2. Create and Deliver SAML Request
A SAML request is created as a parameter of SSO URL, and delivered to the customer authentication system.
Request URL
Use the SSO URL issued when registering the SAML app in the Developers console.
Example:
https://{Companyid}.ncpworkplace.com/authn/saml/samlLogin
HTTP Method
POST
Request
Refer to the Request field.
Parameter | Type | Requirement Status | Description |
---|---|---|---|
SAMLRequest | String | Y | String according to SAML 2.0 request details - encoded with Base64 |
RelayState | String | Y | URL to retry in case the authentication fails |
SAML Request Details
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="{ACS URL registered in WORKPLACE}"
ID="{ID}"
IssueInstant="{SAML request creation date and time}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="{Service Provider Name}"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">{SP issuer registered in WORKPLACE}</saml2:Issuer>
<saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
Item | Type | Requirement Status | Description |
---|---|---|---|
AuthnRequest AssertionConsumerServiceURL | String | Y | It is called ACS URL in short, and is the URL that receives the SAML response. It must be identical to the registered ACS URL. |
AuthnRequest ID | String | Y | It is the ID issued by WORKPLACE authentication system, and is used when creating a SAML response. |
AuthnRequest IssueInstant | Date(UTC) | Y | SAML request creation date and time |
AuthnRequest ProtocolBinding | String | Y | It is sent as "HTTP-POST," so a SAML response must be sent using the POST method. |
AuthnRequest ProviderName | String | N | Customer name |
Issuer | String | Y | It uses the registered SP issuer (entity ID). |
NameIDPolicy Format | String | Y | It uses "UNSPECIFIED" as a fixed value. |
3. Validate SAML Request
The customer authentication system receives the SAML request and executes the login page by validating it.
At this time, the customer's login page is executed for a domain that uses SSO, and WORKPLACE login page is executed otherwise.
4. Create and Deliver SAML Response
If the login is successful, a SAML response is created and delivered to the customer's ACS URL.
Request URL
It uses the ACS URL specified in the SAML request. (It must be identical to the registered ACS URL.)
HTTP Method
POST
Request
Parameter | Type | Requirement Status | Description |
---|---|---|---|
SAMLResponse | String | Y | String according to SAML 2.0 response details - encoded with Base64 |
RelayState | String | N | Returned in the response only when it was sent from the SP side |
Note
Since the value digitally signed with the registered certificate is included in the SAML response, the customer must validate the digital signature value.
SAML Response Details
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="{ACS URL registered in WORKPLACE}"
ID="{ID issued by WORKPLACE}"
InResponseTo="{ID included in the SAML request}"
IssueInstant="{SAML response creation date and time}"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
{Response Issuer}
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
"{Digital signature}"
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{ID issued by WORKPLACE}"
IssueInstant="{SAML response creation date and time}"
Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
{Response Issuer}
</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="unspecified">
"{Login ID of the logged in user}"
</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
InResponseTo="{ID included in the SAML request}"
NotOnOrAfter="{SAML response end date and time}"
Recipient="{ACS URL}"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="{SAML response start date and time}"
NotOnOrAfter="{SAML response end date and time}">
<saml2:AudienceRestriction>
<saml2:Audience>{SP issuer registered in WORKPLACE}
</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="{SAML response creation date and time}"
SessionIndex="{ID issued by WORKPLACE}">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
SAML Response Example
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="4ec6c869-4f1f-4027-adc2-90a5dc5cb597"
InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael" IssueInstant="2021-12-29T06:24:26.000Z"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://회사id.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#4ec6c869-4f1f-4027-adc2-90a5dc5cb597">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>EcKuJWielgJv1XCEeb1lDR6yP7w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>oE1jjGQhtkRVxSp4....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHDCCAgSgAwIBAgIGAWm....</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="cf10bea7-f97d-4273-b431-36b1228244e3" IssueInstant="2021-12-29T06:24:26.000Z"
Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer>http://회사id.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
<saml2:Subject>
<saml2:NameID NameQualifier="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@samltest.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael"
NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-29T06:34:26.000Z"
Recipient="https://AuthenticationCompany/acs/samltest.com"/></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-30T06:24:26.000Z">
<saml2:AudienceRestriction>
<saml2:Audience>worksmobile.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-12-29T06:24:26.000Z"
SessionIndex="ajinaekefnokobjefcegddakfdphcchikhgphael"
SessionNotOnOrAfter="2021-12-30T06:24:26.000Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Each item of a SAML response is as follows.
Item | Type | Requirement Status | Description |
---|---|---|---|
Response Destination | String | Y | ACS URL included in the SAML request |
Response ID | String | Y | ID issued by WORKPLACE |
Response InResponseTo | Date(UTC) | Y | ID included in the SAML request |
Response IssueInstant | Date(UTC) | Y | SAML response creation date and time |
Signature | String | Y | Digital signature |
Assertion ID | String | N | ID issued by WORKPLACE |
Assertion IssueInstant | Date(UTC) | N | SAML response creation date and time |
Subject NameID | String | Y | Login ID of the logged in user |
SubjectConfirmationData InResponseTo | String | Y | ID included in the SAML request |
SubjectConfirmationData NotOnOrAfter | Date(UTC) | Y | SAML response end date and time |
SubjectConfirmationData Recipient | String | Y | ACS URL |
Conditions NotBefore | Date(UTC) | Y | SAML response start date and time |
Conditions NotOnOrAfter | Date(UTC) | Y | SAML response end date and time |
Audience | String | Y | Issuer included in the SAML request |
AuthnStatement AuthnInstant | Date(UTC) | Y | SAML response creation date and time |
AuthnStatement SessionIndex | String | Y | ID issued by WORKPLACE |
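The checks the customer system, as the SP, should run on the response above before trusting the NameID, as an added example (not WORKPLACE's code). It covers the binding to the original request (InResponseTo, Destination, Recipient), the audience, the status and the validity windows; the digital-signature validation the note requires is delegated to a caller-supplied `signature_verifier(xml_bytes) -> bool`, which in production wraps an XML-DSig library loaded with the certificate downloaded from the console. `SAMPLE_RESPONSE` is constructed from the page's SAML Response Example; `sp.example.com`, the company ID `acme` and the placeholder signature are assumptions.

```python
"""SP-side checks on a WORKPLACE SAML response before its NameID is trusted.

Added example, not WORKPLACE's code. Binding, audience, status and time-window
checks are done here; XML-DSig verification is delegated to signature_verifier.
SAMPLE_RESPONSE is constructed with a placeholder signature, so the demo passes
a stand-in verifier.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    """Parse 2021-12-29T06:24:26.000Z style timestamps into aware UTC datetimes."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_saml_response(xml_bytes, expected_request_id, acs_url, sp_issuer,
                           idp_issuer, now, signature_verifier, skew_seconds=60):
    """Return the authenticated login ID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['saml2p']}}}Response":
        raise ValueError("not a saml2p:Response")
    # 1. A signature must be present and verify under the certificate registered for this app.
    if root.find("ds:Signature", NS) is None or not signature_verifier(xml_bytes):
        raise ValueError("missing or invalid XML signature")
    # 2. Status must be Success and the issuer must be the console's Response Issuer.
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.findtext("saml2:Issuer", default="", namespaces=NS).strip() != idp_issuer:
        raise ValueError("unexpected issuer")
    # 3. Bind the response to our own AuthnRequest and our ACS URL; this is what stops a
    #    response captured elsewhere from being replayed against this SP.
    if root.get("InResponseTo") != expected_request_id or root.get("Destination") != acs_url:
        raise ValueError("InResponseTo/Destination do not match our request and ACS URL")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != acs_url:
        raise ValueError("SubjectConfirmationData does not match our request and ACS URL")
    # 4. Validity windows (Conditions and SubjectConfirmationData), allowing a small clock skew.
    skew = timedelta(seconds=skew_seconds)
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is missing Conditions or outside its validity window")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation has expired")
    # 5. The audience must name this SP's issuer (entity ID).
    audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if sp_issuer not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("no NameID")
    return name_id


# Constructed demo values; sp.example.com and the company ID "acme" are placeholders.
REQUEST_ID = "ajinaekefnokobjefcegddakfdphcchikhgphael"
ACS_URL = "https://sp.example.com/acs"
SP_ISSUER = "https://sp.example.com/metadata"
IDP_ISSUER = "https://acme.ncpworkplace.com/authn/saml/metadata"
DEMO_NOW = datetime(2021, 12, 29, 6, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="4ec6c869-4f1f-4027-adc2-90a5dc5cb597" Version="2.0" IssueInstant="2021-12-29T06:24:26.000Z"
    Destination="https://sp.example.com/acs" InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael">
  <saml2:Issuer>https://acme.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="cf10bea7-f97d-4273-b431-36b1228244e3" Version="2.0" IssueInstant="2021-12-29T06:24:26.000Z">
    <saml2:Issuer>https://acme.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test@samltest.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael"
            NotOnOrAfter="2021-12-29T06:34:26.000Z" Recipient="https://sp.example.com/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-30T06:24:26.000Z">
      <saml2:AudienceRestriction><saml2:Audience>https://sp.example.com/metadata</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def demo(now=DEMO_NOW, request_id=REQUEST_ID, verifier=lambda xml_bytes: True):
    """Run the checks on the sample; the default verifier is a stand-in for a real XML-DSig check."""
    try:
        return validate_saml_response(SAMPLE_RESPONSE, request_id, ACS_URL, SP_ISSUER, IDP_ISSUER, now, verifier)
    except ValueError as exc:
        return "rejected: " + str(exc)
```

The request ID passed in must come from the SP's own store of outstanding AuthnRequest IDs (and be deleted once consumed), otherwise the InResponseTo check adds nothing; the short SubjectConfirmationData window in the page's example (ten minutes) is the one that actually limits replay, since the Conditions window runs a full day.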
SP Method Linkage
The SP method can perform SSO linkage by using Security Assertion Markup Language (SAML) 2.0 or OAuth 2.0. If WORKPLACE and the company's system are integrated, then WORKPLACE becomes the service provider. You'll automatically log in to the company's system by logging in to WORKPLACE.
The following describes how to set up linkage with the SP method.
- From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
- Click the Developers menu.
- If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
- Click SSO Settings.
- Click the [Link Login] button next to the service to set up SSO.
- Set up the login linkage by referring to the sections below.
Link Login With Google Workspace
You can link login with Google Workspace by using the SSO linkage based on the SAML 2.0 method.
The setting steps may differ from the explanation in this guide, depending on the Google Workspace environment. For more details about the usage method, see the Google Workspace Guide.
The following describes how to link login with Google Workspace.
- 1. Log in separately to Google Admin and the NAVER Cloud Platform console.
- 2. In the Google Admin page, click Apps > Web and mobile apps, in that order. In the next page, click Add App > Add custom SAML app.
- 3. In the Google Admin page, enter the app name in the App Details page. Upload the app logo for the app icon. Download the logo image from Developers > Set SSO in the NAVER Cloud Platform console.
- 4. In Option 2 of Step 2 Google Identity Provider Details in the Google Admin page, copy the URL of the SSO URL field, click the [Download] button for the certificate of the Certificate field to download it, and then click Continue.
- 5. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE > Developers menus, in that order.
- 6. Click the [Link Login] button next to Google Workspace.
- 7. Paste the SSO URL copied in Step 4 onto the SSO URL input field of the NAVER Cloud Platform console.
- 8. Upload the certificate downloaded in Step 4 by clicking the [Attach File] button of the Certificate field on the NAVER Cloud Platform console.
- 9. Copy the URL and ID displayed in the ACS URL and Entity ID items of the SSO Settings page on the NAVER Cloud Platform console, and paste them into the ACS URL and Entity ID input fields, respectively, in the Service Provider Details pop-up window of Google Admin.
- 10. Click Continue in the Service Provider Details pop-up window of Google Admin.
- 11. Click Finish in the Attribute Mapping pop-up window of Google Admin.
- 12. Click Modify Service.
- 13. Select Turn ON for everyone, and then click Save.
- 14. Click the icon at the top right of Google Admin to check the registered SAML app.
- 15. From the NAVER Cloud Platform console, click the [Apply] button.
- Once the SSO linkage between WORKPLACE and Google Workspace is completed, you can log in to WORKPLACE and use WORKPLACE with a Google account.
- You can register a shortcut to Google Workspace in All Services. For more details, see Manage Top Menu.
Link Login With Other Services
You can link login with various services that support SSO linkage based on the OAuth 2.0 or Security Assertion Markup Language (SAML) 2.0 method.
- From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
- Click the Developers menu.
- If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
- Click SSO Settings.
- Click the [Link Login] button next to Other Services.
- Select the linkage method.
- Enter the setting items according to the selected linkage method.
OAuth 2.0 SSO Setting Items
- Web Login URL: Enter the Request URL produced in OAuth 2.0 1. Web Login URL.
- Access Token Return API: Enter the Request URL produced in OAuth 2.0 3. Access Token Issue API.
- User Info Return API: Enter the Request URL created in OAuth 2.0 4. User Information Return API.
- Client ID: Enter the client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console.
- Logout URL: Enter the Request URL created in Client Logout.
SAML 2.0 SSO Setting Items
- Web Login URL: Enter the Request URL produced in SAML 2.0 1. Web Login Page.
- Logout URL: Enter the Request URL created in Client Logout.
- Logout Domain: Enter the Request URL created in WORKPLACE Logout.
- Register File (*.pem): Register the certificate used when electronically signing a SAML response. (The certificate is used for validation.)
- Click the [Apply] button.
OAuth 2.0 1. Web Login URL
Log in to the customer's system to issue the authorization code, and return it to redirect_uri.
https://CustomerDomain/CustomerLoginPage
Only port 443 can be used according to WORKPLACE's infrastructure security policy.
HTTP Method: GET
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
response_type | String | Y | Classification value for the authentication process that specifies the format of the result to be returned. |
client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
redirect_uri | String | Y | Encoded URL that returns the authorization code after processing authentication |
state | String | Y | Unique value randomly created to prevent Cross-Site Request Forgery (CSRF) (included in the URL when returning the authorization code, sending the state value as a parameter) |
loginId | String | N | Login account entered by user |
OAuth 2.0 2. Authorization
After processing authentication of the customer and SSO on the customer's SSO system, issue an authorization code and redirect to the WORKPLACE authentication system.
https://WORKPLACEAuthenticationSystemURL/authorizationURL
URL is a value that can change anytime, depending on the user environment and WORKPLACE policy. Make sure to use the URL received as redirect_uri.
HTTP Method: GET/POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
code | String | Y (Success) | One-time authorization code that is used to issue the access token |
state | String | Y (Success) | Authentication value on the client side used to prevent CSRF, with the URL encoded (state value sent to redirect_uri parameter) |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
OAuth 2.0 3. Access Token Issue API
Validate the authorization code in the customer's SSO system, and then issue and return the access token.
https://CustomerDomain/accessToken
Only port 443 can be used according to WORKPLACE's infrastructure security policy.
HTTP Method: POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
grant_type | String | Y | Classification value for the authentication process that specifies the format of the result to be returned. |
client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
client_secret | String | Y | Client secret registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
code | String | Y | Authorization Code |
state | String | N | Authentication value on the client side used to prevent CSRF, with the URL encoded |
Response:
Property | Type | Requirement Status | Description |
---|---|---|---|
access_token | String | Y (Success) | Access Token |
token_type | String | Y (Success) | Access token type |
expires_in | String | Y (Success) | Validity period of the access token (seconds) |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
OAuth 2.0 4. User Information Return API
Validate the access token in the customer's SSO system, and then return the user information.
https://CustomerDomain/UserInformation
Only port 443 can be used according to WORKPLACE's infrastructure security policy.
HTTP Method: POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
client_secret | String | Y | Client secret registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
access_token | String | Y | Access Token |
Response:
Property | Type | Requirement Status | Description |
---|---|---|---|
email_id | String | Y (Success) | Member's login ID |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error returned in case of failure |
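The customer side of OAuth 2.0 steps 1 to 4 above, modelled as an in-memory authorization server, as an added example (not WORKPLACE's or any customer's code). It shows the three things those endpoints must get right: a code is bound to the client that requested it and can be redeemed exactly once, the client secret is checked before anything is issued, and an access token stops resolving to a user once `expires_in` has elapsed. How the customer authenticates the user before `web_login()` runs is out of scope; the clock is injectable so expiry can be exercised offline, and `wp.example.com` and the login ID `user@example.com` are constructed values.

```python
"""Customer-side endpoints for the SP-method OAuth 2.0 linkage.

Added example, not WORKPLACE's code. An in-memory model of the web login URL
(issues a one-time code), the access token API and the user information API.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class CustomerAuthServer:
    CODE_TTL = 60      # seconds a one-time authorization code stays redeemable
    TOKEN_TTL = 3600   # seconds an access token stays valid; returned as expires_in

    def __init__(self, clients, clock=time.time):
        self.clients = clients   # {client_id: client_secret} as registered in the WORKPLACE console
        self.clock = clock
        self._codes = {}         # code  -> (client_id, login_id, expires_at)
        self._tokens = {}        # token -> (client_id, login_id, expires_at)

    def _client_ok(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected.encode(), client_secret.encode())

    def web_login(self, response_type, client_id, redirect_uri, state, login_id):
        """1. Web Login URL: called once the customer's own login succeeded for login_id.
        Returns the redirect back to WORKPLACE (2. Authorization) carrying code and state."""
        if not redirect_uri.startswith("https://"):          # page: only port 443 is used
            raise ValueError("redirect_uri must be an https URL")
        if response_type != "code" or client_id not in self.clients:
            return redirect_uri + "?" + urlencode({"error": "invalid_request",
                                                   "error_description": "bad response_type or client_id",
                                                   "state": state})
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, login_id, self.clock() + self.CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})  # state echoed unchanged

    def access_token(self, grant_type, client_id, client_secret, code, state=None):
        """3. Access Token Issue API: redeem a code exactly once for a Bearer token."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client", "error_description": "unknown client_id or wrong client_secret"}
        entry = self._codes.pop(code, None)   # pop(): a code can never be redeemed twice
        if grant_type != "authorization_code" or entry is None:
            return {"error": "invalid_grant", "error_description": "code unknown, already used, or bad grant_type"}
        code_client, login_id, expires_at = entry
        if code_client != client_id or self.clock() >= expires_at:
            return {"error": "invalid_grant", "error_description": "code expired or issued to another client"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, login_id, self.clock() + self.TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": str(self.TOKEN_TTL)}

    def user_information(self, client_id, client_secret, access_token):
        """4. User Information Return API: map a live token to the member's login ID."""
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client", "error_description": "unknown client_id or wrong client_secret"}
        entry = self._tokens.get(access_token)
        if entry is None or entry[0] != client_id or self.clock() >= entry[2]:
            return {"error": "invalid_token", "error_description": "unknown or expired access_token"}
        return {"email_id": entry[1]}


def demo_flow():
    """Walk the three endpoints once with constructed values and return what each step yielded."""
    clock = [1_000_000.0]                       # fake clock so expiry is deterministic
    srv = CustomerAuthServer({"17nRVbxDCSmzymTHMdnv": "JsjOUSDOtb"}, clock=lambda: clock[0])
    redirect = srv.web_login("code", "17nRVbxDCSmzymTHMdnv", "https://wp.example.com/cb", "xyz", "user@example.com")
    q = parse_qs(urlparse(redirect).query)
    token = srv.access_token("authorization_code", "17nRVbxDCSmzymTHMdnv", "JsjOUSDOtb", q["code"][0])
    replay = srv.access_token("authorization_code", "17nRVbxDCSmzymTHMdnv", "JsjOUSDOtb", q["code"][0])
    profile = srv.user_information("17nRVbxDCSmzymTHMdnv", "JsjOUSDOtb", token["access_token"])
    bad_secret = srv.user_information("17nRVbxDCSmzymTHMdnv", "wrong", token["access_token"])
    clock[0] += CustomerAuthServer.TOKEN_TTL    # advance the clock past the token's lifetime
    expired = srv.user_information("17nRVbxDCSmzymTHMdnv", "JsjOUSDOtb", token["access_token"])
    return {"state": q["state"][0], "token_type": token["token_type"], "expires_in": token["expires_in"],
            "profile": profile, "replay_error": replay.get("error"),
            "bad_secret_error": bad_secret.get("error"), "expired_error": expired.get("error")}


if __name__ == "__main__":
    print(demo_flow())
```

The client check runs before the code is popped, so a request with the right code but the wrong secret does not burn the code; a request with the right secret but a reused code gets `invalid_grant`, which is the signal worth alerting on, since a legitimate WORKPLACE server redeems each code once.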
SAML 2.0 1. Web Login Page
After validating the SAML request and processing the client login, create the SAML response and return to the ACS URL.
https://CustomerDomain/CustomerLoginPage
Only port 80 or 443 can be used according to WORKPLACE's infrastructure security policy.
HTTP Method: GET
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
SAMLRequest | String | Y | String according to SAML 2.0 request details |
RelayState | String | Y | URL to retry in case the authentication fails |
SAML 2.0 2. Validate SAML Request
The SAML request is encoded with Deflate + Base64. Decode it and validate the SAML request.
SAML Request Details:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="{ACS URL}"
ID="{ID issued by WORKPLACE authentication system}"
IssueInstant="{Request creation date and time}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="ncpworkplace.com"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncpworkplace.com</saml2:Issuer>
<saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
SAML Request Items:
Item | Description |
---|---|
AuthnRequest AssertionConsumerServiceURL | This URL is called ACS URL in short and receives the SAML response. |
AuthnRequest ID | This ID is issued by the WORKPLACE authentication system and used when creating a SAML response. |
AuthnRequest IssueInstant | SAML request creation date and time |
AuthnRequest ProtocolBinding | It is sent as "HTTP-POST," so a SAML response must be sent using the POST method |
AuthnRequest ProviderName | This is the service provider name sent to "ncpworkplace.com." |
Issuer | It is the ID issued by the service provider's system. It is used when creating a SAML response. |
SAML Request Example:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://회사ID.ncpworkplace.com/...."
ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
IssueInstant="2018-02-14T03:33:49.999Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="ncpworkplace.com"
Version="2.0">
<saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncpworkplace.com</saml2:Issuer>
<saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
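Decoding and validating the SAMLRequest parameter as the customer's login page receives it, as an added example (not WORKPLACE's code). `decode_saml_request()` undoes the Deflate + Base64 encoding named above and, going beyond this section, also accepts the plain Base64 form described for the IDP method; `parse_authn_request()` checks the binding, the ACS URL and the issuer against the registered values and returns the ID that must be echoed as InResponseTo. `SAMPLE_REQUEST` is built from the page's SAML Request Example; the ACS URL under `acme.ncpworkplace.com` is a placeholder.

```python
"""Decode and check the SAMLRequest received by the customer's login page (SP method).

Added example, not WORKPLACE's code. Handles raw DEFLATE + Base64 (this section)
and plain Base64 (IDP-method section). The ACS URL below is a placeholder.
"""
import base64
import xml.etree.ElementTree as ET
import zlib

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def encode_saml_request(xml_bytes, deflate=True):
    """Raw DEFLATE (no zlib header, wbits=-15) followed by Base64; deflate=False gives plain Base64."""
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_saml_request(param):
    """Base64-decode, then inflate if the payload turns out to be a raw DEFLATE stream."""
    raw = base64.b64decode(param)
    try:
        inflated = zlib.decompress(raw, -15)
        if inflated.lstrip().startswith(b"<"):
            return inflated
    except zlib.error:
        pass
    return raw   # not deflated: plain Base64 of the XML


def parse_authn_request(xml_bytes, expected_acs_url, expected_issuer):
    """Validate the AuthnRequest and return the fields needed to build the response."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError("not a saml2p:AuthnRequest")
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    if root.get("ProtocolBinding") != HTTP_POST:
        raise ValueError("response must be delivered with the HTTP-POST binding")
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url != expected_acs_url:
        raise ValueError("ACS URL is not the one registered for this linkage")
    issuer = root.findtext(f"{{{SAML2}}}Issuer", default="").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    request_id = root.get("ID")
    if not request_id:
        raise ValueError("AuthnRequest has no ID")
    # ID becomes InResponseTo in the response; IssueInstant lets the login page drop stale requests.
    return {"id": request_id, "acs_url": acs_url, "issuer": issuer, "issue_instant": root.get("IssueInstant")}


# Constructed sample based on the page's example; the ACS URL is a placeholder.
ACS_URL = "https://acme.ncpworkplace.com/acs"
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}"
    AssertionConsumerServiceURL="{ACS_URL}"
    ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
    IssueInstant="2018-02-14T03:33:49.999Z"
    ProtocolBinding="{HTTP_POST}"
    ProviderName="ncpworkplace.com"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="{SAML2}">ncpworkplace.com</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>""".encode("utf-8")


def round_trip(deflate=True):
    """Encode the sample as the SP sends it, then decode and validate it as the login page would."""
    param = encode_saml_request(SAMPLE_REQUEST, deflate=deflate)
    return parse_authn_request(decode_saml_request(param), ACS_URL, "ncpworkplace.com")


if __name__ == "__main__":
    print(round_trip())
    print(round_trip(deflate=False))
```

Checking AssertionConsumerServiceURL against the registered value matters because the SAML response, and with it the signed login ID, is posted to whatever URL the request names; the login page must only ever deliver it to the ACS URL configured for the linkage.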
WORKPLACE Logout
This feature is used when logging out from WORKPLACE after logging out from the customer's system. Upon receiving a logout request, the WORKPLACE account logged in to WORKPLACE is logged out and redirected to redirect_uri received.
Since redirect_uri is checked against an allow list (white_url), it must be registered as the Logout Redirection Domain in SSO Settings of Developers on the NAVER Cloud Platform console.
https://회사ID.ncpworkplace.com/authn/logoutProcess
HTTP Method: GET/POST
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
redirect_uri | String | Y | Encoded URL to be redirected after logging out from WORKPLACE |
Response:
Redirect to redirect_uri.
Customer Logout
This feature is used to log out from the client's system after logging out from WORKPLACE.
https://CustomerDomain/Logout
Only port 443 can be used according to WORKPLACE's infrastructure security policy.
HTTP Method: GET
Request:
Parameter | Type | Requirement Status | Description |
---|---|---|---|
redirect_uri | String | N | This is redirect_uri (URL encoded) to be redirected after the logout is processed from the client company's system. |
After Completion of SSO Linkage
When the SSO linkage is complete, you can log in to WORKPLACE using the login information of the existing corporate information system, which makes it convenient for managing login information.
User Login
If the user accesses the WORKPLACE company URL (https://기업ID.ncpworkplace.com), then the user is taken directly to the login page for the corporate information system or other services (e.g., Google).
When the user accesses the WORKPLACE basic URL (https://www.ncpworkplace.com):
- Click the [SSO Linkage Settings] button at the bottom of the login page.
- Enter the company ID and click the Log In button.
- You will be taken to the login page for other linked services (e.g., Google, company's corporate information system). By logging in to other services, you can immediately start using WORKPLACE.