Setting SSO

    The latest service changes have not yet been reflected in this content. We will update the content as soon as possible. Please refer to the Korean version for information on the latest updates.

    Available in Classic/VPC.

    Single Sign-On (SSO) is an integrated login method that lets a user authenticate to multiple systems with a single ID and password. By setting up SSO linkage between WORKPLACE and another system, you can access and use both systems with a single login.

    WORKPLACE Developers supports the following two methods of SSO, and you can select one of the two methods for integration.

    • IDP Method: IDP stands for Identity Provider and refers to a service that stores and manages the authentication information of users who access the cloud service, etc.
    • SP Method: SP stands for Service Provider and refers to a service system.
    Note

    If easy login has been set in the [Admin] > [Security] > [Manage Access] menu, set easy login to Not use before integrating login.

    IDP Method Linkage

    You can integrate login between the company's corporate information system and WORKPLACE based on SAML 2.0 or OAuth 2.0 in the IDP method.

    OAuth

    Follow the procedure below to perform SSO linkage with the IDP method.

    1. Enter Linkage Information on Console

    1. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
    2. Click the Developers menu.
      • If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
    3. Click SSO Settings.
    4. Click the [Link Login] button.
      • If you are using SMARTWORK Solution (bundling WORKPLACE and NAVER WORKS), then you can skip this step.
    5. Specify the SSO setting items, and then click the [Apply] button.
      • Domain: URL to be forwarded to redirect_uri of the company, copied onto the clipboard by clicking the [Copy] button
      • Client ID: Client ID provided by WORKPLACE, copied onto the clipboard by clicking the [Copy] button
      • Client Secret: Client secret value provided by WORKPLACE, copied onto the clipboard by clicking the [Copy] button
      • Redirect Domain: Copy the URL to be forwarded to redirect_uri of the company, and enter it here.

    2. Redirect to WORKPLACE OAuth 2.0 Server and Process Response

    Create a request parameter and redirect to the WORKPLACE OAuth 2.0 server.

    https://회사도메인ID.ncpworkplace.com/authn/oauthLogin
    

    HTTP Method:

    GET

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | response_type | String | Y | Classification value for the authentication process that specifies the format of the result value to be received. The fixed string "code" is always used. |
    | client_id | String | Y | Client ID value provided by WORKPLACE |
    | redirect_uri | String | Y | Encoded URL to which the authorization code is returned after authentication is processed |
    | state | String | Y | Unique value randomly created to prevent Cross-Site Request Forgery (CSRF) (included in the URL when returning the authorization code, sending the state value as a parameter) |
    | loginId | String | N | Login account entered by user |

    Example:

    GET https://회사도메인ID.ncpworkplace.com/authn/oauthLogin?response_type=code&client_id=17nRVbxDCSmzymTHMdnv&redirect_uri=http://고객사/oauth2callback&loginId=admin@nbp.co.kr
    

    After confirming login or authentication as above, the OAuth 2.0 server uses the specified URL (redirect_uri) to respond to the access request.

    https://회사도메인ID.ncpworkplace.com/authn/oauthLogin
    

    HTTP Method:

    GET

    Response:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | code | String | Y (Success) | One-time authorization code that is used to issue the access token |
    | state | String | Y (Success) | Client ID value provided by WORKPLACE |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    Example:

    If an error occurs, http://Customer/oauth2callback?error=access_denied
    If successful, http://Customer/oauth2callback?code=jxCiS2TA80GSocD2
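
The redirect and callback handling for this step, as an added example (not NAVER Cloud Platform code): it generates the `state` value, builds the `/authn/oauthLogin` redirect, and rejects any callback whose `state` does not match the one stored for the session. The company domain ID, client ID, callback URL, and the dictionary standing in for a server-side session are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions): use your company domain ID, the Client ID
# copied from the console, and the redirect URL registered there.
WORKPLACE_BASE = "https://example-company.ncpworkplace.com"
CLIENT_ID = "CLIENT_ID_FROM_CONSOLE"
REDIRECT_URI = "https://sso.example.com/oauth2callback"


class CallbackError(Exception):
    """Raised when the callback must not be used to log the user in."""


def build_login_redirect(session, login_id=None):
    """Return the /authn/oauthLogin URL and bind a fresh state to the session."""
    state = secrets.token_urlsafe(32)   # unpredictable, 256 bits of randomness
    session["oauth_state"] = state      # kept server-side, per browser session
    params = {
        "response_type": "code",        # fixed value per the parameter table
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # urlencode() percent-encodes it
        "state": state,
    }
    if login_id:
        params["loginId"] = login_id    # optional parameter
    return f"{WORKPLACE_BASE}/authn/oauthLogin?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Validate the redirect back to redirect_uri and return the one-time code."""
    query = parse_qs(urlsplit(callback_url).query)
    # The stored state is single use: remove it whether or not the checks pass.
    expected = session.pop("oauth_state", None)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise CallbackError(f"authorization failed: {query['error'][0]} {detail}".strip())
    returned = query.get("state", [""])[0]
    # Constant-time comparison; a missing stored state always fails.
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise CallbackError("state missing or mismatched")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("expected exactly one authorization code")
    return codes[0]
```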
    

    3. Exchange Authentication Code for Access Token

    To exchange the authentication code for the access token, pass the authentication code to the Access Token Return API as shown below.

    https://회사도메인ID.ncpworkplace.com/authn/accessToken
    

    HTTP Method:

    POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | grant_type | String | Y | Classification value for the authentication process that specifies the format of the result value to be received. The fixed string "authorization_code" is always used. |
    | client_id | String | Y | Client ID value provided by WORKPLACE |
    | client_secret | String | Y | Client secret value provided by WORKPLACE |
    | code | String | Y | Authorization code issued in Step 2 |
    | state | String | N | String used by the application to maintain the status between the request and redirection response |

    Example:

    https://회사도메인ID.ncpworkplace.com/authn/accessToken?grant_type=authorization_code&client_id=17nRVbxDCSmzymTHMdnv&client_secret=JsjOUSDOtb&code=jxCiS2TA80GSocD2
    

    Response:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | access_token | String | Y (Success) | Access token |
    | token_type | String | Y (Success) | Access token type, fixed as "Bearer" |
    | expires_in | String | Y (Success) | Validity period of the access token (seconds); the login time actually maintained by the application |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    4. Return Authenticated User Information

    Return the authenticated user information as shown below.

    https://회사도메인ID.ncpworkplace.com/authn/userProfile
    

    HTTP Method:

    POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | client_id | String | Y | Client ID value provided by WORKPLACE |
    | client_secret | String | Y | Client secret value provided by WORKPLACE |
    | access_token | String | Y | Access token received in Step 3 (URL encoded value, passes the returned access token as is) |

    Example:

    https://회사도메인ID.ncpworkplace.com/authn/userProfile?client_id=17nRVbxDCSmzymTHMdnv&client_secret=JsjOUSDOtb&access_token=imLS80bZNkpKtM9FWvZt7MjMTcXIyIN0ygyr8DERsgzetKFIUWqArHlCUQ1VJ6I....
    

    Response:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | login_id | String | Y (Success) | Login ID |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    Logout URL

    https://회사도메인ID.ncpworkplace.com/authn/logoutProcess
    

    SAML

    Follow the procedure below to perform SSO linkage based on SAML 2.0.

    1. Enter Linkage Information on Console

    1. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
    2. Click the Developers menu.
      • If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
    3. Click SSO Settings.
    4. Click the [Link Login] button.
      • If you are using SMARTWORK Solution (bundling WORKPLACE and NAVER WORKS), then you can skip this step.
    5. Select SAML.
    6. Specify the SSO setting items, and then click the [Apply] button.
      • SSO URL: Copy the provided SSO URL and enter it for the login page URL (SSO URL field) of the customer system.
      • Response Issuer: Copy the provided Response Issuer and enter it in the customer system.
      • Application: Click the [Add] button, and then enter the application information.
        • Application Name: Enter the name of the application you want to integrate with SSO in English.
        • ACS URL: Enter the ACS URL provided by the customer system.
        • SP Issuer (Entity ID): Enter the SP issuer (entity ID) provided by the customer system. The SP issuer can't be duplicated in a single domain.
      • Certificate: Click the [Download] button of each added application to download the certificate, and then attach it to the Certificate field of the customer system.
      • NAME ID: It is fixed and displayed as "Login ID."
      • NAME ID Format: It is fixed and displayed as "UNSPECIFIED."

    2. Create and Deliver SAML Request

    A SAML request is created as a parameter of SSO URL, and delivered to the customer authentication system.

    Request URL

    The request is delivered to the SSO URL, which is issued when registering SAML Apps in the Developer console.

    Example:

    https://{Companyid}.ncpworkplace.com/authn/saml/samlLogin

    HTTP Method

    POST

    Request

    Refer to the Request field.

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | SAMLRequest | String | Y | String conforming to the SAML 2.0 request details, encoded with Base64 |
    | RelayState | String | Y | URL to retry in case the authentication fails |

    SAML Request Details

     <saml2p:AuthnRequest
         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
         AssertionConsumerServiceURL="{ACS URL registered in WORKPLACE}"
         ID="{ID}"
         IssueInstant="{SAML request creation date and time}"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
         ProviderName="{Service Provider Name}"
         Version="2.0">
         <saml2:Issuer
             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">{SP issuer registered in WORKPLACE}</saml2:Issuer>
         <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
     </saml2p:AuthnRequest>
    
    | Item | Type | Requirement Status | Description |
    |---|---|---|---|
    | AuthnRequest AssertionConsumerServiceURL | String | Y | The URL that receives the SAML response, called the ACS URL for short. It must be identical to the registered ACS URL. |
    | AuthnRequest ID | String | Y | ID issued by the WORKPLACE authentication system; it is used when creating a SAML response. |
    | AuthnRequest IssueInstant | Date(UTC) | Y | SAML request creation date and time |
    | AuthnRequest ProtocolBinding | String | Y | It is sent as "HTTP-POST," so a SAML response must be sent using the POST method. |
    | AuthnRequest ProviderName | String | N | Customer name |
    | Issuer | String | Y | It uses the registered SP issuer (entity ID). |
    | NameIDPolicy Format | String | Y | It uses "UNSPECIFIED" as a fixed value. |

    3. Validate SAML Request

    The customer authentication system receives the SAML request, validates it, and then displays the login page.
    At this time, the customer's login page is displayed for a domain that uses SSO; otherwise, the WORKPLACE login page is displayed.

    4. Create and Deliver SAML Response

    If the login is successful, a SAML response is created and delivered to the customer's ACS URL.

    Request URL

    It uses the ACS URL specified in the SAML request. (It must be identical to the registered ACS URL.)

    HTTP Method

    POST

    Request

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | SAMLResponse | String | Y | String conforming to the SAML 2.0 response details, encoded with Base64 |
    | RelayState | String | N | Delivered to the response only when delivered from the SP side |

    Note

    The SAML response includes a value digitally signed with the registered certificate, so the customer must validate the digital signature.

    SAML Response Details

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="{ACS URL registered in WORKPLACE}"
     ID="{ID issued by WORKPLACE}"
     InResponseTo="{ID included in the SAML request}"
     IssueInstant="{SAML response creation date and time}"
      Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
      {Response Issuer}
      </saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          "{Digital signature}"
      </ds:Signature>
      <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </saml2p:Status>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="{ID issued by WORKPLACE}"
      IssueInstant="{SAML response creation date and time}"
      Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
        {Response Issuer}
        </saml2:Issuer>
        <saml2:Subject>
          <saml2:NameID Format="unspecified">
          "{Login ID of the logged in user}"
          </saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData
            InResponseTo="{ID included in the SAML request}"
            NotOnOrAfter="{SAML response end date and time}"
            Recipient="{ACS URL}"/>
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="{SAML response start date and time}"
        NotOnOrAfter="{SAML response end date and time}">
          <saml2:AudienceRestriction>
            <saml2:Audience>{SP issuer registered in WORKPLACE}
            </saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="{SAML response creation date and time}"
         SessionIndex="{ID issued by WORKPLACE}">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>
    </saml2p:Response>
    

    SAML Response Example

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:Response ID="4ec6c869-4f1f-4027-adc2-90a5dc5cb597"
        InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael" IssueInstant="2021-12-29T06:24:26.000Z"
        Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://회사id.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#4ec6c869-4f1f-4027-adc2-90a5dc5cb597">
                    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <ds:DigestValue>EcKuJWielgJv1XCEeb1lDR6yP7w=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
           <ds:SignatureValue>oE1jjGQhtkRVxSp4....</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDHDCCAgSgAwIBAgIGAWm....</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
        <saml2:Assertion ID="cf10bea7-f97d-4273-b431-36b1228244e3" IssueInstant="2021-12-29T06:24:26.000Z"
            Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Issuer>http://회사id.ncpworkplace.com/authn/saml/metadata</saml2:Issuer>
            <saml2:Subject>
                <saml2:NameID NameQualifier="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@samltest.com</saml2:NameID>
                <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ajinaekefnokobjefcegddakfdphcchikhgphael"
                    NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-29T06:34:26.000Z"
                    Recipient="https://AuthenticationCompany/acs/samltest.com"/></saml2:SubjectConfirmation>
            </saml2:Subject>
            <saml2:Conditions NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-30T06:24:26.000Z">
                <saml2:AudienceRestriction>
                    <saml2:Audience>worksmobile.com</saml2:Audience>
                </saml2:AudienceRestriction>
            </saml2:Conditions>
            <saml2:AuthnStatement AuthnInstant="2021-12-29T06:24:26.000Z"
                SessionIndex="ajinaekefnokobjefcegddakfdphcchikhgphael"
                SessionNotOnOrAfter="2021-12-30T06:24:26.000Z">
                <saml2:AuthnContext>
                    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                </saml2:AuthnContext>
            </saml2:AuthnStatement>
        </saml2:Assertion>
    </saml2p:Response>
    
    

    Each item of a SAML response is as follows.

    | Item | Type | Requirement Status | Description |
    |---|---|---|---|
    | Response Destination | String | Y | ACS URL included in the SAML request |
    | Response ID | String | Y | ID issued by WORKPLACE |
    | Response InResponseTo | Date(UTC) | Y | ID included in the SAML request |
    | Response IssueInstant | Date(UTC) | Y | SAML response creation date and time |
    | Signature | String | Y | Digital signature |
    | Assertion ID | String | N | ID issued by WORKPLACE |
    | Assertion IssueInstant | Date(UTC) | N | SAML response creation date and time |
    | Subject NameID | String | Y | Login ID of the logged in user |
    | SubjectConfirmationData InResponseTo | String | Y | ID included in the SAML request |
    | SubjectConfirmationData NotOnOrAfter | Date(UTC) | Y | SAML response end date and time |
    | SubjectConfirmationData Recipient | String | Y | ACS URL |
    | Conditions NotBefore | Date(UTC) | Y | SAML response start date and time |
    | Conditions NotOnOrAfter | Date(UTC) | Y | SAML response end date and time |
    | Audience | String | Y | Issuer included in the SAML request |
    | AuthnStatement AuthnInstant | Date(UTC) | Y | SAML response creation date and time |
    | AuthnStatement SessionIndex | String | Y | ID issued by WORKPLACE |
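
The checks a customer system can run on these items once the digital signature has been validated, as an added example (not NAVER Cloud Platform code). It assumes an XML signature library has already verified the response bytes against the certificate downloaded from the console; the function name, the 60-second clock-skew allowance, and all URLs in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(seconds=60)  # assumed clock-skew allowance


class SamlResponseError(ValueError):
    """The response must not be used to create a session."""


def require(condition, message):
    if not condition:
        raise SamlResponseError(message)


def parse_utc(ts):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    try:
        return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise SamlResponseError(f"bad or missing timestamp: {ts!r}") from exc


def check_response(verified_xml, *, request_id, acs_url, sp_issuer,
                   response_issuer, now=None):
    """Return the login ID from a Response whose signature is already verified.

    Assumption: verified_xml is exactly the bytes an XML-DSig library accepted
    against the certificate downloaded from the console. No signature check
    happens here.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(verified_xml)
    require(root.tag == P + "Response", "root element is not a SAML Response")
    status = root.find(f"{P}Status/{P}StatusCode")
    require(status is not None and status.get("Value") == SUCCESS,
            "status is not Success")
    # The response must answer the request this session actually sent.
    require(root.get("InResponseTo") == request_id, "Response InResponseTo mismatch")
    require(root.get("Destination", acs_url) == acs_url, "Destination is not our ACS URL")
    require(root.findtext(A + "Issuer", "").strip() == response_issuer,
            "unexpected Response Issuer")

    # Only direct children count, and there must be exactly one Assertion.
    assertions = root.findall(A + "Assertion")
    require(len(assertions) == 1, "expected exactly one Assertion")
    assertion = assertions[0]

    conditions = assertion.find(A + "Conditions")
    require(conditions is not None, "Conditions element missing")
    not_before = parse_utc(conditions.get("NotBefore", ""))
    not_on_or_after = parse_utc(conditions.get("NotOnOrAfter", ""))
    require(not_before - SKEW <= now < not_on_or_after + SKEW,
            "outside the Conditions validity window")
    audiences = [a.text.strip() for a in conditions.iter(A + "Audience") if a.text]
    require(sp_issuer in audiences, "Audience does not name this SP issuer")

    data = assertion.find(f"{A}Subject/{A}SubjectConfirmation/{A}SubjectConfirmationData")
    require(data is not None, "SubjectConfirmationData missing")
    require(data.get("InResponseTo") == request_id, "Subject InResponseTo mismatch")
    require(data.get("Recipient") == acs_url, "Recipient is not our ACS URL")
    require(now < parse_utc(data.get("NotOnOrAfter", "")) + SKEW,
            "subject confirmation has expired")

    login_id = assertion.findtext(f"{A}Subject/{A}NameID", "").strip()
    require(login_id, "NameID is empty")
    return login_id


def build_constructed_response(request_id="ajinaekefnokobjefcegddakfdphcchikhgphael",
                               audience="https://sso.example.com/sp"):
    """Constructed sample shaped like the response template (signature omitted)."""
    ns = 'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ' \
         'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"'
    issuer = "https://example-company.ncpworkplace.com/authn/saml/metadata"
    return f"""<saml2p:Response {ns} Destination="https://sso.example.com/acs"
  ID="r1" InResponseTo="{request_id}" IssueInstant="2021-12-29T06:24:26.000Z" Version="2.0">
 <saml2:Issuer>{issuer}</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
 <saml2:Assertion ID="a1" IssueInstant="2021-12-29T06:24:26.000Z" Version="2.0">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  <saml2:Subject>
   <saml2:NameID>test@samltest.com</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="{request_id}"
      NotOnOrAfter="2021-12-29T06:34:26.000Z" Recipient="https://sso.example.com/acs"/>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2021-12-29T06:24:26.000Z" NotOnOrAfter="2021-12-30T06:24:26.000Z">
   <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>""".encode()
```

Pass `request_id` from the value stored when the SAML request was created, so a response issued for another session or replayed later is rejected.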

    SP Method Linkage

    The SP method can perform SSO linkage by using Security Assertion Markup Language (SAML) 2.0 or OAuth 2.0. If WORKPLACE and the company's system are integrated, then WORKPLACE becomes the service provider. You'll automatically log in to the company's system by logging in to WORKPLACE.

    The following describes how to set up linkage with the SP method.

    1. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.
    2. Click the Developers menu.
      • If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
    3. Click SSO Settings.
    4. Click the [Link Login] button next to the service to set up SSO.
    5. Set up the login linkage by referring to the sections below.

    Link Login With Google Workspace

    You can link login with Google Workspace by using the SSO linkage based on the SAML 2.0 method.

    Note

    The setting steps may differ from the explanation in this guide, depending on the Google Workspace environment. For more details about the usage method, see the Google Workspace Guide.

    The following describes how to link login with Google Workspace.

    1. Separately log in to Google Admin and the NAVER Cloud Platform console.

    2. In the Google Admin page, click Apps > Web and mobile apps, in that order. In the next page, click Add App > Add custom SAML app.

    3. In the Google Admin page, enter the app name in the App Details page. Upload the app logo for the app icon. Download the logo image from Developers > Set SSO in the NAVER Cloud Platform console.

    4. In the Option 2 of the Step 2 Google Identity Provider Details from the Google Admin page, copy the URL of the SSO URL field, click the [Download] button for the certificate of the Certificate field to download it, and then click Continue.

    5. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE > Developers menus, in that order.

    6. Click the [Link Login] button next to Google Workspace.

    7. Paste the SSO URL copied in Step 4 onto the SSO URL input field of the NAVER Cloud Platform console.

    8. After downloading the Certificate in Step 4, upload it by clicking the [Attach File] button of the Certificate field on the NAVER Cloud Platform console.

    9. Separately copy the URL and ID displayed in the ACS URL and Entity ID items of the SSO Settings page on the NAVER Cloud Platform console, and then separately paste them onto the ACS URL and Entity ID input fields in the Detailed Information of Service Provider pop-up window of Google Admin.

    10. Click Continue in the Service Provider Details pop-up window of Google Admin.

    11. Click Finish in the Attribute Mapping pop-up window of Google Admin.

    12. Click Modify Service.

    13. Select Turn ON for everyone, and then click Save.

    14. Click the icon at the top right of Google Admin to check the registered SAML app.

    15. From the NAVER Cloud Platform console, click the [Apply] button.

    Note
    • Once the SSO linkage between WORKPLACE and Google Workspace is completed, you can log in to WORKPLACE and use WORKPLACE with a Google account.
    • You can register a shortcut to Google Workspace in All Services. For more details, see Manage Top Menu.

    Link Login With Other Services

    You can link login with various services that support SSO linkage based on the OAuth 2.0 or Security Assertion Markup Language (SAML) 2.0 method.

    1. From the NAVER Cloud Platform console, click the Services > Business Applications > WORKPLACE menus, in that order.

    2. Click the Developers menu.

      • If the notification pop-up window appears, check the details in the pop-up window, and then click the [Close] button.
    3. Click SSO Settings.

    4. Click the [Link Login] button next to Other Services.

    5. Select the linkage method.

    6. Enter the setting items according to the selected linkage method.

      • OAuth 2.0 SSO Setting Items

      • SAML 2.0 SSO Setting Items

        • Web Login URL: Enter the Request URL produced in SAML 2.0 1. Web Login Page.
        • Logout URL: Enter the Request URL created in Client Logout.
        • Logout Domain: Enter the Request URL created in WORKPLACE Logout.
        • Register File (*.pem): Register the certificate used when electronically signing a SAML response. (The certificate is used for validation.)
    7. Click the [Apply] button.

    OAuth 2.0 1. Web Login URL

    Log in to the customer's system to issue the authorization code, and return it to redirect_uri.

    https://CustomerDomain/CustomerLoginPage
    
    Note

    Only Port 443 can be used according to the WORKPLACE's infrastructure security policy.

    HTTP Method: GET

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | response_type | String | Y | Classification value for the authentication process that specifies the format of the result value to be received. The fixed string "code" is always used. |
    | client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
    | redirect_uri | String | Y | Encoded URL that returns the authorization code after processing authentication |
    | state | String | Y | Unique value randomly created to prevent Cross-Site Request Forgery (CSRF) (included in the URL when returning the authorization code, sending the state value as a parameter) |
    | loginId | String | N | Login account entered by user |

    OAuth 2.0 2. Authorization

    After processing authentication of the customer and SSO on the customer's SSO system, issue an authorization code and redirect to the WORKPLACE authentication system.

    https://WORKPLACEAuthenticationSystemURL/authorizationURL
    
    Note

    The URL can change at any time, depending on the user environment and WORKPLACE policy. Make sure to use the URL received as redirect_uri.

    HTTP Method: GET/POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | code | String | Y (Success) | One-time authorization code that is used to issue the access token |
    | state | String | Y (Success) | Authentication value on the client side used to prevent CSRF, with the URL encoded (state value sent to redirect_uri parameter) |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    OAuth 2.0 3. Access Token Issue API

    Validate the authorization code in the customer's SSO system, and then issue and return the access token.

    https://CustomerDomain/accessToken
    
    Note

    Only Port 443 can be used according to the WORKPLACE's infrastructure security policy.

    HTTP Method: POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | grant_type | String | Y | Classification value for the authentication process that specifies the format of the result value to be received. The fixed string "authorization_code" is always used. |
    | client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
    | client_secret | String | Y | Client secret registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
    | code | String | Y | Authorization Code |
    | state | String | N | Authentication value on the client side used to prevent CSRF, with the URL encoded |

    Response:

    | Property | Type | Requirement Status | Description |
    |---|---|---|---|
    | access_token | String | Y (Success) | Access Token |
    | token_type | String | Y (Success) | Access token type. Fixed as "Bearer" |
    | expires_in | String | Y (Success) | Access token's validity period (seconds); the login time actually maintained by the application |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    OAuth 2.0 4. User Information Return API

    Validate the access token in the customer's SSO system, and then return the user information.

    https://CustomerDomain/UserInformation
    
    Note

    Only Port 443 can be used according to the WORKPLACE's infrastructure security policy.

    HTTP Method: POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | client_id | String | Y | Client ID registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
    | client_secret | String | Y | Client secret registered in Services > Business Applications > WORKPLACE > Developers of the NAVER Cloud Platform console |
    | access_token | String | Y | Access Token |

    Response:

    | Property | Type | Requirement Status | Description |
    |---|---|---|---|
    | email_id | String | Y (Success) | Member's login ID |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error returned in case of failure |

    SAML 2.0 1. Web Login Page

    After validating the SAML request and processing the client login, create the SAML response and return to the ACS URL.

    https://CustomerDomain/CustomerLoginPage
    
    Note

    Only Port 80 or 443 can be used according to the WORKPLACE's infrastructure security policy.

    HTTP Method: GET

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | SAMLRequest | String | Y | String according to SAML 2.0 request details. Value encoded by Deflate + Base64 |
    | RelayState | String | Y | URL to retry in case the authentication fails |

    SAML 2.0 2. Validate SAML Request

    The SAML request is encoded using Deflate + Base64. Validate the SAML request.

    SAML Request Details:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="{ACS URL}"
      ID="{ID issued by WORKPLACE authentication system}"
      IssueInstant="{Request creation date and time}"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      ProviderName="ncpworkplace.com"
      Version="2.0">
      <saml2:Issuer
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncpworkplace.com</saml2:Issuer>
      <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </saml2p:AuthnRequest>
    

    SAML Request Items:

    | Item | Description |
    |---|---|
    | AuthnRequest AssertionConsumerServiceURL | This URL is called ACS URL in short and delivers the SAML response. |
    | AuthnRequest ID | This ID is issued by the WORKPLACE authentication system and used when creating a SAML response. |
    | AuthnRequest IssueInstant | SAML request creation date and time |
    | AuthnRequest ProtocolBinding | It is sent as "HTTP-POST," so a SAML response must be sent using the POST method. |
    | AuthnRequest ProviderName | This is the service provider name sent to "ncpworkplace.com." |
    | Issuer | It is the ID issued by the service provider's system. It is used when creating a SAML response. |

    SAML Request Example:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="https://회사ID.ncpworkplace.com/...."
      ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
      IssueInstant="2018-02-14T03:33:49.999Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      ProviderName="ncpworkplace.com"
      Version="2.0">
      <saml2:Issuer
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncpworkplace.com</saml2:Issuer>
      <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </saml2p:AuthnRequest>
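
Decoding and validating the Deflate + Base64 `SAMLRequest` on the customer login page, as an added example (not NAVER Cloud Platform code). The size cap, the five-minute freshness window, and the ACS URL in the constructed sample are assumptions; the expected ACS URL is whatever you hold on record for WORKPLACE, and the response should go to that value rather than to one read from the request.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_ISSUER = "ncpworkplace.com"   # Issuer value shown in the request details
MAX_XML_BYTES = 64 * 1024              # assumed cap on the inflated request
MAX_AGE = timedelta(minutes=5)         # assumed freshness window


class SamlRequestError(ValueError):
    """The request must not be answered with a SAML response."""


def decode_saml_request(param):
    """Base64-decode and raw-inflate a SAMLRequest value under a size limit."""
    try:
        compressed = base64.b64decode(param, validate=True)
    except ValueError as exc:
        raise SamlRequestError("SAMLRequest is not valid Base64") from exc
    inflater = zlib.decompressobj(wbits=-15)   # raw DEFLATE, no zlib header
    try:
        xml = inflater.decompress(compressed, MAX_XML_BYTES + 1)
    except zlib.error as exc:
        raise SamlRequestError("SAMLRequest is not valid DEFLATE data") from exc
    if len(xml) > MAX_XML_BYTES or not inflater.eof or inflater.unused_data:
        raise SamlRequestError("SAMLRequest is oversized, truncated, or padded")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise SamlRequestError("DTDs are not allowed in SAML messages")
    return xml


def parse_utc(ts):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def validate_authn_request(xml, expected_acs_url, now=None):
    """Check the items from the request table; return (request ID, ACS URL)."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        raise SamlRequestError("SAMLRequest is not well-formed XML") from exc
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise SamlRequestError("not a SAML 2.0 AuthnRequest")
    if root.get("AssertionConsumerServiceURL") != expected_acs_url:
        raise SamlRequestError("ACS URL does not match the expected value")
    if root.get("ProtocolBinding") != POST_BINDING:
        raise SamlRequestError("only the HTTP-POST binding is expected")
    if root.findtext(f"{{{SAML}}}Issuer", "").strip() != EXPECTED_ISSUER:
        raise SamlRequestError("unexpected Issuer")
    request_id = root.get("ID", "")
    if not request_id:
        raise SamlRequestError("request ID is missing")
    try:
        issued = parse_utc(root.get("IssueInstant", ""))
    except ValueError as exc:
        raise SamlRequestError("IssueInstant is missing or malformed") from exc
    if abs(now - issued) > MAX_AGE:
        raise SamlRequestError("request is stale or post-dated")
    # The ID goes into InResponseTo of the SAML response.
    return request_id, expected_acs_url


def build_constructed_sample(acs_url, issue_instant):
    """Constructed input: an encoded AuthnRequest shaped like the page's example."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        'ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed" '
        f'IssueInstant="{issue_instant}" ProtocolBinding="{POST_BINDING}" '
        'ProviderName="ncpworkplace.com" Version="2.0">'
        f'<saml2:Issuer xmlns:saml2="{SAML}">ncpworkplace.com</saml2:Issuer>'
        '<saml2p:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
        '</saml2p:AuthnRequest>'
    ).encode()
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()


if __name__ == "__main__":
    acs = "https://example-company.ncpworkplace.com/acs-placeholder"  # placeholder
    sample = build_constructed_sample(acs, "2018-02-14T03:33:49.999Z")
    at = datetime(2018, 2, 14, 3, 34, 0, tzinfo=timezone.utc)
    print(validate_authn_request(decode_saml_request(sample), acs, now=at))
```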
    

    WORKPLACE Logout

    This feature is used when logging out from WORKPLACE after logging out from the customer's system. Upon receiving a logout request, the WORKPLACE account logged in to WORKPLACE is logged out and redirected to redirect_uri received.

    Since redirect_uri is managed as white_url, it should be registered as Logout Redirection Domain in SSO Settings of Developers on the NAVER Cloud Platform console.

    https://회사ID.ncpworkplace.com/authn/logoutProcess
    

    HTTP Method: GET/POST

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | redirect_uri | String | Y | Encoded URL to be redirected after logging out from WORKPLACE |

    Response:

    Redirect to redirect_uri.

    Customer Logout

    This feature is used to log out from the client's system after logging out from WORKPLACE.

    https://CustomerDomain/Logout
    
    Note

    Only Port 443 can be used according to the WORKPLACE's infrastructure security policy.

    HTTP Method: GET

    Request:

    | Parameter | Type | Requirement Status | Description |
    |---|---|---|---|
    | redirect_uri | String | N | This is redirect_uri (URL encoded) to be redirected after the logout is processed from the client company's system. |

    After Completion of SSO Linkage

    When the SSO linkage is complete, you can log in to WORKPLACE using the login information of the existing corporate information system, which makes it convenient for managing login information.

    User Login

    • If the user accesses the WORKPLACE company URL (https://기업ID.ncpworkplace.com), then the user is taken directly to the login page for the corporate information system or other services (e.g., Google).

    • When the user accesses the WORKPLACE basic URL (https://www.ncpworkplace.com):

      • Click the [SSO Linkage Settings] button at the bottom of the login page.
      • Enter the company ID and click the Log In button.
      • You will be taken to the login page for other linked services (e.g., Google, company's corporate information system). By logging in to other services, you can immediately start using WORKPLACE.
