The WoodWing Identity Service (WIS) is a cloud-only service for WoodWing Cloud customers in which administrators can manage users and user groups in a central location, and give these users access to one or more WoodWing products.
Setting up users and user groups can be done in one of two ways:
- Manually
- By integrating a Single Sign-On (SSO) provider; users and user groups that are set up in that provider are then automatically added
Note: A mix of these methods is also possible.
This article describes how to set up and manage users in the WoodWing Identity Service using an external identity provider.
The process is as follows:
- The identity provider is connected to the WoodWing Identity Service.
- User groups are optionally given the role of 'owner'.
- Users and tenants are added to a group.
- Users are at some point removed.
External users in the WoodWing Identity Service
Users in an organization that are copied from an external identity provider are marked in the WoodWing Identity Service as ‘External’.
These users can only log in using the default organization URL, that is, without /#/signin appended to the URL (the /#/signin form can be used for groups of users who are given temporary access).
Whether or not an existing user is marked as external in the WoodWing Identity Service is validated during the login process based on their e-mail address.
Note: It is recommended to have one or more administrative users that are not marked as external so that these users can still log in when the external identity provider is for some reason not available. Add these users manually as explained in Manually setting up users and user groups in the WoodWing Identity Service.
Moving from an identity service to an external identity provider
A scenario may exist in which users who need to connect to the WoodWing Identity Service have been managed in an identity service such as Microsoft Entra ID or Okta, and the decision has then been made to start using an external identity provider and connect it to the WoodWing Identity Service.
In such a scenario, many if not all of the users that are created in the external identity provider already exist in the WoodWing Identity Service.
When a user subsequently logs in to the WoodWing Identity Service through this external identity provider, the WoodWing Identity Service needs to match the external user with the existing user.
Note that this matching is then done based on the exact e-mail address as configured in the external identity provider and in the WoodWing Identity Service. It is not matched on the full name or e-mail alias.
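An added example (not WoodWing code) of a pre-migration check built on the matching rule above and on the earlier recommendation to keep non-external administrators: it compares an existing WIS user list with an IdP export by exact e-mail address. The record types, group names, and addresses are constructed for illustration, and flagging case-only differences for review is an assumption, since the article only says "exact".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WisUser:              # hypothetical: one row of a WIS user listing
    email: str
    groups: tuple = ()

@dataclass(frozen=True)
class IdpUser:              # hypothetical: one row of an IdP export
    email: str              # primary address presented at login
    aliases: tuple = ()

def reconcile(wis_users, idp_users, owner_groups):
    """Classify each existing WIS user by how it lines up with the IdP export."""
    primary = {u.email for u in idp_users}
    folded = {u.email.casefold(): u.email for u in idp_users}
    alias = {a.casefold(): u.email for u in idp_users for a in u.aliases}
    report = {"exact": [], "case_differs": [], "alias_only": [], "not_in_idp": []}
    for w in wis_users:
        key = w.email.casefold()
        if w.email in primary:
            report["exact"].append(w.email)
        elif key in folded:
            # Article says "exact"; case handling is not stated, so flag for review.
            report["case_differs"].append((w.email, folded[key]))
        elif key in alias:
            # Aliases are not matched, per the article: align the primary address.
            report["alias_only"].append((w.email, alias[key]))
        else:
            report["not_in_idp"].append(w.email)
    # Owners not in the IdP export: candidates for the non-external admins the article recommends.
    owners, local = set(owner_groups), set(report["not_in_idp"])
    report["break_glass_owners"] = [
        w.email for w in wis_users if w.email in local and owners & set(w.groups)]
    return report

# Constructed sample data: example.com addresses and made-up group names.
WIS = [WisUser("ana@example.com", ("Editors",)),
       WisUser("Ben.Ode@example.com", ("Editors",)),
       WisUser("c.diaz@example.com", ("Admins",)),
       WisUser("breakglass@example.com", ("Admins",))]
IDP = [IdpUser("ana@example.com"),
       IdpUser("ben.ode@example.com"),
       IdpUser("carla.diaz@example.com", aliases=("c.diaz@example.com",))]

if __name__ == "__main__":
    for bucket, rows in reconcile(WIS, IDP, ("Admins",)).items():
        print(f"{bucket}: {rows}")
```

An empty `break_glass_owners` list means every owner account depends on the external identity provider being reachable.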
Examples:
Supported providers
The following SSO standards are supported:
- OpenID
- SAML
We cannot test compatibility with all identity platforms, but the following have been tested:
- Microsoft Entra ID (currently ongoing)
- Okta
- Keycloak
User group roles
Within the WoodWing Identity Service, a user group can have one of two roles:
- A default role. Users within a group with this role can only access their profile page. This role is used for all users who should not have admin access to the WoodWing Identity Service.
- The role of owner. Users within a group with this role can access all areas of the WoodWing Identity Service and set up and manage users, user groups, and an external identity provider.
Adding an identity provider
Note: Only one connection to a provider can be made.
Step 1. Log in to the WoodWing Identity Service as a user that is part of a group with the role of 'owner'.
Step 2. Access the Settings page.
A page appears with information about the organization, including any identity provider that is set up.
Step 3. To set up an identity provider, click Set up or edit in the Identity provider section.
A panel appears in which the identity provider can be configured.
Step 4. Set up your connection as needed by using one of the following protocols:
- SAML. The Security Assertion Markup Language Single Sign-On (SAML SSO) is a protocol that allows users to access multiple applications with a single set of login credentials. This simplifies user authentication, enhances security, and improves user experience by reducing the need to remember and enter multiple passwords.
- OIDC. The OpenID Connect Single Sign-On (OIDC SSO) is an authentication protocol built on top of the OAuth 2.0 framework. It enables users to authenticate once and gain access to multiple applications without needing to log in separately for each one. OIDC SSO enhances security and streamlines the user experience by providing a standardized and efficient approach to identity verification.
Step 5. When done, click Set up. Once users and user groups start logging in, they become available within the WoodWing Identity Service.
Assigning the 'owner' role to a group
Users who should be able to manage users, user groups, and identity providers in the WoodWing Identity Service should be part of a group to which the 'owner' role is assigned.
To do this, select one or more groups on the Groups page, click Promote, and confirm the action.
Note: There should always be at least one group with the 'owner' role containing at least one user; otherwise, no user will have access to manage users, user groups, and identity providers.
Adding users and tenants to a group
When users and user groups have been added, user groups can be fully set up.
Step 1. On the Groups page, select the group that you want to edit and click Edit.
A panel appears containing the following tabs:
- Group info. Shows a summary of the number of users and tenants that are part of the group, and an option to change the name of the group.
- Users. Shows a list of all users that have been set up in the WoodWing Identity Service. Select the check box for the users who should be part of the group, and clear the check box for the users who should not be part of the group.
Note: When using SSO, users who come from the external identity provider cannot be added to or removed from groups. The user’s groups are fully managed through the external identity provider.
- Tenants. Shows all tenants that have been made available to the organization (this is managed by WoodWing). Select the check box for the tenants that users in the group should have access to, and clear the check box for the tenants that users in the group should not have access to.
Step 2. Make the necessary changes and when done click Save.
Removing users
At some point, it may be necessary to remove a user account. This is done by first removing the user from the external provider, followed by removing the user from the WoodWing Identity Service.
Step 1. In your external identity provider, delete the account for the user you want to remove.
Step 2. In the WoodWing Identity Service, access the Users page.
Step 3. Select the user account you want to remove, click Delete, and confirm the action.
Revisions
- 28 May 2025: Added section 'External users in the WoodWing Identity Service'.
- 28 May 2025: Added section 'Moving from an identity service to an external identity provider'.
- 20 May 2025: Added section 'Removing users'.