Admin Portal

A first-class Single Sign-On and Directory Sync onboarding experience for organization admins.

Introduction

The Admin Portal provides an out-of-the-box UI for IT admins to configure SSO and Directory Sync Connections. Designed to remove friction, custom walk-through documentation for each Identity Provider means that organization admins can onboard their organizations without high-touch support from your team. Easy to integrate and fully maintained and hosted by WorkOS, the Admin Portal makes the SSO and Directory Sync setup process simple, fast, and secure.

A screenshot showing the IdP selection in the WorkOS Admin Portal.

Workflow Options

There are two main workflows for initiating an Admin Portal session for IT admins. You can either share a link to the Admin Portal from the WorkOS Dashboard, or you can seamlessly integrate Admin Portal into your application through WorkOS SDKs or APIs.

A screenshot showing the different workflows for creating an Admin Portal shareable link.

If you want to provide an IT admin with a link to the Admin Portal, in a email for example, then you would need to create that link in the WorkOS Dashboard.

However, if you are adding a button to open the Admin Portal from within your application, then you would need to use the API.

Workflow	Use cases	Security	Return URL and Success URLs
Share a link from the dashboard	Setup only	Can be revoked; Automatically revoked on setup completion; Expires after 30 days	Not applicable
Generate a link via the API	Setup and post-configuration	Can not be revoked; Expires after 5 minutes	Can be configured on the Redirects page in the dashboard or specified as a parameter for the API

Before getting started

To get the most out of these guides, you’ll need:

A WorkOS account

API object definitions

Connection: Represents the method by which users of an organization sign in to your application.
Organization: Describes an organization whose users sign in with a SSO Connection, or whose users are synced with a Directory Sync Connection.
Portal Link: A temporary link to initiate an Admin Portal session.

A. Setup Link from WorkOS Dashboard

The Admin Portal Setup Link gives your customer access to a guided configuration experience through our Admin Portal. It instructs them how to configure their Identity or Directory Provider. If successfully configured, no other action is required and you’ll see an Active connection appear under the Organization.

First decide whether your customer will be configuring an Identity Provider, a Directory Provider OR both. Once you generate a link, the customer will have access for 30 days or until configured.

You’ll need a WorkOS Dashboard account to create an organization that will represent the enterprise you are onboarding.

Create Organization

WorkOS Dashboard UI showing organization creation

Generate a Setup Link

Click the “Invite Admin” button, select the features to include and then click “Next.” Enter the email of the IT admin for the organization to automatically send them a setup link, or click “Copy setup link.” Only one link can be active at a time. After creating the initial link, you can click the “Manage” button to revoke the existing link before creating a new one.

If you chose to copy the setup link you can share it over email, Slack or direct message. We also recommend including details on what the link does and how long the link is active.

B. Integrate with your app

In this guide, we’ll walk you through the full end-to-end integration of the Admin Portal into your application.

Configure Admin Portal redirect links

In order to integrate, you must configure your app’s default return URI in the production environment. A button in the Admin Portal will use this value to allow users to return to your app unless otherwise specified when generating the Admin Portal link.

A screenshot showing the Admin Portal Redirect Links tab to set redirect URIs in the WorkOS Dashboard.

Additionally, you can configure success URIs to redirect users upon successfully setting up Single Sign-On, Directory Sync, or Log Streams.

A screenshot showing the Admin Portal redirect URI variations in the WorkOS Dashboard.

All redirect links must use HTTPS.

You can configure these links in the Dashboard.

Install the WorkOS SDK

WorkOS offers native SDKs in several popular programming languages. Choose a language below to see instructions in your application’s language.

Set secrets

To make calls to WorkOS, provide the API key and, in some cases, the client ID. Store these values as managed secrets, such as WORKOS_API_KEY and WORKOS_CLIENT_ID, and pass them to the SDKs either as environment variables or directly in your app’s configuration based on your preferences.

Environment variables

 WORKOS_API_KEY='sk_example_123456789'
WORKOS_CLIENT_ID='client_123456789'

Create a new Organization

Each Admin Portal session is scoped to a specific Organization resource, meaning a session is only capable of managing a Connection that belongs to its associated Organization. Organizations may only have one Connection.

For every customer in your application that would like access to the Admin Portal, you must create an Organization and maintain a reference to its ID.

Create an Organization when onboarding a new customer.

 import type { NextApiRequest, NextApiResponse } from 'next';
import { WorkOS } from '@workos-inc/node';

const workos = new WorkOS(process.env.WORKOS_API_KEY);
const clientId = process.env.WORKOS_CLIENT_ID;

export default async (req: NextApiRequest, res: NextApiResponse) => {
  if (req.method === 'POST') {
    const organizationName = 'Example Organization';
    const organizationDomains = [
      {
        domain: 'foo-corp.com',
        state: 'pending',
      },
    ];

    const organization = await workos.organizations.createOrganization({
      name: organizationName,
      domainData: organizationDomains,
    });

    // You should persist `organization.id` since it will be needed
    // to generate a Portal Link.

    // Provision additional Enterprise-tier resources.
  }
};

 const express = require('express');
const { WorkOS } = require('@workos-inc/node');

const app = express();
const workos = new WorkOS(process.env.WORKOS_API_KEY);

app.post('/provision-enterprise', async (_req, res) => {
  const organizationName = 'Example Organization';
  const organizationDomains = [
    {
      domain: 'foo-corp.com',
      state: 'pending',
    },
  ];

  const organization = await workos.organizations.createOrganization({
    name: organizationName,
    domainData: organizationDomains,
  });

  // You should persist `organization.id` since it will be needed
  // to generate a Portal Link.

  // Provision additional Enterprise-tier resources.
});

Redirect an IT admin to the Admin Portal

A Portal Link is your enterprise user’s gateway to accessing their Admin Portal. Each Portal Link is generated using an Organization resource ID. Only resources belonging to the specified Organization can be managed during a Portal Session.

In the API call to generate an Admin Portal Link, you will pass an intent with possible values of sso for an Admin Portal session to create an SSO connection, and dsync for an Admin Portal session to create a Directory Sync connection.

For security reasons, Portal Links expire 5 minutes after they’re created, so we recommend redirecting users immediately (i.e. don’t email the user Portal Links).

The endpoint that redirects a user to the Admin Portal should be guarded by auth in your application and only available to IT admins.

 import type { NextApiRequest, NextApiResponse } from 'next';
import { WorkOS } from '@workos-inc/node';

export default async (_req: NextApiRequest, res: NextApiResponse) => {
  // The ID of the organization to start an Admin Portal session for
  const organizationId = 'org_123';

  const { link } = await workos.portal.generateLink({
    organization: organizationId,
    intent: 'sso',
  });

  res.redirect(link);
};

 const express = require('express');
const { WorkOS } = require('@workos-inc/node');

const app = express();
const workos = new WorkOS(process.env.WORKOS_API_KEY);

app.get('/admin-portal', async (_req, res) => {
  // The ID of the organization to start an Admin Portal session for
  const organizationId = 'org_123';

  const { link } = await workos.portal.generateLink({
    organization: organizationId,
    intent: 'sso',
  });

  res.redirect(link);
});

An optional return_url parameter can be used to describe exactly where a user should be sent when they are finished in the Admin Portal. If one is not provided, the success URL configured on the Redirects page of the dashboard will be used.

C. Using Admin Portal

In this guide, we’ll review the features of Admin Portal from an IT manager’s perspective.

Managing SSO Connections

On the Admin Portal SSO screen, you can view the identity provider details and connection status, metadata configuration details, and a list of recent connection sessions. You may test your SSO connection from the Admin Portal by using the “Test sign-in” button.

A screenshot showing the Admin Portal SSO screen and where to click the “Test Single Sign-On” button.

You may also edit your metadata configuration from the Admin Portal.

A screenshot showing the Admin Portal SSO screen and where to "Edit Metadata Configuration".

The Sessions section displays a list of recent sessions by timestamp, and can be sorted by state.

A screenshot showing the Admin Portal SSO screen and how to sort "Sessions" by "state".

Click on a session in the list to see session details, such as the request made to the IdP, and the response.

A screenshot showing the "Session Details" within the Admin Portal SSO screen.

If you wish to reset your SSO connection and set it up from scratch, select “Reset Connection” and follow the prompts.

A screenshot showing how to "Reset Connection" within the Admin Portal SSO screen.

Managing Directories

On the Admin Portal Directory Sync screen, you can view the directory provider details and connection status, user and group counts, and last sync time. There is also an option to reset the directory.