
Workforce access quickstart

Give employees single sign-on and multi-factor authentication to internal tools and SaaS apps, with their existing corporate identity source (Active Directory, Entra ID, RADIUS, SAML, OIDC, or SecureAuth's built-in directory) as the source of truth.

What is Workforce access?

Workforce identity differs from consumer, B2B, and partner identity in four ways:

  • Known, managed users. HR or IT already owns the employee record. You don't want employees self-registering; you want the identity source of truth to stay with your directory.
  • SSO to many apps. A single employee hits 20+ apps a day. Friction per login compounds. The goal is one authentication that travels across SaaS and internal apps via SAML or OIDC.
  • Policy by role and risk, not per user. Access rules follow group membership and context (device, location, risk signals), not individual user configuration.
  • Lifecycle tied to HR. Joiners, movers, and leavers flow from your directory into SecureAuth automatically. Offboarding has to be immediate when employment ends.

Pick the right SecureAuth product

SecureAuth offers three workforce products. Most teams start with Connect (what this guide covers). The other two serve specific requirements.

| Product | Use when | Supports |
| --- | --- | --- |
| SecureAuth Connect (this guide) | Modern workforce identity on standard protocols. Most customers land here. | Built-in directory, Active Directory / LDAP, Microsoft Entra ID, RADIUS, SAML, OIDC |
| SecureAuth IdP (Enterprise) | You need older protocols, air-gapped environments, or on-prem-heavy stacks that Connect does not cover | Legacy and niche protocols, air-gapped deployments, full IPv6 support |
| Arculix (Enterprise) | Purpose-built for global banks and financial institutions eliminating passwords entirely from employee workflows | Passwordless, device-bound trust, behavioral biometrics, risk-scoring at every transaction |

If your requirements fit Connect, continue below. If you need SecureAuth IdP or Arculix, contact your SecureAuth account team for access to those products.

How Workforce Access fits together

1. Create a Workforce workspace

In the admin console, launch a new workspace using the Workforce template. This provisions an authorization server tuned for employee SSO flows.

2. Connect your identity source

Pick the simplest source that fits your environment. Connect supports several, listed here in order of setup effort.

  • Built-in Identity Pool (simplest, no extra infrastructure). Use SecureAuth Identity Pools as the directory when you don't have an existing corporate directory, when you're piloting, or when a subset of employees needs to live outside the corporate directory (e.g., field staff without AD accounts).
  • Microsoft Entra ID, RADIUS, or other federated SAML / OIDC IdPs. Follow the Identity Providers guide to federate with your existing identity provider. No on-prem agent required.
  • Active Directory via LDAP Agent. Use when AD is your source of truth and you need near-real-time sync.
    • Connect Active Directory to create the directory connection and capture the Agent ID and Shared Secret.
    • Download and install the LDAP Agent on a server inside your network. Configure it, start it, and verify the connection shows online.
    • Prerequisites: Active Directory with admin permissions and a server (Windows or Linux) for the LDAP Agent.

3. Configure your authentication policy

Set how strong the authentication bar should be for workforce users and which conditions trigger step-up.

4. Enroll the mobile authenticator

The SecureAuth mobile app is how employees satisfy MFA in day-to-day use.

5. Test end-to-end

Validate the full flow before rolling out to employees:

  1. In the Workforce workspace, open Overview → User Portal (under Client Applications).
  2. Log in with a test user's Active Directory credentials.
  3. Scan the QR code with the SecureAuth mobile app and complete pairing.
  4. Sign out and sign back in to confirm the paired device is used for MFA.

Next steps