Overview
In many organizations, connecting employees might be challenging due to the complexity of the organizational structure. Examples include:
- Conglomerates: Employees belong to different companies with different email domains. These might be competing companies or brands within the same conglomerate
- Merger and acquisition: Employees belong to recently acquired or merged companies, with completely separate IT infrastructure and governance.
- Franchises: Some markets have strict requirements for franchisee data to remain separate from the franchisor.
This article will address some of the key considerations or challenges organizations like these might encounter during their Workplace setup.
Considerations
This section will help guide Workplace admins choosing the best deployment approach, based on their requirements.
Multiple Separate Workplaces
Workplace is identified with a specific subdomain, e.g. yourcompany.workplace.com
Workplace works better when all employees have access to a shared community as part of their company. However, in some cases, organizations have legal or regulatory requirements to keep all data completely separate between different parts of the company (e.g. if their company is composed of separate legal entities or there’s a strict data separation policy in place between them).
Account Management
Deciding which employees should be granted access and how to provision their accounts are key deployment steps. For many organizations there is no single source of truth for employee information. Employee information may come from separate systems depending on the organisational structure.
At this stage, companies should consider whether:
- A single instance or multiple instances are needed.
- All user profiles and employee data that need to be provisioned in Workplace are stored in a single directory or they have multiple sources of truth (e.g. multiple separate identity systems).
- They plan to provision accounts manually or by implementing automatic provision (recommended).
- The same email domain will be used across multiple Workplaces. Companies should also assess if they have domain management rights to verify these domains in Workplace (e.g. access to DNS controls).
Authentication
Deciding on the right authentication method is key to the success and security of your deployment. Different parts of your organization might use different methods of authentication. Furthermore, these systems might be owned by separate teams.
At this stage, companies should consider whether:
- All users (independently of which instance they belong to) have a corporate identity.
- Users will authenticate to Workplace via SSO, password or a mix of both.
- Their users are using multiple SSO providers to access other corporate solutions (e.g. a portion of their users uses Azure AD for SSO while another portion uses Google Identity).
- For the domains they plan to be SSO enabled, if they have domain management rights to verify these domains in Workplace (e.g. access to DNS controls).
- For users they plan to not be using SSO for access to Workplace, they intend to adopt two-factor authentication.
Deployment Options
In the next section we cover some of the most common deployment approaches for complex organizations:
- A single Workplace - Single SSO Provider
- A single Workplace - Multiple SSO Providers
- Multiple Separate Workplaces
1. Single Workplace - Single SSO Provider
In this option all of your employees are provisioned onto a single Workplace. You are using a single SSO solution for all verified email domains, or you allow some of your users to authenticate via username/password. Any accounts from allow-listed domains are allowed to authenticate via username/password.
Provisioning
- Identify the source or sources of information in which your employee data is stored. In complex organisations, different parts of the company may have separate employee directories.
- Users can be provisioned automatically using any of the out-of-the-box Cloud IdP connectors. If your employee data is currently stored in a system for which no out-of-the-box integration is available, you can also build a custom connector using Workplace APIs.
Authentication
- Verified domain users can authenticate using a single SSO provider. Follow these instructions to set up SSO for all your verified email domains. If necessary, users can also authenticate via username/password.
- Allow-listed domain users can only authenticate via username/password.
Diagram
2. Single Workplace - Multiple SSO Providers
Recommendation: This approach is recommended if different parts of the company are authenticating through multiple systems (e.g. multiple Azure tenants, Okta, Google Workspace, etc.), and you want to bring your entire organization together on one platform to communicate seamlessly.
The Multiple-SSO feature is only supported in our Workplace Enterprise Plan.
In this option all of your employees are provisioned onto a single Workplace. However, accounts may authenticate using SSO through multiple IdPs.
Provisioning
- Identify the source of information where your employee data is stored. In complex organisations, different parts of the company may have separate employee directories.
- Users can be provisioned automatically using any of the out-of-the-box Cloud IdP connectors. If your employee data is currently stored in a system for which no out-of-the-box integration is available, you can also build a custom connector using Workplace APIs.
Authentication
- Verified domain users can authenticate using multiple SSO providers. For each email domain you will be able to set different SSO settings in the Workplace Admin panel. If required, users can also be configured to authenticate via username/password.
- Allow-listed domain users can only authenticate via username/password.
Diagram
Use Case Example
- A government department that was formed by grouping of multiple separate government agencies had separate Cloud IdPs. They set up a new Workplace instance, bringing people from all different agencies together onto the same Workplace, with each individual agency's employees provisioned and authenticated through a separate Cloud IdP
3. Multiple separate Workplaces
Recommendation: This approach is recommended if your company has any legal or hard business requirements to keep employees from different parts of the organization completely separate from each other.
In this option employees from different parts of the company are provisioned into completely separate Workplaces. All or some administrative functions will be completely separate.
Domain Verification
Consider whether in your case, employees of each separate Workplace will also be using completely different email domains.
If there is a need to share an email domain across multiple Workplaces, this domain will have to be verified for each individual instance before you can set up your provisioning and authentication. This option is administered by Workplace support teams. Please contact us if this is the case and you need assistance.
Provisioning and Authentication
Each Workplace can be set up entirely separately, with provisioning and authentication happening through the relevant Identity Providers.
Content Distribution
For some companies, despite the need for overall separationness between different parts of the business, there is still a need to share some content across all users (e.g. corporate announcements relevant to all instances).
Use Case Example
- A large chain of franchise restaurants had the need to set up separate instances for each franchisee. However, they had the need to share corporate communications to all franchisees. They implemented a custom integration using the Workplace Graph API to post corporate communications simultaneously to all instances.
