Networked Enterprise

A Networked Enterprise is an enterprise-level architecture supported by the Igloo platform that provides centralized management of multiple digital workplaces. Often referred to as a hub and spoke enterprise or enterprise solution. A hub and spoke enterprise consists of a single hub (a central digital workplace) and one or more spokes (all other digital workplaces within the enterprise). Used in combination with an Enterprise Administration Panel (EAP), this is a scalable and flexible framework for large distributed enterprises.

Are you interested in getting a Networked Enterprise solution for your organization or adding more spokes to your existing Networked Enterprise? Contact your Customer Success Manager or email the Customer Success Team to learn more. 

Sections in this article:

Features of a Networked Enterprise

The hub workplace

The hub is the digital workplace that connects all spokes in a Networked Enterprise. 

A defining feature of the hub is that when users are added to a spoke, they are automatically added to the hub. However, when users are revoked from spokes, they are not revoked from the hub. 

Spoke workplaces

A spoke is an independent digital workplace within a networked enterprise. A spoke site provides a community of users with a digital workplace where they can work together. These communities often have a specific theme or interest that brings them together. Spokes are created in the Enterprise Administration Panel (EAP) from an existing spoke template.

Membership to a spoke is controlled directly; however, whenever a spoke site adds a member, that member is automatically added to the hub's All Members group. Spoke members are a subset of hub members, so not all members in the hub will be in every spoke.

Enterprise administrators

The enterprise administrator role is only available within a Networked Enterprise. Enterprise administrators have workplace administrator rights and privileges in each site of the Networked Enterprise. They control and manage the network and individual workplaces by using two essential tools:

  1. Enterprise Administration Panel (EAP): An area enterprise administrators access from the Control Panel of any digital workplace within a Networked Enterprise. 
  2. Control Panel: Every spoke site (digital workplace) has a Control Panel for administering and managing the specific spoke site.

An enterprise administrator has the rights and privileges of a workplace administrator in each site (hub or spoke) of the networked enterprise. When an existing user is promoted to an enterprise administrator:

  • They become an administrator for any spokes they were already a member of.
  • They become a facilitator for any spokes they were not already a member of. 

Changing the status of an enterprise administrator has the following results:

  • Demoting an enterprise administrator to a regular member removes them from any spokes where they were a facilitator. However, access to workplaces where they are a member persists.
  • Revoking an enterprise administrator from a spoke of which they are a member will convert them to a facilitator of that spoke.
  • Revoking an enterprise administrator from the hub will result in the user being revoked from all spokes of the Networked Enterprise.

Facilitators of a digital workplace have the same rights and privileges as workplace administrators, but they don't appear as members of the digital workplace.

Only existing enterprise administrators can add or demote another enterprise administrator.

An enterprise administrator's actions in a digital workplace will appear on a locations' Activity page regardless of whether the administrator is a member of that digital workplace.

Enterprise Administration Panel (EAP)

The Enterprise Administration Panel (EAP) is how Networked Enterprise administrators can manage their hub and all of the spokes. Enterprise administrators cab access the EAP via the Control Panel of any workplace within the Networked Enterprise. Within the EAP console, enterprise administrators can centrally control, manage, and update the networked enterprise configuration. The Enterprise Administration Panel's Workplace's tab.

Enterprise administrators can perform the following tasks within EAP:

Master domain

Master domain is an optional feature configured by the Igloo team during the deployment of your Networked Enterprise that allows authentication sessions to be shared across the hub and spoke digital workplaces. This means that:

  • When users log in to the hub, they can also log in to the spokes without authenticating.
  • When users log in to a spoke, they can also log in to the hub without authenticating.
  • When users log in to a spoke, they can also log in to other spokes without authenticating.

Users will still need to be members of the digital workplaces to access content or navigate the digital workplace. Successfully authenticating to a workplace also does not guarantee that a user can see all the content in the workplace. The visibility of content is determined by access rules in the digital workplace.

With master domain enabled, if you select a link in the responsive mobile view that leads to another site in the Networked Enterprise, you will be taken to the site. Otherwise, it is not compatible with the mobile app.

Content sharing

Blog channels located in the hub workplace can have their content shared to select spokes. These shared articles will display in the Enterprise Feed widget. For more information, see:

Searching the hub from a spoke

Spokes can be configured to allow users to search the hub. After performing a search and arriving on the Search Results page, users can select whether they are searching the hub or spoke using the dropdown down next to the search box. When switching between the available workplaces, the search must be rerun. 

Hub searches have the following limitations:

  • Only content can be searched.
  • Only Content Type, Last Updated, and Include Archived Content filters can be applied.

To enable this functionality in a spoke, see Enabling a spoke to search the hub.

Membership and authentication

Managing membership

Member management defines how users will be added, removed, and assigned to groups in the hub and spoke sites. The Igloo platform supports four methods for member management:

  • ILST: Sync users from a corporate Active Directory (AD).
  • Invitations: Send invitations to specific users. 
  • Add members: Add users manually to a hub and/or spoke(s).
  • Bulk user import: Bulk upload users from a pre-formatted spreadsheet.

Regardless of which membership management model is chosen, consider the following caveats when adding and revoking users in a Networked Enterprise:

  • Adding a member to a spoke automatically adds them to the hub.
  • Adding a member to the hub does not automatically add them to a spoke. 
  • Revoking users from a spoke will not automatically revoke them from the hub.
  • Revoking users from the hub will automatically revoke them from any spokes to which they are members.

Managing authentication methods

Each digital workplace in a Networked Enterprise (i.e., the hub and spokes) have their own authentication configuration. This means that:

  • Each digital workplace can have different authentication methods (i.e., Igloo, SSO, LDAP authentication).
  • Each digital workplace can have different identity providers for SSO.

Authentication methods for each spoke can be both chosen and configured from the Enterprise Administration Panel (EAP). EAP Administrators can also lock the authentication methods to prevent site Administrators from making changes. To do so, select the spoke under Networked Enterprise Sites, followed by the Authentication tab. You can also modify the SAML or LDAP configuration within each spoke by selecting the Control Panel followed by Sign In Settings.

Example setup

When setting up a Networked Enterprise, the Igloo team will advise on how best to set up the Networked Enterprise to meet your organization's goals. However, the following example is meant to give you an idea of what a typical Network Enterprise structure looks like.

In this example, each spoke uses its own Active Directory, ILST, and IDP. A user's membership is directly synced to their spoke, and they must authenticate with their spoke before being able to access the hub. Some content creators and administrators may be given credentials to sign in directly to the hub in order to manage enterprise-wide collaborative resources. 


Syncing members directly to the hub should be avoided. Using multiple ILSTs to sync to a single workplace can cause conflicts in which members get added or removed. This is avoided by using separate ILST syncs for each spoke. With this setup, if a user is revoked from a spoke, they also must be manually revoked from the hub.


A diagram showing multiple spokes each configured with their own ILST and IDP.

Looking at a single spoke more closely:

A diagram showing how the ILST and IDP connect to a spoke.