# Workato Identity
Workato Identity is a unified identity and access management system that lets you control user and group access for Agentic features across your entire Workato account. It enables you to sync and manage users and groups from your external identity provider (IdP), or manually define users and groups within Workato. Users and groups are managed independently of environments to provide fine-grained control over user access.
FEATURE AVAILABILITY
Workato Identity is available for the Agent Studio and Workato GO Agentic features.
Workato Identity enables you to:
- Store users and groups at the account level (above environments).
- Manually manage or sync users and user groups from your identity provider, such as Okta, Azure AD, or OneLogin.
- Assign access to specific groups, making it easy for builders to scope access securely.
- View and manage all user identities and group memberships from a centralized interface.
# Authenticated user flows
Workato Identity includes the user's identity as a signed JSON web token (JWT) at runtime in every interaction. This token is passed along with each message so that components can verify the user's identity and enforce access control. Each component is responsible for checking whether the authenticated user is authorized to perform the requested action, based on the user's group membership and the Agent Studio genie or Workato GO access policy. A component must validate the token's signature before trusting any claim in it: an unverified token proves nothing about who sent the message, and a group list read from it without that check can be forged by the sender.
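How a component would consume that token, shown as an added example rather than Workato's own code. The page does not state the signing algorithm, how the verification key is distributed, or the claim names, so this assumes an HS256 shared secret, a "sub" claim carrying the user's email, a "groups" claim and a standard "exp" claim, plus a hypothetical policy map from resource to allowed groups. The order matters: signature and expiry are checked first, and only then is the group policy applied. The tampering helper shows why, by adding a group to the payload without re-signing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for this example: the page does not state Workato's signing
# algorithm, key distribution or claim names. We assume an HS256 shared
# secret and the claim names "sub" (email), "groups" and "exp".
SHARED_SECRET = b"example-shared-secret"  # hypothetical key

# Hypothetical access policy: resource -> groups allowed to use it.
ACCESS_POLICY = {
    "genie:expense-approver": {"finance", "managers"},
    "genie:hr-assistant": {"hr"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the token attached to each message at runtime."""
    header_b64 = _b64url_encode(_json_bytes({"alg": "HS256", "typ": "JWT"}))
    signing_input = header_b64 + "." + _b64url_encode(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is well-formed, correctly signed and unexpired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm: never trust the token's own "alg" (rejects alg=none and key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def decide(token: str, key: bytes, resource: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Component-side check: verify identity first, then apply the group policy."""
    try:
        claims = verify_token(token, key, now)
    except ValueError as err:  # covers malformed base64 and JSON too
        return False, f"rejected: {err}"
    allowed = ACCESS_POLICY.get(resource, set())
    matched = allowed & set(claims.get("groups", []))
    if matched:
        return True, f"allowed: {claims.get('sub')} via {sorted(matched)}"
    return False, f"forbidden: {claims.get('sub')} is not in {sorted(allowed)}"


def tamper_groups(token: str, extra_group: str) -> str:
    """Simulate a client adding itself to a group without re-signing the token."""
    head_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["groups"] = claims.get("groups", []) + [extra_group]
    return f"{head_b64}.{_b64url_encode(_json_bytes(claims))}.{sig_b64}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token({"sub": "ana@example.com", "groups": ["hr"], "exp": now + 300}, SHARED_SECRET)
    print(decide(token, SHARED_SECRET, "genie:hr-assistant", now))
    print(decide(token, SHARED_SECRET, "genie:expense-approver", now))
    print(decide(tamper_groups(token, "finance"), SHARED_SECRET, "genie:expense-approver", now))
    print(decide(token, SHARED_SECRET, "genie:hr-assistant", now + 600))
```

The tampered token is refused with "bad signature" even though its payload now lists the right group, and a token whose header claims "alg": "none" is refused before any signature comparison. Whatever algorithm and key Workato actually uses, the shape of the check is the same: reject on any verification failure, and only read "groups" from a token that passed.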
# Identity provider user access
You can add users to the Agentic platform through your external identity provider (IdP). This lets you authenticate end-user accounts for Agentic access. This authentication method doesn't grant end users access to Workato Orchestrate. You must configure SAML-based SSO with your IdP before you can grant a user access.
# Configure SAML settings
You can configure Just-in-Time (JIT) provisioning and select which users require SAML-based authentication.
Complete the following steps to configure your SAML settings:
Sign in to your Workato account and go to Workspace admin. The Access control page displays by default.
Click Authentication in the sidebar.
Ensure that the SAML-based SSO authentication toggle is enabled.
Go to the Configure SAML settings section.
Use the Enforce SAML authentication for drop-down menu to select who is required to use SAML-based authentication.
Click the Enable SAML Just-in-Time (JIT) provisioning toggle if you plan to automatically create accounts for new users who sign in using SAML-based SSO. With JIT enabled, any user your IdP lets through to this app gets an account automatically, so control who can sign in by assigning the app only to the intended users and groups in your IdP.
Click the Enable user groups syncing toggle if you plan to update user groups from your identity provider. Refer to Enforce SAML-based SSO authentication for Okta for more information.
Click Save changes.
# Get SAML configuration values
The Authentication page provides the Single sign-on URL and Service provider (SP) entity ID that you enter into your SAML SSO app in your IdP.
Complete the following steps to access your Workato Single sign-on URL for Agentic:
Sign in to Workato.
Go to Workspace admin > Access control > Authentication.
Ensure that the SAML-based SSO authentication toggle is enabled.
Locate the Create a SAML application in your IdP section to access your Single sign-on URL and Service provider (SP) entity ID.
# Configure your identity provider
Configure your external IdP, such as Okta, to authenticate user accounts with your company's Single Sign-on (SSO). The steps below use Okta.
Complete the following steps to configure your IdP:
Sign in to your Okta account.
Go to Applications > Applications and click Create App Integration.
Refer to the Okta documentation for more information.
Select SAML 2.0 as the Sign-in method and click Next.
Enter a name for the app in the App name field. For example, Workato Agentic.
Click Next.
Paste your Workato Single Sign-On URL into the corresponding field in Okta. Refer to Get SAML configuration values for more information.
Select the Use this for Recipient URL and Destination URL checkbox.
Paste the Service provider (SP) entity ID into the Audience URI (SP Entity ID) field.
Set Name ID format to EmailAddress.
Go to the Attribute Statements section and add the following attributes:

| Name | Value |
|---|---|
| workato_end_user_name | user.displayName |
| workato_end_user_groups | appuser.workato_end_user_groups |

The appuser. prefix refers to an attribute on the app user profile of this Okta app, not on the Okta user profile. If workato_end_user_groups does not exist on that profile yet, define it in Okta's Profile Editor and populate it for each assigned user; otherwise the attribute is sent empty and the user lands in no groups.
Click Next.
Use the App type drop-down menu to choose This is an internal app that we have created.
Click Finish.
Go to Directory > People and add one or more users. You must complete the verification steps for each user.
Go to Applications > [Your App] > Assignments.
Click Assign > Assign to People and add one or more users to the app.
Click Done.
Go to Applications > [Your App] > Sign On in Okta.
Copy the Metadata URL.
Return to Workato and go to Workspace admin > Access control > Authentication.
Ensure the SAML-based SSO authentication toggle is enabled.
Go to the Provide metadata from your identity provider (IdP) section.
Locate the Do you have your identity provider metadata URL? field. Select Yes and paste the Metadata URL you copied from Okta. Select No only if you cannot provide a URL and supply the metadata Workato asks for instead.
Click Save changes.
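What the assertion produced by the Okta configuration above looks like on the service-provider side, and the checks a consumer would make before trusting it, as an added example rather than Workato's own parsing code. The assertion is constructed, the Workato-side handling of the attributes is an assumption, and the parser treats workato_end_user_groups as either several AttributeValue elements or one comma-separated value because the page does not say which Okta sends. It deliberately omits XML signature validation, which a real SP must perform before reading any of these values.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name ID format selected in the Okta app above.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names from the Okta attribute statements configured above.
NAME_ATTR = "workato_end_user_name"
GROUPS_ATTR = "workato_end_user_groups"

# Constructed sample: what the Okta app built above might emit for one user.
# The ID, the user and the group names are made up for this example, and the
# Signature element that a real assertion carries is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="workato_end_user_name">
      <saml:AttributeValue>Ana Lopes</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="workato_end_user_groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(root: ET.Element) -> Dict[str, List[str]]:
    """Collect every Attribute in the AttributeStatement as a list of string values."""
    values: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            values.setdefault(name, []).append((value.text or "").strip())
    return values


def extract_identity(assertion_xml: str) -> dict:
    """Return email, display name and groups, or raise if the assertion lacks what Workato expects.

    Assumes the caller has already validated the XML signature; this function only
    checks the Name ID format and the presence of the two required attributes.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    if name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        raise ValueError(f"NameID format is {name_id.get('Format')!r}, expected EmailAddress")
    attrs = _attribute_values(root)
    missing = [n for n in (NAME_ATTR, GROUPS_ATTR) if not attrs.get(n)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    # Assumption: groups may arrive as several AttributeValue elements or as one
    # comma-separated value; accept both and normalise to a sorted, de-duplicated list.
    groups = set()
    for raw in attrs[GROUPS_ATTR]:
        groups.update(g.strip() for g in raw.split(",") if g.strip())
    return {
        "email": name_id.text.strip(),
        "name": attrs[NAME_ATTR][0],
        "groups": sorted(groups),
    }


def assertion_problem(assertion_xml: str) -> Optional[str]:
    """None if the assertion is acceptable, otherwise a short description of what is wrong."""
    try:
        extract_identity(assertion_xml)
    except (ValueError, ET.ParseError) as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION))
    print(assertion_problem(SAMPLE_ASSERTION.replace('Name="workato_end_user_groups"', 'Name="memberOf"')))
```

Running this against an assertion captured from your IdP (with signature validation added in front of it) is a quick way to confirm that the attribute names match the table above exactly and that the Name ID is an email address, which are the two configuration mistakes most likely to leave a user authenticated but in no groups.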
# Add a user manually
You can manually add users without SSO configuration.
Complete the following steps to manually create a user:
Sign in to Workato.
Click Workato Identity in the sidebar.
Click the Users tab.
Click Add user manually.
Enter the user name in the Full name field.
Enter the user's email in the Email address field.
UNIQUE EMAIL REQUIRED
The email address you enter must be unique. An error message displays if the system detects an existing email that matches the email you entered.
Use the Groups drop-down menu to select the user groups where you plan to add the user.
Click Add user.
Last updated: 6/16/2025, 5:01:59 AM