SCIM provisioning

SCIM (System for Cross-domain Identity Management) provisioning automatically synchronizes user accounts and groups between your identity provider and Workato. This eliminates the need for administrators to manually create or update accounts, and allows you to manage Workato users and groups entirely from your existing identity provider.

SCIM provisioning behavior scenarios

Workato behaves differently depending on whether the user already exists in the workspace:

An administrator creates a new user in your identity provider:

• A new user account is created automatically in Workato
• User name and email fields are populated from SCIM attributes
• User is assigned to groups and environments based on SCIM mappings

An administrator updates an existing user in your identity provider:

• Workato updates the user profile from SCIM attributes
• Permissions and group memberships are updated to match the identity provider
• Changes are synced immediately without requiring user login

flowchart TD A(Admin creates or updates <br/> user in IdP) -- Sends provisioning request --> M(IdP provisions user <br/> through <br/> <strong> SCIM </strong>) M --> B{{Does the <br/> user exist in Workato?}} B -->|No| C(A new user account <br/> is created automatically) C --> D(User profile fields <br/> are populated from <br/> SCIM attributes) D --> RR(User is assigned <br/> to groups and environments <br/> based on SCIM mappings) B -->|Yes| E(User profile is <br/> updated from <br/> SCIM attributes) E --> F(Permissions and <br/> group memberships <br/> are updated) F --> G(User account is <br/> synced and ready) classDef default fill:#67eadd,stroke:#67eadd,stroke-width:2px,color:#000; classDef WorkatoBlue fill:#5159f6,stroke:#5159f6,stroke-width:2px,color:#fff; classDef SubgraphDash fill:#e1fffc,stroke:#f66,stroke-width:2px,color:#000,stroke-dasharray: 5 5 class A,M,E,F,G SubgraphDash class B WorkatoBlue

Enable SCIM provisioning

You can configure SCIM provisioning and select which environments require SAML-based authentication. You can customize authentication methods for each environment. For example:

• Dev: Password auth
• Test: SSO
• Prod: SSO

Complete the following steps to configure SCIM provisioning and SAML settings for your environment authentication:

1

Sign in to your Workato account and go to Workspace admin.

2

Click Authentication & Groups in the sidebar.

3

Select the environment you plan to configure. The environment End-user group page displays by default.

ENVIRONMENT AVAILABILITY

Workspaces without Environments provisioned only have one environment available.

4

Select the Authentication tab.

5

Ensure that the SAML-based SSO authentication toggle is enabled.

Ensure the SAML-based SSO authentication toggle is enabled

6

Go to the Select an identity provider (IdP) section and click + Set up new provider.

7

Provide a name for your IdP in the Identity provider (IdP) name field. For example: Okta Dev.

8

Use the Enforce SAML authentication for drop-down menu to select who is required to use SAML-based authentication.

9

Click Next.

10

Copy the Specify Single sign-on URL and Service provider (SP) entity ID values and paste each value into your IdP to enable access to Workato-powered apps and services.

Copy the Specify Single sign-on URL and Service provider (SP) entity ID values

11

Locate the Do you have your identity provider metadata URL? field and select Yes or No depending on whether you have access to your IdP metadata URL.

1

Provide your metadata URL in the Metadata URL field.

Provide your metadata URL

1

Provide your IdP SSO URL in the Identity provider single sign-on URL field.

Provide your IdP information

2

Provide the unique identifier of your IdP in the Identity provider issuer field.

3

Provide the IdP X.509 certificate your IdP uses for request validations in the X.509 certificate field.

12

Click Set up. You are redirected to the Authentication tab where your configured IdP displays.

13

Go to the IdP you configured in the preceding steps and click Set up.

Click Set up.

14

Use the Provisioning method drop-down menu to select SCIM provisioning.

Select SCIM provisioning.

15

Copy the Base URL and SCIM token. Use these values to give your IdP permission to provision end users and optionally sync groups. End-user and group data may be overwritten by your IdP with this configuration.

Copy the Base URL and SCIM token.

16

Click Save.

Set up SCIM in your IdP

You must configure your IdP to use SCIM with the Base URL and SCIM token provided in the End user and group provisioning configuration.

Complete the following steps to obtain your Base URL and SCIM token:

1

Go to the Authentication tab.

2

Click the ellipsis menu for the IdP you plan to use.

3

Select End user & group provisioning.

Refer to the following IdP resources for IdP-specific SCIM provisioning information and examples:

• SCIM provisioning in Okta (opens new window)
• SCIM provisioning in Microsoft Entra ID (Azure Active Directory) (opens new window)
• SCIM provisioning in OneLogin (opens new window)