# Microsoft Entra ID SAML role sync configuration

When using Microsoft Entra ID, you can only sync roles for groups, not individual users.

Here, we configure role sync for basic Workato environments: DEV (default), PROD, and TEST.

# Prerequisites

  1. Ensure that you configured the SAML SSO for your Microsoft Entra ID organization.
  2. Ensure that you enabled just-in-time provisioning in the Workato UI.
  3. Ensure that you use SAML SSO enforcement for your team or organization.

# Set up role sync

1

In Microsoft Azure, navigate to Enterprise Applications >> Workato >> Single Sign On >> Attributes & Claims >> Add a new claim.

2

Specify claim conditions according to group membership.

Setting SAML claims on Microsoft Entra IDSetting SAML claims on Microsoft Entra ID

3

Configure the claim by specifying its attributes.

In this example, we specify that all members of the group inherit the “DevOps_Admin” role, while another group inherits the "Analyst" role in your Workato workspace.

Name
This is the name of the claim; in this case, the name of the new role. Here, we use workato_role_prod.
Namespace
An optional URI for the namespace.
Chose name format
Specification of the format.
Source
Either Attribute (default), or Transformation
Source attribute
specify the source attribute from the list.
Claim conditions
This section defines the claim conditions that must be true to generate a claim.
Specify the table of claim conditions. For each record, select:
User type
Select from the drop down. Here, we are using Members.
Scoped Groups
Select a group.
Source
Select either an Attribute or a Transformation.
Value
Select a possible value. Here, we chose DevOps_Admin for the first claim condition, and Analyst for the second claim condition.
Conditions
Use these fields to control how members of your groups inherit the Value. In this example, we set the conditions so that all members of the group DevOps_Admins inherit the DevOps_Admin role in the Workato workspace.

Multiple groups

For users who belong to multiple groups, Microsoft Entra ID assigns roles based on the order of specified conditions. See Emitting claims based on conditions (opens new window).

4

Click Save.

# Configure environment-specific Workato roles in Microsoft Entra ID

Add more attributes, depending on the number of environments in your Workato workspace.

Attribute Statements for workato_role in Microsoft Azure

In our example, we use multiple claims to specify the roles in Workato's different environments. For example, in addition to the generic workato_role, we define workato_role_prod for the production environment, and workato_role_test for the test environment. Note also that the Value field for these roles contains multiple conditions, depending on the group membership.

# Update the user role in Microsoft Entra ID

To update a user’s role, you can change the user’s group membership, or change the claim attribute role value.

# Verify role changes

If your organization uses Workato's Activity Audit Logs feature, you can verify the automatic role sync when the user logs in through SAML SSO.

Role changes triggered by SAML assertions appear under the Source attribute, with the value saml_auto_sync.

Manual role changes made in Workato UI appear have the value user.

You can also see the New Role and Previous Role values.


Last updated: 11/25/2024, 8:28:37 PM