# Microsoft Entra ID SAML role sync configuration
When using Microsoft Entra ID, you can only sync roles for groups, not individual users.
Here, we configure role sync for basic Workato environments: DEV (default), PROD, and TEST.
# Prerequisites
- Ensure that you configured the SAML SSO for your Microsoft Entra ID organization.
- Ensure that you enabled just-in-time provisioning in the Workato UI.
- Ensure that you use SAML SSO enforcement for your team or organization.
# Set up role sync
In Microsoft Azure, navigate to Enterprise Applications >> Workato >> Single Sign On >> Attributes & Claims >> Add a new claim.
Specify claim conditions according to group membership.
Setting SAML claims on Microsoft Entra ID
Configure the claim by specifying its attributes.
In this example, we specify that all members of one group inherit the "DevOps_Admin" role, while members of another group inherit the "Analyst" role in your Workato workspace.
- Name
  - This is the name of the claim; in this case, the name of the new role. Here, we use `workato_role_prod`.
- Namespace
  - An optional URI for the namespace.
- Choose name format
  - Specification of the format.
- Source
  - Either Attribute (default) or Transformation.
- Source attribute
  - Specify the source attribute from the list.
- Claim conditions
  - This section defines the claim conditions that must be true to generate a claim.
  - Specify the table of claim conditions. For each record, select:
    - User type
      - Select from the drop-down. Here, we are using Members.
    - Scoped Groups
      - Select a group.
    - Source
      - Select either an Attribute or a Transformation.
    - Value
      - Select a possible value. Here, we chose DevOps_Admin for the first claim condition, and Analyst for the second claim condition.
- Conditions
  - Use these fields to control how members of your groups inherit the Value. In this example, we set the conditions so that all members of the group DevOps_Admins inherit the DevOps_Admin role in the Workato workspace.
Multiple groups
For users who belong to multiple groups, Microsoft Entra ID assigns roles based on the order of specified conditions. See Emitting claims based on conditions.
Click Save.
# Configure environment-specific Workato roles in Microsoft Entra ID
Add more attributes, depending on the number of environments in your Workato workspace.
Attribute Statements for workato_role in Microsoft Azure
In our example, we use multiple claims to specify the roles in Workato's different environments. For example, in addition to the generic `workato_role`, we define `workato_role_prod` for the production environment, and `workato_role_test` for the test environment. Note also that the Value field for these roles contains multiple conditions, depending on the group membership.
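To check what the claims above actually emit, the following added example (not Workato's or Microsoft's code) reads the role attributes from a decoded SAML assertion, such as one captured from a test login, and reports claims that are missing, arrive under a namespaced name instead of the bare name, or carry unexpected values. It assumes one value per role claim and uses a constructed sample assertion; it inspects attributes only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names and role values come from this page's example.
EXPECTED_CLAIMS = ("workato_role", "workato_role_prod", "workato_role_test")
ALLOWED_ROLES = {"DevOps_Admin", "Analyst"}

# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="workato_role">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://example.invalid/claims/workato_role_prod">
      <saml:AttributeValue>DevOps_Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="workato_role_test">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
      <saml:AttributeValue>DevOps_Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_role_claims(assertion_xml):
    """Map each Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims

def check_role_claims(assertion_xml):
    """Return sorted findings; an empty list means the role claims look as configured."""
    claims = read_role_claims(assertion_xml)
    findings = []
    for name in EXPECTED_CLAIMS:
        if name not in claims:
            prefixed = [n for n in claims if n.endswith("/" + name)]
            findings.append(f"{name}: missing" + (f" (namespaced as {prefixed[0]})" if prefixed else ""))
            continue
        if len(claims[name]) != 1:  # assumption: exactly one role value per claim
            findings.append(f"{name}: expected one value, got {len(claims[name])}")
        findings += [f"{name}: unexpected role {v!r}" for v in claims[name] if v not in ALLOWED_ROLES]
    return sorted(findings)
```

Calling `check_role_claims(SAMPLE_ASSERTION)` returns two findings: the namespaced `workato_role_prod` claim and the two-valued `workato_role_test` claim.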
# Update the user role in Microsoft Entra ID
To update a user’s role, you can change the user’s group membership, or change the claim attribute role value.
# Verify role changes
If your organization uses Workato's Activity Audit Logs feature, you can verify the automatic role sync when the user logs in through SAML SSO.
Role changes triggered by SAML assertions appear under the Source attribute, with the value `saml_auto_sync`.
Manual role changes made in the Workato UI have the value `user`.
You can also see the New Role and Previous Role values.
Last updated: 11/5/2024, 6:04:00 PM