# CyberArk Idaptive SAML role sync configuration

Integrate Workato with CyberArk Idaptive to manage SAML role synchronization and ensure that your users' roles are updated when they log in through SAML SSO.

We recommend setting up role sync for all of the standard Workato environments (DEV, which is the default, as well as TEST and PROD) so that role management stays consistent across them.

# Prerequisites

• Ensure that you have successfully configured SAML SSO within your CyberArk Idaptive platform. For guidance, refer to the CyberArk Idaptive SAML documentation.
• Ensure that you have enabled just-in-time provisioning in Workato.
• Ensure that you use SAML SSO enforcement for your team or organization.
• Ensure that you have enabled role syncing in Workato.

[Image: Enable role sync in Workato]

# Configure custom user attributes in CyberArk Idaptive

To set up custom user attributes for Workato environments within CyberArk Idaptive, follow these steps:

1. Log in to your CyberArk Idaptive admin console.
2. Navigate to Settings > Customization in your CyberArk Idaptive admin portal.
3. Click Additional Attributes to manage custom attributes.

   [Image: Create custom user attributes for SAML role sync]

4. Select Add to create a new attribute.
5. Define the attributes for the Workato environments by adding the following:

   • workato_role: This attribute maps to the DEV environment.
   • workato_role_test: This attribute maps to the TEST environment.
   • workato_role_prod: This attribute maps to the PROD environment.

   Select Text as the attribute type from the drop-down menu. Repeat this for each attribute.
6. Ensure the User Editable box is unchecked, unless you intend for users to modify this attribute from their portal.
7. Click Add to save each attribute.
8. Configure the values for each user based on the roles you plan to assign within each Workato environment.

   [Image: Define attribute types and role values]

By completing these steps, you have configured custom user attributes in CyberArk Idaptive, which can be used for SAML role synchronization with Workato.

# Configure Workato roles in the CyberArk Identity portal

Ensure that custom roles are defined in Workato before you sync them with SAML assertions. Undefined roles default to Operator. Role names are case-sensitive.

The following steps show you how to set up the SAML response attributes required for role synchronization in Workato:

1. Log in to CyberArk and navigate to Apps & Widgets > Apps.
2. Select the Workato SAML app from the list to configure it.
3. Click SAML response to set up the attributes that Workato receives during SSO.

   [Image: Set up SAML response attributes]

4. Click Add to create new attribute statements.
5. Specify the attribute names and values based on the custom user attributes you defined earlier. Refer to the following table:

   | Attribute Name | Attribute Value |
   | --- | --- |
   | workato_role | LoginUser.Get('workato_role') |
   | workato_role_prod | LoginUser.Get('workato_role_prod') |
   | workato_role_test | LoginUser.Get('workato_role_test') |

6. Click Save to apply the changes.

# Change roles in the CyberArk Identity portal

To change a user's Workato role:

1. Log in to your CyberArk Idaptive admin console.
2. Select the user and the environment you plan to change.
3. Enter the new role value and click Save.

   [Image: Update user roles in CyberArk Idaptive]

The user's access privileges in Workato are updated on their next login through SAML SSO.

You can verify the user's updated role privileges from the Activity Audit tab in Workato.

[Image: Confirm role updates in Workato's activity audit]

# Verify with the SAML tracer extension

Use the SAML Tracer browser extension to verify the values passed in SAML assertions. You should see the workato_role, workato_role_test, and workato_role_prod attributes successfully passed.

[Image: Check SAML assertion values with the SAML Tracer extension]
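To make the verification step concrete, here is an added example (not code from Workato or CyberArk) that parses a decoded SAML response of the kind the SAML Tracer extension displays, extracts the three role attributes, and applies the two rules stated earlier on this page: role names are matched case-sensitively, and an undefined role falls back to Operator. The response is constructed for the example, and the DEFINED_ROLES set is a hypothetical list of custom roles that you would replace with the roles your workspace defines. The page does not say how Workato treats a role attribute that is absent from the assertion, so the script only flags that case rather than assuming an outcome.

```python
"""Inspect a SAML 2.0 response for the Workato role-sync attributes.

Added example for this page, not Workato or CyberArk code. SAMPLE_RESPONSE is a
constructed, trimmed response (no signature, conditions or timestamps), and
DEFINED_ROLES is a hypothetical set of custom roles.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names from this page and the Workato environment each one drives.
ROLE_ATTRIBUTES = {
    "workato_role": "DEV",
    "workato_role_test": "TEST",
    "workato_role_prod": "PROD",
}

# Hypothetical custom roles defined in Workato (assumption, not from the page).
DEFINED_ROLES = {"Admin", "Analyst", "Operator"}
# Per the page, an undefined role name falls back to Operator.
DEFAULT_ROLE = "Operator"

# Constructed sample, as the SAML Tracer extension would show it after decoding.
# Note the TEST value "analyst" differs only in case from the defined role "Analyst".
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-response" Version="2.0">
  <saml2:Assertion ID="_constructed-assertion" Version="2.0">
    <saml2:Subject>
      <saml2:NameID>jane.doe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="workato_role">
        <saml2:AttributeValue>Admin</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="workato_role_test">
        <saml2:AttributeValue>analyst</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_roles(attrs: dict) -> dict:
    """For each environment, report what was asserted and the role that results."""
    report = {}
    for name, env in ROLE_ATTRIBUTES.items():
        values = attrs.get(name)
        if not values:
            # The page does not state how a missing attribute is treated, so only flag it.
            report[env] = {"status": "missing", "sent": None, "effective": None, "hint": None}
            continue
        sent = values[0]
        if sent in DEFINED_ROLES:
            report[env] = {"status": "ok", "sent": sent, "effective": sent, "hint": None}
        else:
            # Role names are case-sensitive; a case-only mismatch is the usual cause.
            hint = next((r for r in DEFINED_ROLES if r.lower() == sent.lower()), None)
            report[env] = {"status": "undefined", "sent": sent,
                           "effective": DEFAULT_ROLE, "hint": hint}
    return report


def inspect_response(response_xml: str) -> dict:
    """Parse a SAML response and resolve the Workato role for each environment."""
    return resolve_roles(extract_attributes(response_xml))


if __name__ == "__main__":
    for env, info in inspect_response(SAMPLE_RESPONSE).items():
        line = f"{env}: {info['status']} (sent={info['sent']!r}, effective={info['effective']!r})"
        if info["hint"]:
            line += f"  did you mean {info['hint']!r}?"
        print(line)
```

Run it against a response you have copied out of the SAML Tracer extension to confirm that all three attributes are present and that each value exactly matches a role name defined in Workato; the "undefined" status with a hint is the quickest way to spot a capitalisation mistake in a user's attribute value before it silently demotes them to Operator.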

Last updated: 11/21/2023, 4:34:36 PM