# OneLogin SAML role sync configuration
When using OneLogin IdP, you can sync role configurations both for users and for groups.
Here, we configure role sync for basic Workato environments: DEV (default), PROD, and TEST.
# Prerequisites
- Ensure that you configured the SAML SSO for your OneLogin organization.
- Ensure that you enabled just-in-time provisioning in the Workato UI.
- Ensure that you use SAML SSO enforcement for your team or organization.
# Add custom Workato role attributes to your user profile on OneLogin
To begin, you must create the necessary Workato role attributes inside your identity provider, OneLogin.
In OneLogin, navigate to Users >> More Actions >> Custom User Fields >> New User Field.
In the Custom User Fields interface, specify the new role using these fields:
- Name
- Use
appuser.workato_role
. This sets up the default user role for Workato, for the DEV environment. - Short name
- Use
workato_role
.
Similarly, specify the roles for the other Workato environments, if you use them:
- Name
appuser.workato_role_prod
with Short nameworkato_role_prod
for the PROD environment - Name
appuser.workato_role_test
with Short nameworkato_role_test
for the TEST environment
Add Workato custom role in OneLogin
If you use additional environments in Workato, add more custom user fields.
# Configure SAML attribute statements
To include workato_role
attribute values each time a users signs into Workato through SAML SSO, you must configure the SAML attribute statements.
In OneLogin, navigate to Applications >> Workato >> Parameters >> Create new field by clicking the + (plus) icon.
In the New Field interface, add the the Short name of the role, which you specified in the user profile.
Here, we are adding the field name for workato_role_prod
, the Workato role for the PROD environment.
Add new Workato role to SAML attribute statements in OneLogin
Select the option Include in SAML assertion.
Click Save.
Open the field you just created to edit it. Here, we are editing workato_role_prod.
In the Edit Field workato_role_prod interface, select the Value appuser.workato_role_prod (Custom)
from the drop-down.
Adding Workato roles in SAML attribute statements in OneLogin
Click Save.
Similarly, specify the values for the other Workato environments:
- Name
workato_role
with Valueappuser.workato_role (Custom)
for the DEV environment - Name
workato_role_test
with Valueappuser.workato_role_test (Custom)
for the TEST environment
Repeat these steps if you use environments in Workato.
After adding the necessary SAML statements, your custom fields for Workato may resemble the following screenshot:
List of SAML custom fields for Workato
# Assign the Workato app to users
Here, we demonstrate how to assign the app to users and update the workato_role
parameter.
Navigate to Users in OneLogin.
Select the user to assign to Workato.
Here, we assign the Workato app to the user Gregory.
In the Edit SAML Custom Connector ... interface, specify the level of permissions for each environment-based role.
Select the Allow the user to sign in option, if not turned on already.
Specify the user's role value. You may enter either system-defined or custom-defined roles.
NOTE
Role names are case-sensitive.
Edit the values for other environment attributes.
Here, we specify the Analyst permissions for user Gregory in the PROD environment, and Admin permissions in the DEV and TEST environments.
Assign user to Workato app, and specify permissions
Recommendation
Workato recommends that you update a users workato_role
attribute value at the user or group level in the identity provider only. After you enable role sync, Workato overwrites all manual role changes that you make in the Workato UI when the user subsequently logs in through SAML SSO.
Click Save.
# Assign the Workato app to groups
Start by creating a new group, and assign users to that group in OneLogin.
You must then create and configure a new rule, and then set workato_role
values based on group membership.
Navigate to Users >> Groups, click New Group, and create a new group.
Here, we create the group Workato DevOps Admins.
In Users >> Select User >> Authentication, click Add membership to groups.
Add individual users as members to the new group, Workato DevOps Admins.
Navigate to Applications >> Workato >> Rules, and click Create new rule.
In the New mapping interface, specify rule mappings based on group membership. Here, we assign to the members of the Workato_DevOps_Admins group the DevOps_Admin role in the various Workato environments by mapping the values of the roles to the Macro DevOps_Admin.
Make sure to select the correct group.
Here, under Conditions, we construct the statement by setting Group is Workato_DevOps_Admin.
Under Actions, select one of the previously defined roles.
For each role, select the Map from OneLogin option.
Under Set workatorole to, select Macro.
Make sure to use the group you created to complete the mapping. Here, we use DevOps_Admin.
Assign the group to Workato app, and specify permissions
Make sure to complete the mappings for all workato environments:
- DEV: workato_role
- PROD: workato_role_prod
- TEST: workato_role_test
- any additional custom environments that you use is Workato
# Change assignment for user management at group level
To include previously-configured users under group management rules, complete these steps:
Navigate to Users in OneLogin.
Select the user to assign to Workato.
Here, we change the Workato app assignment of the user Gregory to be managed at group level.
In the Edit SAML Custom Connector ... interface, make the changes to the necessary Workato role attributes.
Here, we are changing the fields workato_role_test and workato_role (for TEST and DEV environments, respectively) to group DevOps_Admin.
Workato field definition, SAML assertion
Click Reset login. This action remaps the login for the user at the application level by applying the new rule. You only need to do this for users who were previously configured as individuals.
Click Save.
# Verify role changes
If your organization uses Workato's Activity Audit Logs feature, you can verify the automatic role sync when the user logs in through SAML SSO.
Role changes triggered by SAML assertions appear under the Source attribute, with the value saml_auto_sync
.
Manual role changes made in Workato UI have the value user
.
You can also see the New Role and Previous Role values.
SAML roles sync activity audit log
Last updated: 11/5/2024, 6:04:00 PM