# Team collaboration - Just in time provisioning
Just-in-Time (JIT) provisioning eliminates the needs for team admins to create Workato user accounts in advance on behalf of team members. When an employee signs up for a new Workato account via SAML SSO, they will automatically be added into the organization's team.
If an employee has an existing Workato account they will be automatically be added into the organization's team.
You may enable SAML Just-In-Time provisioning on Team > Settings page.
Enable SAML Just-In-Time provisioning
# Customize JIT provisioning
You can customize JIT provisioning to relay user-specific information to Workato. Workato will take a SAML attribute (e.g. name) and apply it for the provisioned Workato account. This enables new users to be provisioned with the appropriate information according to your workflow.
The following attributes are supported:
workato_role. If the attributes are not configured, a default value will be used.
|Workato user field||SAML attribute||Default value|
|User email|| ||SAML |
(in email format)
|User name|| ||Part of SAML |
|User team role|| |
# Why customize JIT provisioning
Outside of the default roles (
Operator), custom roles can be configured with specific access to folder or permissions to edit connections and recipes. This gives you more control to enforce security policies for Workato accounts.
Also, this eliminates the need to manually provision Workato accounts with the appropriate access privileges. This leads to reduced operations cost and smoother onboarding.
# How to customize JIT provisioning
To assign user information during JIT provisioning, you first need complete the basic setup:
- Enable SAML based SSO for Team
- Enable SAML Just-in-Time provisioning for Team
- Create custom role on Workato
mktg_opswith specific access to the Marketing folder
- Configure the SAML attribute on the SAML provider's application page.
# Configure SAML attribute on SAML provider
Let's configure the SAML attributes for
workato_role on Okta.
|1. Locate Profile Editor|
|2. Select Okta > Profile|
|3. Select Add attribute|
|4. Fill in the attribute details||For more information see here.|
|5. Locate the Workato SAML app|
|6. Select SAML settings > edit|
|7. Skip to Configure SAML|
|8. Locate Attribute statement||The |
Instead of the
|9. Save and exit SAML setting||Note that existing users will not be affect. In order to implement JIT custom role provisioning, define the user's |
# Setting up
Workato accepts certain attributes and converts them into user values when provisioning a new account. In order to facilitate this, all values have to be identical to the roles in Workato Team.
For example, we created a custom role in workato Team called
mktg_ops with custom permissions to certain folders and recipes.
Thus, the SAML attribute will be as follows:
|SAML attribute||Stored values|
It is recommended that you also list out the default roles;
All values are case-sensitive (
). Ensure that you have configured the role names identical to the ones on your Team setting.
# Assign roles for team members
- When an employee is onboarded with Okta, select a value for
workato_role for new user
- For existing Okta users, assign
workato_roleon their profile page. This only applies if this Okta user does not have an existing Workato account.
workato_role for an existing user
Now, when when a user logins to Workato using SSO, the identity provider passes
workato_role for this new user. For a new hire in the Marketing department, the provisioned Workato account with be configured with the custom role