# SAML role sync: maintaining Workato roles in the identity provider

When your organization uses a large number of SaaS applications, such as Workato, managing access can be extremely laborious and prone to error. For example, you may find it difficult to address these concerns:

User lifecycle
It becomes progressively more difficult to fully manage the user lifecycle: provisioning, changing user roles, and deprovisioning), especially as your organization grows larger and more sophisticated, with many custom roles.
Difficulties arise in enforcing organization-wide security policies to protect access to Workato because of the manual steps involved in configuring access at the application level.
Lack of automation
The majority of apps do not support automatic user provisioning.

To address these difficulties, we offer a one-time configuration that syncs roles from your identity provider directly into Workato. Your organization can now sync Workato user roles from your IdP by including custom attributes in the SAML assertion. This works for both individual users, and for groups.

When implemented, Workato automatically synchronizes role assignments with the custom SAML attributes that you configure in your identity provider.

For example, you can change a user's workato_role attribute from Analyst to Admin inside the IdP, and that changes the the role permissions inside Workato.

Similarly, you can provision members of a group called “DevOps_Admins” with a custom “DevOps_Admin” role on Workato. All new users in that group inherit the Workato permissions through group priority, or a combination of values.

Workato supports SAML role sync for all customers who enable SSO on their identity provider. In this document, we describe how to use SAML role sync for the following identity providers:

We support SAML role sync in all regions.


Workato strongly recommends that you manage user role assignment through your identity provider after configuring the role sync, because the system overwrites manual role changes.

# Support for environment-specific roles

If you have environments enabled with Workato (through the Lifecycle Management add-on), you can sync environment-specific user roles from your IdP. Workato defines the following custom attributes that map to specific environment roles:

  • DEV workato_role
  • TEST workato_role_test
  • PROD workato_role_prod

# Enable role sync

To use the role sync with your identity provider, you must enable the feature in the Workato interface.


If not already turned on, we recommend enabling the Enforce SAML authentication and Enable SAML JIT provisioning options at the same time.


In Workato, navigate to Team >> Settings.


Toggle the switch Enable role sync to the ON position.

Enable role sync in Workato


Click Validate settings.


Click Save.

# Next steps

Complete role sync set-up on your identity provider. In this section, we describe how to connect to the following:

Last updated: 11/29/2023, 10:13:21 PM