# Enable Single Sign-On for a Workato workspace
Workato supports authentication using SAML-based Single Sign-On (SSO), allowing you to provide authorized access to Workato for multiple workspace members.
Along with just-in-time (JIT) provisioning, you can streamline onboarding by eliminating the need to pre-provision Workato accounts.
ENFORCE SAML AUTHENTICATION
You can enforce SAML SSO for your workspace. When you do so, all workspace members (except the workspace account owner) must authenticate through your identity provider; they can no longer access the workspace and its resources by signing in with a Workato username and password.
Note that the workspace account owner cannot use SAML-based SSO to authenticate with the workspace and must sign in with a username and password instead. Because the owner login remains a password-based path into an otherwise SSO-enforced workspace, protect that account as you would a break-glass credential: use a strong, unique password and limit who holds it.
# Prerequisites
To fully configure SSO for Workato, you must have the following:
SAML SSO privileges in Workato.
Knowledge of which Workato data center supports your account. The values for some configuration settings vary depending on your account's data center.
For the following data centers, the URLs for configuring a SAML app begin with:
- US Data Center (USDC):
https://www.workato.com
- European Union Data Center (EUDC):
https://app.eu.workato.com
- Japan Data Center (JPDC):
https://app.jp.workato.com
- Singapore Data Center (SGDC):
https://app.sg.workato.com
- Australia Data Center (AUDC):
https://app.au.workato.com
Privileges in your SAML provider that enable you to complete the following actions:
- Create and modify SAML applications.
- Assign applications to users.
# Step 1: Create a Workato SAML application
The first step to enabling SSO for Workato is to create a SAML application for Workato in your SAML provider.
To get started, locate the instructions for your SAML provider:
KNOW YOUR WORKATO DATA CENTER?
Before proceeding, verify the data center your Workato account is in.
When setting up your SAML application, make sure to use the SSO URLs for your data center.
# Google G Suite
Refer to the Google Workspace Admin documentation for more details.
# In Workato
Navigate to Workspace admin > Settings > Login methods.
Fill in the following fields:
Authentication method
Select SAML based SSO.
Workspace handle
Provide a handle for the workspace. The maximum length is 20 characters.
SAML provider
Select Other SAML IdP.
Copy the Service provider (SP) entity ID.
Retrieve entity ID
# In your Google Admin console
Navigate to Apps > Web and mobile apps.
Click Add App > Add custom SAML app.
In the Service Provider Details window, fill in the configuration details as follows:
- ACS URL
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
- Entity ID
- Enter the Service provider (SP) entity ID obtained from Workato.
- Start URL
- Optional. This sets the RelayState parameter in a SAML request, which can be a URL to redirect users to after authentication. We recommend leaving this field empty, or providing the final destination to which you plan to direct users.
Finish configuring the app and defining settings as needed.
After you've finished the preceding steps, move on to the next step to complete the setup.
# Microsoft Entra ID
Follow the Microsoft documentation for a complete step-by-step guide on configuring SAML-based SSO in Microsoft Entra ID.
# In your Workato account
Navigate to Workspace admin > Settings > Login methods.
Select SAML based SSO in the Authentication method menu.
Fill in the Workspace handle field. The maximum length is 20 characters.
Select Microsoft Entra ID in the SAML provider menu.
Copy the Service provider (SP) entity ID:
Retrieve entity ID
# In your Azure portal
Create a Non-gallery application to connect Microsoft Entra ID SSO to Workato:
- Select Microsoft Entra ID > Enterprise applications.
- Create a New application and choose Non-gallery application.
Refer to the Azure documentation for more details.
Navigate to the new application's Single sign-on tab and select SAML.
Fill in the configuration details as follows:
Identifier (Entity ID)
Enter the Service provider (SP) entity ID obtained from Workato.
Reply URL (Assertion Consumer Service URL)
Use the URL for your Workato data center:
US Data center:
https://www.workato.com/saml/consume
EU Data center:
https://app.eu.workato.com/saml/consume
JP Data center:
https://app.jp.workato.com/saml/consume
SG Data center:
https://app.sg.workato.com/saml/consume
AU Data center:
https://app.au.workato.com/saml/consume
Sign on URL
Locate your Workspace handle in Workato, then configure the URL for the data center you use, replacing {WORKSPACE_HANDLE} in the following URL with your actual workspace handle:
US Data center:
https://www.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
EU Data center:
https://app.eu.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
JP Data center:
https://app.jp.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
SG Data center:
https://app.sg.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
AU Data center:
https://app.au.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
Azure SAML Configuration
Click Save.
After saving the SAML configuration, configure the Attributes & Claims section so that email addresses are transformed to lowercase. This prevents case-sensitive login issues. Complete the following steps to configure Attributes & Claims:
Go to the Attributes & Claims section.
Click Edit.
Click Unique User Identifier (Name ID) to open and edit the required claim.
Edit required claim
Set the Source to Transformation on the Manage claim page.
Set the source
Choose ToLowercase() from the Transformation drop-down menu on the Manage transformation page.
Select your transformation
Select Attribute as the parameter.
Enter user.mail in the Attribute name field.
Click Add to add the transformation.
Click Save to complete the configuration.
Next, obtain your Microsoft Entra ID metadata URL. This is required to complete the SSO setup in Workato.
Navigate to the Single sign-on tab and locate the SAML Certificate details.
Copy the App Federation Metadata URL.
Microsoft Entra ID metadata URL
After you've finished the preceding steps, proceed to the next step to complete the setup.
# CyberArk Identity
# In CyberArk Identity
Sign in to your CyberArk Identity admin console.
Navigate to the Apps & Widgets sidebar and select Add custom SAML app.
Name the application Workato.
Click Trust to configure SAML Settings.
Navigate to the Service Provider Configuration section and select Manual Configuration.
Provide the SAML settings as follows:
- Audience
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/metadata
- EU data center:
https://app.eu.workato.com/saml/metadata
- JP data center:
https://app.jp.workato.com/saml/metadata
- SG data center:
https://app.sg.workato.com/saml/metadata
- AU data center:
https://app.au.workato.com/saml/metadata
- Recipient
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
- ACS (Consumer) URL Validator
- Use the URL for your Workato data center:
- US data center:
^https:\/\/www.workato.com\/saml\/*$
- EU data center:
^https:\/\/app.eu.workato.com\/saml\/*$
- JP data center:
^https:\/\/app.jp.workato.com\/saml\/*$
- SG data center:
^https:\/\/app.sg.workato.com\/saml\/*$
- AU data center:
^https:\/\/app.au.workato.com\/saml\/*$
- ACS (Consumer) URL
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
Select Assertion.
Leave other settings as the default unless otherwise specified by your Workato implementation details.
CyberArk Identity service provider configuration
Click Save.
After saving the basic SAML configuration, you must configure user account mapping to ensure email addresses are lowercase:
Go to the Account Mapping page.
Select the Account Mapping Script option.
Add the following custom JavaScript to map the login email to lowercase:
LoginUser.Username = LoginUser.Get('mail').toLowerCase();
This script retrieves the user's email from the mail attribute in Active Directory, converts it to lowercase, and assigns it as LoginUser.Username. This ensures consistency and prevents case-sensitive login issues in Workato.
Click Test to verify the script.
Verify the script
Click Save to apply the account mapping changes.
After you configure account mapping, complete the following steps to finalize the SAML setup:
Locate and copy the Metadata URL provided by CyberArk Identity. This is required to complete the SSO setup in Workato.
CyberArk Identity metadata URL configuration
Obtain your Identity provider single sign-on URL, Identity provider issuer, and Signing certificate from CyberArk Identity. These values are required to complete the SSO setup in Workato.
Deploy the Workato SAML app to make it available to users in CyberArk Identity.
Go to the Permissions section in your CyberArk Identity admin console.
Click Add and select a user, typically a system administrator responsible for app deployment.
Click Save to deploy the Workato SAML app.
You must assign role permissions to the Workato SAML app so that users can access Workato. Complete the following steps to assign role permissions:
Go to Core Services > Roles in your CyberArk Identity admin console.
Select Add Role and name the role Workato Users to define permissions for Workato users.
Go to Assigned Applications, locate the Workato SAML app, and click Add to associate it with the Workato Users role.
Click Save to confirm the role assignments and complete the setup process.
Assign the Workato SAML app to roles
Users assigned the Workato Users role can find the Workato SAML app in their CyberArk Identity user portal. Clicking this app enables them to sign in to Workato and automatically provisions their account.
After you've finished the preceding steps, continue to the next step to complete the setup in Workato.
# Okta
# In Okta
Sign in to your Okta instance.
Navigate to Applications > Applications.
Click Create App Integration.
Add application on Okta
Refer to the Okta documentation for more information.
Select SAML 2.0 for the Sign on method in the window that displays.
Create a new application on Okta
Locate the Configure SAML tab and provide the Single Sign-On URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
Set Application username to Custom and enter the following expression. This expression converts the user email to lowercase:
toLowerCase(user.email)
Set Application username to Custom
Select the Use this for Recipient URL and Destination URL check box.
Provide the Audience URI (SP Entity ID) for your Workato data center:
- Workato data centers
- US data center:
https://www.workato.com/saml/metadata
- EU data center:
https://app.eu.workato.com/saml/metadata
- JP data center:
https://app.jp.workato.com/saml/metadata
- SG data center:
https://app.sg.workato.com/saml/metadata
- AU data center:
https://app.au.workato.com/saml/metadata
Click Other Requestable SSO URLs > Show Advanced Settings > Add Another and provide the URL for your Workato data center:
- Workato data centers
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
Find your Identity provider single sign-on URL, Identity provider issuer, and X.509 certificate in Okta. These values are required to complete the SSO setup in Workato.
- Sign in to your Okta account, navigate to Applications, and open the page for the newly created application.
- Go to the Sign On interface.
- Click View SAML setup instructions in the right sidebar.
- Copy the following values for use in Workato:
- Identity provider single sign-on URL
- Identity provider issuer
- X.509 certificate
After you've finished the preceding steps, continue to the next step to complete the setup in Workato.
# OneLogin
# In OneLogin
Sign in to your OneLogin instance.
Navigate to Applications > Applications.
Click Add App.
Add application on OneLogin
Search for and select SAML Test Connector (IdP w/ attr w/ sign response).
SAML test connector
In the Application details, fill in the configuration details as follows:
- Audience
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/metadata
- EU data center:
https://app.eu.workato.com/saml/metadata
- JP data center:
https://app.jp.workato.com/saml/metadata
- SG data center:
https://app.sg.workato.com/saml/metadata
- AU data center:
https://app.au.workato.com/saml/metadata
- Recipient
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
- ACS (Consumer) URL Validator
- Use the URL for your Workato data center:
- US data center:
^https:\/\/www.workato.com\/saml\/*$
- EU data center:
^https:\/\/app.eu.workato.com\/saml\/*$
- JP data center:
^https:\/\/app.jp.workato.com\/saml\/*$
- SG data center:
^https:\/\/app.sg.workato.com\/saml\/*$
- AU data center:
^https:\/\/app.au.workato.com\/saml\/*$
- ACS (Consumer) URL
- Use the URL for your Workato data center:
- US data center:
https://www.workato.com/saml/consume
- EU data center:
https://app.eu.workato.com/saml/consume
- JP data center:
https://app.jp.workato.com/saml/consume
- SG data center:
https://app.sg.workato.com/saml/consume
- AU data center:
https://app.au.workato.com/saml/consume
Click Save.
Next, retrieve your OneLogin Metadata URL. This is needed to complete the SSO setup in Workato.
- On the application's page, click More Actions.
- Right-click SAML Metadata and select Copy link address:
OneLogin metadata URL
After you've finished the preceding steps, proceed to the next step to complete the setup.
# Other Identity Providers
If your Identity Provider (IdP) is not listed, you can still configure SAML-based Single Sign-On (SSO) in Workato using the common SAML 2.0 standard.
Complete the following steps to configure SAML SSO for other Identity Providers:
Sign in to your Identity Provider (IdP) and begin setting up a SAML application.
Provide the Audience URI (SP Entity ID) for your Workato data center in the SAML configuration settings:
US data center:
https://www.workato.com/saml/metadata
EU data center:
https://app.eu.workato.com/saml/metadata
JP data center:
https://app.jp.workato.com/saml/metadata
SG data center:
https://app.sg.workato.com/saml/metadata
AU data center:
https://app.au.workato.com/saml/metadata
Provide the ACS URL (Assertion Consumer Service URL) based on your data center:
US data center:
https://www.workato.com/saml/consume
EU data center:
https://app.eu.workato.com/saml/consume
JP data center:
https://app.jp.workato.com/saml/consume
SG data center:
https://app.sg.workato.com/saml/consume
AU data center:
https://app.au.workato.com/saml/consume
Optional. Provide the SSO URL (Single Sign-On URL). This URL may be optional depending on your Identity Provider. Locate your Workspace handle in Workato and replace {WORKSPACE_HANDLE} in the URL for the data center you use:
US Data center:
https://www.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
EU Data center:
https://app.eu.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
JP Data center:
https://app.jp.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
SG Data center:
https://app.sg.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
AU Data center:
https://app.au.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
Set additional parameters required by your Identity Provider and Save your SAML application setup.
Retrieve the Metadata URL from your Identity Provider. This URL is required to complete the SSO setup in Workato.
After you've finished the preceding steps, proceed to set up your Workato SSO to complete the setup.
# Step 2: Finish setup in Workato
Sign in to Workato and navigate to Workspace admin > Settings > Login methods.
Fill in the following fields:
Authentication method
Select SAML based SSO.
Workspace handle
Provide a handle for the workspace. The maximum length is 20 characters.
SAML provider
Select your SAML provider from the SAML provider menu. If using Google G Suite, select Other SAML IdP.
Do you have your identity provider metadata URL?
OKTA
If your identity provider is Okta, you must configure your SAML settings manually. Follow the instructions in I don't have my metadata URL.
# I have my metadata URL
If you have the metadata URL from your SAML provider:
- Select Yes.
- Paste the metadata URL into the Metadata URL field.
# I don't have my metadata URL
If you don't have your metadata URL or plan to configure your SAML settings manually, you must:
- Select No.
- Retrieve the following from your SAML provider:
- Identity provider single sign-on URL
- Identity provider issuer
- X.509 certificate
Enable JIT provisioning
Refer to our Just-in-time provisioning guide for more information.
Enforce SAML Authentication
Enforce SAML SSO for all users. If you need to disable SSO for a few workspace collaborators while keeping SAML SSO for the majority, you can disable SSO selectively.
Click Validate settings.
VALIDATION ERROR
If you encounter a validation error, perform the following actions:
- Verify that the certificate is valid with a tool like sslshopper, or locally with openssl x509 -in cert.pem -noout -subject -dates. Certificates must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Verify that your IdP SSO URL/metadata URL is in a valid format. Refer to your identity provider's SAML configuration guide.
After successful validation, click Save.
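If your IdP only publishes a metadata document, or you want to check the values before pasting them into the manual fields above, the following script extracts the identity provider single sign-on URL, issuer and signing certificate from SAML 2.0 IdP metadata and applies the same structural checks that produce the validation error described above. It is an added example, not code from Workato or any identity provider, and uses only the Python standard library. The metadata document, its entityID, endpoint URLs and certificate body are all constructed placeholders; in practice you fetch your real metadata URL over HTTPS and pass its text to extract_idp_settings.

```python
"""Extract the manual SSO settings from SAML 2.0 IdP metadata and check the
signing certificate's PEM form. Added example, not Workato or IdP code;
standard library only. All sample values below are constructed placeholders."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Not a real certificate: a DER SEQUENCE header plus a 16-byte body, enough for
# the structural checks below. Real metadata carries the IdP's actual cert.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(16)
SAMPLE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata; hostnames and paths are placeholders (assumption).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Wrap the bare base64 body from <ds:X509Certificate> in the PEM armour
    Workato expects (BEGIN/END lines, 64-character body lines)."""
    body = "".join(b64_body.split())  # drop the whitespace XML pretty-printing adds
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def check_pem(pem: str) -> bool:
    """Structural check matching the validation error on this page: PEM armour
    present and the body decodes to DER beginning with an ASN.1 SEQUENCE (0x30).
    This is not a trust or expiry check; use openssl x509 for those."""
    lines = pem.strip().splitlines()
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the three values the manual setup asks for: IdP SSO URL, issuer and
    signing certificate(s) as PEM. ElementTree's expat parser does not fetch
    external entities, so metadata from an untrusted URL cannot trigger XXE here."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Prefer the HTTP-Redirect endpoint for SP-initiated login, else HTTP-POST.
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(REDIRECT) or locations.get(POST)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys are not used to verify assertions
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(to_pem(c.text or ""))
    issuer = root.get("entityID")
    if not (issuer and sso_url and certs):
        raise ValueError("metadata lacks entityID, SSO endpoint or signing cert")
    if any(not check_pem(c) for c in certs):
        raise ValueError("a signing certificate failed the structural check")
    return {"sso_url": sso_url, "issuer": issuer, "certificates": certs}


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("Identity provider single sign-on URL:", settings["sso_url"])
    print("Identity provider issuer:", settings["issuer"])
    print("X.509 certificate:\n" + settings["certificates"][0])
```

The HTTP-Redirect endpoint is preferred because that is the binding Workato's SP-initiated flow uses to send the AuthnRequest; if the IdP lists more than one signing certificate (for example during a key rollover), paste the one that is currently active according to your IdP.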
# Step 3: Assign SAML to users
After completing the SSO configuration, you can start assigning the SAML application to your workspace members.
The following example uses an Okta application:
Navigate to the newly created SAML application in Okta:
- Applications > Workato > Assignments > Assign Users to App.
Okta displays a list of workspace members. Use this list to assign workspace members to the application.
# Sign in to an SSO-enabled Workato workspace
WORKSPACE ACCOUNT OWNERS
Workspace owners cannot use SAML-based SSO to authenticate with the workspace. They must use their username and password instead.
When you enable SSO in Workato, your SAML provider controls access to a Workato workspace. You must assign the SAML application to your workspace members to grant them access to a Workato workspace. Workspace members can then access their Workato accounts from the SAML provider, such as:
- Google G Suite
- Use your company or organization sign-in URL. For example,
google.com/abc-example
- Microsoft Entra ID
https://myapps.microsoft.com/
- Okta
- Use your company or organization sign-in URL. For example,
123-example.okta.com
- OneLogin
- Use your company or organization sign-in URL. For example,
xyz-example.onelogin.com
REQUEST THE SSO URL FROM YOUR ADMIN
Reach out to your admin to request the SSO URL for your company or organization.
The steps to sign in to an SSO-enabled Workato workspace can vary depending on the SAML provider and the configuration set by your administrator. For instance, Okta and OneLogin accounts usually provide dashboards that allow you to select Workato (and other) applications with SSO enabled. In the Okta dashboard, you can click the Workato application to sign in:
Workato app on Okta
When a workspace member switches from their personal account to an SSO-enabled workspace account, they must authenticate through the SAML provider. This process will vary depending on the SAML provider and the configuration selected by the administrator. The following example demonstrates this process:
Switch to workspace account with Okta authorization
# Email verification for SAML JIT provisioning
For SAML JIT Provisioning, a user logging in for the first time through either SP-initiated SSO or IdP-initiated SSO must verify their email address.
When users attempt to access the workspace for the first time, Workato prompts them to verify their email before they can access it:
Receive Invitation Email: Workato sends an email invitation to the selected users. Instruct users to click the link in the email to verify their email address:
Email invitation to join a workspace
Once users receive the email, they need to access their email account and open the invitation.
The collaborator can then sign in to the assigned workspace with the roles you have configured.
TROUBLESHOOTING
If clicking on the invitation email redirects you to the Workato login page instead of your organization’s workspace, you likely already have a Workato account associated with the same email. Reset your password if you have forgotten your login credentials.
Verify Activity Audit Log: You can check the Workato activity audit log to confirm the addition of the user:
Activity audit log showing that a user has accepted an invitation
# IdP-initiated SSO flow
To execute IdP-initiated flows (accepting SAML Responses directly generated by the IdP), the IdP may provide the team_id as a GET parameter. This allows Workato to identify the workspace the user is trying to access. If Workato does not have the team_id information, the SAML Response is ignored, and Workato starts a fresh SP-initiated SSO flow.
Configure the following value at the IdP:
ACS URL: Use the URL for your Workato data center
- US data center:
https://www.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
- EU data center:
https://app.eu.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
- JP data center:
https://app.jp.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
- SG data center:
https://app.sg.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
- AU data center:
https://app.au.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
Where {WORKSPACE_HANDLE} is the Workspace handle configured in Workspace admin > Settings > Login methods.
# Disable SSO for select users
In some situations, you may need to disable SSO selectively for specific users in your workspace. For example, consider a situation where you must comply with your organization's SSO policies while also granting access to Workato to external users who do not have accounts in your identity provider. In such cases, it is possible to disable SSO for specific users without affecting the SSO settings for the entire workspace.
Complete the following steps to disable SSO selectively:
Navigate to Workspace admin > Collaborators.
Click Invite collaborator to invite a new collaborator to your workspace. Alternatively, select an existing collaborator to edit their SSO settings.
Toggle Enable SAML for this collaborator to disable SAML SSO for this user.
Disable SSO selectively
Click Send invitation or Save changes to save your settings. You can enable SSO for this user anytime by navigating to Workspace admin and adjusting this collaborator's SSO settings.
# Troubleshooting
# Unable to switch workspace error message
If you are a workspace account owner attempting to access the workspace using SAML-based SSO, you will encounter the following error message:
Unable to switch workspace: the user doesn't belong to the workspace
This message means that you cannot authenticate with Workato using SAML-based SSO because you are the workspace account owner. Instead, you must sign in to the workspace using your username and password.
# Unable to login error message
When attempting to log in through SAML SSO, you may encounter the following error message:
Unable to login: Email invited user is already a member
This error typically occurs when a user was provisioned through SAML Just-In-Time (JIT) provisioning or SCIM, removed, and then tries to log in again using SAML SSO. Workato's backend stores usernames in lowercase and compares them case-sensitively, so a mixed-case email address sent by the IdP does not match the existing record.
To fix this issue, update the SAML configuration on your identity provider (IdP) to convert email addresses to lowercase so that they match the format in Workato's backend. For example, in Okta, use the expression toLowerCase(user.email). In Microsoft Entra ID, apply the ToLowercase() transformation to the user.mail attribute.
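To see what the Audience, Recipient/ACS URL and data center values from Step 1 are checked against when an assertion arrives, and why a mixed-case NameID fails to match an existing collaborator, the following Python example walks through the service-provider-side checks. It is an added illustration, not Workato's implementation, and it deliberately omits XML signature verification, which a real SP must perform against the IdP certificate before trusting any field. The IdP issuer, the SAML responses and the member list are constructed for the example; the Workato URLs are the US data center values from this page.

```python
"""Service-provider-side checks behind the Audience, Recipient/ACS and NameID
settings on this page. Added illustration, not Workato's implementation.
XML signature verification is omitted on purpose; a real SP must verify the
signature against the IdP certificate before trusting any field below.
Responses, issuer and member list are constructed test data."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://www.workato.com/saml/metadata"  # US data center Audience
ACS_URL = "https://www.workato.com/saml/consume"        # US data center ACS/Recipient
IDP_ISSUER = "https://idp.example.test/saml/issuer"     # assumed IdP issuer
TS = "%Y-%m-%dT%H:%M:%SZ"


class AssertionRejected(Exception):
    """Raised when a response fails a check the SP must enforce."""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def make_response(name_id: str, *, issued_at: datetime, audience: str = SP_ENTITY_ID,
                  recipient: str = ACS_URL, destination: str = ACS_URL,
                  valid_for: timedelta = timedelta(minutes=5)) -> str:
    """Build a minimal unsigned SAML Response (constructed input, not a real IdP's)."""
    issued, expires = issued_at.strftime(TS), (issued_at + valid_for).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="{issued}" Destination="{destination}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{expires}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, now: datetime) -> dict:
    """Apply the checks the page's settings feed; return the NameID as sent and
    lower-cased, or raise AssertionRejected."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise AssertionRejected("Destination is not this data center's ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise AssertionRejected("missing assertion or unexpected issuer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise AssertionRejected("Recipient is not the ACS URL")
    if now >= parse_ts(scd.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now
                            < parse_ts(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("outside Conditions validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("Audience is not this SP's entity ID")
    name_id = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise AssertionRejected("missing NameID")
    return {"name_id": name_id, "name_id_normalized": name_id.lower()}


def run_scenarios() -> dict:
    """Exercise the checks on constructed responses; returns an outcome per case."""
    t0 = datetime(2024, 10, 24, 12, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(seconds=30)
    eu = "https://app.eu.workato.com/saml/"
    cases = {
        "good": make_response("Alice.Smith@Example.com", issued_at=t0),
        # IdP app built with EU data center values for a US workspace.
        "wrong_data_center": make_response("alice.smith@example.com", issued_at=t0,
                                           audience=eu + "metadata", recipient=eu + "consume",
                                           destination=eu + "consume"),
        # Assertion captured earlier and replayed after its window closed.
        "replayed_late": make_response("alice.smith@example.com",
                                       issued_at=t0 - timedelta(minutes=10)),
    }
    out = {}
    for name, xml_text in cases.items():
        try:
            out[name] = check_response(xml_text, now)["name_id_normalized"]
        except AssertionRejected as exc:
            out[name] = f"rejected: {exc}"
    # The backend stores the collaborator lower-cased; a mixed-case NameID from
    # the IdP only matches once normalized, which is what the IdP-side
    # toLowerCase()/ToLowercase() transformations on this page guarantee.
    members = {"alice.smith@example.com"}
    good = check_response(cases["good"], now)
    out["raw_matches_member"] = good["name_id"] in members
    out["normalized_matches_member"] = good["name_id_normalized"] in members
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

Run the module directly to print the outcome of each scenario. The wrong_data_center case is the failure you get when the SAML app was built with one data center's URLs and the workspace lives in another; the replayed_late case shows why the NotOnOrAfter window matters even though the assertion would otherwise be well-formed.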
Last updated: 10/24/2024, 5:02:28 PM