# Enabling Single Sign-On for a Workato workspace

Workato supports authentication using SAML-based Single Sign-On (SSO), allowing you to provide authorized access to Workato for multiple workspace members.

Along with just-in-time (JIT) provisioning, you can streamline onboarding by eliminating the need to pre-provision Workato accounts.

ENFORCE SAML AUTHENTICATION

You can enforce SAML SSO for your workspace. When you enforce SAML SSO, all members of the workspace (except for the workspace account owner) must authenticate through your identity provider. They cannot access the workspace and its resources by logging in with a Workato username and password.

Note that the account owner of the workspace cannot use SAML-based SSO to authenticate with the workspace. They must log in with their username and password instead.


# Prerequisites

To fully configure SSO for Workato, you must have the following:


# Step 1: Create a Workato SAML Application

The first step to enabling SSO for Workato is creating a SAML application for Workato in your SAML provider.

To get started, locate the instructions for your SAML provider:

KNOW YOUR WORKATO DATA CENTER?

Before proceeding, verify the data center your Workato account is in.

When setting up your SAML application, make sure to use the SSO URLs for your data center.

# Google G Suite

Refer to the Google Workspace Admin documentation for more details.

# In Workato:

1. Navigate to Workspace admin > Settings > Authentication & provisioning.
2. Fill in the following fields:
   • Authentication method: Select SAML based SSO.
   • SAML provider: Select Other SAML IdP.
3. Copy the Service provider (SP) entity ID.

# In your Google Admin console:

1. Navigate to Apps > Web and mobile apps.
2. Click Add App > Add custom SAML app.
3. In the Service Provider Details window, fill in the configuration details as follows:
   • ACS URL: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
   • Entity ID: Enter the Service provider (SP) entity ID obtained from Workato.
   • Start URL: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
4. Finish configuring the app, defining settings as needed.

After you've finished the preceding steps, move on to the next step to complete the setup.

# Microsoft Azure Active Directory (AD)

Follow the Microsoft documentation for a complete step-by-step guide on configuring SAML-based SSO in Azure AD.

1. In your Workato account:
   1. Navigate to Workspace admin > Settings > Authentication & provisioning.
   2. Enter your Workspace ID.
   3. Select SAML based SSO for the Authentication method.
   4. Select Azure Active Directory for the SAML provider.
   5. Copy the Service provider (SP) entity ID.
2. In your Azure portal:
   1. Create a Non-gallery application to connect Azure AD SSO to Workato:
      • Select Azure Active Directory > Enterprise applications.
      • Create a New application and choose Non-gallery application.
      Refer to the Azure documentation for more details.
   2. Navigate to the new application's Single sign-on tab and select SAML.
   3. Fill in the configuration details as follows:
      • Identifier (Entity ID): The Entity ID from Workato, generated in Step 1.
      • Reply URL (Assertion Consumer Service URL): Use the URL for your Workato data center:
        • US Data Center: https://www.workato.com/saml/consume
        • EU Data Center: https://app.eu.workato.com/saml/consume
        • JP Data Center: https://app.jp.workato.com/saml/consume
        • SG Data Center: https://app.sg.workato.com/saml/consume
        • AU Data Center: https://app.au.workato.com/saml/consume
      • Sign on URL: Locate your Workspace ID in Workato. Then use the URL for the data center you use, replacing workspace-id with your Workspace ID (for example, acme-dev-1):
        • US Data Center: https://www.workato.com/saml/init?team_handle=workspace-id
        • EU Data Center: https://app.eu.workato.com/saml/init?team_handle=workspace-id
        • JP Data Center: https://app.jp.workato.com/saml/init?team_handle=workspace-id
        • SG Data Center: https://app.sg.workato.com/saml/init?team_handle=workspace-id
        • AU Data Center: https://app.au.workato.com/saml/init?team_handle=workspace-id
   4. Save your settings.
3. Next, obtain your Azure AD Metadata URL. This is needed to complete the SSO setup in Workato.
   1. In Single sign-on, find the details of the SAML Certificate.
   2. Copy the App Federation Metadata URL from the menu.

After you've finished the above steps, move on to the next step to complete the setup.

# CyberArk Idaptive

1. Log in to your CyberArk Idaptive admin console.
2. Navigate to the Apps & Widgets sidebar and select Add custom SAML app.
3. Name the application Workato.
4. Click Trust to configure SAML Settings.
5. Navigate to the Service Provider Configuration section and select Manual Configuration.
6. Provide the SAML settings as follows:
   • Audience: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/metadata
     • EU data center: https://app.eu.workato.com/saml/metadata
     • JP data center: https://app.jp.workato.com/saml/metadata
     • SG data center: https://app.sg.workato.com/saml/metadata
     • AU data center: https://app.au.workato.com/saml/metadata
   • Recipient: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
   • ACS (Consumer) URL Validator: Use the pattern for your Workato data center:
     • US data center: ^https:\/\/www.workato.com\/saml\/*$
     • EU data center: ^https:\/\/app.eu.workato.com\/saml\/*$
     • JP data center: ^https:\/\/app.jp.workato.com\/saml\/*$
     • SG data center: ^https:\/\/app.sg.workato.com\/saml\/*$
     • AU data center: ^https:\/\/app.au.workato.com\/saml\/*$
   • ACS (Consumer) URL: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
7. Select Assertion.
8. Leave other settings as default unless otherwise specified by your Workato implementation details.
9. Save your settings.
10. Locate and copy the Metadata URL provided by CyberArk Idaptive. This is needed to complete the SSO setup in Workato.
11. Obtain your Identity provider single sign-on URL, Identity provider issuer, and Signing certificate from CyberArk Idaptive. These values are required to complete the SSO setup in Workato.
12. Deploy the Workato SAML app to make it available to users within CyberArk Idaptive:
    1. Log in to your CyberArk Idaptive admin console.
    2. Navigate to the Permissions section in the admin console.
    3. Click Add and select a user, typically a system administrator tasked with managing the app deployment.
    4. Confirm the deployment by clicking Save.
13. Assign the Workato SAML app to role permissions in CyberArk Idaptive:
    1. Log in to your CyberArk Idaptive admin console.
    2. Navigate to Core Services > Roles.
    3. Select Add Role and name it "Workato Users" to define the permissions for users who will use Workato.
    4. Under Assigned Applications, locate the Workato SAML app, select it, and click Add to associate it with the "Workato Users" role.
    5. Click Save to confirm the role assignments and complete the setup process.
14. Users assigned the Workato Users role can find the Workato SAML app in their CyberArk Idaptive user portal. Clicking this app lets them log in to Workato and automatically provisions their account.

After you've finished the preceding steps, continue to the next step to complete the setup in Workato.

# Okta

1. Log in to your Okta instance.
2. Navigate to Applications > Applications.
3. Click Create App Integration. Refer to the Okta documentation for more information.
4. Select SAML 2.0 for the Sign on method in the window that displays.
5. Locate the Configure SAML tab and provide the Single Sign-On URL for your Workato data center:
   • US data center: https://www.workato.com/saml/metadata
   • EU data center: https://app.eu.workato.com/saml/metadata
   • JP data center: https://app.jp.workato.com/saml/metadata
   • SG data center: https://app.sg.workato.com/saml/metadata
   • AU data center: https://app.au.workato.com/saml/metadata
6. Set Application username to Custom and enter the following expression, which converts the user's email address to lowercase:
   toLowerCase(user.email)
7. Select the Use this for Recipient URL and Destination URL check box.
8. Provide the Audience URI (SP Entity ID) for your Workato data center:
   • US data center: https://www.workato.com/saml/metadata
   • EU data center: https://app.eu.workato.com/saml/metadata
   • JP data center: https://app.jp.workato.com/saml/metadata
   • SG data center: https://app.sg.workato.com/saml/metadata
   • AU data center: https://app.au.workato.com/saml/metadata
9. Click Other Requestable SSO URLs > Show Advanced Settings > Add Another and provide the URL for your Workato data center:
   • US data center: https://www.workato.com/saml/consume
   • EU data center: https://app.eu.workato.com/saml/consume
   • JP data center: https://app.jp.workato.com/saml/consume
   • SG data center: https://app.sg.workato.com/saml/consume
   • AU data center: https://app.au.workato.com/saml/consume
10. Find your Identity provider single sign-on URL, Identity provider issuer, and X.509 certificate in Okta. These values are required to complete the SSO setup in Workato.
    1. Log in to your Okta account, navigate to Applications, and select the newly created application's page.
    2. Go to the Sign On interface.
    3. Click View SAML setup instructions, located in the right sidebar.
    4. Copy the following values for use in Workato:
       • Identity provider single sign-on URL
       • Identity provider issuer
       • X.509 certificate

After you've finished the preceding steps, continue to the next step to complete the setup in Workato.

# OneLogin

1. Log in to your OneLogin instance.
2. Navigate to Applications > Applications.
3. Click Add App. Refer to the OneLogin documentation for more details.
4. In the search box, enter saml test connector and click it in the results.
5. In the Application details, fill in the configuration details as follows:
   • Audience: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/metadata
     • EU data center: https://app.eu.workato.com/saml/metadata
     • JP data center: https://app.jp.workato.com/saml/metadata
     • SG data center: https://app.sg.workato.com/saml/metadata
     • AU data center: https://app.au.workato.com/saml/metadata
   • Recipient: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
   • ACS (Consumer) URL Validator: Use the pattern for your Workato data center:
     • US data center: ^https:\/\/www.workato.com\/saml\/*$
     • EU data center: ^https:\/\/app.eu.workato.com\/saml\/*$
     • JP data center: ^https:\/\/app.jp.workato.com\/saml\/*$
     • SG data center: ^https:\/\/app.sg.workato.com\/saml\/*$
     • AU data center: ^https:\/\/app.au.workato.com\/saml\/*$
   • ACS (Consumer) URL: Use the URL for your Workato data center:
     • US data center: https://www.workato.com/saml/consume
     • EU data center: https://app.eu.workato.com/saml/consume
     • JP data center: https://app.jp.workato.com/saml/consume
     • SG data center: https://app.sg.workato.com/saml/consume
     • AU data center: https://app.au.workato.com/saml/consume
6. Click Save.
7. Next, retrieve your OneLogin Metadata URL. This is needed to complete the SSO setup in Workato.
   1. On the application's page, click More Actions.
   2. Hover over SAML Metadata, then right-click and select Copy link address.

After you've finished the above steps, move on to the next step to complete the setup.
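As an added check (not Workato's, CyberArk's or OneLogin's own code), the Python below tests an ACS (Consumer) URL Validator pattern from the CyberArk Idaptive and OneLogin steps above against the ACS URL of each data center, on the assumption that the IdP applies the validator as a whole-string regular-expression match. It shows that the pattern as printed, ending in \/saml\/*$, accepts a bare /saml path followed only by slashes and so does not match /saml/consume, and that an escaped, anchored pattern built from the exact ACS URL accepts that URL and nothing else.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the ACS (consume) URL of each Workato data
# center, as listed on this page.
ACS_URLS = {
    "US": "https://www.workato.com/saml/consume",
    "EU": "https://app.eu.workato.com/saml/consume",
    "JP": "https://app.jp.workato.com/saml/consume",
    "SG": "https://app.sg.workato.com/saml/consume",
    "AU": "https://app.au.workato.com/saml/consume",
}

# The US validator pattern exactly as printed on the page: the dots are
# unescaped (each matches any character) and "\/*" allows only slashes
# after "/saml", so the path "/saml/consume" cannot match.
PAGE_VALIDATOR_US = r"^https:\/\/www.workato.com\/saml\/*$"

# The same pattern with the path spelled out: it now accepts the ACS URL,
# but the unescaped dots still accept look-alike hosts.
LOOSE_VALIDATOR_US = r"^https:\/\/www.workato.com\/saml\/consume$"


def validator_accepts(pattern: str, url: str) -> bool:
    """True if the validator regex matches the whole candidate ACS URL.

    Assumed model of the IdP field: an AssertionConsumerServiceURL named
    in an AuthnRequest is honoured only when the pattern matches all of it.
    """
    return re.fullmatch(pattern, url) is not None


def strict_validator(acs_url: str) -> str:
    """Build an anchored pattern that accepts exactly one ACS URL.

    re.escape() turns every '.' in the host into a literal dot, so a host
    with the same shape but different punctuation is rejected.
    """
    return "^" + re.escape(acs_url) + "$"


def lookalike_host(url: str) -> str:
    """Constructed test input: the same URL with the host's dots replaced
    by dashes, which an unescaped '.' in a pattern cannot distinguish."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=parts.netloc.replace(".", "-")))


def audit_validator(pattern: str, data_center: str) -> dict:
    """Report whether a pattern accepts the real ACS URL of a data center
    and whether it also accepts a look-alike host."""
    acs = ACS_URLS[data_center]
    return {
        "accepts_acs_url": validator_accepts(pattern, acs),
        "accepts_lookalike_host": validator_accepts(pattern, lookalike_host(acs)),
    }


if __name__ == "__main__":
    for label, pattern in [("page", PAGE_VALIDATOR_US),
                           ("loose", LOOSE_VALIDATOR_US),
                           ("strict", strict_validator(ACS_URLS["US"]))]:
        print(label, audit_validator(pattern, "US"))
```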


# Step 2: Finish setup in Workato

1. Log in to Workato and navigate to Workspace admin > Settings > Authentication & provisioning.
2. In the Settings tab, fill in the fields as follows:
   • Workspace name: Enter a name for the workspace.
   • Authentication method: Select SAML based SSO.
   • Workspace ID: Enter a unique ID for the workspace. This is used to identify workspaces on login.
   • SAML provider: Select your SAML provider from the dropdown menu. If you are using Google G Suite, select Other SAML IdP.
   • Do you have your identity provider metadata URL?
     • Okta: If your identity provider is Okta, you must configure your SAML settings manually. Follow the instructions under "I don't have my metadata URL".
     • I have my metadata URL: If you have the metadata URL from your SAML provider:
       1. Select Yes.
       2. Paste the metadata URL into the Metadata URL field.
     • I don't have my metadata URL: If you don't have your metadata URL or plan to configure your SAML settings manually:
       1. Select No.
       2. Retrieve the following from your SAML provider:
          • Identity provider single sign-on URL
          • Identity provider issuer
          • X.509 certificate
   • Enable JIT provisioning: Refer to our Just-in-time provisioning guide for more information.
   • Enforce SAML Authentication: Enforce SAML SSO for all users. If you need to exempt a few collaborators while enforcing SAML SSO for the rest of the workspace, you can disable SSO selectively for those collaborators.
3. Click Validate settings.

   VALIDATION ERROR

   If you encounter a validation error, perform the following actions:

   1. Verify that the certificate is valid with a tool like sslshopper. Certificates must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
   2. Verify that your IdP SSO URL/metadata URL is in a valid format. Refer to your identity provider's SAML configuration guide.

4. After successful validation, click Save.


# Step 3: Assign SAML to users

After the SSO configuration is complete, you can start assigning the SAML application to your workspace members.

We'll use an Okta application as an example.

1. In Okta, navigate to the newly created SAML application: Applications > Workato > Assignments > Assign Users to App.
2. Okta displays a list of workspace members. Use this list to assign workspace members to the application.


# Log in to an SSO-enabled Workato workspace

WORKSPACE ACCOUNT OWNERS

Workspace owners cannot use SAML-based SSO to authenticate with the workspace. They must use their username and password instead.

When you enable SSO in Workato, access to a Workato workspace is controlled by your SAML provider. You must assign the SAML application to your workspace members in order to grant them access to a Workato workspace. Workspace members can then access their Workato accounts from the SAML provider such as:

  • Google G Suite: use your company or organization sign-in URL, for example, google.com/abc-example
  • Microsoft Azure Active Directory (AD): https://myapps.microsoft.com/
  • Okta: use your company or organization sign-in URL, for example, 123-example.okta.com
  • OneLogin: use your company or organization sign-in URL, for example, xyz-example.onelogin.com

REQUEST THE SSO URL FROM YOUR ADMIN

Reach out to your admin to request the SSO URL for your company or organization.

Steps to log in to an SSO-enabled Workato workspace vary depending on the SAML provider and the configuration set up by your administrator. For example, Okta and OneLogin accounts typically provide dashboards that allow you to select Workato (and other) applications that have SSO enabled. In the Okta dashboard, you can click the Workato application to log in to Workato:

(Screenshot: Workato app on Okta)

When a workspace member switches from their personal account to an SSO-enabled workspace account, they must authenticate through the SAML provider. This process will vary depending on the SAML provider and the configuration selected by the administrator. The following example demonstrates this process.

(Screenshot: switching to a workspace account with Okta authorization)

# Email Verification for SAML JIT Provisioning

For SAML JIT Provisioning, a user logging in for the first time through either SP-initiated SSO or IdP-initiated SSO must verify their email address.

When a user attempts to access the workspace for the first time, they will be prompted to verify their email before they can access the workspace.


Receive Invitation Email: Workato sends an email invitation to the selected users. Instruct users to click the link in the email to verify their email address:

(Screenshot: email invitation to join a workspace)

Once they receive the email, users need to access their email account and open the invitation.

The collaborator can then sign in to the assigned workspace with the role(s) you configured.

TROUBLESHOOTING

If clicking on the invitation email redirects you to the Workato login page instead of your organization’s workspace, it is likely that you already have a Workato account associated with the same email. If you have forgotten your login credentials, reset your password.

Verify Activity Audit Log: You can check the Workato activity audit log to confirm the addition of the user:

(Screenshot: activity audit log showing that a user has accepted an invitation)

# IdP-initiated SSO flow

To execute IdP-initiated flows (accepting SAML Responses directly generated by the IdP), the IdP may provide the team_id as a GET parameter. This allows Workato to identify the workspace the user is trying to access. If Workato does not have the team_id information, the SAML Response is ignored and Workato starts a fresh SP-initiated SSO flow.

At the IdP, configure the following value:

  • ACS URL: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume?team_id=TEAMID
    • EU data center: https://app.eu.workato.com/saml/consume?team_id=TEAMID
    • JP data center: https://app.jp.workato.com/saml/consume?team_id=TEAMID
    • SG data center: https://app.sg.workato.com/saml/consume?team_id=TEAMID
    • AU data center: https://app.au.workato.com/saml/consume?team_id=TEAMID

Where TEAMID is the Workspace ID configured in Workspace admin > Settings > Authentication & provisioning.
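As an added model of the routing rule just described (not Workato's own code), the Python below builds the team_id-bearing ACS URL for a data center and classifies the URL an IdP posted a SAML Response to: with a team_id the response is handled as IdP-initiated for that workspace, without one Workato ignores it and starts a fresh SP-initiated flow. The Workspace ID acme-dev-1 is the page's own example; treating a repeated team_id parameter as absent is this example's conservative assumption, not documented Workato behaviour.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed for this example: the ACS host of each Workato data center,
# as listed on this page.
DATA_CENTER_HOSTS = {
    "US": "www.workato.com",
    "EU": "app.eu.workato.com",
    "JP": "app.jp.workato.com",
    "SG": "app.sg.workato.com",
    "AU": "app.au.workato.com",
}
ACS_PATH = "/saml/consume"


def idp_initiated_acs_url(data_center: str, workspace_id: str) -> str:
    """ACS URL to configure at the IdP so that IdP-initiated SAML Responses
    carry the Workspace ID (team_id) Workato needs to route them."""
    host = DATA_CENTER_HOSTS[data_center]
    return f"https://{host}{ACS_PATH}?team_id={quote(workspace_id, safe='')}"


def classify_saml_response(posted_to: str) -> tuple:
    """Model of the rule above for a SAML Response posted to `posted_to`.

    Returns ("idp_initiated", team_id) when the URL is a Workato ACS
    endpoint carrying one team_id, and ("sp_initiated", None) when team_id
    is missing or empty, in which case the response is ignored and a fresh
    SP-initiated flow starts. Raises ValueError for a URL that is not a
    Workato ACS endpoint at all, so a misconfigured IdP fails loudly.
    """
    parts = urlsplit(posted_to)
    if (parts.scheme != "https"
            or parts.netloc not in DATA_CENTER_HOSTS.values()
            or parts.path != ACS_PATH):
        raise ValueError(f"not a Workato ACS endpoint: {posted_to}")
    # parse_qs drops empty values, so "team_id=" is treated as absent.
    team_ids = parse_qs(parts.query).get("team_id", [])
    # Assumption of this example: an ambiguous, repeated team_id is treated
    # as absent rather than picking one of the values.
    if len(team_ids) != 1:
        return ("sp_initiated", None)
    return ("idp_initiated", team_ids[0])


if __name__ == "__main__":
    url = idp_initiated_acs_url("EU", "acme-dev-1")
    print(url, "->", classify_saml_response(url))
    print(classify_saml_response("https://www.workato.com/saml/consume"))
```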


# Disable SSO for select users

In some situations you may need to disable SSO selectively for specific users in your workspace. For example, consider a situation where you must comply with your organization's SSO policies while also granting access to Workato to external users who do not have accounts in your identity provider. In such cases, it is possible to disable SSO for specific users without affecting the SSO settings for the entire workspace.

To disable SSO selectively:

1. Navigate to Workspace admin > Collaborators.
2. Click Invite collaborator to invite a new collaborator to your workspace. Alternatively, select an existing collaborator to edit their SSO settings.
3. Turn off the Enable SAML for this collaborator toggle to disable SAML SSO for this user.
4. Click Send invitation or Save changes to save your settings. You can enable SSO for this user at any time by navigating to Workspace admin and adjusting this collaborator's SSO settings.


# Troubleshooting

# "Unable to switch workspace" error message

If you are a workspace account owner and you try to access the workspace by using SAML-based SSO, you will encounter the following error message:

Unable to switch workspace: the user doesn't belong to the workspace

This message means that you cannot authenticate with Workato using SAML-based SSO because you are the workspace account owner. Instead, you must log in to the workspace using your username and password.


Last updated: 1/2/2024, 4:18:25 PM