# Enable Single Sign-On for a Workato workspace

Workato supports authentication using SAML-based Single Sign-On (SSO), allowing you to provide authorized access to Workato for multiple workspace members.

Combined with just-in-time (JIT) provisioning, SSO streamlines onboarding by eliminating the need to pre-provision Workato accounts.

ENFORCE SAML AUTHENTICATION

You can enforce SAML SSO for your workspace. When you do so, all workspace members (except for the workspace account owner) must authenticate through your identity provider. They cannot access the workspace and its resources by logging in with a Workato username and password.

Note that the account owner of the workspace cannot use SAML-based SSO to authenticate with the workspace. They must sign in with their username and password instead.


# Prerequisites

To fully configure SSO for Workato, you must have the following:


# Step 1: Create a Workato SAML application

The first step to enabling SSO for Workato is to create a SAML application for Workato in your SAML provider.

To get started, locate the instructions for your SAML provider:

KNOW YOUR WORKATO DATA CENTER?

Before proceeding, verify the data center your Workato account is in.

When setting up your SAML application, make sure to use the SSO URLs for your data center.

# Google G Suite


Refer to the Google Workspace Admin documentation for more details.

# In Workato

1

Navigate to Workspace admin > Settings > Login methods.

2

Fill in the following fields:

  • Authentication method: Select SAML based SSO.
  • Workspace handle: Provide a handle for the workspace. The maximum length is 20 characters.
  • SAML provider: Select Other SAML IdP.

3

Copy the Service provider (SP) entity ID.

Figure: Retrieve entity ID

# In your Google Admin console

1

Navigate to Apps > Web and mobile apps.

2

Click Add App > Add custom SAML app.

3

In the Service Provider Details window, fill in the configuration details as follows:

  • ACS URL: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume
  • Entity ID: Enter the Service provider (SP) entity ID obtained from Workato.
  • Start URL: Optional. This sets the RelayState parameter in a SAML request, which can be a URL to redirect users to after authentication. We recommend leaving this field empty, or providing the final destination to which you plan to direct users.

4

Finish configuring the app and defining settings as needed.

After you've finished the preceding steps, move on to the next step to complete the setup.

# Microsoft Azure Active Directory (AD)


Follow the Microsoft documentation for a complete step-by-step guide on configuring SAML-based SSO in Azure AD.

# In your Workato account

1

Navigate to Workspace admin > Settings > Login methods.

2

Select SAML based SSO in the Authentication method menu.

3

Fill in the Workspace handle field. The maximum length is 20 characters.

4

Select Azure Active Directory in the SAML provider menu.

5

Copy the Service provider (SP) entity ID:

Figure: Retrieve entity ID

# In your Azure portal

1

Create a Non-gallery application to connect Azure AD SSO to Workato:

  • Select Azure Active Directory > Enterprise applications.
  • Create a New application and choose Non-gallery application.

Refer to the Azure documentation for more details.

2

Navigate to the new application's Single sign-on tab and select SAML.

3

Fill in the configuration details as follows:

  • Identifier (Entity ID): Enter the Service provider (SP) entity ID obtained from Workato.

  • Reply URL (Assertion Consumer Service URL): Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume

  • Sign on URL: Locate your Workspace handle in Workato. Then, configure the URL for the data center you use. Replace {WORKSPACE_HANDLE} in the following URL with your actual workspace handle:
    • US data center: https://www.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
    • EU data center: https://app.eu.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
    • JP data center: https://app.jp.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
    • SG data center: https://app.sg.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}
    • AU data center: https://app.au.workato.com/saml/init?team_handle={WORKSPACE_HANDLE}

Figure: Azure SAML Configuration

4

Click Save.

Next, obtain your Azure AD Metadata URL. This is required to complete the SSO setup in Workato.

1

Navigate to the Single sign-on tab and locate the SAML Certificate details.

2

Copy the App Federation Metadata URL.

Figure: Azure AD metadata URL

After you've finished the preceding steps, proceed to the next step to complete the setup.

# CyberArk Idaptive


# In CyberArk Idaptive

1

Sign in to your CyberArk Idaptive admin console.

2

Navigate to the Apps & Widgets sidebar and select Add custom SAML app.

3

Name the application Workato.

4

Click Trust to configure SAML Settings.

5

Navigate to the Service Provider Configuration section and select Manual Configuration.

6

Provide the SAML settings as follows:

  • Audience: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/metadata
    • EU data center: https://app.eu.workato.com/saml/metadata
    • JP data center: https://app.jp.workato.com/saml/metadata
    • SG data center: https://app.sg.workato.com/saml/metadata
    • AU data center: https://app.au.workato.com/saml/metadata
  • Recipient: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume
  • ACS (Consumer) URL Validator: Use the pattern for your Workato data center:
    • US data center: ^https:\/\/www.workato.com\/saml\/*$
    • EU data center: ^https:\/\/app.eu.workato.com\/saml\/*$
    • JP data center: ^https:\/\/app.jp.workato.com\/saml\/*$
    • SG data center: ^https:\/\/app.sg.workato.com\/saml\/*$
    • AU data center: ^https:\/\/app.au.workato.com\/saml\/*$
  • ACS (Consumer) URL: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume

7

Select Assertion.

8

Leave other settings as the default unless otherwise specified by your Workato implementation details.

Figure: CyberArk Idaptive service provider configuration

9

Click Save.

10

Locate and copy the Metadata URL provided by CyberArk Idaptive. This is needed to complete the SSO setup in Workato.

Figure: CyberArk Idaptive metadata URL configuration

11

Obtain your Identity provider single sign-on URL, Identity provider issuer, and Signing certificate from CyberArk Idaptive. These values are required to complete the SSO setup in Workato.

12

Deploy the Workato SAML app to make it available to users within CyberArk Idaptive:

  1. Sign in to your CyberArk Idaptive admin console.
  2. Navigate to the Permissions section.
  3. Click Add and select a user, typically a system administrator responsible for managing the app deployment.
  4. Click Save to confirm the deployment.

13

Assign the Workato SAML app to role permissions in CyberArk Idaptive:

  1. Sign in to your CyberArk Idaptive admin console.
  2. Navigate to Core Services > Roles.
  3. Select Add Role and name it Workato Users to define permissions for users using Workato.
  4. Navigate to Assigned Applications, locate the Workato SAML app, select it, and click Add to associate it with the Workato Users role.
  5. Click Save to confirm the role assignments and complete the setup process.

Figure: Assign the Workato SAML app to roles

14

Users assigned the Workato Users role can find the Workato SAML app in their CyberArk Idaptive user portal. Clicking this app enables them to sign in to Workato and automatically provisions their account.

After you've finished the preceding steps, continue to the next step to complete the setup in Workato.

# Okta


# In Okta

1

Sign in to your Okta instance.

2

Navigate to Applications > Applications.

3

Click Create App Integration.

Figure: Add application on Okta

Refer to the Okta documentation for more information.

4

Select SAML 2.0 for the Sign on method in the window that displays.

Figure: Create a new application on Okta

5

Locate the Configure SAML tab and provide the Single Sign-On URL for your Workato data center:

  • US data center: https://www.workato.com/saml/consume
  • EU data center: https://app.eu.workato.com/saml/consume
  • JP data center: https://app.jp.workato.com/saml/consume
  • SG data center: https://app.sg.workato.com/saml/consume
  • AU data center: https://app.au.workato.com/saml/consume

6

Set Application username to Custom and enter the following expression. This expression converts the user email to lowercase:

toLowerCase(user.email)

Figure: Set Application username to Custom

7

Select the Use this for Recipient URL and Destination URL check box.

8

Provide the Audience URI (SP Entity ID) for your Workato data center:

  • Workato data centers:
    • US data center: https://www.workato.com/saml/metadata
    • EU data center: https://app.eu.workato.com/saml/metadata
    • JP data center: https://app.jp.workato.com/saml/metadata
    • SG data center: https://app.sg.workato.com/saml/metadata
    • AU data center: https://app.au.workato.com/saml/metadata

9

Click Other Requestable SSO URLs > Show Advanced Settings > Add Another and provide your Workato data center:

  • Workato data centers:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume

10

Find your Identity provider single sign-on URL, Identity provider issuer, and X.509 certificate in Okta. These values are required to complete the SSO setup in Workato.

  1. Sign in to your Okta account, navigate to Applications, and open the page for the newly created application.
  2. Go to the Sign On interface.
  3. Click View SAML setup instructions in the right sidebar.
  4. Copy the following values for use in Workato:
     • Identity provider single sign-on URL
     • Identity provider issuer
     • X.509 certificate

After you've finished the preceding steps, continue to the next step to complete the setup in Workato.

# OneLogin


# In OneLogin

1

Sign in to your OneLogin instance.

2

Navigate to Applications > Applications.

3

Click Add App.

Figure: Add application on OneLogin

4

Search for and select SAML Test Connector (IdP w/ attr w/ sign response).

Figure: SAML test connector

5

In the Application details, fill in the configuration details as follows:

  • Audience: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/metadata
    • EU data center: https://app.eu.workato.com/saml/metadata
    • JP data center: https://app.jp.workato.com/saml/metadata
    • SG data center: https://app.sg.workato.com/saml/metadata
    • AU data center: https://app.au.workato.com/saml/metadata
  • Recipient: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume
  • ACS (Consumer) URL Validator: Use the pattern for your Workato data center:
    • US data center: ^https:\/\/www.workato.com\/saml\/*$
    • EU data center: ^https:\/\/app.eu.workato.com\/saml\/*$
    • JP data center: ^https:\/\/app.jp.workato.com\/saml\/*$
    • SG data center: ^https:\/\/app.sg.workato.com\/saml\/*$
    • AU data center: ^https:\/\/app.au.workato.com\/saml\/*$
  • ACS (Consumer) URL: Use the URL for your Workato data center:
    • US data center: https://www.workato.com/saml/consume
    • EU data center: https://app.eu.workato.com/saml/consume
    • JP data center: https://app.jp.workato.com/saml/consume
    • SG data center: https://app.sg.workato.com/saml/consume
    • AU data center: https://app.au.workato.com/saml/consume

6

Click Save.

7

Next, retrieve your OneLogin Metadata URL. This is needed to complete the SSO setup in Workato.

  1. On the application's page, click More Actions.
  2. Right-click SAML Metadata and select Copy link address:

Figure: OneLogin metadata URL

After you've finished the preceding steps, proceed to the next step to complete the setup.
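One way to test an ACS (Consumer) URL Validator pattern before saving it, covering both the CyberArk Idaptive and OneLogin settings above. This is an added example, not Workato's or either IdP's code. It assumes the IdP's regex engine behaves like Python's `re`; `strict_validator` is a hypothetical alternative pattern, and the URLs in `unintended_urls` are constructed test inputs.

```python
import re

# Base URLs per Workato data center, as listed on this page.
DATA_CENTERS = {
    "US": "https://www.workato.com",
    "EU": "https://app.eu.workato.com",
    "JP": "https://app.jp.workato.com",
    "SG": "https://app.sg.workato.com",
    "AU": "https://app.au.workato.com",
}


def page_validator(base_url):
    """Rebuild the validator string exactly as printed on this page."""
    host = base_url[len("https://"):]
    return r"^https:\/\/" + host + r"\/saml\/*$"


def strict_validator(acs_url):
    """Hypothetical stricter pattern: the ACS URL as an escaped, anchored literal."""
    return "^" + re.escape(acs_url) + "$"


def unintended_urls(base_url):
    """Constructed URLs that a validator for this data center should reject."""
    host = base_url[len("https://"):]
    return [
        base_url + "/saml/",                                # not the ACS endpoint
        "https://" + host.replace(".", "X", 1) + "/saml/",  # different host name
        base_url + "/saml/consume/extra",                   # extra path segment
        "http://" + host + "/saml/consume",                 # not HTTPS
    ]


def audit_validator(pattern, acs_url, unintended):
    """Report whether the pattern accepts the ACS URL and which other URLs it lets through."""
    rx = re.compile(pattern)
    return {
        "accepts_acs": rx.search(acs_url) is not None,
        "accepted_unintended": [u for u in unintended if rx.search(u)],
    }


def audit_all(strict=False):
    """Audit the printed (or the strict) validator for every data center."""
    report = {}
    for dc, base in DATA_CENTERS.items():
        acs = base + "/saml/consume"
        pattern = strict_validator(acs) if strict else page_validator(base)
        report[dc] = audit_validator(pattern, acs, unintended_urls(base))
    return report


if __name__ == "__main__":
    for label, strict in (("as printed", False), ("strict", True)):
        for dc, result in audit_all(strict).items():
            print(label, dc, result)
```

With Python's `re`, the patterns as printed match only `/saml` followed by optional slashes, and the unescaped dots match any character. Confirm in your IdP that the validator you save accepts the ACS (Consumer) URL you configured.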


# Step 2: Finish setup in Workato

1

Sign in to Workato and navigate to Workspace admin > Settings > Login methods.

2

Fill in the following fields:

  • Authentication method: Select SAML based SSO.

  • Workspace handle: Provide a handle for the workspace. The maximum length is 20 characters.

  • SAML provider: Select your SAML provider from the SAML provider menu. If using Google G Suite, select Other SAML IdP.

  • Do you have your identity provider metadata URL?

    OKTA

    If your identity provider is Okta, you must configure your SAML settings manually. Follow the instructions contained in I don't have my metadata URL.

    # I have my metadata URL

    If you have the metadata URL from your SAML provider:

    1. Select Yes.
    2. Paste the metadata URL into the Metadata URL field.

    # I don't have my metadata URL

    If you don't have your metadata URL or plan to configure your SAML settings manually, you must:

    1. Select No.
    2. Retrieve the following from your SAML provider:
       • Identity provider single sign-on URL
       • Identity provider issuer
       • X.509 certificate

  • Enable JIT provisioning: Refer to our Just-in-time provisioning guide for more information.

  • Enforce SAML Authentication: Enforce SAML SSO for all users. If you need to disable SSO for a few workspace collaborators while keeping SAML SSO for the majority, you can disable SSO selectively.

3

Click Validate settings.

VALIDATION ERROR

If you encounter a validation error, perform the following actions:

  1. Verify that the certificate is valid with a tool like sslshopper. Certificates must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  2. Verify that your IdP SSO URL/metadata URL is in a valid format. Refer to your identity provider's SAML configuration guide.

4

After successful validation, click Save.


# Step 3: Assign SAML to users

After completing the SSO configuration, you can start assigning the SAML application to your workspace members.

The following example uses an Okta application:

1

Navigate to the newly created SAML application in Okta:

  • Applications > Workato > Assignments > Assign Users to App.

2

Okta displays a list of workspace members. Use this list to assign workspace members to the application.


# Sign in to an SSO-enabled Workato workspace

WORKSPACE ACCOUNT OWNERS

Workspace owners cannot use SAML-based SSO to authenticate with the workspace. They must use their username and password instead.

When you enable SSO in Workato, your SAML provider controls access to a Workato workspace. You must assign the SAML application to your workspace members to grant them access to a Workato workspace. Workspace members can then access their Workato accounts from the SAML provider, such as:

  • Google G Suite: Use your company or organization sign-in URL. For example, google.com/abc-example
  • Microsoft Azure Active Directory (AD): https://myapps.microsoft.com/
  • Okta: Use your company or organization sign-in URL. For example, 123-example.okta.com
  • OneLogin: Use your company or organization sign-in URL. For example, xyz-example.onelogin.com

REQUEST THE SSO URL FROM YOUR ADMIN

Reach out to your admin to request the SSO URL for your company or organization.

The steps to sign in to an SSO-enabled Workato workspace can vary depending on the SAML provider and the configuration set by your administrator. For instance, Okta and OneLogin accounts usually provide dashboards that allow you to select Workato (and other) applications with SSO enabled. In the Okta dashboard, you can click the Workato application to sign in:

Figure: Workato app on Okta

When a workspace member switches from their personal account to an SSO-enabled workspace account, they must authenticate through the SAML provider. This process will vary depending on the SAML provider and the configuration selected by the administrator. The following example demonstrates this process:

Figure: Switch to workspace account with Okta authorization

# Email verification for SAML JIT provisioning

For SAML JIT Provisioning, a user logging in for the first time through either SP-initiated SSO or IdP-initiated SSO must verify their email address.

When users attempt to access the workspace for the first time, Workato prompts them to verify their email before they can access it:

Figure: Workspace verification

Receive Invitation Email: Workato sends an email invitation to the selected users. Instruct users to click the link in the email to verify their email address:

Figure: Email invitation to join a workspace

Once users receive the email, they need to access their email account and open the invitation.

The collaborator can then sign in to the assigned workspace with the roles you have configured.

TROUBLESHOOTING

If clicking on the invitation email redirects you to the Workato login page instead of your organization’s workspace, you likely already have a Workato account associated with the same email. Reset your password if you have forgotten your login credentials.

Verify Activity Audit Log: You can check the Workato activity audit log to confirm the addition of the user:

Figure: Activity audit log showing that a user has accepted an invitation

# IdP-initiated SSO flow

To execute IdP-initiated flows (accepting SAML Responses directly generated by the IdP), the IdP may provide the team_id as a GET parameter. This allows Workato to identify the workspace the user is trying to access. If Workato does not have the team_id information, the SAML Response is ignored, and Workato starts a fresh SP-initiated SSO flow.

Configure the following value at the IdP:

  • ACS URL: Use the URL for your Workato data center

    • US data center: https://www.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
    • EU data center: https://app.eu.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
    • JP data center: https://app.jp.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
    • SG data center: https://app.sg.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}
    • AU data center: https://app.au.workato.com/saml/consume?team_id={WORKSPACE_HANDLE}

Where {WORKSPACE_HANDLE} is the Workspace handle configured in Workspace admin > Settings > Login methods.


# Disable SSO for select users

In some situations, you may need to disable SSO selectively for specific users in your workspace. For example, consider a situation where you must comply with your organization's SSO policies while also granting access to Workato to external users who do not have accounts in your identity provider. In such cases, it is possible to disable SSO for specific users without affecting the SSO settings for the entire workspace.

Complete the following steps to disable SSO selectively:

1

Navigate to Workspace admin > Collaborators.

2

Click Invite collaborator to invite a new collaborator to your workspace. Alternatively, select an existing collaborator to edit their SSO settings.

3

Toggle Enable SAML for this collaborator to disable SAML SSO for this user.

Figure: Disable SSO selectively

4

Click Send invitation or Save changes to save your settings. You can enable SSO for this user anytime by navigating to Workspace admin and adjusting this collaborator's SSO settings.


# Troubleshooting

# Unable to switch workspace error message

If you are a workspace account owner attempting to access the workspace using SAML-based SSO, you will encounter the following error message:

Unable to switch workspace: the user doesn't belong to the workspace

This message means that you cannot authenticate with Workato using SAML-based SSO because you are the workspace account owner. Instead, you must sign in to the workspace using your username and password.


Last updated: 7/9/2024, 3:51:30 PM