# Workato Identity

Workato Identity is a unified identity and access management system that lets you control user and group access for Agent Studio, Workato GO, and MCP features across your entire Workato account. It enables you to sync and manage users and groups from your external identity provider (IdP), or manually define users and groups within Workato. Users and groups are managed independently of environments to provide fine-grained control over user access.

FEATURE AVAILABILITY

Workato Identity is available for Agent Studio, Workato GO, and MCP.

Workato Identity enables you to:

  • Grant individual access for specific environments.
  • Define groups at the environment level.
  • Customize authentication methods for each environment. For example:
    • Dev: Password auth
    • Test: SSO
    • Prod: SSO
  • Reuse your IdP across environments or define a customized setup for individual environments.
  • Manually manage or sync users and user groups from your identity provider, such as Okta, Azure AD, or OneLogin.
  • Assign access to specific groups, making it easy for builders to scope access securely.
  • View and manage all user identities and group memberships from a centralized interface.

[Diagram: Identity management and Access management. In the configuration phase flow, "Register user identity" leads to "Provision credentials", which leads to "Customized access authorization for individual users and groups". In the operation phase flow, "Provide user identity" leads to "Enter credentials", which leads to "User and group access with permission control".]

# Authenticated user flows

Workato Identity includes the user’s identity as a signed JSON web token (JWT) at runtime in every interaction. This token is passed along with each message to allow components to verify identity and enforce access control. Each component is responsible for checking whether the authenticated user is authorized to perform the action, based on their group membership and the access policy for the platform feature. This ensures that the user is authorized to access specific functions and data.
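
The following is an added sketch, not Workato's code, of the per-component check described above: verify the signed token first, then test the user's group membership against the feature's access policy. The page does not specify the token algorithm or claim layout, so the HS256 shared key, the `sub`/`groups`/`exp` claim names, and the `POLICY` table are assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumptions for this sketch: HS256 with a shared demo key, the claim names
# "sub"/"groups"/"exp", and the POLICY table are all hypothetical.
KEY = b"constructed-demo-key"
POLICY = {"run_agent": {"support-agents", "admins"}, "edit_agent": {"admins"}}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims, key=KEY, alg="HS256"):
    """Build a constructed sample token (stands in for the issuer)."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify(token, key=KEY, now=None):
    """Return the claims if the token is authentic and unexpired, else raise."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        given = b64d(sig)
    except ValueError as e:  # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from e
    # Pin the algorithm: the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise PermissionError("token expired or missing exp")
    return claims

def authorize(token, action, now=None):
    """Verify identity first, then check group membership against the policy."""
    try:
        claims = verify(token, now=now)
    except PermissionError:
        return False
    allowed = POLICY.get(action, set())  # unknown action: deny by default
    return bool(allowed & set(claims.get("groups", [])))
```

Claims are parsed only after the signature check passes, and any verification failure or unknown action results in a denial.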

# SAML-based SSO

Workato Identity supports Security Assertion Markup Language (SAML)-based single sign-on (SSO). SAML-based SSO provides the following key features:

  • Just-in-Time (JIT) provisioning
    • You can enable JIT provisioning to automatically create user accounts when users first sign in through SSO. This eliminates the need for administrators to manually create accounts, which saves time and ensures that user information is always current.
  • Customizable attributes
    • You can configure both your identity provider (IdP) and your service provider (SP) to exchange information, such as group memberships, using specific custom SAML attributes.
  • Selective enforcement
    • Your organization can choose to enforce SAML-based authentication for all users or add users manually. This flexibility allows for compliance with organizational policies while accommodating common use cases for development and testing phases.


Last updated: 2/2/2026, 7:56:22 PM