# Identity provider user access
You can add users through your external identity provider (IdP). This enables you to authenticate end-user accounts for Agentic access. This authentication method doesn't grant end users access to Workato Orchestrate. You must configure SAML-based SSO through your IdP before you can provide a user with access.
# Set up authentication
You can configure Just-in-Time (JIT) provisioning and select which users require SAML-based authentication. You can customize authentication methods for each environment. For example:
- Dev: Password auth
- Test: SSO
- Prod: SSO
Complete the following steps to configure SAML settings for your environment authentication:
Sign in to your Workato account and go to Workspace admin.
Click Authentication & Groups in the sidebar.
Select the environment you plan to configure. The environment End-user group page displays by default.
ENVIRONMENT AVAILABILITY
Workspaces without Environments provisioned only have one environment available.
Select the Authentication tab.
Ensure that the SAML-based SSO authentication toggle is enabled.
Go to the Select an identity provider (IdP) section and click + Set up new provider.
Provide a name for your IdP in the Identity provider (IdP) name field. For example: Okta Prod.
Use the Enforce SAML authentication for drop-down menu to select who is required to use SAML-based authentication.
Click the Enable SAML Just-in-Time (JIT) provisioning toggle if you plan to automatically create accounts for new users who sign in using SAML-based SSO.
AUTOMATED ACCOUNT ENVIRONMENT ACCESS
User accounts are created with access to the environments you selected in the preceding steps by default.
Click the Enable user groups syncing toggle if you plan to update user groups from your identity provider. Refer to Enforce SAML-based SSO authentication for Okta for more information.
USER GROUP SYNCING ONLY SUPPORTED BY WORKATO GO
User group syncing is only available in Workato GO. The sync process triggers when users log in. Slack and Microsoft Teams users remain authenticated through their platform sessions without re-login prompts, preventing the user group sync from triggering.
Click Next.
Copy the Specify Single sign-on URL and Service provider (SP) entity ID values and paste each value into your IdP to enable access to Workato-powered apps and services.
Click Next.
Locate the Do you have your identity provider metadata URL? field and select Yes or No depending on whether you have access to your IdP metadata URL.
Click Set up.
# Configure your identity provider
Configure your external IdP to use your company-provided Single Sign-on (SSO), such as Okta, to authenticate user accounts.
Complete the following steps to configure your IdP:
Sign in to your Okta account.
Go to Applications > Applications and click Create App Integration.
Refer to the Okta documentation for more information.
Select SAML 2.0 as the Sign-in method and click Next.
Enter a name for the app in the App name field. For example, Workato Agentic or MCP Servers.
Click Next.
Paste your Workato Single Sign-On URL into the corresponding field in Okta.
Select the Use this for Recipient URL and Destination URL checkbox.
Paste the Service provider (SP) entity ID into the Audience URI (SP Entity ID) field.
Set Name ID format to EmailAddress.
Go to the Attribute Statements section and add the following attributes:
| Name | Value |
|---|---|
| workato_end_user_name | user.displayName |
| workato_end_user_groups | appuser.workato_end_user_groups |
Click Next.
Use the App type drop-down menu to choose This is an internal app that we have created.
Click Finish.
Go to Directory > People and add one or more users. You must complete the verification steps for each user.
Go to Applications > My App > Assignments.
Click Assign > Assign to People and add one or more users for My App.
Click Done.
Go to Applications > [Your App] > Sign On in Okta.
Copy the Metadata URL. You must use this URL in the Provide metadata from your IdP section of the Set up a new provider wizard in Workato. Refer to Set up environment authentication for more information.
Click Save changes.
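As an added example (not Workato's or Okta's code), the following Python sketch checks a decoded SAML response from a test sign-in against the Okta settings in the steps above: Destination and Recipient equal to the Single sign-on URL, Audience equal to the SP entity ID, the EmailAddress Name ID format, and both attribute statements. The URLs, the sample response and the function names are constructed placeholders, and the script checks configuration only; it does not verify the response signature.

```python
import xml.etree.ElementTree as ET

PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERT = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"p": PROTO, "a": ASSERT}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("workato_end_user_name", "workato_end_user_groups")
# Placeholders: use the values copied from the Workato setup wizard.
SSO_URL = "https://sp.example.test/sso"
SP_ENTITY_ID = "https://sp.example.test/entity"

def check_response(xml_text, sso_url=SSO_URL, sp_entity_id=SP_ENTITY_ID):
    """Return the settings from the steps above that a decoded response violates."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sso_url:
        problems.append("Destination")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:
        problems.append("Recipient")
    if sp_entity_id not in [e.text for e in root.findall(".//a:Audience", NS)]:
        problems.append("Audience")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format")
    values = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS) if v.text]
              for a in root.findall(".//a:Attribute", NS)}
    problems += [name for name in REQUIRED_ATTRS if not values.get(name)]
    return problems

def sample_response(destination=SSO_URL, name_format=EMAIL_FORMAT, groups="agents"):
    """Build a constructed, unsigned response; real ones come from the IdP."""
    return f"""<p:Response xmlns:p='{PROTO}' xmlns:a='{ASSERT}' Destination='{destination}'>
 <a:Assertion>
  <a:Subject><a:NameID Format='{name_format}'>ada@example.test</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient='{destination}'/>
   </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name='workato_end_user_name'><a:AttributeValue>Ada Example</a:AttributeValue></a:Attribute>
   <a:Attribute Name='workato_end_user_groups'><a:AttributeValue>{groups}</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    print(check_response(sample_response()))           # correctly configured app
    print(check_response(sample_response(groups="")))  # groups attribute sent empty
```

An empty `workato_end_user_groups` value is reported so you can confirm whether that is expected for the test user.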
Last updated: 2/2/2026, 7:56:22 PM