SAML-based single sign-on authentication

Enforcing SAML-based single sign-on (SSO) authentication for your Apps portal enhances security and user experience.

With SAML SSO, a trusted identity provider (IdP) manages authentication, implementing robust security measures and reducing the risk of password-related breaches. Your organization can enforce SAML-based authentication to comply with internal security policies and regulatory requirements, ensuring only authorized users access sensitive Workflow apps.

SAML-based SSO also streamlines the user experience by allowing users to sign in once and access multiple applications without separate logins. Additionally, it allows centralized management of user identities and access controls through the IdP, ensuring consistent application of access policies.

Sign in to the Apps portal through SAML-based SSO

Key features of SAML-based SSO for Workflow apps

SAML-based SSO for Workflow apps offers the following key features:

• Just-in-Time (JIT) Provisioning

• When SAML-based SSO is enforced, you can enable JIT provisioning to automatically create user accounts in the Apps portal when they first sign in through SSO. This eliminates the need for administrators to manually create accounts, which saves time and ensures that user information is always current.

• Customizable attributes

• SAML-based SSO supports the inclusion of custom attributes, such as group memberships and timeout duration, to tailor user experiences and access levels in your Apps portal.

• Selective enforcement

• Your organization can choose to enforce SAML-based authentication for all users or only for specified domains. This flexibility allows for compliance with organizational policies while accommodating external users who may not have accounts with the identity provider.

Compatible identity providers

Workflow apps supports SAML-based SSO with various identity providers (IdPs), including but not limited to:

• Google G Suite
• Microsoft Entra ID
• CyberArk Identity
• Okta
• OneLogin

How it works

To enable SAML-based SSO authentication, your IdP and the Workflow apps portal must exchange SAML metadata. This involves setting up a SAML application in your IdP with specific values, such as the single sign-on URL and metadata URL. After configuring these values, users can authenticate through the IdP, which then communicates with the Workflow apps portal to grant access.

The process of enabling SSO can vary based on your specific IdP. Refer to the Enforce SAML-based SSO authentication for Okta guide to learn how to enable this capability for Okta. This guide includes instructions for enabling user groups sync, which allows you to sync group assignments between the Apps portal and your IdP.

Set up SAML-based authentication

1

In Workato, go to Platform > Workflow apps portal > Settings > Security.

2

In the Authentication method field, select SAML based SSO.

Workato SAML setup

3

After you select SAML based SSO, the portal settings display the Single Sign-On URL and Audience URI (SP Entity ID). Use these values to set up a SAML application in your IdP.

The Single Sign-On URL and Audience URI (SP Entity ID) formats vary and are unique to your Apps portal subdomain/domain and the data center in which your account is located.

If you are using the default domain, the Single Sign-On URL follows this format:

https://{subdomain}.workato.app/portal/sso/saml/acs

Where {subdomain} is your portal's subdomain.

If you are using the default domain, the Audience URI (SP Entity ID) follows this format:

https://{subdomain}.workato.app/portal/sso/saml/metadata

Where {subdomain} is your portal's subdomain.

If you are using a custom domain, the Single Sign-On URL follows this format:

https://{custom-domain}/portal/sso/saml/acs

Where {custom-domain} is your custom domain name.

If you are using a custom domain, the Audience URI (SP Entity ID) follows this format:

https://{custom-domain}/portal/sso/saml/metadata

Where {custom-domain} is your custom domain name.

4

Provide metadata from your IdP. In the Do you have your identity provider metadata URL field, select Yes or No.

The steps to obtain the Identity provider metadata URL can vary depending on your identity provider. Refer to your IdP's documentation to learn how to obtain this value.

1

Sign in to your IdP and locate your Identity provider metadata URL.

2

Copy and paste this value into its corresponding field in Workato.

The steps to obtain the Single Sign On URL, Identity provider issuer, and x509 certificate can vary depending on your IdP. Refer to your IdP's documentation to learn how to obtain these values.

1

Sign in to your IdP and locate the Single Sign On URL, Identity provider issuer, and x509 certificate.

2

Download the x509 certificate.

3

Open the downloaded file in a text editor and verify that the certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

4

Copy the Single Sign On URL, Identity provider issuer, and x509 certificate and paste them into their corresponding fields in Workato.

5

In the Enforce SAML authentication for field, decide whether to enforce SAML authentication for all Workflow apps users or only specific domains.

Users outside those domains can sign in using password authentication. This approach is useful for complying with organizational SSO policies while allowing external users without an identity provider account to access Workflow apps.

6

Optionally, click Enable JIT (Just-In-Time) provisioning to automatically add users to the portal after identity provider authentication.

When JIT is enabled, any user signing in to Workato through SSO for the first time is automatically added to the portal.

7

Optionally, click Enable user groups syncing to sync user groups from your IdP. This step is mandatory if you plan to manage user groups through your IdP.

If you plan to enable user groups syncing

1

Specify the following SAML attributes in your identity provider:

	Name	Value
Attribute 1	workato_app_user_name	user.displayName
Attribute 2	workato_app_user_groups	appuser.workato_app_user_groups

8

Optionally, customize the session duration for the Apps portal by modifying the SessionNotOnOrAfter parameter in your identity provider. Otherwise, the default session timeout is five minutes.

Refer to your IdP's documentation to learn how to enable this capability for your app integration.

9

Click Save changes.