# SAML authentication

To enable SAML authentication to work, your Identity provider and the Workflow apps portal must exchange SAML metadata.

# Set up SAML Authentication


Select SAML Authentication.


After you select SAML Authentication, the portal settings display:

  • Single sign-on URL

    • Sample value:
    • https://example.workato.app/portal/sso/saml/acs
  • Metadata URL, or Service provider (SP) Entity ID

    • Sample value:
    • https://example.workato.app/portal/sso/saml/metadata

Set up a SAML application in your identity provider with these values.


(Optional). Toggle Enable JIT (Just-In-Time) provisioning to automatically add users to the portal after identity provider authentication.

If JIT is turned on, every user logging into Workato using SSO for the first time is automatically added to the portal.


(Optional). You can specify the following SAML attributes in your identity provider:

  • workato_app_user_name

  • The user name of a particular user.

  • workato_app_user_groups

  • A comma-separated list of groups the users must be in.


Choose to enforce SAML authentication for all users, or only specified domains. See SAML enforcement for more information.

# SAML enforcement

You can enforce SAML authentication for all users or only for specified domains. Users not belonging to those domains will be able to log in using password authentication. Consider a situation where you must comply with your organization's policies for using SSO but also plan to allow external users that don't have an account with your identity provider access to Workato. In that situation, it is useful to enforce SAML authentication only for specified domains.

Last updated: 2/13/2024, 1:10:22 AM