Configuration Guides

Configuring SAML SSO with Workato and PingOne

Learn how to enable Workato sign-on from the PingOne console (IdP-initiated sign-on) and direct Workato sign-on using PingOne (SP-initiated sign-on).

Before you begin

  • Link PingOne to an identity repository containing the users requiring application access.

  • Populate Workato with at least one user to test access.

  • You must have administrative access to PingOne and an Admin account on Workato.

Add the Workato application to PingOne

  1. In PingOne, go to Connections → Applications and click the + icon.

    Screen capture of PingOne Applications page.

  2. When you’re prompted to select an application type, select WEB APP and then click Configure next to SAML for the chosen connection type.

  3. Enter Workato as the application name.

  4. Enter a suitable description.

  5. Optional: Upload an icon.

  6. For Provide App Metadata, select Enter from URL.

  7. In the Import URL field, enter https://www.workato.com/saml/metadata?id=your-Workato-ID.

    your-Workato-ID is a value unique to your Workato account and can be found in the Workato Portal.

  8. In the ACS URLS field, enter https://www.workato.com/saml/consume.

  9. Select the Signing Key to use and then click Download Signing Certificate to download as X509 PEM (.crt).

  10. Leave SLO Endpoint and SLO Response Endpoint blank.

  11. In the Subject NameID Format list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  12. Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.

  13. Click Save and Continue.

  14. Workato expects an email address to identify a user in the SSO security assertion:

    • If you use an email address to sign on through PingOne, click Save and Close.

    • If you sign on with a username, in the PingOne User Attribute list, select Email Address to map that to the SAML_SUBJECT, then click Save and Close.

  15. Click the toggle to enable the application.

  16. On the Configuration tab of the newly created Workato application, copy and save the IDP Metadata URL value.

    You’ll need this when configuring SAML on Workato.

    Screen capture of PingOne Connection Details section.

Add PingOne as an identity provider (IdP) to Workato

  1. Sign on to the Workato console as an administrator.

  2. In the left navigation pane, click Tools.

  3. Click the Members tab.

  4. Select Team.

  5. Click the Settings tab.

    Screen capture of Workato Team page with Settings tab open.

  6. Enter a Team name for the team or company.

  7. In the Authentication method list, select SAML based SSO.

  8. In the SAML_provider list, select Other.

  9. Enter the Metadata URL for the Workato SP Connector in PingOne (the IDP Metadata URL value you saved earlier).

Test the PingOne IdP integration

  1. Go to the PingOne Application Portal and sign on with a user account.

    In the Admin console, go to Dashboard → Environment Properties to find the PingOne Application Portal URL.

  2. Click the Workato icon.

    You’re redirected to Workato and signed on with SSO.

Test the PingOne SP integration

  1. Go to https://app.workato.com/users/sign_in and enter your email address only.

  2. In the PingOne sign-on prompt, enter your PingOne username and password.

    Screen capture of PingOne sign-on page.

    You’re redirected back to Workato and signed on.
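
After a test sign-on, you can confirm that the assertion PingOne issued reflects the ACS URL, Subject NameID Format and Assertion Validity Duration configured above. The following is an added example, not part of the Ping Identity or Workato documentation: it checks a decoded assertion, uses a constructed sample with made-up values, does not verify the XML signature, and assumes the validity duration appears as Conditions NotOnOrAfter minus IssueInstant.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ACS = "https://www.workato.com/saml/consume"  # ACS URLS field
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_VALIDITY_SECONDS = 300  # Assertion Validity Duration used in this guide

# Constructed sample: a decoded, unsigned assertion with made-up values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://www.workato.com/saml/consume"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC; drop optional fractional seconds and the Z suffix.
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")

def check_assertion(xml_text):
    """Return a list of findings; an empty list means the settings match."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found (is it encrypted?)"]
    findings = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EXPECTED_FORMAT:
        findings.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        findings.append("NameID value is not an email address")
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != EXPECTED_ACS:
        findings.append("Recipient does not match the ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    end, issued = (cond.get("NotOnOrAfter") if cond is not None else None), assertion.get("IssueInstant")
    if not end or not issued:
        findings.append("validity window is missing")
    else:
        window = (_ts(end) - _ts(issued)).total_seconds()
        if window > MAX_VALIDITY_SECONDS:
            findings.append(f"validity window is {int(window)}s, over {MAX_VALIDITY_SECONDS}s")
    return findings

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

An empty list means the sample matches the configured values; each finding names the setting to recheck in the PingOne application.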