Learn how to enable Workato sign on from the PingOne console (IdP-initiated sign on) and direct Workato sign on using PingOne (SP-initiated sign on).
- Link PingOne to an identity repository containing the users requiring application access.
- Populate Workato with at least one user to test access.
- You must have administrative access to PingOne and an Admin account on Workato.
Add the Workato application to PingOne:
In PingOne, go to and click the + icon.
- When you’re prompted to select an application type, select WEB APP and then click Configure next to SAMLfor the chosen connection type.
- Enter Workato as the application name.
- Enter a suitable description.
- Optional: Upload an icon.
- For Provide App Metadata, select Enter from URL.
In the Import URL field, enter
<your Workato ID> is a unique value to your Workato account and can be found in the Workato Portal.
- In the ACS URLS field, enter https://www.workato.com/saml/consume.
- Select the Signing Key to use and then click Download Signing Certificate to download as X509 PEM (.crt).
- Leave SLO Endpoint and SLO Response Endpoint blank.
- In the Subject NameID Format list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.
- Click Save and Continue.
Workato expects an email address to identify a user in the SSO security
- If you use an email address to sign on through PingOne, click Save and Close.
- If you sign on with a username, in the PingOne User Attribute list, select Email Address to map that to the SAML_SUBJECT, then click Save and Close.
- Click the toggle to enable the application.
On the Configuration tab of the newly-created
Workato application, copy and save the IDP Metadata
You’ll need this when configuring SAML on Workato.
- In PingOne, go to and click the + icon.
Add PingOne as an identity
provider (IdP) to Workato:
- Sign on to the Workato console as an administrator.
- In the left navigation pane, click Tools.
- Click the Members tab.
- Select Team.
Click the Settings tab.
- Enter a Team name for the team or company.
- In the Authentication method list, select SAML based SSO.
- In the SAML_provider list, select Other.
- Enter the Metadata URL for the Workato SP Connector in PingOne.
Test the PingOne IdP
Go to the PingOne
Application Portal and sign on with a user account.
In the Admin console, go to PingOne Application Portal URL.to find the
Click the Workato icon.
You're redirected to the Workato web site and signed on with SSO.
- Go to the PingOne Application Portal and sign on with a user account.
Test the PingOne SP
- Go to https://app.workato.com/auth/login and enter your email address only.
In the PingOne
sign-on prompt, enter your PingOne username and password.
You’re redirected back to Workato and signed on.