Prerequisite
Please make sure you have a custom domain setup for your enterprise (setup under Settings > Enterprise > General > Domains).
This will be the dedicated login link for your company. If a user attempts to sign in from the generic login page, they will be redirected to this page to enter their credentials for SSO.
Getting Started
Navigate down to the Primary SSO Provider settings of the page:
You will need to provide three pieces of information:
Entity ID - A URL that uniquely identifies your SAML identity provider.
Single Sign-On URL - This is the SSO URL that WorkRamp will direct your users to when they access WorkRamp.
Certificate - This is the certificate WorkRamp will require to verify your users identity during the sign on process. This should be provided by your SSO provider, such as Okta or OneLogin. If you have any trouble finding this certificate, contact your SSO provider or the WorkRamp team.
SSO Label - This is optional. It will be used to label the Sign in buttons that users will be presented with, so they can choose which provider they will use credentials for. If this label is left blank, the button will read "Sign in with single sign on".
WorkRamp SP Settings
If you are using Okta you can skip this step. If you are manually setting up a SAML application in another system then you will need WorkRamp's SP settings. These can be found here: https://app.workramp.com/saml/metadata. Depending on the system you are using, you can either directly import that XML file or copy and paste the settings from that url.
If you are a customer on the EU instance, your settings can be found here: https://app.eu.workramp.com/saml/metadata.
You can check whether you are an EU instance customer by looking at your WorkRamp URL. If it contains "app.eu.workramp.com" you are on the EU instance.
Running an SSO Test
Once you have finished adding your SAML Settings, we recommend running a quick test to make sure it works.
To run this test, check the box beside "Enable SSO (SAML)."
IMPORTANT: Make sure you run this test in an incognito window or separate browser. Do NOT sign out of your account because you may be locked out of your account if the SSO setup is incorrect.
You should also run this test in non-peak hours or for a short period of time. This will lock out any users if the configuration is not set up properly.
To test, go to your custom domain (from the prerequisite section at the top):
The login flow should take you to your Identity Provider (i.e. Okta) as the next step and redirect you back to WorkRamp when completed. If this does not work, the setup was incorrect and you should toggle SSO off until fixed.
================
Additional SSO Settings
Multiple SSO Providers
You can configure more than one SSO provider, in the event that your Enterprise has learners who need to access your Employee LMS via different SAML SSO authentication methods.
Click "+ Add additional provider", and follow the same steps above to configure each additional provider:
This is what your users will see logging in at your custom domain:
Note: Only the Primary SSO provider allows syncing of groups.
External Users
You also have the ability to allow external users to sign in with a username and password. Users who do not have a domain listed in the Internal Domains field will be presented with a Username and Password login instead of being redirected to the SSO login page.
Note: If you want to allow external users to login with username and password, and you also want to allow users with various email domains to login with SSO, you will need to add those various email domains to the Internal Domains list to achieve this functionality.
Auto Provisioning
Accounts will be automatically provisioned for users signing in via SSO (SAML) if they don't already exist.
Note: This also applies to SSO with Google.
Note: WorkRamp will support SAML 2.0 based Single Sign On for select accounts.
For Okta, we are also listed in the Okta Application Network (OAN) that you can access via your Okta portal.