Setting Up SSO with Google Suite

Prerequisite

Please make sure you have a custom domain setup for your enterprise.
You can set it up under [Settings] > Enterprise > General > Domains.
This will be the dedicated login link for your company. If a user attempts to sign in from the generic login page, they will be redirected to this page to enter their credentials for SSO.

Scroll down to the Primary SSO Provider settings section:

You will need to provide three pieces of information:

Set-up within Google Suite
When configuring SSO for WorkRamp within Google Suite, please make sure to input the following Service Provider Details:

If you are a customer on the EU instance, please use the following values:

You can check whether you are an EU instance customer by looking at your WorkRamp URL. If it contains "app.eu.workramp.com" you are on the EU instance.

Running an SSO Test

Once you have finished adding your SAML Settings, we recommend running a quick test to make sure it works.

To run this test, check the box beside "Enable SSO (SAML)."

IMPORTANT: Make sure you run this test in an incognito window or separate browser. Do NOT sign out of your account because you may be locked out of your account if the SSO setup is incorrect. 

You should also run this test in non-peak hours or for a short period of time as this will lock out any users if the configuration is not set up properly.
​

To test, go to your custom domain (from the prerequisite section at the top):

The login flow should take you to your Identity Provider (i.e. Okta) as the next step and redirect you back to WorkRamp when completed. If this does not work, the setup was incorrect and you should toggle SSO off until fixed.

External User Login

You also have the ability to allow external users to sign in with a username and password. Users who do not have a domain listed in the Internal Domains field will be presented with a Username and Password login instead of being redirected to the SSO login page. 

Auto Provisioning

Accounts will be automatically provisioned for users signing in via SSO (SAML) if they don't already exist. 

Note: This also applies to SSO with Google.
​
​

Enable First and Last Name Mapping
To allow for first and last names to map from Google to our platform, you will need an administrator for your Google Suite to go to their Google Admin portal and navigate to Apps > SAML Apps and go into their WorkRamp Settings.
Once there, they will need to go to the Attribute Mapping section set up like below:

We are unable to map Manager value at this time.

Setting Up Group Sync

In Google Suite

Navigate to the SAML attribute mapping page and add the Groups in the Group membership section.

To sync groups, you’ll need to update 1 additional row in the Google Admin portal.

In the above row (which should be just below the “attribute mapping” fields), you’ll want to:

Your groups will be synced for users signing in via SSO. If groups don't already exist, they will be created automatically.

Google documentation: About group membership mapping - Google Workspace Admin Help

In WorkRamp

Once set up, check the Sync Groups option on the Settings > Enterprise page of WorkRamp.

Note: Since this is based on SSO, the information is only sent over and updated when the user logs in. If not seeing the user's Group data sync over, ask the user to log out and back in to WorkRamp.

Your groups will be synced for users signing in via SSO. If groups don't already exist, they will be created automatically.

By selecting Sync selective groups, only the group names you list will be synced and assigned to users.
​