Prerequisite
Please make sure you have a custom domain setup for your enterprise.
You can set it up under [Settings] > Enterprise > General > Domains.
This will be the dedicated login link for your company. If a user attempts to sign in from the generic login page, they will be redirected to this page to enter their credentials for SSO.
In this guide we will cover two configurations:
Azure SAML Configuration
1. From Microsoft Entra ID (pka Azure Active Directory), find “Enterprise Applications” or "All applications":
2. Click on “New application”
3. Click on “Create your own application”
4. Type in “WorkRamp” as the name and click on the “Create” button at the bottom of the drawer
5. From the next page click on “Set up single sign on”
6. Select “SAML”
7. Click on the edit icon under “Basic SAML Configuration”
8. Enter in the following information:
Identifier: https://app.workramp.com/saml/metadata
Reply URL: https://app.workramp.com/saml/consume
If you are a customer on the EU instance, please use the following values:Identifier: https://app.eu.workramp.com/saml/metadata
Reply URL: https://app.eu.workramp.com/saml/consume
You can check whether you are an EU instance customer by looking at your WorkRamp URL. If it contains "app.eu.workramp.com" you are on the EU instance.
Then click the “Save” button at the top left of the drawer:
9. From the same page as in step 7 above, scroll down to the “SAML Certificates” and “Set up WorkRamp” sections.
Here we are collecting three values we will need to add to WorkRamp settings:
Certificate: click "Download” next to “Certificate (Base64)”.
Open the corresponding downloaded file in a text editor and copy the text.
Single Sign-On URL: copy the value in the field labeled "Login URL"
Entity ID: copy the value in the field labeled "Microsoft Entra Identifier"
10. In WorkRamp, navigate to Settings > Enterprise > scroll down to SSO Settings:
Click the “Enable SSO (SAML)” checkbox
SSO Label is optional and only required if you have multiple SSO providers that employee users will be using to log into WorkRamp
Paste in the values for the three field you gathered from Microsoft in Step 9:
11. SAML SSO should now be set up.
You can test by going to your custom login page for WorkRamp (e.g. yourcustomdomain.workramp.com).
Tips: log out of WorkRamp before testing.
You also have to make sure to assign the WorkRamp application to actual users in Azure (otherwise you will get an error message on Azure saying this user does not have permission to access this application).
Microsoft Entra / Azure SCIM Configuration
1. From Microsoft Entra ID (pka Azure Active Directory), find “Enterprise Applications” or "All applications":
2. Click on the “WorkRamp” application (we created this above in the SAML instructions)
3. Click on “Provisioning” in the left-hand navigation:
4. Select "Automatic" Provisioning Mode.
5. Enter in the following information for the fields:
Tenant URL: https://app.workramp.com/scim/v2
If you are a customer in the EU instance, please use:
Tenant URL: https://app.eu.workramp.com/scim/v2
Secret Token: Follow the steps here to generate your API token.
Once you have filled out the form, click on the “Test Connection” button. If everything went well, then you should get a success message saying “The supplied credentials are authorized to enable provisioning”.
Click on the “Save” button at the top left of the page to finalize the settings.
6. After saving, a new section will appear on the page called "Mappings"
By default, Groups and Users will be enabled.
Everything should be set for provisioning now. Existing user/groups assignments should sync over. Any new users/groups that are assigned the WorkRamp application will also be synced over.
7. Attribute Mapping
In the Mappings section, click on "Provision Azure Active Directory Users":
Click on "objectID" in the Attribute Mappings list.
In the side window, check that:
Source attribute = objectId
Target attribute = externalId
To set up Manager sync, navigate back to the Attribute Mapping page and check the box for "Show advanced options."
In the Supported Attributes section, click on 'Edit attribute list for custommappsso'.
Add a new row add the following as a String:
urn:ietf:params:scim:schemas:extension:workramp:2.0:User:manager
Click Save and navigate back to the Attribute Mapping list.
In the Attribute Mapping list, check to see if you already have a Manager attribute.
If you do, click on Manager to check that it is mapped to Target attribute we just created.
If you do not have Manager in the list, add a new mapping for "manager" and for the Target attribute select the one just created. If you don't see it listed, try refreshing your page.
Adding Custom Attributes
To add custom attributes, click on 'Edit attribute list for custommappsso' in the Supported Attributes section of the Attribute Mapping page.
To create the Attribute String, use the following:
urn:ietf:params:scim:schemas:extension:workramp:2.0:User:WORKRAMP_CUSTOM_ATTR_API_NAME
Once the attribute has been created, navigate back to the Attribute Mapping list to create your custom attribute.
FAQ
Why isn't the Manager attribute syncing over to WorkRamp correctly?
Try adjusting the Target attribute to manager instead.