You will want to make sure you have a custom domain set up for your enterprise (setup link here: https://app.workramp.com/admin/settings/enterprise). This will be the dedicated login URL for your company. If a user lands on a generic login page, they will still get redirected to this page to enter their credentials for SSO.
Get started by navigating to your SSO settings page: https://app.workramp.com/admin/settings/enterprise
You will need to provide three pieces of information:
- Entity ID - A URL that uniquely identifies your SAML identity provider. For Okta customers, it is usually formatted as: http://www.okta.com/[ID from SSO sign-in URL]
- Single Sign-On URL - This is the SSO URL that WorkRamp will direct your users to when they access WorkRamp. For Okta, it could be formatted as: https://COMPANYNAME.okta.com/app/workramp/[ID]/sso/saml
- Certificate - This is the certificate WorkRamp will require to verify your users' identity during the sign-on process. This should be provided by your SSO provider, such as Okta or OneLogin. If you have any trouble finding this certificate, contact your SSO provider or the WorkRamp team.
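A pre-flight check for the three values above, as an added example that is not WorkRamp's or Okta's own code. It assumes your identity provider offers a SAML 2.0 metadata XML document and reads the Entity ID, Single Sign-On URL and signing certificate from it, so you can compare them with what you paste into the settings page. The sample metadata, `EXAMPLEID` and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
FAKE_DER = b"\x30\x82\x00\x10" + b"constructed-cert"
# Constructed sample metadata; COMPANYNAME and EXAMPLEID are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://COMPANYNAME.okta.com/app/workramp/EXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return (settings, problems) for the three values the settings page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    problems = []
    if idp is None:
        return {}, ["no IDPSSODescriptor: this is not identity provider metadata"]
    sso = idp.find("md:SingleSignOnService", NS)
    sso_url = sso.get("Location", "") if sso is not None else ""
    cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_b64 = "".join((cert_el.text or "").split()) if cert_el is not None else ""
    try:
        der = base64.b64decode(cert_b64, validate=True)
    except ValueError:
        der = b""
    if not root.get("entityID"):
        problems.append("missing entityID")
    if urlparse(sso_url).scheme != "https":
        problems.append("Single Sign-On URL is not https")
    if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        problems.append("certificate is missing or not base64 DER")
    settings = {"entity_id": root.get("entityID"), "sso_url": sso_url,
                "cert_sha256": hashlib.sha256(der).hexdigest() if der else None}
    return settings, problems
```

The `cert_sha256` value gives you a short fingerprint to confirm that the certificate you paste is the one your identity provider issued, rather than comparing the full base64 text by eye.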
Running an SSO Test
Once you have finished adding your SAML Settings, you will want to run a quick test to make sure it works.
To run this test, flip on this setting and open up a new incognito tab or different browser:
IMPORTANT: Make sure you run this test in an incognito window or separate browser. Do NOT sign out of your account because you may be locked out of your account if the SSO setup is incorrect.
You should also run this test during non-peak hours or for a short period of time, because enabling the setting will lock out any users if the configuration is not set up properly.
Go to your custom domain (from the prerequisite section at the top):
The login flow should take you to your Identity Provider (e.g. Okta) as the next step and redirect you to WorkRamp when completed. If this does not work, the setup was incorrect and you should toggle SSO off until it is fixed.
Additional SSO Settings
You also have the ability to allow external users to sign in with a username and password. Users who do not have a domain listed in the Internal Domains field will be presented with a Username and Password login instead of being redirected to the SSO login page.
Accounts will be automatically provisioned for users signing in via SSO (SAML/OAuth) if they don't already exist.
Note: This also applies to SSO with Google.
Your groups will be synced for users signing in via SSO. If groups don't already exist, they will be created automatically.
By selecting Sync selective groups, only the group names you list will be synced and assigned to users.
Note: WorkRamp will support SAML 2.0 based Single Sign On for select accounts. For Okta, we are also listed in the Okta Application Network (OAN) that you can access via your Okta portal.
To see if your account level offers SSO, please get in touch with your account representative.
If you have any questions, email firstname.lastname@example.org, or leverage your chat window in the bottom right-hand corner of your screen!