Prerequisite
Please make sure you have a custom domain setup for your enterprise.
You can set it up under [Settings] > Enterprise > General > Domains.
This will be the dedicated login link for your company. If a user attempts to sign in from the generic login page, they will be redirected to this page to enter their credentials for SSO.
Creating the WorkRamp App in OneLogin
In your OneLogin Admin Portal, under the “Applications” tab, click the [Add App] button in the top right corner of the screen.
In the search bar in the top left corner of the screen, search for “SCIM Provisioner with SAML (SCIM v2 Core)”. This is the type of application we’ll be looking to set up. Click on that search result:
Enter the desired information on the below screen, then click the “Save” button on the top right corner of the page to create your new WorkRamp application.
Congrats! You’ve successfully created your new WorkRamp SCIM and SAML SSO application in OneLogin. Now let’s set up the SAML SSO.
SAML SSO Setup
Open the WorkRamp application from your list of applications in OneLogin and click on the SSO tab on the left sidebar. This will bring you to the SSO configuration page for your application:
First, copy the certificate generated by OneLogin into your SSO settings in WorkRamp. To start, click the “View Details” link underneath the “X.509 Certificate” subsection on the above page. On the Certificate Details page, click the “Copy” icon next to the “X.509 Certificate” section:
Navigate to your SSO Settings page and enter the copied certificate into the Certificate field.
Back in OneLogin, navigate back to your new Application’s SSO configuration page. Click the “Copy” icon next to the “Issuer URL” section, this is the value we want to save in the “Entity ID” text field in the SSO Settings in WorkRamp. Similarly, click the “Copy” icon next to the “SAML 2.0 Endpoint (HTTP)” section, this is the value we want to save in the “Single Sign-On URL” text field in the SSO Settings in WorkRamp.
We’ve now entered all the information from OneLogin’s settings into WorkRamp’s SSO settings. To complete the set up in OneLogin, navigate to the “Configuration” tab in the left sidebar. Under the “Application details” section, enter the following values:
SAML Audience URL: https://app.workramp.com/saml/metadata
SAML Consumer URL: https://app.workramp.com/saml/consume
If you are a customer on the EU instance, please use the following values:
SAML Audience URL: https://app.eu.workramp.com/saml/metadata
SAML Consumer URL: https://app.eu.workramp.com/saml/consume
You can check whether you are an EU instance customer by looking at your WorkRamp URL. If it contains "app.eu.workramp.com" you are on the EU instance.
Once complete, click on the “Save” button in the top right corner of the page.
You are now ready to enable SSO and Auto Provisioning (if desired) in WorkRamp:
Your WorkRamp enterprise is now configured for SAML SSO with OneLogin!
Running an SSO Test
Once you have finished adding your SAML Settings, we recommend running a quick test to make sure it works.
To run this test, check the box beside "Enable SSO (SAML)."
IMPORTANT: Make sure you run this test in an incognito window or separate browser. Do NOT sign out of your account because you may be locked out of your account if the SSO setup is incorrect.
You should also run this test in non-peak hours or for a short period of time as this will lock out any users if the configuration is not set up properly.
To test, go to your custom domain (from the prerequisite section at the top):
The login flow should take you to your Identity Provider (i.e. Okta) as the next step and redirect you back to WorkRamp when completed. If this does not work, the setup was incorrect and you should toggle SSO off until fixed.
Additional SSO Settings
External Users
You also have the ability to allow external users to sign in with a username and password. Users who do not have a domain listed in the Internal Domains field will be presented with a Username and Password login instead of being redirected to the SSO login page.
Group Sync
To set up Group Sync, please see our help article here: http://help.workramp.com/en/articles/5243024-syncing-groups-from-onelogin-to-workramp
SCIM Provisioning
To set up SCIM Provisioning, please see our additional help article: http://help.workramp.com/en/articles/5236710-setting-up-scim-provisioning-with-onelogin