This guide provides the steps required to configure SAML SSO (Single Sign-On) with Okta for WorkRamp and includes the following sections:
Prerequisites
Supported features
Important note
Step-by-step configuration instructions
Running an SSO test
Additional SSO settings
SP-initiated flow
Prerequisites
The following prerequisites are required before you can configure provisioning:
Have an enterprise account set up in WorkRamp and have access to an admin user account.
Have a custom subdomain set up in WorkRamp ("Settings" → "Enterprise").
Supported features
High-level overview: This integration allows users to sign on to WorkRamp using their Okta account.
IdP-initiated SSO (Single Sign-On)
SP-initiated SSO
Auto-provisioning of accounts
The following SAML attributes are supported:
FirstName: user.firstName
LastName: user.lastName
Groups: This will be configured in the app UI; see "Group attribute" section below.
For more information on the listed features, visit the Okta Glossary.
Important note
NOTE: Enabling SAML affects all internal users who use this application. When SAML is enabled, users in your organization will not be able to sign in using their regular WorkRamp credentials. They will be able to access the app through the Okta service.
This guide will instruct you on how to test your configuration in a way that does not lock you out of the application if it is misconfigured. However, if you do become locked out, please contact the WorkRamp Support team (support@workramp.com) and ask them to disable SAML.
Step-by-step configuration instructions
1. If you don't already have a custom subdomain set up for your WorkRamp account:
Navigate to the "Settings" tab in the WorkRamp admin console.
Navigate to the "Enterprise" tab (note that the other tabs may differ from this screenshot depending on your user account's permissions) and enter the subdomain that users will use to access your enterprise.
2. In your Okta admin dashboard, navigate to the "Applications" tab, then the "Applications" subtab, then click "Browse App Catalog".
3. Enter "workramp" in the search bar, click the matching result, and click "Add Integration" on the page that comes up.
4. On the next screen, select a label for the application, select your region (if you don't know, select "US (default)") and click "Done".
Note: If your WorkRamp account is on the EU instance, please select "EU" for Region.
5. After you click the "Done" button, the WorkRamp application will be added to your account. The "Assignments" configuration section of the WorkRamp application will be selected. From here, navigate to the "Sign On" tab.
6. Scroll to the "SAML 2.0" section and click "More details" to expand the section.
7. Copy the values for "Sign on URL", "Issuer", and "Signing Certificate" to Notepad or a similar application where you can easily retrieve them.
8. Now, in the WorkRamp admin console, navigate to the "Settings" → "Enterprise" page as discussed in step 1, and scroll to the "SSO Settings" section. In the "Primary SSO Provider" sub-section, fill out the fields as follows:
SSO Label: Whatever you want – will be displayed to users on the login page.
Entity ID: The "Issuer" value you copied from Okta.
Single Sign-On URL: The "Sign on URL" value you copied from Okta.
Certificate: The "Signing Certificate" value you copied from Okta.
If desired, also check "Sync groups" and an option underneath.
9. When you've filled out all of these values, select "Enable SSO (SAML)", and if desired, also check "Allow external users to sign in with username and password". The Information icon next to the option offers an explanation of this setting. You can also refer to the "External users" section below for more information.
10. To ensure that you do not lock out users if your settings are incorrect, before navigating away from the page, we recommend running a test as described in the next section.
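A pre-flight check for the three values copied in step 7, before they are pasted in step 8. This is an added example, not WorkRamp or Okta code; it assumes the certificate is PEM or bare base64, and the function names and sample values are hypothetical. It catches a partially copied certificate and returns a SHA-256 fingerprint that can be compared with the fingerprint of the source certificate.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(pasted):
    """Decode a pasted certificate (PEM or bare base64) to DER, or raise ValueError."""
    match = PEM_RE.search(pasted)
    body = "".join((match.group(1) if match else pasted).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        raise ValueError("certificate is not valid base64 (partial copy?)") from None
    # Assumption: an X.509 certificate is a DER SEQUENCE with a two-byte length (30 82 LL LL).
    if len(der) < 4 or der[:2] != b"\x30\x82":
        raise ValueError("certificate does not start with a DER SEQUENCE header")
    declared = int.from_bytes(der[2:4], "big") + 4
    if declared != len(der):
        raise ValueError(f"certificate truncated or padded: header says {declared} bytes, got {len(der)}")
    return der

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form certificate viewers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_okta_values(sign_on_url, issuer, certificate):
    """Return (problems, fingerprint) for the three values copied in step 7."""
    problems, fp = [], None
    url = urlsplit(sign_on_url.strip())
    if url.scheme != "https" or not url.netloc:
        problems.append("Sign on URL must be an absolute https:// URL")
    if not issuer.strip():
        problems.append("Issuer is empty")
    try:
        fp = fingerprint(cert_der(certificate))
    except ValueError as exc:
        problems.append(str(exc))
    return problems, fp

# Constructed sample input: a DER-shaped placeholder, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_URL, SAMPLE_ISSUER = "https://idp.example/sso/saml", "https://idp.example/issuer"

if __name__ == "__main__":
    print(check_okta_values(SAMPLE_URL, SAMPLE_ISSUER, SAMPLE_PEM))
```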
Running an SSO test
NOTE: Make sure you run this test in an incognito window or separate browser. Do NOT sign out of your account, as you may be locked out of your account if the SSO setup is incorrect.
You should also run this test during non-peak hours or for a short period of time. Otherwise, if the configuration is not set up properly, enabling SSO will lock out users.
In your incognito window or separate browser, navigate to your custom domain. You should see the SSO sign-in prompt:
The login flow should take you to Okta as the next step and redirect you back to WorkRamp when completed. If this does not work, the setup was incorrect and you should toggle SSO off until fixed.
Additional SSO settings
Multiple SSO providers
You can configure more than one SSO provider in the event that your Enterprise has learners who need to access your Employee LMS via different SAML SSO authentication methods.
Click "+ Add additional provider" and follow the steps above to configure each additional provider.
Now, if a user clicks "More sign-in options" on the login page, they will have this section in their sign-in prompt:
Note: Only the primary SSO provider allows syncing of groups.
External users
You also have the ability to allow external users to sign in with a username and password. Users who do not have a domain listed in the Internal Domains field will be presented with a Username and Password login instead of being redirected to the SSO login page. Check the "Allow external users to sign in with username and password" option for that functionality:
Note: If you want to allow external users to sign in with username and password and you also want to allow users with various email domains to log in with SSO, you will need to add those email domains to the Internal Domains list ("Settings" → "Enterprise").
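An audit of a user list against the planned Internal Domains setting, to find workforce accounts that would be shown a username and password prompt instead of being sent to SSO. This is an added example that models the routing described above, not WorkRamp code; it assumes Internal Domains are matched exactly and case-insensitively, and all function names, addresses and domains are hypothetical.

```python
def email_domain(address):
    """Lower-cased domain of an address, or None when it is not user@domain.tld."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    return domain if sep and local and "." in domain else None

def login_route(address, internal_domains, allow_external):
    """Model of the routing described above.
    Assumption: Internal Domains are matched exactly and case-insensitively."""
    domain = email_domain(address)
    if domain is None:
        return "invalid"
    internal = {d.strip().lower() for d in internal_domains}
    return "password" if allow_external and domain not in internal else "sso"

def owned_by(domain, company_domains):
    """True when domain equals, or is a subdomain of, a domain the company owns."""
    return any(domain == c or domain.endswith("." + c) for c in company_domains)

def audit(addresses, internal_domains, allow_external, company_domains):
    """Return (routes, outside_sso): every address grouped by route, plus the
    company-owned addresses that would get a password prompt instead of SSO."""
    routes = {"sso": [], "password": [], "invalid": []}
    outside_sso = []
    for address in addresses:
        route = login_route(address, internal_domains, allow_external)
        routes[route].append(address)
        if route == "password" and owned_by(email_domain(address), company_domains):
            outside_sso.append(address)
    return routes, outside_sso

# Constructed sample export; every address and domain here is made up.
USERS = [
    "ana@acme.example",
    "Bo@ACME.example",                 # case differs, same domain
    "cy@eu.acme.example",              # company subdomain missing from the list
    "dee@partner.example",             # genuine external user
    "eve@acme.example.evil.example",   # look-alike, not a company domain
    "not-an-email",
]

if __name__ == "__main__":
    routes, outside_sso = audit(USERS, ["acme.example"], True, ["acme.example"])
    print(routes)
    print("Add to Internal Domains or investigate:", outside_sso)
```

Any address reported in the second list belongs to a domain that should be added to Internal Domains before "Allow external users to sign in with username and password" is enabled.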
Auto provisioning
If you select the "Auto provision new users" option, WorkRamp accounts will be automatically created for users signing in via SAML if they don't already exist.
If desired, you can use the same integration to set up SCIM provisioning as described here.
Group attribute
If you have requested that your WorkRamp instance be configured to accept the group attribute:
In the Okta admin dashboard, navigate to the WorkRamp application and click the "Sign On" tab, then click "Edit".
Select your preferred group filter from the dropdown list. Use the "Matches Regex" rule with the value ".*" as seen in the screenshot to send all groups to the WorkRamp instance.
Click "Save".
SP-initiated flow
Single Sign-On initiated by WorkRamp is called "Service-Provider-Initiated" or "SP-initiated" flow. Here are the steps:
Go to:
https://[your-workramp-subdomain].app.workramp.com/login if your WorkRamp is hosted in the US region; or
https://[your-workramp-subdomain].app.eu.workramp.com/login if your WorkRamp is hosted in the EU region.
Enter your email address, then click Continue:
To set up SCIM with Okta, please see this help article.