Steps to configure SAML SSO for WorkOS
About WorkOS
WorkOS is a developer-focused API platform that lets SaaS apps add enterprise-grade features quickly, without building them from scratch. Its goal is to help companies become enterprise-ready by supplying things that large organizations typically require.
The following steps will help you enable SSO for WorkOS from Identity360.
Prerequisites
- The MFA and SSO license for Identity360 is required to enable SSO for enterprise applications.
- Log in to Identity360 as an Admin, Super Admin, or Technician with a role that has Application Integration and Single Sign-on permissions.
- Navigate to Applications > Application Integration > Create New Application, and select WorkOS from the applications displayed.
Note: You can also find WorkOS using the search bar located at the top.
- Under the General Settings tab, enter the Application Name and Description.
- Under the Choose Capabilities tab, select Single Sign-on and click Continue.
General Settings of SSO configuration for WorkOS.
- Under Integration Settings, navigate to the Single Sign On tab and click IdP Details. Copy the Login URL and Entity ID, and download the Signing Certificate, which will be used during the configuration of WorkOS.
Integration Settings of SSO configuration for WorkOS.
WorkOS (service provider) configuration steps
- Log in to WorkOS with administrator credentials.
- Go to Settings > Authentication > Enable Single Sign-On.
Portal view of WorkOS.
- Click Custom SAML.
Identity provider selection in WorkOS.
- Name the configuration as Identity360 and click Continue.
Naming the identity provider in WorkOS.
- Copy the unique value that appears after /acs/ in the ACS URL, along with the Service provider entity ID value; both will be used during Identity360 configuration. Click Continue.
Creating SAML app in WorkOS.
- For the metadata configuration, choose either dynamic configuration or manual configuration.
- Choose Dynamic configuration.
- In the Identity provider metadata URL field, paste the Metadata URL value as instructed in these steps. Click Continue.
Dynamic metadata configuration in WorkOS.
- Choose Manual configuration.
- In the Identity provider Single Sign-On URL field, paste the Login URL value copied from Step 6 of prerequisites.
- In the Identity provider issue field, paste the Entity ID value copied from Step 6 of prerequisites.
- In the X.509 field, upload the Signing Certificate downloaded in Step 6 of prerequisites.
- Click Continue.
Manual metadata configuration in WorkOS.
- On the Step 4 page, you will note that email is mapped as id in Identity360. Click Continue.
IdP attribute mapping in WorkOS.
- Assign a user in Identity360 and then click Continue to test the SSO configuration.
Note:
- This step needs to be done after the Identity360 configuration mentioned below.
- The user testing the SSO connection in WorkOS must be the same as the user being assigned in Identity360.
- You will get a success screen once your SSO connection is activated.
Connection successful in WorkOS.
Identity360 (identity provider) configuration steps
- Switch to Identity360's application configuration page.
- In the Unique ID field, paste the ACS URL value copied from Step 5 of WorkOS configuration.
- In the Entity ID field, paste the Service provider entity ID value copied from Step 5 of WorkOS configuration.
- Enter the Relay State parameter, if necessary.
Note: Relay State is an optional parameter used with a SAML message to remember where you were or to direct you to a specific page after logging in.
- Click Save.
Integration Settings of SSO configuration for WorkOS.
- To learn how to assign users or groups to one or more applications, refer to this page.
Your users will now be able to sign in to WorkOS through the Identity360 portal.
Note: For WorkOS, both SP-initiated and IdP-initiated flows are supported.
Steps to enable MFA for WorkOS
Setting up MFA for WorkOS using Identity360 involves the following steps:
- Set up one or more authenticators for identity verification when users attempt to log in to WorkOS. Identity360 supports various authenticators, including Google Authenticator, Zoho OneAuth, and email-based verification codes. Click here for steps to set up the different authenticators.
- Integrate WorkOS with Identity360 by configuring SSO using the steps listed here.
- Now, activate MFA for WorkOS by following the steps mentioned here.
How does MFA for applications work in Identity360?