WorkOS Docs Homepage
Integrations

Rippling SAML

Learn how to configure a connection to Rippling via SAML.

Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a Rippling SAML Connection, you’ll need the Identity Provider metadata that is available from creating an app within the Rippling instance.

Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.

Select the organization you wish to configure a Rippling SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.

A screenshot showing where to select "Manually Configure Connection" in the WorkOS dashboard.

Select “Rippling SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.

A screenshot showing the "Create Connection" modal with options configured in the WorkOS dashboard.

WorkOS provides the ACS URL and SP Entity ID. They’re readily available in your Connection Settings in the WorkOS Dashboard

A screenshot showing the "ACS URL" and "SP Entity ID" in the WorkOS dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to.

The Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the Entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization’s Rippling instance.

In order to integrate you’ll need the Rippling IdP metadata.

Normally, this information will come from the organization’s IT Management team when they set up your application’s Rippling configuration. But, should that not be the case during your setup, here’s how to obtain them.

Log in to Rippling as an administrator and select “IT Management” then “Custom App” from the left-side navigation bar.

"A screenshot showing where to select "Custom App" in the Rippling dashboard.

Select “Create New App” to begin creating a new SAML application.

A screenshot showing where to select "Create New App" in the Rippling dashboard.

Give the app a descriptive name, select a category, and upload a logo file. Make sure to check the box for “Single Sign-On (SAML)”, then click “Continue”.

A screenshot showing where to configure the new app's "Name", "Categories", and app type in the Rippling dashboard.

Select the option confirming that you are the Application Admin. Rippling will display a new page with “SSO Setup Instructions” we will use in the next step.

A screenshot showing the configuration of the "Who should install the SAML App?" setting in the Rippling dashboard.

Rippling will present the SSO Setup instructions which will include the IdP Metadata XML file. Click to download the file from Rippling.

A screenshot showing where to download the IdP Metadata in the Rippling dashboard.

Save this file in a memorable place, as we will upload it to the WorkOS dashboard in a later step.

Scrolling down on the SSO Setup Instructions, Rippling will request the ACS URL and Service Provider Entity ID.

Input the ACS URL and SP Entity ID from the WorkOS dashboard into the respective fields.

Once complete, click the “Move to Next Step Button”.

A screenshot showing where to input the WorkOS ACS URL and SP Entity ID in the Rippling dashboard.

Select your desired Access Rules.

A screenshot showing where to select SSO Access Rules in the Rippling dashboard.

Select your desired Provision Time.

A screenshot showing where to select Provision Time in the Rippling dashboard.

Configure SSO for Admins if necessary.

A screenshot showing where to configure Admin SSO in the Rippling dashboard.

Configure Group Attributes if necessary.

A screenshot showing where to configure Group Attributes in the Rippling dashboard.

Verify your SSO integration if you want to test the connection.

A screenshot showing where to verify an SSO connection in the Rippling dashboard.

Click “Visit the app”. The application settings will be presented, here we will configure the SAML attribute mapping in the next step.

A screenshot showing where to select "Visit the app" in the Rippling dashboard.

Select the “Settings” tab then on the left navigation select “SAML Attributes” and use the “Create new” button. Add attributes as “Global attributes”.

A screenshot showing where to select "Create New" in the "SAML Attributes" in the Rippling dashboard.

Input the attributes as follows:

  • idUser’s ID
  • emailUser’s email address
  • firstNameUser’s Legal first name
  • lastNameUser’s Legal last name

Here is a screenshot showing the proper final configuration:

A screenshot showing the proper configuration of the "SAML Attributes" in the Rippling dashboard.

With identity provider role assignment, users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.

Create a new SAML attribute and select the “Group attribute” type. Click “Continue”.

A screenshot showing how to add a group attribute in the Rippling dashboard.

Enter groups for the “Group attribute name”.

A screenshot showing what to name a group attribute in the Rippling dashboard.

Select the attribute values to map to the group attribute. The example below shows two values, “Admins” and “Engineers”, that map to the “All Admins” user group and the “Engineering Department” user group, respectively.

A screenshot showing how to map the group attribute for Admins in the Rippling dashboard.

Finish role assignment set-up by navigating to the Connection page in the Organization section of the WorkOS Dashboard. Create connection groups referencing the group IdP ID. Then, assign roles to connection groups so users in those groups will automatically be granted roles within your application.

In the “Settings” tab, on the left navigation select “Advanced SAML Settings” and use the “Edit” button to set “Disable ‘InResponseTo’ field in assertions for IdP initiated SSO” to true by checking the box to enable the setting.

A screenshot showing where to enable the "Disable 'InResponseTo' field in assertions for IdP initiated SSO" setting in the Rippling dashboard.

The ‘InResponseTo’ field is primarily used for IdP-initiated SSO and enabling this setting allows WorkOS to accept both SP and IdP initiated SSO from Rippling.

Click the “Save” button to save this setting. In the next step, we will complete the integration by uploading the Metadata XML file to the WorkOS Dashboard.

Return to the Rippling connection in the WorkOS dashboard and select “Edit Metadata Configuration”.

A screenshot showing where to select "Edit Metadata Configuration" in the WorkOS dashboard.

Upload the XML metadata file from Rippling into the “Metadata File” field and select “Save Metadata Configuration”.

A screenshot showing where to select “Save Metadata Configuration” in the "XML File Metadata Configuration" modal in the WorkOS dashboard.

Your Connection will then be linked and good to go!