You must have:

  • PingOne for Enterprise for cloud integration or PingFederate 10.3 for on-premise integration
  • A Workday tenant

Follow these steps to configure Workday as a service provider (SP) through PingOne for Enterprise or PingFederate.

  1. Create a Workday public key and configure it for use in PingOne for Enterprise and PingFederate.
    When using single logout (SLO) or signed SP-Initiated single sign-on (SSO), you must create and configure an x509 key pair for the Workday tenant. Later in this task, you'll import the public key into PingOne for Enterprise or PingFederate.
    1. From the Workday tenant, search for the task Create x509 Private Key Pair.
    2. Enter a name for the key pair.
    3. Copy and paste the value for Public Key into a new text file.
    4. Assign Key Pair to SAML Configuration.
    5. From the Workday Tenant, search for the task edit tenant setup - security.
    6. Assign the Key Pair to the field x509 Private Key Pair, and click OK.
  2. For on-premise integration, configure Workday as a service provider using PingFederate.
    Note:

    Because of the complexity of setting up an SP connection, only the key configuration options are noted below.

    1. In PingFederate, go to Applications > SP Connections.
    2. Click Create Connection.
    3. On the Connection Template tab, leave the default selection and click Next.
    4. On the Connection Type tab, under Connection Template, select Browser SSO Profiles. Click Next.
    5. On the Connection Options tab, select Browser SSO. Click Next.
    6. On the Import Metadata tab, select None. Click Next.
    7. On the General Info tab, set the Partner's Entity ID (Connection ID) to http://www.workday.com and enter your desired value for Connection Name. Click Next.
    8. On the Browser SSO tab, click Configure Browser SSO.
    9. On the SAML Profiles tab, select your desired Single Sign-On (SSO) Profiles and Single Logout (SLO) Profiles. Click Next.
    10. On the Assertion Lifetime tab, leave the default values and click Next.
    11. On the Assertion Creation tab, click Configure Assertion Creation.
    12. Click Next until you reach the Authentication Source Mapping tab.
    13. To authenticate users to your SP, choose from:
    14. Click Next and on the Summary tab, click Done.
    15. On the Assertion Creation tab, click Next.
    16. On the Protocol Settings tab, click Configure Protocol Settings.
    17. Configure the following protocols.
      Note:

      workday-tenant-name is your Workday tenant name.

      | Tab | Binding | Endpoint URL |
      |---|---|---|
      | Assertion Consumer Service URL | POST | https://impl.workday.com/<workday-tenant-name>/login-saml.flex |
      | SLO Service URLs | POST | https://impl.workday.com/<workday-tenant-name>/logout-saml.htmld |

    18. On the Allowable SAML Bindings tab, select POST. Click Next.
    19. On the Signature Policy tab, enable the following:
      • (Optional) Require AuthN Requests to Be Signed When Received via the POST or Redirect Bindings
      • Always Sign Assertion
      • Sign Response As Required
    20. On the Encryption Policy tab, leave the default values and click Next. Click Done.
    21. On the Protocol Settings tab, click Next. Click Done.
    22. On the Credentials tab, click Configure Credentials and provide the following credentials:
      1. On the Digital Signature Settings tab, in the Signing Certificate list, select your signing certificate.
      2. Select Include the Certificate in the Signature <KeyInfo> Element.
      3. (Optional) On the Signature Verification Settings tab, if you're using SP-initiated SSO or SLO, import the Workday public key that you created previously from the text file.
      4. Click Done.
    23. On the Activation & Summary tab, click Save.
  3. For cloud integration, configure Workday as a service provider through PingOne for Enterprise. For general instructions, see Add an application from the Application Catalog.
    1. In the PingOne for Enterprise admin console, go to Applications.
    2. In the Application Catalog, search for Workday.
    3. Select the Workday application, not the Sandbox or Preview application.
    4. Click Setup to configure SSO for the Workday tenant. Click Continue to Next Step.
    5. On the Connection Configuration page, enter the following values and click Continue to Next Step.
      | Parameter | Value |
      |---|---|
      | ACS URL | https://myworkday.com/<workday-tenant-name>/login-saml.flex |
      | Entity ID | http://www.workday.com |
      | Target Resource | https://www.myworkday.com/<workday-tenant-name>/fx/home.flex |
      | Single Logout Endpoint | https://www.myworkday.com/<workday-tenant-name>/logout-saml.htmld |
      | Single Logout Response Endpoint | https://www.myworkday.com/<workday-tenant-name>/logout-saml.htmld |
      | Primary Verification Certificate | If using signed SP-initiated SSO or SLO, import the Workday public key that you created previously from the text file where you stored it. |
    6. Map attributes as needed:
      • If the subject will contain the username that corresponds to the account within Workday, select SAML_SUBJECT.
      • If the subject is the email address, click Advanced and select the function GetLocalPartFromEmail.
    7. Perform additional application customizations as needed, then click Finish.
  4. Enable SAML and create an IdP provider in Workday:
    1. In the Workday tenant, search for the task edit tenant setup - security.
    2. Select Enable SAML Authentication.
    3. Under SAML Identity Providers, click the + to add a new IdP.
      Provide the following information:
      • Identity Provider Name: Enter a value that is useful within your environment.
      • Issuer:
        • For PingOne for Enterprise, the URL is available from the Workday Application Configuration. For example: https://pingone.com/idp/cd-nnn.pingidentity
        • For PingFederate, use the SAML 2.0 Entity ID, which you can find under Server Configuration > Server Settings > Federation Info.
      • x509 Certificate: Create a public key that will contain the key from your PingOne for Enterprise or PingFederate connection.
      • Certificate: Paste the contents of the PingOne for Enterprise or PingFederate public certificate into the Certificate field.
        • For PingOne for Enterprise, download the Signing Certificate from the Workday Application Configuration.
        • For PingFederate, export the signing certificate that is used for the Workday SP Connection from Server Configuration > Signing & Decryption Keys & Certificates.
    4. To enable SP-initiated SSO, see step 5.
    5. To enable SLO, see step 7.
    6. In the PingOne for Enterprise admin console, edit the Workday Application and continue to the page Configure your connection.
    7. Upload the public key from your text file to the Primary Verification Certificate and save the configuration.
  5. Enable SP-initiated SSO for Workday:
    1. In the Workday tenant, search for the task edit tenant setup - security.
    2. Under SAML Identity Providers for the desired IdP, select SP Initiated.
    3. In the Service Provider ID field, enter http://www.workday.com.
    4. Select Do Not Deflate SP-initiated Request.
    5. Optional: Select Sign SP-initiated Request. If checked, refer to the section Workday x509 Public Key.
    6. Enter a value for IdP SSO Service URL:
      • For PingOne for Enterprise: From the Workday Application Configuration: Initiate Single Sign-On (SSO) URL.
      • For PingFederate: https://[host]:[port]/idp/SSO.saml2
  6. To test SP-initiated SSO, open the following link to trigger it from Workday: https://impl.workday.com/<workday-tenant-name>/login-saml2.flex.
  7. Enable SLO for Workday:
    1. In the Workday tenant, search for the task edit tenant setup - security.
    2. Under SAML Identity Providers for the desired IdP, select Enable IdP Initiated Logout.
    3. Configure the following Logout Response URLs:
      • For PingOne for Enterprise: https://sso.connect.pingidentity.com/sso/SLO.saml2
      • For PingFederate: https://[host]:[port]/idp/SLO.saml2
    4. Under SAML Identity Providers for the desired IdP, select Enable Workday Initiated Logout.
    5. Configure the following Logout Request URLs:
      • For PingOne for Enterprise: https://sso.connect.pingidentity.com/sso/SLO.saml2
      • For PingFederate: https://[host]:[port]/idp/SLO.saml2
  8. Optional: Redirect the Workday sign on page to PingOne for Enterprise or PingFederate, as appropriate.
    1. From the Workday tenant, search for the task edit tenant setup - security.
    2. In the Single Sign-on section, add a new Redirection URL.
    3. Enter the SSO URL for the following fields:
      • Login Redirect URL
      • Mobile App Login Redirect URL
      • Mobile Browser Login Redirect URL
      The SSO URL is: https://impl.workday.com/<workday-tenant-name>/login-saml2.flex
    4. Configure the Login Redirect URL:
      • For PingOne for Enterprise: https://sso.connect.pingidentity.com/sso/SLO.saml2
      • For PingFederate: https://[host]:[port]/idp/SLO.saml2
    5. Configure the environment as determined by the tenant URL:
      • If the subdomain for the Workday tenant URL starts with impl, then the Environment attribute is Implementation.
      • If the subdomain name starts with something else, contact the Workday support team to determine the Environment attribute.
  • If there is an issue with the login redirect URL, append ?redirect=n to the Workday login URL. For example, https://impl.workday.com/wday/authgwy/<workday-tenant-name>/login.htmld?redirect=n.
  • Workday provides a SAML message validator that can be used to debug SAML issues. Search for the task Validate SAML Message.
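
Alongside Workday's Validate SAML Message task, a captured SAML response can be checked offline against the values configured in this procedure (ACS URL, Entity ID, Issuer, signed assertion, username subject). The following Python script is an added example, not part of the Ping Identity or Workday documentation; the function name check_response, the tenant acme, and the issuer https://idp.example.com are assumptions, and the script only checks that a signature element is present without verifying it.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "http://www.workday.com"  # Entity ID used throughout this page

def check_response(xml_text, tenant, idp_issuer, host="impl.workday.com"):
    """Return a list of mismatches; empty means the response matches the settings."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs before parsing (entity expansion)
        return ["DOCTYPE present; refusing to parse"]
    acs = f"https://{host}/{tenant}/login-saml.flex"
    root = ET.fromstring(xml_text)
    found = []
    if root.get("Destination") != acs:
        found.append(f"Destination {root.get('Destination')!r} != ACS URL {acs!r}")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return found + [f"expected 1 Assertion, got {len(assertions)}"]
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", "", NS).strip()
    if issuer != idp_issuer:
        found.append(f"Issuer {issuer!r} != Workday IdP Issuer {idp_issuer!r}")
    audiences = [(e.text or "").strip() for e in a.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        found.append(f"Audience {audiences} lacks {SP_ENTITY_ID!r}")
    if a.find("ds:Signature", NS) is None:  # presence only, not verification
        found.append("Assertion has no ds:Signature (Always Sign Assertion)")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if "@" in name_id:  # heuristic for the attribute-mapping step
        found.append(f"NameID {name_id!r} looks like an email, not a username")
    return found

# Constructed sample: tenant "acme" and the issuer are placeholders, signature body elided.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://impl.workday.com/acme/login-saml.flex">
 <saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://www.workday.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for line in check_response(SAMPLE, "acme", "https://idp.example.com"):
        print("MISMATCH:", line)
```

The constructed sample deliberately uses an https Audience and an email subject, so the script reports two mismatches. For a PingOne for Enterprise connection, pass host="myworkday.com" to match the ACS URL in the Connection Configuration table.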