Enable Workday sign on from a PingFederate URL (IdP-initiated sign on) and direct Workday sign on using PingFederate (SP-initiated sign on), with single logout (SLO).
- Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
- Populate Workday with at least one user to test access.
- You must have administrative access to PingFederate and Workday.
- Create a PingFederate service provider (SP) connection for Workday:
  - Sign on to the PingFederate administrative console.
  - Create an SP connection for Workday in PingFederate.
  - Set Partner’s Entity ID to http://www.workday.com.
  - Enable the IdP-Initiated SSO and SP Initiated SSO SAML profiles.
  - In Assertion Creation > Authentication Source Mapping > Attribute Contract Fulfillment, map SAML_SUBJECT.
  - In Protocol Settings > Assertion Consumer Service URL:
    - Set Binding to POST.
    - In the Endpoint URL field, enter https://<Your environment>.workday.com/<Your tenant name>/login-saml.flex
  - In Protocol Settings > Allowable SAML Bindings, enable POST.
  - In Credentials > Digital Signature Settings, select the PingFederate Signing Certificate.
  - Click Save.
  - Export the signing certificate.
  - Export the metadata file, open it in a text editor, and copy:
    - The entityID
    - The SSO Location entry: https://<your value>/idp/SSO.saml2
    - The SLO Location entry: https://<your value>/idp/SLO.saml2
- Add the PingFederate IdP Connection to Workday:
  - Sign on to Workday as an administrator and click Account Administration.
  - Click Edit Tenant Setup – Security.
  - In the Single Sign On section, click the + icon under Redirection URLs.
  - Configure the redirection URL.
    - Redirect Type: Single URL
    - Login Redirect URL: https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex
    - Logout Redirect URL: Single logout (SLO) location from above, https://<your value>/idp/SLO.saml2
    - Mobile App Login Redirect URL: https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex
    - Mobile Browser Login Redirect URL: https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex
    - Environment: Select environment
  - In the SAML Setup section, select the Enable SAML Authentication check box.
  - Click the + icon.
  - Set the Identity Provider Name to PingFederate, and in the Issuer field, enter the entity ID value that you copied from PingFederate.
  - For SLO, in the x509 certificate section, click Create x509 Public Key.
  - In the Name field, enter a name for your PingFederate signing certificate, such as PingFederateCert.
  - Open the PingFederate signing certificate in a text editor, copy the contents, and paste them into the Certificate field.
  - Click OK.
  - Use the following configuration.
    - Enable IdP Initiated Logout: Selected
    - Logout Response URL: Enter the SLO location that you copied from PingFederate. For example, https://<your value>/idp/SLO.saml2.
    - Enable Workday Initiated Logout: Selected
    - Logout Request URL: Enter the SLO location that you copied from PingFederate. For example, https://<your value>/idp/SLO.saml2.
    - Service Provider ID: Enter http://www.workday.com.
    - SP Initiated: Selected
    - Do Not Deflate SP-initiated Authentication Request: Selected
    - IdP SSO Service URL: Enter the SLO location you copied from PingFederate. For example, https://<your value>/idp/SLO.saml2.
  - Click OK.
  - For SLO, in the x509 Private Key Pair menu, select Create x509 Private Key Pair.
  - In the Name field, enter a name for the key pair.
  - Click OK.
  - Hover next to the key pair name and click the ... icon.
  - In x509 Private Key Pair, select View Key Pair.
  - Copy the contents of the public key and save them in a text editor.
  - Set the Authentication Request Signature Method to SHA-256.
    Note: Leave all the other values in this section blank.
  - Click Done.
- Update the PingFederate Workday IdP for SLO:
  - Sign on to the PingFederate administrative console.
  - Edit the SP connection for Workday and add the following extra SAML profiles:
    - IDP-Initiated SLO
    - SP Initiated SLO
  - In Protocol Settings > SLO Service URL:
    - Set Binding to POST.
    - Set Endpoint URL to https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld.
    - Set Response URL to https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld.
  - In Credentials > Signature Verification Settings, select the saved Workday public key.
- Test the PingFederate IdP-initiated SSO:
  - Go to the PingFederate SSO Application Endpoint for the Workday SP connection.
  - Complete the PingFederate authentication.
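
The "Export the metadata file, open it in a text editor, and copy" step above can be checked with a script. The following is an added example, not code from Ping Identity or Workday: it reads the exported metadata and returns the entityID, the POST-binding SSO and SLO locations, and a SHA-256 fingerprint of the signing certificate, so the values pasted into Workday can be compared against the file. The sample metadata, the host idp.example.com, the certificate body, and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: idp.example.com and the certificate body are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def post_location(idp, tag):
    """Return the HTTP-POST Location of an endpoint element; require HTTPS."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == POST:
            if not el.get("Location", "").startswith("https://"):
                raise ValueError(f"{tag} Location is not HTTPS")
            return el.get("Location")
    return None  # no POST binding published for this endpoint

def workday_values(metadata_xml):
    """Extract the values the steps above copy from PingFederate into Workday."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata never needs a DTD
        raise ValueError("unexpected DTD in metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    fingerprint = None
    if cert is not None and cert.text:
        # SHA-256 of the DER bytes, to compare with the certificate pasted into Workday
        der = base64.b64decode("".join(cert.text.split()))
        fingerprint = hashlib.sha256(der).hexdigest()
    return {"issuer": root.get("entityID"),
            "sso_url": post_location(idp, "SingleSignOnService"),
            "slo_url": post_location(idp, "SingleLogoutService"),
            "cert_sha256": fingerprint}
```

Call `workday_values()` with the text of the exported metadata file; a `None` for an endpoint means the metadata publishes no POST binding for it.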