  • Link PingOne to an identity repository containing the users requiring application access.
  • Populate Workday with at least one user to test access.
  • You must have administrative access to PingOne and Workday.
  1. Set up the Workday application in PingOne:
    1. Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
    2. In the Application Catalog, search for Workday.
      A screen capture of the Application Catalog search section. There is a search bar and button with Workday entered. The Application search results are showing the results for Workday. The results are listed by the application icon, Application Name, Type, and the setup icon, which is a black triangle turned to the right.
    3. Expand the Workday entry and click Setup.
    4. Copy the Issuer and IdP ID values.
    5. Download the signing certificate.
      A screen capture of the 1. SSO Instructions section. There are fields for Signing Certificate with a Download link, Saas ID, IdP ID, Initiate Single Sign-On (SSO) URL, and Issuer.
    6. Click Continue to Next Step.
    7. Enter the following values.
      | Field | Entry |
      | --- | --- |
      | ACS URL | https://<Your environment>.workday.com/<Your tenant name>/login-saml.flex |
      | Entity ID | http://www.workday.com |
      | Target Resource | https://<Your tenant name>/fx/home.flex |
      | Single Logout Endpoint | https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld |
      | Single Logout Response Endpoint | https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld |

    8. Click Continue to Next Step.
    9. Map the SAML_SUBJECT attribute.
      A screen capture of the 3. Attribute Mapping section. The sentence introduction is Map your identity bridge to the attributes required by the application. The mapping attribute fields are Application Attribute, Description, and Identity Bridge Attribute or Literal Value. The fields have default entries for Application Attribute and Description. The Identity Bridge Attribute or Literal Value field requires an entry from the user and has an As Literal checkbox, which is cleared.
    10. Click Continue to Next Step twice.
    11. Click Add for each user group that should have access to Workday.
      A screen capture of the 5. Group Access section. The sentence introduction is Select all user groups that should have access to this application. Users that are members of the added groups will be able to SSO to this application and will see this application on their personal dock. There is a search bar with a Search button. The search results are listed by Group Name. One entry has an Add button and the other entry has a Remove button.
    12. Click Continue to Next Step.
    13. Click Finish.
  2. Add the PingOne identity provider (IdP) connection to Workday:
    1. Sign on to Workday as an administrator and click Account Administration.
      A screen capture of the Workday administrator home page/dashboard. The intro section sentence is Welcome, Ping, with a gear icon to its right. The page is split into two halves, the Inbox and Applications sections. The left (Inbox) section contains a mail icon and the Inbox items. At the bottom center of this section is a Go to Inbox link. The right (Applications) section has a puzzle icon. Seven icons and their corresponding application names are pictured. The Account Administration application, shown as a person from the shoulders up with a gear icon, is highlighted.
    2. Click Edit Tenant Setup – Security.
      A screen capture of the Account Administration application configuration with three separate sections: Audit, View, and Actions. The Audit and View sections sit side by side, splitting the page in half, and the Actions section is below them, filling the full width of the page. The Actions section has the options Edit Tenant Setup – Security, which is highlighted, Disable Workday Accounts, Enable/Disable Account Data Masking, and Create Workday Account for Supplier Contact.
    3. In the Single Sign On section, click the + icon under Redirection URLs.
    4. Set the following.
      | Field | Entry |
      | --- | --- |
      | *Redirect Type | Single URL |
      | Login Redirect URL | https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex |
      | Logout Redirect URL | https://sso.connect.pingidentity.com/sso/SLO.saml2.workday.com/<Your tenant name>/login-saml2.flex |
      | Mobile App Login Redirect URL | https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld |
      | Mobile Browser Login Redirect URL | https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld |
      | *Environment | Select your environment. |

    5. In the SAML Setup section, select the Enable SAML Authentication check box.
      A screen capture of the SAML Setup section. The section contains two checkboxes: Enable SAML Authentication, which is selected and highlighted, and an Enable Native Multi-Factor Authentication checkbox, which is cleared.
    6. Click the + icon.
      A screen capture of the SAML Identity Providers section. The row entry has a plus icon, which is highlighted, Identity Provider, Disabled, Identity Provider Name, Issuer, and x509 Certificate.
    7. Set the Identity Provider Name to PingOne and enter the Issuer value you copied previously.
    8. In the *x509 Certificate section, click Create x509 Public Key.
      A screen capture of the expanded *x509 Certificate field. In the menu list, the Create x509 Public Key option is highlighted.
    9. Enter a name for your PingOne signing certificate, such as PingOneCert.
    10. Open the PingOne signing certificate in a text editor and paste the contents of the certificate into the Certificate field.
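
The certificate pasted in the last step becomes the key Workday trusts for every PingOne-signed assertion, so it is worth checking the downloaded file before pasting it. The following is an added example, not part of the Ping Identity or Workday documentation: it rejects a file that contains a private key or more than one certificate, computes a SHA-256 fingerprint to record alongside the configuration, and returns a clean PEM block to paste. The function name `check_signing_cert` and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def check_signing_cert(pem_text):
    """Return (sha256_fingerprint, normalized_pem) or raise ValueError."""
    # A signing *certificate* is public; a private key must never be pasted.
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("file contains a private key; do not paste it")
    blocks = CERT_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    # Every X.509 certificate is a DER SEQUENCE, which starts with tag 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    # Re-emit with LF line endings and 64-character lines, dropping any
    # byte-order mark or stray text around the block.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + "\n"
    return fingerprint, pem


# Constructed sample: placeholder bytes behind a SEQUENCE tag, not a real
# certificate. The BOM and CRLF endings mimic a file saved by a text editor.
SAMPLE_DER = b"\x30\x2a" + b"constructed placeholder, not a certificate"
SAMPLE_PEM = ("\ufeff-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    fp, clean = check_signing_cert(SAMPLE_PEM)
    print("SHA-256 fingerprint:", fp)
    print(clean, end="")
```

Run it against the file downloaded from the PingOne SSO Instructions screen by passing the file's text to `check_signing_cert`; the check covers the file's structure only and does not validate the certificate's validity period or issuer.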