Enable Workday sign on from the PingOne console (IdP-initiated sign on) and direct Workday sign on using PingOne (SP-initiated sign on), with single logout (SLO).
- Link PingOne to an identity repository containing the users requiring application access.
- Populate Workday with at least one user to test access.
- You must have administrative access to PingOne and Workday.

Set up the Workday application in PingOne:
- Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
- In the Application Catalog, search for Workday.
- Expand the Workday entry and click Setup.
- Copy the Issuer and IdP ID values.
- Download the signing certificate.
- Click Continue to Next Step.
- Enter the following values.

  | Field | Entry |
  | --- | --- |
  | ACS URL | `https://<Your environment>.workday.com/<Your tenant name>/login-saml.flex` |
  | Entity ID | `http://www.workday.com` |
  | Target Resource | `https://<Your tenant name>/fx/home.flex` |
  | Single Logout Endpoint | `https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld` |
  | Single Logout Response Endpoint | `https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld` |

- Click Continue to Next Step.
- Map the SAML_SUBJECT attribute.
- Click Continue to Next Step twice.
- Click Add for each user group that should have access to Workday.
- Click Continue to Next Step.
- Click Finish.

Add the PingOne identity provider (IdP) connection to Workday:
- Sign on to Workday as an administrator and click Account Administration.
- Click Edit Tenant Setup – Security.
- In the Single Sign On section, click the + icon under Redirection URLs.
- Set the following.

  | Field | Entry |
  | --- | --- |
  | *Redirect Type | Single URL |
  | Login Redirect URL | `https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex` |
  | Logout Redirect URL | `https://sso.connect.pingidentity.com/sso/SLO.saml2.workday.com/<Your tenant name>/login-saml2.flex` |
  | Mobile App Login Redirect URL | `https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld` |
  | Mobile Browser Login Redirect URL | `https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld` |
  | *Environment | Select your environment. |

- In the SAML Setup section, select the Enable SAML Authentication check box.
- Click the + icon.
- Set the Identity Provider Name to PingOne and enter the Issuer value you copied previously.
- In the *x509 Certificate section, click Create x509 Public Key.
- Enter a name for your PingOne signing certificate, such as PingOneCert.
- Open the PingOne signing certificate in a text editor and paste the contents of the certificate into the Certificate field.
- Click OK.
- Set the following.

  | Field | Entry |
  | --- | --- |
  | Enable IdP Initiated Logout | Selected |
  | Logout Response URL | `https://sso.connect.pingidentity.com/sso/SLO.saml2` |
  | Enable Workday Initiated Logout | Selected |
  | Logout Request URL | `https://sso.connect.pingidentity.com/sso/SLO.saml2` |
  | Service Provider ID | `http://www.workday.com` |
  | SP Initiated | Selected |
  | Do Not Deflate SP-initiated Authentication Request | Selected |
  | IdP SSO Service URL | `https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<‘IdP ID’ value from PingOne>` |

- Click OK.
- For SLO, in the x509 Private Key Pair menu, select Create x509 Private Key Pair.
- Enter a name for the key pair.
- Click OK.
- Hover next to the key pair name and click the Menu icon.
- Click View Key Pair.
- Copy the contents of the public key and save them in a text editor.
- Set Authentication Request Signature Method to SHA-256.
  Note: Leave all other values in this section blank.
- Click Done.

Complete the Workday SLO setup in PingOne:
- Go to PingOne for Enterprise and continue editing the Workday entry.
  Note: If the session has timed out, complete the initial steps to the point of clicking Setup.
- Click Continue to Next Step.
- Click Choose File, and select the saved Workday public key file.
- Click Continue to Next Step until the final screen. Click Finish.

Test the PingOne IdP-initiated SSO integration:
- Go to your Ping desktop as a user with Workday access.
  Note: To find the Ping desktop URL in the admin console, go to Setup > Dock > PingOne Dock URL.
- Complete the PingOne authentication.
  You are redirected to your Workday environment.
- Click Sign Out.
  You are signed out.

Test the PingOne SP-initiated SSO integration:
- Go to your Workday URL.
  For example, `https://<Your environment>.workday.com/<Your tenant>/login-saml2.flex`.
- After you're redirected to PingOne, enter your PingOne username and password.
  After successful authentication, you are redirected back to Workday.
- Click Sign Out.
  You are signed out.
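
During the SP-initiated test, the SAMLRequest value that Workday posts to PingOne can be captured in the browser's developer tools and checked against the Workday settings above: not deflated, Issuer equal to the Service Provider ID, and an SHA-256 signature method. The following is an added example, not part of the original procedure or of Ping Identity's or Workday's tooling; it assumes the value is already URL-decoded and that the request carries an embedded XML signature, and `SAMPLE_XML` is a constructed request.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
AUTHN_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"
EXPECTED_SP_ID = "http://www.workday.com"  # Service Provider ID set in Workday
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed sample, not a real Workday request; {alg} is filled in by the caller.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">'
    '<saml:Issuer>http://www.workday.com</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature></samlp:AuthnRequest>'
)

def decode_saml_request(value):
    """Return (xml_bytes, was_deflated) for a URL-decoded base64 SAMLRequest value."""
    raw = base64.b64decode(value, validate=True)
    if raw.lstrip().startswith(b"<"):
        return raw, False                   # plain XML: sent without DEFLATE
    return zlib.decompress(raw, -15), True  # raw DEFLATE stream

def check_authn_request(value):
    """Return findings; an empty list means the request matches the setup."""
    try:
        xml_bytes, deflated = decode_saml_request(value)
        if b"<!DOCTYPE" in xml_bytes:       # never expand entities from a request
            return ["DOCTYPE present; refusing to parse"]
        root = ET.fromstring(xml_bytes)
    except (ValueError, zlib.error, ET.ParseError) as exc:
        return [f"cannot decode SAMLRequest: {exc}"]
    findings = []
    if deflated:
        findings.append("request is deflated; 'Do Not Deflate' is not in effect")
    if root.tag != AUTHN_TAG:
        findings.append(f"unexpected root element {root.tag}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_SP_ID:
        findings.append(f"Issuer is {issuer!r}, expected {EXPECTED_SP_ID!r}")
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg != RSA_SHA256:                   # None means no embedded signature
        findings.append(f"embedded signature algorithm is {alg}, expected {RSA_SHA256}")
    return findings

if __name__ == "__main__":
    sample = base64.b64encode(SAMPLE_XML.format(alg=RSA_SHA256).encode()).decode()
    print(check_authn_request(sample) or "request matches the configured values")
```

An Issuer mismatch here usually points at the Service Provider ID field in Workday or the Entity ID entered in PingOne, which the tables above set to the same value.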