• Link PingOne to an identity repository containing the users requiring application access.
  • Populate Workday with at least one user to test access.
  • You must have administrative access to PingOne and Workday.
  1. Setup the Workday application in PingOne:
    1. Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
    2. In the Application Catalog, search for Workday.
      A screen capture of the Application Catalog search section. There is a search bar and button with Workday entered. The Application search results are showing the results for Workday. The results are listed by the application icon, Application Name, Type, and the setup icon, which is a black triangle turned to the right.
    3. Expand the Workday entry and click Setup.
    4. Copy the Issuer and IdP ID values.
    5. Download the signing certificate.
      A screen capture of the 1. SSO Instructions section. zthere are fields for Signing Certificate with a Download link, Saas ID, IdP ID, Initiate Single Sign-On (SSO) URL, and Issuer.
    6. Click Continue to Next Step.
    7. Enter the following values.
      Field Entry

      ACS URL

      https://<Your environment>.workday.com/<Your tenant name>/login-saml.flex

      Entity ID

      http://www.workday.com

      Target Resource

      https://<Your tenant name>/fx/home.flex

      Single Logout Endpoint

      https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld

      Single Logout Response Endpoint

      https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld
    8. Click Continue to Next Step.
    9. Map the SAML_SUBJECT attribute.
      A screen capture of the 3. Attribute Mapping section. The sentence introduction is Map your identity bridge to the attributes required by the application. The mapping attribute fields are Application Attribute, Description, and Identity Bridge Attribute or Literal Value. The fields have default entries for Application Attribute and Description. The Identity Bridge Attribute or Literal Value field requires an entry from the user and has a As Literal checkbox, which is cleared.
    10. Click Continue to Next Step twice.
    11. Click Add for each user group that should have access to Workday.
      A screen capture of the 5. Group Access section. The sentence introduction is Select all user groups that should have access to this application. Users that are members of the added groups will be able to SSO to this application and will see this application on their personal dock. There is a search bar with a Search button. The search results are listed by Group Name. One entry has a Add button and the other entry has a Remove button.
    12. Click Continue to Next Step.
    13. Click Finish.
  2. Add the PingOne identity provider (IdP) connection to Workday:
    1. Sign on to Workday as an administrator and click Account Administration.
      A screen capture of the Workday administrator home page/dashboard. The intro section sentence is Welcome, Ping and to the right has a gear icon. The page is split into two halves, the Inbox and Applications sections. The left or Inbox section contains a mail icon and the Inbox items. At the bottom center of this section is a Go to Inbox link. In the Applications or right section, is a puzzle icon. 7 icons and their corresponding application names are pictured. The Account Administration application of a person from the shoulders up with a gear icon is highlighted.
    2. Click Edit Tenant Setup – Security.
      A screen capture of the Account Administration application configuration with 3 separate sections of Audit, View, and Actions. Audit and View sections are sitting side-by-side, splitting the page in half, and the Actions section is below them filling the whole page. The Actions section has the options Edit Tenant Setup – Security, which is highlighted, Disable Workday Accounts, Enable/Disable Account Data Masking, and Create Workday Account for Supplier Contact.
    3. In the Single Sign On section, click the + icon under Redirection URLs.
    4. Set the following.
      Field Entry

      *Redirect Type

      Single URL

      Login Redirect URL

      https://<Your environment>.workday.com/<Your tenant name>/login-saml2.flex

      Logout Redirect URL

      https://sso.connect.pingidentity.com/sso/SLO.saml2.workday.com/<Your tenant name>/login-saml2.flex

      Mobile App Login Redirect URL

      https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld

      Mobile Browser Login Redirect URL

      https://<Your environment>.workday.com/<Your tenant name>/logout-saml.htmld

      *Environment

      Select your environment.
    5. In the SAML Setup section, select the Enable SAML Authentication check box.
      A screen capture of the SAML Setup section. The section contains two checkboxes: Enable SAML Authentication, which is selected and highlighted and a Enable Native Multi-Factor Authentication cleared checkbox.
    6. Click the + icon.
      A screen capture of the SAML Identity Providers section. The row entry has a plus icon, which is highlighted, Identity Provider, Disabled, Identity Provider Name, Issuer, and x509 Certificate.
    7. Set the Identity Provider Name to PingOne and enter the Issuer value you copied previously.
    8. In the *x509 Certificate section, click Create x509 Public Key.
      A screen capture of the expanded *x509 Certificate field. In the menu list, the Create x509 Public Key option is highlighted.
    9. Enter a name for your PingOne signing certificate, such as PingOneCert.
    10. Open the PingOne signing certificate in a text editor and paste the contents of the certificate into the Certificate field.
      A screen capture of the Create x509 Public Key configuration section. There are fields for Name, which is highlighted, Valid From, Valid To, and Certificate, which is highlighted.
    11. Click OK.
    12. Set the following.

      Enable IdP Initiated Logout

      Selected

      Logout Response URL

      https://sso.connect.pingidentity.com/sso/SLO.saml2

      Enable Workday Initiated Logout

      Selected

      Logout Request URL

      https://sso.connect.pingidentity.com/sso/SLO.saml2

      Service Provider ID

      http://www.workday.com

      SP Initiated

      Selected

      Do Not Deflate SP-initiated Authentication Request

      Selected

      IdP SSO Service URL

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<‘IdP ID’ value from PingOne>
    13. Click OK.
    14. For SLO, in the x509 Private Key Pair menu, select Create x509 Private Key Pair.
      A screen capture of the expanded *x509 Private Key Pair field. The menu icon is highlighted. In the menu list, Create x509 Private Key is highlighted.
    15. Enter a name for the key pair.
      A screen capture of the Create x509 Private Key configuration section. There are fields for Name which is highlighted, Description, and a Do Not Allow Regeneration checbox box.
    16. Click OK.
    17. Hover next to the key pair name and click the Menu icon.
      A screen capture of the Create x509 Private Key configuration section. The x509 Private key pair name has the entry of workday with a menu icon. The menu icon is highlighted.
    18. Click View Key Pair.
      A screen capture of the expanded menu for the x509 Private key pair field. In the menu list, there are options for View Key Pair, which is highlighted, Edit Key Pair, and Regenerate Key Pair.
    19. Copy the contents of the public key and save them in a text editor.
      A screen capture of the Create x509 Private Key configuration section. There are fields for Description, Valid From, Valid To, and Public Key, which has the PingOne signing certificate details and is highlighted.
    20. Set Authentication Request Signature Method to SHA-256.
      Note:

      Leave all other values in this section blank.

    21. Click Done.
  3. Complete the Workday SLO setup in PingOne:
    1. Go to PingOne for Enterprise and continue editing the Workday entry.
      Note:

      If the session has timed out, complete the initial steps to the point of clicking Setup.

    2. Click Continue to Next Step.
    3. Click Choose File, and select the saved Workday public key file.
      A screen capture of the Workday SLO setup, in the Certificate Verification upload section. Ther are fields for Primary Verification Certificate with a Choose File button that is highlighted, and Secondary Verification Certificate. Both fields have a Choose File button.
    4. Click Continue to Next Step until the final screen. Click Finish.
  4. Test the PingOne IdP-initiated SSO integration:
    1. Go to to your Ping desktop as a user with Workday access.
      Note:

      To find the Ping desktop URL in the admin console, go to Setup > Dock > PingOne Dock URL.

    2. Complete the PingOne authentication.
      A screen capture of the PingIdentity Sign On page. The page has Username and Password fields, a Remember Me checkbox, a Sign On button, and the Forgot Password link.
      You are redirected to your Workday environment.
      A screen capture of the Workday administrator home page/dashboard. The intro section sentence is Welcome, Ping and to the right has a gear icon. The page is split into two halves, the Inbox and Applications sections. The left or Inbox section contains a mail icon and the Inbox items. At the bottom center of this section is a Go to Inbox link. In the Applications or right section, is a puzzle icon and a list of all Applications by their name and a icon.
    3. Click Sign Out.
      You are signed out.
      A screen capture of the expanded cloud icons or the administrator account profile menu. The Ping View Profile at the top of the menu is highlighted. The Sign Out button,which is the last of the menu options, is highlighted.
  5. Test the PingOne SP-initiated SSO integration:
    1. Go to your Workday URL.
      For example, https://Your environment.workday.com/Your tenant/login-saml2.flex.
    2. After you're redirected to PingOne, enter your PingOne username and password.

      A screen capture of the PingIdentity Sign On page. The page has Username and Password fields, a Remember Me checkbox, a Sign On button, and the Forgot Password link.
      After successful authentication, you are redirected back to Workday.
      A screen capture of the Workday administrator home page/dashboard. The intro section sentence is Welcome, Ping and to the right has a gear icon. The page is split into two halves, the Inbox and Applications sections. The left or Inbox section contains a mail icon and the Inbox items. At the bottom center of this section is a Go to Inbox link. In the Applications or right section, is a puzzle icon and a list of all Applications by their name and a icon.
    3. Click Sign Out.
      A screen capture of the expanded cloud icon or the administrator account profile menu. The Ping View Profile menu is highlighted. The Sign Out button, which is the last of the menu options, is highlighted.
      You are signed out.
      A screen capture of the Sign Off Complete page. The page has the text, "Single sign-off is complete."