---
title: Configuring Workday SSO with PingOne for Enterprise or PingFederate
description: You must have:
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_config_workday_sso_p14e_pf
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_config_workday_sso_p14e_pf.html
revdate: December 4, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  troubleshooting: Troubleshooting
  related-links: Related links
---

# Configuring Workday SSO with PingOne for Enterprise or PingFederate

## Before you begin

You must have:

* PingOne for Enterprise for cloud integration or PingFederate 10.3 for on-premise integration

* A Workday tenant

## About this task

Follow these steps to configure Workday as a service provider (SP) through PingOne for Enterprise or PingFederate.

## Steps

1. Create a Workday public key and configure it for use in PingOne for Enterprise and PingFederate.

   When using single logout (SLO) or signed SP-Initiated single sign-on (SSO), you must create and configure an x509 key pair for the Workday tenant. Later in this task, you'll import the public key into PingOne for Enterprise or PingFederate.

   1. From the Workday tenant, search for the task `Create x509 Private Key Pair`.

   2. Enter a name for the key pair.

   3. Copy and paste the value for **Public Key** into a new text file.

   4. Assign **Key Pair** to **SAML Configuration**.

   5. From the Workday Tenant, search for the task `edit tenant setup - security`.

   6. Assign the **Key Pair** to the field **x509 Private Key Pair**, and click **OK**.

2. For on-premise integration, configure Workday as a service provider using PingFederate.

   **Note:** Because of the complexity of setting up an SP connection, only the key configuration options are noted below.

   1. In PingFederate, go to **Applications → SP Connections**.

   2. Click **Create Connection**.

   3. On the **Connection Template** tab, leave the default selection and click **Next**.

   4. On the **Connection Type** tab, under **Connection Template**, select **Browser SSO Profiles**. Click **Next**.

   5. On the **Connection Options** tab, select **Browser SSO**. Click **Next**.

   6. On the **Import Metadata** tab, select **None**. Click **Next**.

   7. On the **General Info** tab, set the **Partner's Entity ID (Connection ID)** to `http://www.workday.com` and enter your desired value for **Connection Name**. Click **Next**.

   8. On the **Browser SSO** tab, click **Configure Browser SSO**.

   9. On the **SAML Profiles** tab, select your desired **Single Sign-On (SSO) Profiles** and **Single Logout (SLO) Profiles**. Click **Next**.

   10. On the **Assertion Lifetime** tab, leave the default values and click **Next**.

   11. On the **Assertion Creation** tab, click **Configure Assertion Creation**.

   12. Click **Next** until you reach the **Authentication Source Mapping** tab.

   13. To authenticate users to your SP, choose from:

       * Mapping a **New Adapter Instance**, as described in [Configuring an IdP adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_idp_adapter_instance.html).

       * Mapping a **New Authentication Policy**, as described in [Mapping an authentication policy](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_mapp_auth_policy.html).

   14. Click **Next** and on the **Summary** tab, click **Done**.

   15. On the **Assertion Creation** tab, click **Next**.

   16. On the **Protocol Settings** tab, click **Configure Protocol Settings**.

   17. Configure the following protocols.

       **Note:** *workday-tenant-name* is your Workday tenant name.

       | Tab                                | Binding  | Endpoint URL                                                      |
       | ---------------------------------- | -------- | ----------------------------------------------------------------- |
       | **Assertion Consumer Service URL** | **POST** | `https://impl.workday.com/workday-tenant-name/login-saml.flex`    |
       | **SLO Service URLs**               | **POST** | `https://impl.workday.com/workday-tenant-name/logout-saml.htmld`  |

   18. On the **Allowable SAML Bindings** tab, select **POST**. Click **Next**.

   19. On the **Signature Policy** tab, enable the following:

       * (Optional) **Require AuthN Requests to Be Signed When Received via the POST or Redirect Bindings**

       * **Always Sign Assertion**

       * **Sign Response As Required**

   20. On the **Encryption Policy** tab, leave the default values and click **Next**. Click **Done**.

   21. On the **Protocol Settings** tab, click **Next**. Click **Done**.

   22. On the **Credentials** tab, click **Configure Credentials** and provide the following credentials:

       1. On the **Digital Signature Settings** tab, in the **Signing Certificate** list, select your signing certificate.

       2. Select **Include the Certificate in the Signature \<keyinfo> Element**.

       3. (Optional) On the **Signature Verification Settings** tab, if you're using SP-initiated SSO or SLO, import the Workday public key that you created previously from the text file.

       4. Click **Done**.

   23. On the **Activation & Summary** tab, click **Save**.

3. For cloud integration, configure Workday as a service provider through PingOne for Enterprise. For general instructions, see [Add an application from the Application Catalog](https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_application_application_catalog.html).

   1. In the PingOne for Enterprise admin console, go to **Applications**.

   2. In the **Application Catalog**, search for `Workday`.

   3. Select the **Workday** application, not the Sandbox or Preview application.

   4. Click **Setup** to configure SSO for the Workday tenant. Click **Continue to Next Step**.

   5. On the **Connection Configuration** page, enter the following values and click **Continue to Next Step**.

      | Parameter                            | Value                                                                                                                                      |
      | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ |
      | **ACS URL**                          | `https://myworkday.com/workday-tenant-name/login-saml.flex`                                                                                |
      | **Entity ID**                        | `http://www.workday.com`                                                                                                                   |
      | **Target Resource**                  | `https://www.myworkday.com/workday-tenant-name/fx/home.flex`                                                                               |
      | **Single Logout Endpoint**           | `https://www.myworkday.com/workday-tenant-name/logout-saml.htmld`                                                                          |
      | **Single Logout Response Endpoint**  | `https://www.myworkday.com/workday-tenant-name/logout-saml.htmld`                                                                          |
      | **Primary Verification Certificate** | If using signed SP-initiated SSO or SLO, import the Workday public key that you created previously from the text file where you stored it. |

   6. Map attributes as needed:

      * If the subject will contain the username that corresponds to the account within Workday, select **SAML\_SUBJECT**.

      * If the subject is the email address, click **Advanced** and select the function **GetLocalPartFromEmail**.

   7. Perform additional application customizations as needed, then click **Finish**.

4. Enable SAML and create an IdP provider in Workday:

   1. In the Workday tenant, search for `edit tenant setup - security`.

   2. Select **Enable SAML Authentication**.

   3. Under **SAML Identity Providers**, click the plus icon to add a new IdP.

      Provide the following information:

      | Parameter                  | Value |
      | -------------------------- | ----- |
      | **Identity Provider Name** | Enter a value that is useful within your environment. |
      | **Issuer**                 | For PingOne for Enterprise, the URL is available from the Workday Application Configuration. For example: `https://pingone.com/idp/cd-nnn.pingidentity`<br>For PingFederate, use the SAML 2.0 Entity ID that you can find from **Server Configuration → Server Settings → Federation Info**. |
      | **x509 Certificate**       | Create a public key that will contain the key from your PingOne for Enterprise or PingFederate connection. |
      | **Certificate**            | Paste the contents of the PingOne for Enterprise or PingFederate public certificate into the **Certificate** field.<br>For PingOne for Enterprise, download the Signing Certificate from the Workday Application Configuration.<br>For PingFederate, export the signing certificate that is used for the Workday SP Connection from **Server Configuration → Signing & Decryption Keys & Certificates**. |

   4. To enable SP-initiated SSO, continue to Step 5.

   5. To enable SLO, go to Step 7.

   6. In the PingOne for Enterprise admin console, edit the Workday Application and continue to the page **Configure your connection**.

   7. Upload the public key from your text file to the **Primary Verification Certificate** and save the configuration.

5. Enable SP-initiated SSO for Workday:

   1. In the Workday tenant, search for the task `edit tenant setup - security`.

   2. Under **SAML Identity Providers** for the desired IdP, select `SP Initiated`.

   3. In the **Service Provider ID** field, enter `http://www.workday.com`.

   4. Select `Do Not Deflate SP-initiated Request`.

   5. **Optional:** Select `Sign SP-initiated Request`. If checked, refer to the section Workday x509 Public Key.

   6. Enter a value for **IdP SSO Service URL**:

      * For PingOne for Enterprise: From the Workday Application Configuration: Initiate Single Sign-On (SSO) URL.

      * For PingFederate: `https://host:port/idp/SSO.saml2`

6. To test SP-init, open the following link to trigger SP-Init from Workday: `https://impl.workday.com/workday-tenant-name/login-saml2.flex`.

7. Enable SLO for Workday:

   1. In the Workday tenant, search for the task `edit tenant setup - security`.

   2. Under **SAML Identity Providers** for the desired IdP, select **Enable IdP Initiated Logout**.

   3. Configure the following **Logout Response URLs**:

      * For PingOne for Enterprise: `https://sso.connect.pingidentity.com/sso/SLO.saml2`

      * For PingFederate: `https://host:port/idp/SLO.saml2`

   4. Under **SAML Identity Providers** for the desired IdP, select **Enable Workday Initiated Logout**.

   5. Configure the following Logout Request URLs:

      * For PingOne for Enterprise: `https://sso.connect.pingidentity.com/sso/SLO.saml2`

      * For PingFederate: `https://host:port/idp/SLO.saml2`

8. **Optional:** Redirect the Workday sign on page to PingOne for Enterprise or PingFederate, as appropriate.

   1. From the Workday tenant, search for the task `edit tenant setup - security`.

   2. In the **Single Sign-on** section, add a new **Redirection URL**.

   3. Enter the SSO URL for the following fields:

      * **Login Redirect URL**

      * **Mobile App Login Redirect URL**

      * **Mobile Browser Login Redirect URL**

        The SSO URL is: `https://impl.workday.com/workday-tenant-name/login-saml2.flex`

   4. Configure the **Login Redirect URL**:

      * For PingOne for Enterprise: `https://sso.connect.pingidentity.com/sso/SLO.saml2`

      * For PingFederate: `https://host:port/idp/SLO.saml2`

   5. Configure the environment as determined by the tenant URL:

      * If the subdomain for the Workday tenant URL starts with `impl`, then the **Environment** attribute is **Implementation**.

      * If the subdomain name starts with something else, contact the Workday support team to determine the **Environment** attribute.

## Troubleshooting

* If there is an issue with the login redirect URL, append `?redirect=n` to the Workday login URL. For example, `https://impl.workday.com/wday/authgwy/workday-tenant-name/login.htmld?redirect=n`.

* Workday provides a SAML message validator that can be used to debug SAML issues. Search for the task `Validate SAML Message`.
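
The checks below are an added example, not part of the Ping Identity or Workday documentation: given the base64 `SAMLResponse` form value from a failed sign-on, they compare its Destination, Issuer, Audience, Recipient, signature placement and NameID against the values this guide configures. The function names, the `https://idp.example.com` issuer and the sample message are constructed, and the rule that a Workday username contains no `@` is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "http://www.workday.com"  # Partner's Entity ID from this guide
ACS = "https://impl.workday.com/workday-tenant-name/login-saml.flex"  # ACS URL from this guide

def check_response(b64_response, issuer, acs_url=ACS):
    """List mismatches with this guide's settings. Structural only: no signature verification."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD or entity declaration present; refusing to parse"]
    root, problems = ET.fromstring(xml), []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted saml:Assertion in response"]
    # "Always Sign Assertion": the signature is a direct child of the assertion.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion carries no ds:Signature")
    if assertion.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer differs from the Issuer set in Workday")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience lacks " + SP_ENTITY_ID)
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not the ACS URL")
    # Assumption: Workday usernames contain no "@" (see the attribute-mapping step).
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id or "@" in name_id:
        problems.append("NameID is empty or an email address")
    return problems

def sample(name_id="jdoe", audience=SP_ENTITY_ID, signed=True):
    """Constructed response (not a captured message); the signature is an empty stub."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    doc = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">'
           '<saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer>%s'
           '<saml:Subject><saml:NameID>%s</saml:NameID><saml:SubjectConfirmation>'
           '<saml:SubjectConfirmationData Recipient="%s"/></saml:SubjectConfirmation>'
           '</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>%s'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
           '</samlp:Response>') % (NS["samlp"], NS["saml"], ACS, sig, name_id, ACS, audience)
    return base64.b64encode(doc.encode()).decode()

print(check_response(sample("jdoe@example.com", signed=False), "https://idp.example.com"))
```

An empty list means the message matches the connection settings structurally; signature validity still has to be confirmed with Workday's `Validate SAML Message` task.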

## Related links

* [PingFederate 9.2 Administrator's Manual](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-92.pdf#page=62)

* [PingID Administration Guide](https://docs.pingidentity.com/pingid/pid_landing_page.html)

* [Workday Community](https://resourcecenter.workday.com/en-us/wrc/home.html)

* [Workday Support](https://www.workday.com/en-us/services/support.html)
