How to Configure SAML 2.0 for Workday (2024)


Read this before you enable SAML

  • Enabling SAML affects all users of this application: if you enable SP-initiated SSO, users will no longer be able to sign in through their regular login page and will only be able to access the app through the Okta service.

  • Backup URL: Workday provides a backup login URL where users can sign in with their normal username and password, in the following format: [Your Workday URL]/login.flex?redirect=n

  • If you log into: https://acme.workday.com/login-auth.html, [Your Workday URL] is: https://acme.workday.com.

  • These SAML instructions contain Single Log-Out (SLO) and Force Authentication configuration steps that are optional. If you are not going to use SLO or Force Authentication, skip the steps that are marked as [Optional SLO] or [Optional Force Authentication], and highlighted in blue font.

Contents

  • Supported Features
  • URL Variable
  • Configuration Steps
  • Notes

Supported Features

The Okta/Workday SAML integration currently supports the following features:

  • IdP-initiated SSO
  • SP-initiated SSO
  • SLO (Single Log Out)
  • Force Authentication

For more information on the listed features, visit the Okta Glossary.

URL Variable

You will need to copy and paste the following variable during the configuration steps below:

IdP SSO Service URL

Sign into the Okta Admin dashboard to generate this value.

Configuration Steps

  1. Sign in to Workday with administrator privileges.

  2. Navigate to the Edit Tenant Setup - Security page. To do this, search for Edit Tenant Setup in the home screen search box, then click the Edit Tenant Setup - Security link in the search results:

  3. Scroll down to the Single Sign On section and expand it, if not already expanded.

  4. Click on the plus icon underneath Redirection URLs to add a row. Then enter the following (see screenshot at end of step for reference):

    • Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Logout Redirect URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Mobile App Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Mobile Browser Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Enter an Environment.

  5. Scroll down to the SAML Setup section.

  6. Check the Enable SAML Authentication box:

  7. Click on the plus (+) icon underneath SAML Identity Providers to add a row, then enter the following:

    • Identity Provider Name: Enter Okta.

    • Issuer: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    • x509 Certificate: Do the following:

      • Click the icon in the x509 Certificate field.

      • Click Create x509 Public Key in the dialog box.

      • In the Create x509 Public Key screen, enter a unique name for your certificate, for example, okta.cert.

      • Copy and paste the certificate listed below into the Certificate field:

        Sign into the Okta Admin dashboard to generate this value.
      • Click OK to save your certificate and return to the Edit Tenant Setup - Security screen.

  8. [Optional SLO]: Check the Enable Workday Initiated Logout option in order to enable SLO.

  9. [Optional SLO]: Logout Request URL: Copy and paste the following:

    Sign into the Okta Admin dashboard to generate this value.

  10. IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.

  11. How to Configure SAML 2.0 for Workday (6)

  12. [Optional SLO]: For x509 Private Key Pair, do the following:

    • Click the icon in the x509 Private Key Pair field.

    • Click Create x509 Private Key Pair in the dialog box:

    • Enter a unique name for your certificate, for example, workday_key.

    • Click OK.

  13. Service Provider ID: Enter the following value: http://www.workday.com.

  14. [Optional] We recommend checking Enable SP Initiated SAML Authentication. Be sure to read the Before you begin section above. Also check the SP Initiated option for your IdP in the SAML Identity Providers section:

  15. IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.

  16. [Optional Force Authentication]: Always Require IdP Authentication – check the option and select the ForceAuthn Only radio button in order to enable Force Authentication. This step should be used in conjunction with the Force Authentication option in step 19.

  17. Authentication Request Signature Method: Select SHA256.

  18. Click OK:

  19. How to Configure SAML 2.0 for Workday (10)

  20. [Optional Force SLO]: Select the Actions menu near the workday_key x509 Private Key Pair:

    • Select x509 Private Key Pair > View Key Pair:

    • On the View x509 Private Key Pair screen, copy the Public Key value and save as workday_key.cert file:

  21. [Optional]: In Okta, select the Sign On tab for the Workday app, then click Edit.

    • [Optional Force Authentication]: Uncheck Disable Force Authentication in order to enable Force Authentication. This step should be used in conjunction with step 15.

    • [Optional SLO]: Check Enable Single Logout.

    • [Optional SLO]: Click Browse to select the workday_key.cert.

    • [Optional SLO]: Click Upload.

    • Click Save.

  22. Done!

Notes

Make sure that you entered the correct value in the Your Workday site URL field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Workday.

For SP-initiated Flows

Open your Login Redirect URL (step 4):

[org URL]/login-saml2.flex
Example: https://impl.workday.com/acme/login-saml2.flex
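
To confirm the tenant settings took effect, you can capture the redirect URL that the Login Redirect URL sends your browser to and audit the AuthnRequest inside it. The following is an added example, not code from the original page, Okta or Workday. It assumes the request travels over the SAML HTTP-Redirect binding (deflated, base64-encoded SAMLRequest plus a SigAlg parameter); the IdP URL and all function names are hypothetical.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def decode_redirect_request(url):
    """Return (AuthnRequest element, SigAlg or None) from an HTTP-Redirect URL."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    # Redirect binding uses raw DEFLATE (no zlib header), hence wbits=-15.
    xml = zlib.decompress(raw, -15)
    return ET.fromstring(xml), query.get("SigAlg", [None])[0]

def audit(url, idp_sso_url, sp_id="http://www.workday.com", expect_force=True):
    """List mismatches with the tenant settings; does NOT verify the signature."""
    req, sig_alg = decode_redirect_request(url)
    findings = []
    if not url.startswith(idp_sso_url + "?"):
        findings.append("request not sent to the configured IdP SSO Service URL")
    if req.get("Destination") != idp_sso_url:
        findings.append("Destination does not match IdP SSO Service URL")
    if (req.findtext("saml:Issuer", namespaces=NS) or "").strip() != sp_id:
        findings.append("Issuer does not match Service Provider ID")
    if expect_force and req.get("ForceAuthn") not in ("true", "1"):
        findings.append("ForceAuthn is not set")
    if sig_alg != RSA_SHA256:
        findings.append(f"SigAlg is {sig_alg!r}, expected RSA-SHA256")
    return findings

def build_sample(idp_sso_url, force, sig_alg):
    """Constructed test input: a redirect URL with no real signature attached."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'Destination="{idp_sso_url}" ForceAuthn="{force}">'
           f'<saml:Issuer>http://www.workday.com</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(xml.encode()) + c.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "SigAlg": sig_alg}
    return idp_sso_url + "?" + urlencode(params)

if __name__ == "__main__":
    idp = "https://idp.example.com/app/workday/sso/saml"  # placeholder IdP URL
    print(audit(build_sample(idp, "false", RSA_SHA256), idp))
```

An empty list means the captured request agrees with the Service Provider ID, IdP SSO Service URL, Force Authentication and SHA256 settings from the steps above.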

FAQs

How to Configure SAML 2.0 for Workday?

Use the following SAML configuration for Workday. Go to Dashboard > Applications > Applications and either create a new application or click the name of an application to update. Go to the Addons tab and enable the SAML2 Web App toggle.

Does Workday support SAML?

Use the following SAML configuration for Workday. Go to Dashboard > Applications > Applications and either create a new application or click the name of an application to update. Go to the Addons tab and enable the SAML2 Web App toggle.

How to configure SSO in Workday?

Configure SSO in Workday

Navigate to the Edit Tenant Setup - Security page by searching for Edit Tenant Setup in the home screen search box and then click the Edit Tenant Setup - Security option in the search results. Scroll down to the Single Sign-On section and expand it, if not already expanded.

What is the URL for SAML 2.0 SSO service?

The SAML 2.0 SSO service URL format should be https://<your-mattermost-url>/login/sso/saml where <your-mattermost-url> matches your Mattermost Site URL. Then choose Next. This string must match the Service Provider Identifier string.

How to configure SAML 2.0 for IAM Identity Center?

Step 1: Setup your identity provider (IdP)
  1. Sign in to your AWS account.
  2. From the main menu, search for IAM Identity Center (successor to AWS Single Sign-On).
  3. Once in IAM Identity Center, select Applications.
  4. Next, select Add application.
  5. In the next screen, select Add custom SAML 2.0 application then Next.

What kind of security does Workday use?

Workday relies on the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits for encryption at rest. Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery.

Is SAML required for SSO?

SAML is one of the protocols that enable SSO.

It's an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).

Where is SSO configured?

Choose Single sign-on from the application's left-hand menu. Choose SAML as the SSO method. For the Basic SAML Configuration section you will need an Identifier (Entity ID) and a Reply URL (ACS URL). Both of these are provided by Resource Guru in Settings > SSO > Configure SSO.

How do I activate my SSO profile?

Configure the SSO profile for your organization
  1. Sign in to your Google Admin console. ...
  2. In the Admin console, go to Menu Security Authentication. ...
  3. In Third-party SSO profile for your organization, click Add SSO profile.
  4. Check the Set up SSO with third-party identity provider box.

Can Workday act as an IDP?

miniOrange allows Workday to act as an IDP (Identity Provider), which allows users to Single Sign-On (SSO) into Shopify using Workday Credentials. Our application is compatible with all the SAML / OAuth-compliant Identity Providers.

What is the SAML 2.0 name identifier?

SAML 2.0 name identifier formats control how the users at identity providers are mapped to users at service providers during single sign-on. Use the email address name identifier format if you want a user to log in at the service provider as the same user that they use to log in at the identity provider.

What is SAML 2.0 and how does it work?

SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in a system and gain access to another system by providing proof of their authentication.

How to implement SSO using SAML?

Implementation of SAML SSO follows 5 simple steps outlined in detail below.
  1. Step 1: Exchange of metadata information. ...
  2. Step 2: Identity provider configuration. ...
  3. Step 3: Enable SAML in Configuration. ...
  4. Step 4: Test the single sign-on connection. ...
  5. Step 5: Go live.
Jan 29, 2024

How do I check SAML configuration?

Test Your SAML Configuration
  1. In Setup, select Users.
  2. Select the user, and click Edit.
  3. Select Single Sign-On Enabled.
  4. For Federation ID, enter the shared identifier. Note This ID is passed in the <NameID> tag in the SAML assertions that are sent to Marketing Cloud Engagement. ...
  5. Click Save.

What is a SAML configuration?

Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

How to configure SAML in Active Directory?

To set up SAML, follow the steps below:
  1. Access your AD FS management console.
  2. Expand the Trust Relationships folder.
  3. Right-click Relying Party Trust and click Add Relying Party Trust…. ...
  4. Click Start on the wizard's Welcome screen.
  5. Choose Enter data about the relying party manually. ...
  6. Enter a display name, such as "KnowBe4".

What apps are supported by SAML?

SAML is one of the most widely used standards to provide users with secure, one-click access to multiple cloud applications via single sign-on (SSO). All major cloud applications support SAML, including Office 365, Google Workspace (formerly G Suite), Salesforce, Dropbox, and ServiceNow.

What authenticator does Workday use?

Download the Google Authenticator app from your device's app store, launch the app, click the plus button to add an account, choose enter a setup key, enter Workday for the account name, copy the secret key from the Workday app, paste the key into Google Authenticator, click Add, tap on Workday in Google Authenticator ...

Does Office 365 support SAML?

Microsoft supports this sign-on experience as the integration of a Microsoft cloud service, such as Microsoft 365, with your properly configured SAML 2.0 profile-based IdP.

Article information

Author: Foster Heidenreich CPA
