How to Configure SAML 2.0 for Workday (2024)


Read this before you enable SAML

  • Enabling SAML affects all users of this application. If you enable SP-initiated SSO, users will not be able to sign in through their regular login page and will only be able to access the app through the Okta service.

  • Backup URL: Workday provides a backup login URL where users can sign in using their normal username and password, in the following format: [Your Workday URL]/login.flex?redirect=n

  • If you log in at https://acme.workday.com/login-auth.html, [Your Workday URL] is https://acme.workday.com.

  • These SAML instructions contain Single Log-Out (SLO) and Force Authentication configuration steps that are optional. If you are not going to use SLO or Force Authentication, skip the steps that are marked as [Optional SLO] or [Optional Force Authentication], and highlighted in blue font.

Contents

  • Supported Features
  • URL Variable
  • Configuration Steps
  • Notes

Supported Features

The Okta/Workday SAML integration currently supports the following features:

  • IdP-initiated SSO
  • SP-initiated SSO
  • SLO (Single Log Out)
  • Force Authentication

For more information on the listed features, visit the Okta Glossary.

URL Variable

You will need to copy and paste the following variable throughout the following configuration steps:

IdP SSO Service URL

Sign into the Okta Admin dashboard to generate this value.

Configuration Steps

  1. Sign in to Workday with administrator privileges.

  2. Navigate to the Edit Tenant Setup - Security page. To do this, search for Edit Tenant Setup in the home screen search box, then click the Edit Tenant Setup - Security link in the search results.

  3. Scroll down to the Single Sign On section and expand it, if not already expanded.

  4. Click on the plus icon underneath Redirection URLs to add a row. Then enter the following:

    • Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Logout Redirect URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Mobile App Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Mobile Browser Login Redirect URL: Enter the following:

      [org URL]/login-saml2.flex
      Example: https://impl.workday.com/acme/login-saml2.flex
    • Enter an Environment.


  5. Scroll down to the SAML Setup section.

  6. Check the Enable SAML Authentication box.

  7. Click on the plus (+) icon underneath SAML Identity Providers to add a row, then enter the following:

    • Identity Provider Name: Enter Okta.

    • Issuer: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    • x509 Certificate: Do the following:

      • Click the icon in the x509 Certificate field.

      • Click Create x509 Public Key in the dialog box.


      • In the Create x509 Public Key screen, enter a unique name for your certificate, for example, okta.cert.

      • Copy and paste the certificate listed below into the Certificate field:

        Sign into the Okta Admin dashboard to generate this value.
      • Click OK to save your certificate and return to the Edit Tenant Setup - Security screen.

  8. [Optional SLO]: Check the Enable Workday Initiated Logout option in order to enable SLO.

  9. [Optional SLO]: Logout Request URL: Copy and paste the following:

    Sign into the Okta Admin dashboard to generate this value.

  10. IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.

  11. [Optional SLO]: For x509 Private Key Pair, do the following:

    • Click the icon in the x509 Private Key Pair field.

    • Click Create x509 Private Key Pair in the dialog box.

    • Enter a unique name for your certificate, for example, workday_key.

    • Click OK.

  12. Service Provider ID: Enter the following value: http://www.workday.com.

  13. [Optional] We recommend checking Enable SP Initiated SAML Authentication. Be sure to read the "Read this before you enable SAML" section above. Also check the SP Initiated option for your IdP in the SAML Identity Providers section.

  14. IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.

  15. [Optional Force Authentication]: Always Require IdP Authentication – check the option and select the ForceAuthn Only radio button in order to enable Force Authentication. This step should be used in conjunction with the Force Authentication option in step 19.

  16. Authentication Request Signature Method: Select SHA256.

  17. Click OK.

  18. [Optional Force SLO]: Select the Actions menu near the workday_key x509 Private Key Pair:

    • Select x509 Private Key Pair > View Key Pair.

    • On the View x509 Private Key Pair screen, copy the Public Key value and save it as a workday_key.cert file.

  19. [Optional]: In Okta, select the Sign On tab for the Workday app, then click Edit.

    • [Optional Force Authentication]: Uncheck Disable Force Authentication in order to enable Force Authentication. This step should be used in conjunction with step 15.

    • [Optional SLO]: Check Enable Single Logout.

    • [Optional SLO]: Click Browse to select the workday_key.cert.

    • [Optional SLO]: Click Upload.

    • Click Save.

  20. Done!

Notes

Make sure that you entered the correct value in the Your Workday site URL field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Workday.

For SP-initiated Flows

Open your Login Redirect URL (step 4):

[org URL]/login-saml2.flex
Example: https://impl.workday.com/acme/login-saml2.flex
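
A check an administrator can run after saving the tenant setup, given as an added example that is not from Okta's or Workday's documentation: it decodes the SAMLRequest carried by an SP-initiated redirect and confirms that the Issuer is the Service Provider ID, that a signed request uses RSA-SHA256, and that ForceAuthn is set when Force Authentication is enabled. It assumes the request is sent with the HTTP-Redirect binding; IDP_SSO_URL is a placeholder and the sample request is constructed, not captured from a real tenant.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SP_ID = "http://www.workday.com"  # Service Provider ID entered in Workday
IDP_SSO_URL = "https://idp.example.com/sso/saml"  # placeholder, not a real value

def check_redirect(url, expect_force_authn=False):
    """Return findings for one SP-initiated redirect URL (empty list = OK)."""
    parts, findings = urlsplit(url), []
    query = parse_qs(parts.query)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != IDP_SSO_URL:
        findings.append("redirect does not target the IdP SSO Service URL")
    try:
        raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
        root = ET.fromstring(zlib.decompress(raw, -15))  # raw DEFLATE
    except (KeyError, ValueError, zlib.error, ET.ParseError):
        return findings + ["no decodable SAMLRequest parameter"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return findings + ["root element is not samlp:AuthnRequest"]
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer != SP_ID:
        findings.append(f"Issuer is {issuer!r}, expected {SP_ID!r}")
    sig_alg = query.get("SigAlg", [None])[0]
    if sig_alg is not None and sig_alg != RSA_SHA256:
        findings.append(f"SigAlg is {sig_alg}, not RSA-SHA256")
    if expect_force_authn and root.get("ForceAuthn") not in ("true", "1"):
        findings.append("ForceAuthn is not set on the request")
    return findings

def sample_redirect(force_authn="true", sig_alg=RSA_SHA256, issuer=SP_ID):
    """Build a constructed redirect URL (not captured from a real tenant)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed" Version="2.0" ForceAuthn="{force_authn}">'
           f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "SigAlg": sig_alg, "Signature": "Y29uc3RydWN0ZWQ="}
    return IDP_SSO_URL + "?" + urlencode(params)

if __name__ == "__main__":
    print(check_redirect(sample_redirect(), expect_force_authn=True))
    sha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
    print(check_redirect(sample_redirect("false", sha1), expect_force_authn=True))
```

To check a real tenant, set IDP_SSO_URL to the value generated in Okta and pass the URL the browser is redirected to after opening the Login Redirect URL.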


FAQs

How to Configure SAML 2.0 for Workday?

Use the following SAML configuration for Workday. Go to Dashboard > Applications > Applications and either create a new application or click the name of an application to update. Go to the Addons tab and enable the SAML2 Web App toggle.

Does Workday support SAML?

Use the following SAML configuration for Workday. Go to Dashboard > Applications > Applications and either create a new application or click the name of an application to update. Go to the Addons tab and enable the SAML2 Web App toggle.

How to configure SSO in Workday?

Configure SSO in Workday

Navigate to the Edit Tenant Setup - Security page by searching for Edit Tenant Setup in the home screen search box and then click the Edit Tenant Setup - Security option in the search results. Scroll down to the Single Sign-On section and expand it, if not already expanded.

How to configure SAML 2.0 for Duo admin panel?

Configuration Steps
  1. Log in to your Duo Admin Panel instance.
  2. Navigate to Administrators > Admin Login Settings.
  3. Authentication with SAML: Select a required option. We used Optional in our example. ...
  4. Enter the following: ...
  5. In Okta, select the Sign On tab for the Duo Admin Panel SAML app, then click Edit. ...
  6. Done!

Can Workday act as an IdP?

miniOrange allows Workday to act as an IDP (Identity Provider), which allows users to Single Sign-On (SSO) into Shopify using Workday Credentials. Our application is compatible with all the SAML / OAuth-compliant Identity Providers.

What is the authentication policy of Workday?

Workday's authentication policy allows you to restrict access to your system by: Only allowing users to access from a list of approved IP addresses or ranges. Limiting access to users based upon method of authentication.

How do I use SAML for authorization?

SAML Example

SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access.

Is SAML SSO?

Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

How do I enable SSO login?

Configure the SSO profile for your organization
  1. Sign in to your Google Admin console. ...
  2. In the Admin console, go to Menu > Security > Authentication. ...
  3. In Third-party SSO profile for your organization, click Add SSO profile.
  4. Check the Set up SSO with third-party identity provider box.

How do I set up an SSO application?

One-click SSO configuration steps
  1. Add the application from the Azure Marketplace.
  2. Select Single sign-on.
  3. Select Enable single sign-on.
  4. Populate the mandatory configuration values in the Basic SAML Configuration section.
Feb 26, 2024

How does SAML 2.0 authentication work?

SAML is an XML-based authentication protocol in which Identity Providers (IdP), entities that manage and store user credentials, exchange digitally signed XML documents (SAML Assertions) allowing an end-user to access a Service Provider (SP), such as the collection of apps that you use every day at work or a ...

How to configure SAML in Active Directory?

To set up SAML, follow the steps below:
  1. Access your AD FS management console.
  2. Expand the Trust Relationships folder.
  3. Right-click Relying Party Trust and click Add Relying Party Trust…. ...
  4. Click Start on the wizard's Welcome screen.
  5. Choose Enter data about the relying party manually. ...
  6. Enter a display name, such as "KnowBe4".

How to configure SAML 2.0 for IAM Identity Center?

To set up your own SAML 2.0 application
  1. Open the IAM Identity Center console.
  2. Choose Applications.
  3. Choose the Customer managed tab.
  4. Choose Add application.
  5. On the Select application type page, under Setup preference, choose I have an application I want to set up.
  6. Under Application type, choose SAML 2.0.
  7. Choose Next.

How to enable SSO in Workday?

Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator. Browse to Identity > Applications > Enterprise applications > Workday application integration page, find the Manage section and select Single sign-on.

Does Workday integrate with E-Verify?

E-Verify Connector: Complements Workday HCM with employment eligibility verification results from the E-Verify employment verification service provided by the United States Citizenship and Immigration Services (USCIS).

How to connect Duo and Workday?

Create the Workday Application in Duo

Log on to the Duo Admin Panel and navigate to Applications. Click Protect an Application and locate the entry for Workday with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Workday.

What apps are supported by SAML?

SAML is one of the most widely used standards to provide users with secure, one-click access to multiple cloud applications via single sign-on (SSO). All major cloud applications support SAML, including Office 365, Google Workspace (formerly G Suite), Salesforce, Dropbox, and ServiceNow.

Is SAML still in use?

While SAML has been in use since 2005, it remains popular for identity federation in B2B and B2E applications. This wide adoption has led to its self-perpetuating success. Generally, if you want to provide seamless SSO between businesses and enterprises, you need to be able to handle SAML.

Does Office 365 support SAML?

Microsoft supports this sign-on experience as the integration of a Microsoft cloud service, such as Microsoft 365, with your properly configured SAML 2.0 profile-based IdP.

Does SSO use SAML?

SAML is the technical standard used by SSO providers to communicate that a user is authenticated.

Article information

Author: Chrissy Homenick

