Workday SAML Single Sign-On (SSO)

Workday offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Workday web application). You can configure Workday for either or both types of SSO.

Workday requirements for SSO

Before you configure the Workday web application for SSO, you need the following:

  • An active Workday account with administrator rights for your organization.
  • A signed certificate.

    You can either download one from the Admin Portal or use your organization’s trusted certificate.

Configure Workday in the Admin Portal

To add and configure the Workday application in the Admin Portal:

  1. In the Admin Portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search tab, enter Workday in the Search field and click the search icon.

  3. Next to Workday, click Add.

  4. In the Add Web App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The Workday application opens to the Settings page.

Configure Workday for SSO

The following steps are specific to the Workday application and are required in order to enable SSO for Workday. For information on optional configuration settings available in the Idaptive Admin Portal, see Configure optional application settings.

It is helpful to open the web application and the Admin Portal simultaneously to copy and paste settings between the two browser windows.

To configure Workday for SSO

  1. In your web browser, go to the URL for Workday and log in with your Workday administrator credentials.

    The URL should take the form https://www.myworkday.com/Your-Workday-Tenant/login-saml.flex where Your-Workday-Tenant is your tenant name.

  2. Navigate to Workbench > Account Administration.

    The Workbench menu is available under the user account picture at the top right of the page.

  3. In the Actions area, click Edit Tenant Setup - Security and scroll down to SAML Setup.

    If Edit Tenant Setup - Security is not available, you might not have the proper permissions to access it.

  4. In SAML Setup, select Enable SAML Authentication.
  5. Click +(the plus sign) next to Identity Providers and then configure the following.

    Each entry below names the Workday field, then states in parentheses whether it has a counterpart on the Admin Portal Trust page (N/A means it has none) and, where it does, the direction of the copy and paste operation between the two windows, followed by what you do.

    • Identity Provider Name (Admin Portal: N/A): Enter CyberArk as the Identity Provider Name.

    • Issuer (copy from the Issuer field on the Admin Portal Trust page into Workday): Copy the contents of the Issuer field on the Trust page in the Admin Portal and paste it here. The contents of this field must exactly match the Issuer field in the Admin Portal for this application.

    • Enable IdP Initiated Logout (Admin Portal: N/A): Remove the check mark.

    • (field name not shown on this page; Admin Portal: N/A): Leave blank.

    • Enable Workday Initiated Logout (Admin Portal: N/A): Select if you want the Workday application to initiate a logout as defined in the Logout Request URL option below.

    • Logout Request URL (copy from the Logout Request URL field on the Admin Portal Trust page into Workday): Copy the contents of the Logout Request URL field on the Trust page in the Admin Portal and paste it here. This field is required only if Enable Workday Initiated Logout is selected. Configuring this option signs users out of the CyberArk Identity User Portal when they sign out of the Workday application.

    • X.509 Certificate (copy the Download Signing Certificate output from the Admin Portal Trust page into Workday): Click the icon to open the menu, select Create Certificate, and enter the following information:

      • Enter a name for the certificate.
      • Enter dates in the Valid From and Valid To fields.
      • Download the Signing Certificate from the Trust page in the Admin Portal and paste it into this field.
      • Click OK to save your certificate.

    • Enable Dynamic Deep Links for IdP Initiated SAML (Admin Portal: N/A): Remove the check mark.

    • Enable Dynamic Certificate Pinning (Admin Portal: N/A): Remove the check mark.

    • Trusted Domain Certificates (Admin Portal: N/A): Leave this option blank.

    • Service Provider ID (Admin Portal: N/A): Enter workdaygms.

    • Enable SP Initiated SAML Authentication (Admin Portal: N/A): Do not select for IdP-initiated only configurations. Select to also enable SP-initiated configurations.

    • IdP SSO service URL (copy from the IdP SSO Service URL field on the Admin Portal Trust page into Workday): Copy the contents of the IdP SSO Service URL field on the Trust page in the Admin Portal and paste it here.

    • Sign SP-initiated Authentication Request (Admin Portal: N/A): Make sure this is selected if you want Workday to sign the SAML requests it sends to CyberArk Identity using the SAML public key.

    • Do not Deflate SP-Initiated Authentication Request (Admin Portal: N/A): Select to disable deflate compression of SAML requests sent by Workday to a SAML IdP endpoint. Do not select to use deflate compression and Base64 encoding when sending SAML requests. CyberArk recommends that you do not select this option (remove the check mark).

    • Always Require IdP Authentication (Admin Portal: N/A): Remove the check mark unless you want to force users to authenticate even if they have an existing IdP session (see SP-initiated SAML authentication above).

    • Authentication Request Signature Method (Admin Portal: N/A): Set to SHA1.

    • Enable Signature KeyInfo Validation (Admin Portal: N/A): Remove the check mark.

    • Additional Negative Skew (in minutes) (Admin Portal: N/A): Leave this option blank.

    • Additional Positive Skew (in minutes) (Admin Portal: N/A): Leave this option blank.

  6. For SP-initiated configurations, in addition to selecting Enable SP Initiated SAML Authentication you also configure the following:

    • Click + (the plus sign) next to Redirection URLs.
    • Copy the IdP SSO Service URL from the Admin Portal Trust page and paste it into the Workday Login Redirect URL field.

      Add ?redirect=n to the end of the URL in the Workday Login Redirect field to allow users to log in to Workday using their local Workday user name and password.
  7. Click OK to save your configuration.
  8. Log out of your Workday account.
  9. On the Trust page in the Admin Portal, specify the following:

    • Your Workday SAML ACS URL (required): Set it to https://www.myworkday.com/YOUR-WORKDAY-TENANT/login-saml.flex, replacing YOUR-WORKDAY-TENANT with the tenant name for your organization.

  10. Click Save.
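To show what the SP-initiated settings above change on the wire, here is an added example (not CyberArk's or Workday's code) that builds a minimal AuthnRequest carrying the Service Provider ID as its Issuer and a ForceAuthn flag (what Always Require IdP Authentication controls), encodes it for the HTTP-Redirect binding both with deflate compression and in the Do not Deflate form, and decodes either form on the IdP side. The tenant name, request ID, timestamp and IdP URL are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_id, acs_url, idp_sso_url, force_authn=False):
    """Minimal AuthnRequest as an SP sends it. Issuer carries the Service
    Provider ID; ForceAuthn mirrors 'Always Require IdP Authentication'.
    ID and IssueInstant are constructed placeholder values."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_id
    return ET.tostring(req, encoding="unicode")


def encode_saml_request(xml_text, deflate=True):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64, then
    URL-encode. deflate=False is the 'Do not Deflate' variant (Base64 only)."""
    raw = xml_text.encode()
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def decode_saml_request(param):
    """IdP side: reverse the encoding, accepting both variants, and return
    the values the IdP compares against its own configuration."""
    data = base64.b64decode(urllib.parse.unquote(param))
    try:
        root = ET.fromstring(data)                          # plain XML
    except ET.ParseError:
        root = ET.fromstring(zlib.decompress(data, -15))    # raw DEFLATE
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn") == "true",
    }
```

The decoded issuer is what must match the Service Provider ID, and the decoded ACS URL is what the Trust page setting in step 9 has to agree with.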

Workday inbound provisioning

You can provision users from your enterprise source directories (CyberArk Cloud Directory or any source Active Directory instances connected to CyberArk Identity) to one or more target Active Directory instances and assign the right set of access based on roles.

  • Source: Workday. Target: AD or CyberArk Cloud Directory.
  • Source: CyberArk Cloud Directory. Target: AD.

The following users are considered for provisioning:

  • Users created in CyberArk Cloud Directory.
  • Users created in an AD directory that is connected to CyberArk Identity.

You can define synchronization schedules to synchronize user data from source directory to target Active Directories.

Refer to Inbound Provisioning from Workday for more information about inbound provisioning from Workday.

Workday specifications

Each SAML application is different. The following table lists features and functionality specific to Workday.

  • Web browser client: Yes.
  • Mobile client: Yes. iOS and Android.
  • SAML 2.0: Yes.
  • SP-initiated SSO: Yes. If SP-initiated is enabled, IdP-initiated SSO is still supported.
  • IdP-initiated SSO: Yes.
  • Force user login via SSO only: No. After SSO is enabled, users can continue to log in to Workday with their local user name and password.

    Workday also provides a URL parameter that stops the SP-initiated redirect and allows users to access the standard Workday login screen. To do this, add ?redirect=n to the end of the URL in the Workday Login Redirect field. Note that if SP-initiated and redirect are both enabled and ?redirect=n is not present, users are redirected to the CyberArk Identity User Portal.

  • Separate administrator login after SSO is enabled: Yes. After SSO is enabled, administrators can continue to log in to Workday with their local user name and password.
  • User lockout: No.
  • Administrator lockout: No.
  • User provisioning through SAML: No.
  • Multiple User Types: Yes. Refer to Workday documentation for details.
  • Self-service password: Yes. Users can reset their own passwords. Note that administrators cannot reset a user’s password.
  • Access restriction using a corporate IP range: Yes. You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.