Workday SAML Configuration

Introduction

This article outlines the information and steps you need to take in order to configure Workday to use the LogonBox SAML Identity Provider. Once configured your users will be redirected to your LogonBox Server to authenticate. 

Note: Once SAML is enabled, users will not be able to sign in through their Workday login page and must access Workday through LogonBox. There is a backup login URL to bypass SAML and sign in with your regular username and password. That URL is [Your Workday URL]/login.flex?redirect=n.

Step 1 - Create the Resource from the Template

Log in to your server as an administrator and navigate to Identity Services->SAML. Click Search Templates, select the Workday SAML template and click Next.

You will be asked for two items:

  • Entity Id
  • Workday URL

The Entity Id uniquely identifies your connection with Workday, e.g. workday.logonbox.com.

The Workday URL is the address you log in to when accessing Workday, for example https://impl.workday.com/logonbox/login.flex. You need everything up to and including your tenant name; in this example you would enter https://impl.workday.com/logonbox.

Note: Your Workday URL may look different from the one above. Workday offers several types of instance (implementation, sandbox and production), each using its own domain name.

Click Next. At this point, close the templates window so that you return to the list of SAML resources, where your Workday SAML resource should now be present.

Edit the resource and in the Assignment tab, add users, groups or roles who will have permission to use this resource.

You can add the Everyone role to add all users then click Update.

Step 2 - Download SAML metadata

You will need a couple of things from your server in order to configure Workday.

First you will need to download the SAML metadata.

In the table of SAML resources locate the Workday SAML resource, and click the options icon to activate the dropdown. Select Download Metadata; this is an XML file that contains information about the Identity Provider and its access points.

Open the XML file containing the metadata and locate the logon URL and logout URL. These are located towards the end of the document and will look like:

https://demo.logonbox.com/app/api/sso/logon/123456

https://demo.logonbox.com/app/api/sso/logout/123456

Copy both URLs in full; you will need them in the next step.

Next, navigate to Certificates and locate the SAML RSA certificate. Again using the options icon to activate the dropdown, select Download Certificate.

Step 3 - Configuring Workday

Log in to your organization’s Workday account as an administrator and, in the search bar, type “edit tenant security”. Select Edit Tenant Setup – Security from the search results.

Navigate to the Single Sign-On section. Click the plus icon under Redirection URLs to add a new configuration.

Enter the logon URL identified in the previous step into Login Redirect URL and the logout URL into Logout Redirect URL, then choose an Environment such as Implementation. When completed, your section should resemble the example below.

Navigate to the SAML Setup section and select the Enable SAML Access checkbox.

Click the plus icon underneath SAML Identity Providers to add a new configuration then create a name to identify your LogonBox IdP in Identity Provider Name.

Enter your Entity ID as used in Step 1 under Issuer URL, then finally under the x509 Certificate heading, select the dialogue bubble on the right of the field and proceed to Create > Create x.509 Public Key.

Step 4 - Create x.509 Public Key

Give your certificate a name, then define the period of time for which the key is valid.

Open the SAML RSA certificate you downloaded earlier into a text editor and paste the content, including the BEGIN and END CERTIFICATE strings, into the Certificate field.
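Step 2 has you locate the logon and logout URLs by eye in the metadata XML, and this step has you paste the downloaded certificate with its BEGIN and END lines intact. The script below is an added example, not LogonBox or Workday code: it reads the same values out of the metadata programmatically, wraps the metadata's signing certificate in PEM armour, and checks that the certificate you are about to paste is the one the metadata advertises as the signing key (a mismatch is the usual cause of Workday rejecting signed requests). It assumes the metadata uses the standard SAML 2.0 metadata element names (IDPSSODescriptor, SingleSignOnService, SingleLogoutService, KeyDescriptor); the metadata document and certificate bytes below are constructed samples using the URLs from this article, and the certificate body is a placeholder rather than a real X.509 key.

```python
"""Extract IdP endpoints and the signing certificate from SAML metadata.

Added example, not LogonBox or Workday code. Assumes standard SAML 2.0
metadata element names. SAMPLE_METADATA and SAMPLE_CERT_B64 are constructed
samples; the certificate body is a placeholder, not a real X.509 key.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed placeholder certificate body (valid base64, not a real certificate).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-sample-certificate-not-real-x509").decode()

# Constructed sample shaped like the file Download Metadata produces.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="workday.logonbox.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://demo.logonbox.com/app/api/sso/logout/123456"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://demo.logonbox.com/app/api/sso/logon/123456"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, logon/logout Location URLs and signing certificate (bare base64)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: this is not IdP metadata")

    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())  # metadata often line-wraps the base64
                break
    return {
        "entity_id": root.get("entityID"),
        "logon_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "signing_cert_b64": cert_b64,
    }


def to_pem(cert_b64):
    """Wrap bare base64 in the PEM armour Workday's Certificate field expects."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Strip PEM armour and decode; rejects input missing the BEGIN/END lines."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if (not lines or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("certificate must include the BEGIN and END CERTIFICATE lines")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def cert_matches_metadata(downloaded_pem, metadata_xml):
    """True if the downloaded PEM is the signing certificate advertised in the metadata."""
    info = parse_idp_metadata(metadata_xml)
    if info["signing_cert_b64"] is None:
        raise ValueError("metadata carries no signing certificate")
    meta_der = base64.b64decode(info["signing_cert_b64"], validate=True)
    return hashlib.sha256(pem_to_der(downloaded_pem)).digest() == hashlib.sha256(meta_der).digest()


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer URL / Entity ID:", info["entity_id"])
    print("Login Redirect URL    :", info["logon_url"])
    print("Logout Redirect URL   :", info["logout_url"])
    pem = to_pem(info["signing_cert_b64"])
    print(pem)
    print("downloaded cert matches metadata:", cert_matches_metadata(pem, SAMPLE_METADATA))
```

To use it against your own server, replace SAMPLE_METADATA with the contents of the downloaded metadata file and pass the downloaded certificate file's text to cert_matches_metadata; the values it prints are the ones to paste into Issuer URL, Login Redirect URL, Logout Redirect URL and the Certificate field.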

Proceed down to provide values for:

  • Service Provider ID - a name to identify this service, e.g. workday.com
  • IdP SSO Service URL - enter the logon URL found in the earlier step
  • Enable SP Initiated SAML Authentication - enable this
  • Authentication Request Signature Method - use ‘SHA256’

When completed select OK at the bottom of the page to confirm your settings.

Step 5 - Final Checks

Once access is assigned, log out of Workday and then access LogonBox as a user with the rights to use the new resource. In My Resources->Browser Resources, click the launch icon to access Workday.