Workday SAML Configuration

Introduction

This article outlines the information and steps you need to take in order to configure Workday to use the Hypersocket SAML Identity Provider. Once configured your users will be redirected to your Hypersocket Server to authenticate. 

Note: Once SAML is enabled, users will not be able to sign in through their Workday login page and must access Workday through Hypersocket. There is a backup login URL to bypass SAML and sign in with your regular username and password. That URL is [Your Workday URL]/login.flex?redirect=n.

Step 1 - Create the Resource from the Template

Log into your server as admin and navigate to Single Sign On -> SAML. Select Search Templates and select the Workday SAML template and click Next.

You will be asked for two items:

  • Entity Id
  • Workday URL

The entity Id uniquely identifies your connection with Workday e.g. workday.hypersocket.com.

The workday URL is what you login to when accessing Workday, for example, https://impl.workday.com/hypersocket/login.flex. You will need everything upto and including your tenant, in this example you would enter, https://impl.workday.com/hypersocket.

Note: Your Workday URL may look different from the one above, Workday offers several different types of instances, implementation, sandbox, and production with each using a its own domain name.

 

At this point click on the Goto Article link to open this article in a separate browser window so that you can return to the SAML list of resources where your Workday SAML resource should now be present.

 

Step 2 - Download SAML metadata

You will need a couple of things from your server in order to configure Workday.

First you will need to download the SAML metadata.

In the table of SAML resources locate the Workday SAML resource, and click the options icon  to activate the dropdown. Select Download Metadata; this is an XML file that contains information about the Identity Provider and its access points.

Open the XML file containing the metadata and locate the logon service URL and redirect URL. These are located towards the end of the document and will look like

https://demo.hypersocket.com/hypersocket/api/sso/logon/123456

https://demo.hypersocket.com/hypersocket/api/sso/logout/123456

Copy the entire URL we will need these in the next step.

Next, navigate to Configuration->Certificates and locate the SAML RSA certificate. Again using the options icon  to activate the dropdown, select Download Certificate

 

 

Step 3 - Configuring Workday

Log into your organization’s Workday account as administrator, in the search bar, type “edit tenant security”. Select Edit Tenant Setup – Security from the search results.

 

Navigate to the Single Sign-On section. Click the plus icon under Redirection URLs to add a new configuration.

Enter the Redirect URL identified in the previous step into the Login Redirect URL, the Logout URL into the Logout Redirect URL and then choose an Environment such as, Implementation. When completed, your section should resemble the example below.

 

Navigate to the SAML Setup section and select the Enable SAML Access checkbox.

Click the plus icon underneath SAML Identity Providers to add a new configuration then create a name to identify your Hypersocket IdP in Identity Provider Name.

Enter your Entity ID as used in Step 1 under Issuer URL, then finally under the x509 Certificate heading, select the dialogue bubble on the right of the field and proceed to Create > Create x.509 Public Key.

 

Step 4 - Create x.509 Public Key

Give your certificate a a name, then, define a period of time for which the key is valid.

Open the SAML RSA certificate you downloaded earlier into a text editor and paste the content, including the BEGIN and END CERTIFICATE strings, into the Certificate field.

 

 

Proceed down to provide values for:

  • Service Provider ID - a name to identify this service e.g. workday.com
  • IdP SSO Service URL - enter the logon URL found in the earlier step
  • Enable SP Initiated SAML Authentication - enable this
  • Authentication Request Signature Method, use ‘SHA256’.

 

 

When completed select OK at the bottom of the page to confirm your settings.

 

Step 4 - Final Checks

One final step before you start using your Workday resource, ensure that you have assigned some Roles to it so that its available for users to use. 

Once access is assigned log out of Workday and then access Hypersocket as a user with the rights to use the new resource. In Browser Resources section under My Resources click the launch icon  to access Workday.

 

Have more questions? Submit a request

Comments