Enabling SAML affects all users of this application: if you enable SP-initiated SSO, users will not be able to sign in through their regular login page. They will only be able to access the app through the Okta service.
Backup URL: Workday provides a backup login URL where users can sign in using their normal username and password, in the following format: [Your Workday URL]/login.flex?redirect=n
If you log into: https://acme.workday.com/login-auth.html, [Your Workday URL] is: https://acme.workday.com.
These SAML instructions contain Single Log-Out (SLO) and Force Authentication configuration steps that are optional. If you are not going to use SLO or Force Authentication, skip the steps that are marked as [Optional SLO] or [Optional Force Authentication], and highlighted in blue font.
The Okta/Workday SAML integration currently supports the following features:
For more information on the listed features, visit the Okta Glossary.
You will need to copy and paste the following variable throughout the following configuration steps:
IdP SSO Service URL
Sign into the Okta Admin dashboard to generate this value.
Sign in to Workday with administrator privileges.
Navigate to the Edit Tenant Setup - Security page. To do this, search for Edit Tenant Setup in the home screen search box, then click the Edit Tenant Setup - Security link in the search results:
Scroll down to the Single Sign On section and expand it, if not already expanded.
Click on the plus icon underneath Redirection URLs to add a row. Then enter the following (see screenshot at end of step for reference):
Login Redirect URL: Enter the following:
[org URL]/login-saml2.flex
Logout Redirect URL: Copy and paste the following:
Sign into the Okta Admin dashboard to generate this value.
Mobile App Login Redirect URL: Enter the following:
[org URL]/login-saml2.flex
Mobile Browser Login Redirect URL: Enter the following:
[org URL]/login-saml2.flex
Enter an Environment.
Scroll down to the SAML Setup section.
Check the Enable SAML Authentication box:
Click on the plus (+) icon underneath SAML Identity Providers to add a row, then enter the following:
Identity Provider Name: Enter Okta.
Issuer: Copy and paste the following:
Sign into the Okta Admin Dashboard to generate this variable.
x509 Certificate: Do the following:
Click the icon in the x509 Certificate field.
Click Create x509 Public Key in the dialog box.
In the Create x509 Public Key screen, enter a unique name for your certificate, for example, okta.cert.
Copy and paste the certificate listed below into the Certificate field:
Sign into the Okta Admin dashboard to generate this value.
Click OK to save your certificate and return to the Edit Tenant Setup - Security screen.
[Optional SLO]: Check the Enable Workday Initiated Logout option in order to enable SLO.
[Optional SLO]: Logout Request URL: Copy and paste the following:
Sign into the Okta Admin dashboard to generate this value.
IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.
[Optional SLO]: For x509 Private Key Pair, do the following:
Click the icon in the x509 Private Key Pair field.
Click Create x509 Private Key Pair in the dialog box:
Enter a unique name for your certificate, for example, workday_key.
Click OK.
Service Provider ID: Enter the following value: http://www.workday.com.
IdP SSO Service URL: Copy and paste the variable generated at the top of these instructions, here.
[Optional Force Authentication]: Always Require IdP Authentication – check the option and select the ForceAuthn Only radio button in order to enable Force Authentication. This step should be used in conjunction with the Force Authentication option in step 19.
Authentication Request Signature Method: Select SHA256.
Click OK:
[Optional Force SLO]: Select the Actions menu near the workday_key x509 Private Key Pair:
Select x509 Private Key Pair > View Key Pair:
On the View x509 Private Key Pair screen, copy the Public Key value and save as workday_key.cert file:
[Optional]: In Okta, select the Sign On tab for the Workday app, then click Edit.
[Optional Force Authentication]: Uncheck Disable Force Authentication in order to enable Force Authentication. This step should be used in conjunction with step 15.
[Optional SLO]: Check Enable Single Logout.
[Optional SLO]: Click Browse to select the workday_key.cert.
[Optional SLO]: Click Upload.
Click Save.
Done!
Make sure that you entered the correct value in the Your Workday site URL field under the General tab in Okta. Using the wrong value will prevent you from authenticating via SAML to Workday.
Open your Login Redirect URL (step 4):
[org URL]/login-saml2.flex