Skyhigh Security

Integrate Workday SSO with Microsoft Entra ID (IdP) via Proxy

Use the procedure below to integrate Workday SSO with Microsoft Entra ID (formerly Azure AD) as the identity provider (IdP), with the Skyhigh proxy placed between the IdP and Workday. Configure and verify direct SSO first, then insert the proxy.

Prerequisites

Before you begin, you will need:

  • Admin access to your Workday instance.
  • Admin access to Microsoft Entra ID IdP.
  • Access to Skyhigh CASB with a role that allows you to manage the Workday service.

Configure Microsoft Entra ID 

Create the Workday Private Certificate

  1. Log in to your Workday instance as an admin and search for the task Create x509 Private Key Pair.
  2. Name the private key pair you want to create and click OK. For example, Workday-SP-Cert.
  3. Workday shows the generated certificate on the next screen. Copy the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive and save it to a file, for example Workday-SP-Cert.cer. Make sure the copied content is clean: nothing before the BEGIN line, nothing after the END line, and no truncated lines in between. This is your SP certificate. Only the public certificate is exported here; the private key stays in Workday and is used to sign SP-initiated requests.

Add the Workday App to Azure

  1. Log in to the Azure portal as an admin and go to Microsoft Entra ID > Enterprise Applications.
  2. Search for Workday and add it.
  3. If the Workday app is not listed, add it from the gallery:
    • Go to Microsoft Entra ID > Enterprise Applications > All applications and click + New application.
    • Search for Workday, select the Workday app, and click Create.

      The Workday app is now added to your tenant.
  4. Open the Workday app and select Set up single sign on > SAML to configure SSO.
  5. On the SAML-based Sign-on page, fill in the Basic SAML Configuration section (Identifier, Reply URL, and Sign on URL) with the values for your Workday tenant. The Reply URL and Sign on URL are changed again later, when the proxy is inserted.
     
  6. Click the Edit icon for the SAML Signing Certificate section.
  7. From the Signing Option menu, select Sign SAML response and assertion, and then click Save.
  8. In the SAML Signing Certificate section, click the Certificate (Base64) Download link to download the IdP (Entra ID) certificate.
  9. The downloaded file is named Workday.cer. Rename it to Azure-IDP-Cert-for-Workday.cer. This is your IdP certificate; Workday uses it to verify the signature on the SAML responses Entra ID sends.
  10. From the Setup Workday section, note the Login URL, Microsoft Entra ID Identifier, and Logout URL; these are entered on the Workday side.
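Step 3 of the Workday section (SP certificate) and step 9 above (IdP certificate) both depend on a clean copy of the certificate text, and the proxy certificate downloaded later from Skyhigh CASB is handled the same way. The script below is an added example, not part of the Skyhigh page or of Workday or Entra ID tooling. It strips anything outside the BEGIN/END markers, re-wraps the base64 body, rejects a payload whose DER length does not match the decoded bytes (which is what a truncated or padded paste looks like), and prints the SHA-1 and SHA-256 fingerprints so you can compare them with the thumbprint shown in Entra ID's SAML Signing Certificate section. The embedded sample paste is a constructed placeholder containing a minimal DER SEQUENCE rather than a real certificate; run the script on your own .cer files.

```python
"""Check a certificate exported for this integration and print its fingerprints.

Added example: not part of the Skyhigh page or of Workday/Entra ID tooling.
Standard library only. Usage: python check_cert.py Workday-SP-Cert.cer
"""
import base64
import hashlib
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der):
    """Total encoded length of the outer DER SEQUENCE (header plus content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n more length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def clean_pem(text):
    """Extract one certificate block from pasted text and return (PEM, DER).

    Drops anything before the BEGIN line or after the END line (task names,
    button labels, CRLFs), re-wraps the base64 at 64 columns, and rejects a
    payload whose DER length does not match the decoded bytes.
    """
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE block")
    start, stop = text.find(BEGIN), text.find(END)
    if stop < start:
        raise ValueError("END marker appears before BEGIN marker")
    body = re.sub(r"\s+", "", text[start + len(BEGIN):stop])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        raise ValueError("certificate body contains non-base64 characters")
    der = base64.b64decode(body, validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("DER length mismatch: copied text is truncated or has extra data")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "%s\n%s\n%s\n" % (BEGIN, wrapped, END), der


def fingerprints(der):
    """Uppercase hex digests of the DER bytes, the form portals display as a thumbprint."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


# Constructed placeholder paste: surrounding UI text, CRLF line endings and a
# minimal DER SEQUENCE (30 03 02 01 05) standing in for a real certificate.
SAMPLE_PASTE = (
    "Create x509 Private Key Pair\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n\r\nDone\r\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PASTE
    pem, der = clean_pem(text)
    sys.stdout.write(pem)
    for algo, value in fingerprints(der).items():
        print(algo, value)
```

Save the normalised PEM the script prints as the .cer file you upload; if the script raises a DER length error, go back to Workday or Entra ID and copy the certificate again rather than editing the file by hand.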

Configure Workday

Configure Workday SSO

  1. Log in to Workday as an admin and search for the task Edit Tenant Setup - Security.
  2. Go to Single Sign-On and under Redirection URLs, add a new Redirection URL. Configure as follows:
    • Redirect Type. Single URL. 
    • Login Redirect URL. Enter the Login URL from Microsoft Entra ID > SSO > Setup Workday.
    • Mobile Redirect URL. Enter the Login URL from Microsoft Entra ID > SSO > Setup Workday.
    • Logout Redirect URL. Enter the Logout URL from Microsoft Entra ID > SSO > Setup Workday.

  3. Go to the SAML Setup section to configure the identity provider.
  4. Activate the checkbox Enable SAML Authentication.
  5. Click + to create a new Identity Provider and configure:
    • Identity Provider Name. Enter a name. For example, Microsoft Entra ID-IDP.
    • Issuer. Enter the Microsoft Entra ID Identifier, as copied from Microsoft Entra ID > SSO > Setup Workday. This must match the Issuer value in the SAML responses Entra ID sends.
    • x509 Certificate. Add the Microsoft Entra ID (IdP) certificate you downloaded from Azure.
    • Logout Response URL. Add the Logout URL from Microsoft Entra ID > SSO > Setup Workday.
    • Activate the checkbox SP Initiated.
    • Service Provider ID. Enter http://www.workday.com
    • Activate the checkbox Sign SP-initiated Request.
    • Activate the checkbox Do Not Deflate SP-initiated Request.
    • IdP SSO Service URL. Enter the Login URL from Microsoft Entra ID > SSO > Setup Workday.
    • Used for Environments. Select the Implementation type environment.
  6. Click OK to save.
  7. In the Identity Provider section, set x509 Private Key Pair to the Workday-SP-Cert you created. This is the key Workday uses to sign SP-initiated requests; its certificate is the SP certificate you exported earlier.

Verify the SSO Integration

Access the following:

  1. Workday login URL: https://impl.workday.com/<tenant-name>/login-saml2.htmld (this is the SP-initiated login flow).
  2. Log in to the Azure portal (portal.azure.com) as a non-admin user and open the Workday app (this is the IdP-initiated login flow).

Both flows assume that the non-admin Entra ID user also exists in Workday as an active account whose Workday user name matches the NameID that Entra ID sends in the assertion.

Integrate the Proxy

Once you have confirmed that direct SSO between Entra ID and Workday works, configure the proxy in between. The proxy re-signs the SAML response that Workday receives, so Workday must trust the proxy certificate and Entra ID must be told to send the response to the proxy.

Skyhigh CASB

  1. Log in to Skyhigh CASB and open the Workday service.
  2. Enable SSO Configuration and upload both the IdP (Entra ID) certificate and the SP (Workday) certificate.
  3. Download the proxy certificate and keep it handy; it is installed in Workday in a later step.
  4. Add the service-level property remove.shnsaml.from.uri=true.

Microsoft Entra ID IdP

  1. Log in to Entra ID as an admin and access the Workday app Single Sign-On section.
  2. Edit the Basic SAML Configuration section and replace the Reply URL and Sign on URL with their proxy versions (the same URLs rewritten to go through the Skyhigh proxy), then Save. After this change Entra ID posts the SAML response to the proxy rather than directly to Workday.

Workday SP

  1. Log in to Workday as an admin, search for the task Edit Tenant Setup - Security, and go to the SSO configuration section.
  2. Go to the SAML Identity Provider section.
  3. Under x509 Certificate, remove the existing IdP (Microsoft Entra ID) certificate and add the proxy certificate you downloaded from Skyhigh CASB. From this point Workday accepts only SAML responses signed by the proxy; a response signed by Entra ID and delivered directly to Workday fails signature validation.
  4. Click OK and save the configuration.

Validate the SSO Flow via Proxy

To validate the SSO flow via the proxy, access the Workday SSO URL https://impl.workday.com/<workday instance>/login-saml2.flex and confirm that you are redirected to Entra ID, that the response comes back through the proxy, and that Workday logs you in.
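The identity-provider settings configured earlier (Service Provider ID, Sign SP-initiated Request, Do Not Deflate SP-initiated Request, IdP SSO Service URL) and the proxied Reply URL registered in Entra ID all show up in the AuthnRequest that Workday sends the browser to the Login URL with, so decoding that request is the quickest way to see why a proxied login fails. The script below is an added example, not code from the Skyhigh page, Workday or Microsoft. It takes the redirect URL (copied from the browser address bar or network tab), decodes the SAMLRequest parameter in either its deflated or non-deflated form, and reports any mismatch against the expected Issuer, Destination and Reply URL host; Entra ID rejects a request whose AssertionConsumerServiceURL is not a registered Reply URL, so after the proxy is inserted that host must be the proxy's. The sample request, tenant placeholders and ACS path are constructed, and the Signature check only confirms the parameters are present; it does not verify the signature.

```python
"""Decode a Workday SP-initiated SAML AuthnRequest and compare it with the configuration.

Added example: not code from the Skyhigh page, Workday or Microsoft. Standard library only.
All sample values below (tenant IDs, ACS path, signature) are constructed placeholders.
Usage: python check_authnrequest.py "<redirect URL copied from the browser>"
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_request(param):
    """Return the AuthnRequest XML from a URL-decoded SAMLRequest value.

    The HTTP-Redirect binding normally carries raw DEFLATE data; with
    "Do Not Deflate SP-initiated Request" the XML is base64-encoded as is.
    """
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):                  # plain XML: not deflated
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")   # -15: raw DEFLATE, no zlib header


def encode_saml_request(xml_text, deflate=True):
    """Inverse of decode_saml_request; used here only to build the sample."""
    data = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def summarize(xml_text):
    """Pull the fields worth checking out of an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    return {
        "id": root.get("ID"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def check_redirect(url, expected_issuer, expected_login_url, expected_acs_host):
    """Return a list of findings; an empty list means the request matches the configuration."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in qs:
        return ["no SAMLRequest parameter in the redirect URL"]
    info = summarize(decode_saml_request(qs["SAMLRequest"][0]))
    findings = []
    if info["issuer"] != expected_issuer:
        findings.append("Issuer %r does not match Service Provider ID %r" % (info["issuer"], expected_issuer))
    if info["destination"] != expected_login_url:
        findings.append("Destination %r does not match the Entra ID Login URL %r" % (info["destination"], expected_login_url))
    acs_host = urllib.parse.urlsplit(info["acs"] or "").hostname
    if info["acs"] and acs_host != expected_acs_host:
        # Entra ID rejects a request whose ACS URL is not a registered Reply URL,
        # so once the proxy is inserted this host must be the proxy's.
        findings.append("AssertionConsumerServiceURL host %r is not the registered Reply URL host %r" % (acs_host, expected_acs_host))
    if "SigAlg" not in qs or "Signature" not in qs:
        # With Sign SP-initiated Request enabled, the redirect binding adds these two parameters.
        # Presence only: verifying the signature needs the SP certificate and the canonical query string.
        findings.append("request is not signed (no SigAlg/Signature query parameters)")
    return findings


# Constructed sample AuthnRequest; the real one comes from your Workday tenant.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://login.microsoftonline.com/TENANT_ID/saml2" '
    'AssertionConsumerServiceURL="https://impl.workday.com/TENANT/saml-acs-placeholder">'
    "<saml:Issuer>http://www.workday.com</saml:Issuer></samlp:AuthnRequest>"
)
LOGIN_URL = "https://login.microsoftonline.com/TENANT_ID/saml2"


def sample_redirect(deflate=True, signed=True, acs_host="impl.workday.com"):
    """Build a redirect URL like the one the browser receives (constructed, not captured)."""
    params = {"SAMLRequest": encode_saml_request(SAMPLE_XML.replace("impl.workday.com", acs_host), deflate)}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"placeholder-not-a-real-signature").decode("ascii")
    return LOGIN_URL + "?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else sample_redirect()
    problems = check_redirect(url, "http://www.workday.com", LOGIN_URL, "impl.workday.com")
    print("OK: request matches the configuration" if not problems else "\n".join(problems))
```

Pass your real Login URL and, after the proxy is in place, the proxy Reply URL host as the expected values; a Destination mismatch points at the IdP SSO Service URL or Redirection URL in Workday, and an ACS host mismatch points at the Reply URL registered in Entra ID.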

Configure Workday Mobile App via Proxy

To configure the Workday Mobile App via proxy:

  1. Log in to Workday as an admin, search for the task Edit Tenant Setup - Security, and go to the Redirection URLs section.
  2. Change the Redirection URLs as follows.
  3. For Mobile App Login Redirect URL enter https://impl.workday.com/<tenant_name>.
  4. For Mobile Browser Login Redirect URL enter https://impl.workday.com/<tenant_name>/login-saml2.flex.
  5. Enable the checkbox Enable Mobile Browser SSO for Native Apps. 

  6. Open the Workday app on your mobile phone and tap the Settings icon to configure the URLs first.
  7. Enter the Web Address and Tenant (name) values and tap Save.
  8. Once saved, the login process starts and you are redirected to the Microsoft Entra ID login page. After successful authentication as a Microsoft Entra ID non-admin user, you are logged in to the Workday app.