Integrate Workday SSO with Okta and Mobile App via Proxy
Use this procedure to integrate Workday SSO with Okta and the mobile app via the proxy.
Configure the IdP
- Log in to your Workday instance as an admin. Then search for the task Edit Tenant Setup - Security.
- Go to Single Sign-On. Click +, then enter the following:
- Login Redirect URL. Enter the Login Redirect URL. For example, https://impl.workday.com/<instance_name>/login-saml2.flex.
- Logout Redirect URL. Log in to the Okta Admin dashboard to obtain this value. For example, https://dev-165501.oktapreview.com/a...dK0h7/sso/saml.
- Mobile App Login Redirect URL. Enter the Mobile App Login Redirect URL. For example, https://impl.workday.com/<instance_name>.
- Mobile Browser Login Redirect URL. Enter the Mobile Browser Login Redirect URL. For example, https://impl.workday.com/<instance_name>/login-saml2.flex.
- Environment. Enter an environment.
- Activate the checkbox Enable SAML Authentication.
- Under SAML Identity Providers, click +, then enter the following:
- Identity Provider Name. Enter Okta.
- Issuer. Log in to the Okta admin dashboard for this value; it must match the Issuer that Okta places in its SAML responses exactly. For example, https://dev-165501.oktapreview.com/a...dK0h7/sso/saml.
- Click Create x509 Public Key.
- In the Create x509 Public Key dialog, enter a unique name for your certificate. For example, okta.cert.
- Copy and paste the Okta signing certificate into the Certificate field. Log in to the Okta admin dashboard for this value.
- Click OK to save your certificate.
- Return to Edit Tenant Setup - Security.
- IdP SSO Service URL. Log in to the Okta admin dashboard for this value. For example, https://dev-165501.oktapreview.com/a...dK0h7/sso/saml.
- Click Create x509 Private Key Pair.
- Enter a unique name for your certificate. For example, workday_key. Then click OK.
- Service Provider ID. Enter http://www.workday.com.
- Enable Always Require IdP Authentication. Select ForceAuthn Only so that every Workday login requires a fresh authentication at Okta (Workday sets ForceAuthn="true" in the SAML AuthnRequest).
- Authentication Request Signature Method. Select SHA256. Click OK.
- Select the Actions menu near the workday_key x509 Private Key Pair.
- Select x509 Private Key Pair > View Key Pair. Copy the Public Key value and save as workday_key.cert.
- In Okta, for the Workday app, select the Sign On tab. Then click Edit.
- Configure the following settings:
- Deactivate the checkbox Disable Force Authentication, so that Okta honours the ForceAuthn flag that Workday now sends.
- Activate the checkbox Enable Single Logout.
- Click Browse and select workday_key.cert (the public key exported from the workday_key pair in the previous step).
- Click Upload, then click Save.
- Select the General tab and specify the Reverse Proxy URL.
Workday Mobile App Flow
The Workday mobile app accepts only a scheme and hostname as the web address, with no path. Specify the web address as, for example, https://impl.workday.com. A full login URL such as https://impl.workday.com/<instance_name>/login-saml2.flex is rejected.
- Start the Workday mobile app. In Settings, specify your tenant name and web address.
- You are redirected to Okta for SSO. Enter your credentials.
- After a successful login, the Workday mobile app opens in an embedded browser.
LIMITATION: If you click the Workday mobile app View button, you see an "Invalid web address" message, because the app does not support any URL except the direct URL (for example, impl.workday.com or myworkday.com). Workday does not support SAML SSO links that are not mobile-accessible; see https://community.workday.com/brainstorms/123076 for details. You can ask Workday to add support by commenting on that brainstorm or by raising a request with Workday. With the Workday 2020 R2 release (September 12, 2020), it was observed that the embedded browser also no longer works, for the same reason.
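The following script is an added example, not Workday, Okta or proxy code, for checking offline that the values configured in the procedure above fit together: it pulls the Issuer, IdP SSO Service URL and signing certificate out of Okta IdP metadata, checks that a Workday AuthnRequest carries ForceAuthn, the http://www.workday.com Service Provider ID and an rsa-sha256 signature method, and applies the host-only rule from the Workday Mobile App Flow section to a web address. The metadata and AuthnRequest are constructed samples with placeholder identifiers (idp.example.com, PLACEHOLDER), and the checks are structural only; they do not verify signature bytes.

```python
"""Offline sanity check for the Workday/Okta SAML settings in the procedure above.

Added example, not Workday or Okta code. The metadata and AuthnRequest below are
constructed samples with placeholder identifiers (example.com, PLACEHOLDER);
the checks are structural and do not verify signature bytes.
"""
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
WORKDAY_SP_ID = "http://www.workday.com"  # Service Provider ID from the procedure

# Constructed sample shaped like the IdP metadata the Okta admin dashboard provides.
OKTA_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICPLACEHOLDERCERTBODY==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the AuthnRequest Workday sends once ForceAuthn and the
# SHA256 request signature are enabled as described in the procedure.
WORKDAY_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_PLACEHOLDER-request-id" Version="2.0" IssueInstant="2020-09-12T00:00:00Z"
    Destination="https://idp.example.com/app/PLACEHOLDER/sso/saml" ForceAuthn="true">
  <saml:Issuer>http://www.workday.com</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER==</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""


def parse_idp_metadata(xml_text):
    """Pull the three values the Workday SAML Identity Provider entry needs:
    Issuer (entityID), IdP SSO Service URL and the x509 public key body."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//md:SingleSignOnService[@Binding='%s']" % POST_BINDING, NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {
        "issuer": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "certificate": "".join(cert.text.split()),  # drop base64 line wrapping
    }


def check_authn_request(xml_text, sp_id, idp_sso_url):
    """Return findings; an empty list means the request matches the procedure's settings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("ForceAuthn") != "true":
        findings.append("ForceAuthn missing: 'Always Require IdP Authentication' is not in effect")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != sp_id:
        findings.append("Issuer %r does not match Service Provider ID %r" % (issuer, sp_id))
    if root.get("Destination") != idp_sso_url:
        findings.append("Destination %r is not the IdP SSO Service URL" % root.get("Destination"))
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("request is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append("signature method is %s, not rsa-sha256" % method.get("Algorithm"))
    return findings


def mobile_web_address_ok(url):
    """The Workday mobile app accepts only scheme and host (e.g. https://impl.workday.com);
    a path such as /<instance_name>/login-saml2.flex triggers "Invalid web address".
    Accepting a bare trailing slash is an assumption of this example."""
    parts = urllib.parse.urlsplit(url)
    return (parts.scheme == "https" and bool(parts.netloc)
            and parts.path in ("", "/") and not parts.query and not parts.fragment)


if __name__ == "__main__":
    idp = parse_idp_metadata(OKTA_IDP_METADATA)
    print("Issuer:", idp["issuer"], "| IdP SSO Service URL:", idp["sso_url"])
    print("good request:", check_authn_request(WORKDAY_AUTHN_REQUEST, WORKDAY_SP_ID, idp["sso_url"]))
    # Same request with ForceAuthn dropped and the signature downgraded to SHA1.
    weak = WORKDAY_AUTHN_REQUEST.replace(' ForceAuthn="true"', "").replace(RSA_SHA256, RSA_SHA1)
    print("weak request:", check_authn_request(weak, WORKDAY_SP_ID, idp["sso_url"]))
    for u in ("https://impl.workday.com", "https://impl.workday.com/tenant/login-saml2.flex"):
        print(u, "->", "ok" if mobile_web_address_ok(u) else "Invalid web address")
```

To use it against a real tenant, replace the two constructed samples with the metadata downloaded from the Okta Workday app and an AuthnRequest captured from the browser (base64-decode the SAMLRequest form field first); the findings list names the specific setting in the procedure to revisit.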