Integrate Workday SSO with Ping (IdP) via Proxy
The following steps describe how to configure Workday to integrate with the Ping IdP via a proxy connection. For more information about Ping, see the Ping Identity Help Site.
Prerequisites
Make sure you have the following before integrating with Ping:
- Admin access to a Workday instance
- Admin access to PingFederate IDP. (PingOne trial accounts are not supported.)
- Access to Skyhigh CASB account and appropriate admin rights to manage your organization's Workday environment
Step 1: Create a Workday Private Cert (SP Cert)
- Log in to Workday instance as admin and search for the Create x509 Private Key Pair task.
- Give a name to the private cert that you want to generate and click OK.
- Workday displays the generated cert on the next screen. Copy the content FROM -----BEGIN CERTIFICATE----- TO -----END CERTIFICATE----- and save it into a file (for example, wd-sp-cert.crt). Make sure the copied content is clean: nothing should precede the BEGIN line or follow the END line.
Step 2: Add the Workday App to Ping
- Log in to Ping as admin and search for Workday under Applications section.
- Choose the Workday app (or Workday Sandbox if it is a sandbox instance of Workday) and go to the Setup section.
- Download the Ping (IDP) cert from the setup SSO Instructions section.
- Copy the Initiate Single Sign-On (SSO) URL and Issuer and keep them for later use.
- Go to the Connection Configuration section and configure the following:
- ACS URL: Your Workday Login URL (for example: https://impl.workday.com/wday/authgw...s1/login.htmld)
- Entity ID: http://www.workday.com
- Target Resource: Same as ACS URL (or https://your-instance.workday.com/wo...e/fx/home.flex)
- Next, go to Attribute Mapping and add a SAML_SUBJECT attribute with a custom value expression similar to:
GetLocalPartFromEmail(SAML_SUBJECT) + "@" + GetDomainPartFromEmail(SAML_SUBJECT)
- Under Group Access, make sure the appropriate user/groups were added for this app.
- Move to next section to Review the config and click Finish to save the configuration.
Step 3: Configure SSO in Workday
- Log in to Workday as admin and search for the Edit Tenant Setup - Security task to configure SSO.
- Go to the Single Sign-On section and add a Redirection URL under Redirection URLs. If a Redirection URL already exists, validate it or update it with the correct values:
- Choose Single URL for Redirect Type
- Enter Login Redirect URL value as the Workday default login URL (for example: https://impl.workday.com/skyhighsecurity_gms1/login-saml2.flex)
- Provide a Logout Redirect URL value as needed. Configure the Ping Login URL here if you want the user to see the IDP login page after logging out.
- Under the SAML Setup Section, select the Enable SAML Authentication checkbox.
- Click the + sign to create an Identity Provider.
- Enter a name for Identity Provider Name as you need (for example: Ping-IDP).
- Provide an Issuer value as copied before from Ping SSO Instructions section.
- For x509 certificate, add the Ping (IDP) cert previously downloaded from Ping.
- Turn on the Enable Workday Initiated Logout option.
- Select SP Initiated.
- For Service Provider ID, enter https://www.workday.com.
- Enable Do Not Deflate SP-initiated Request.
- Turn on the Always Require IdP Authentication option and select the ForceAuthn Only sub-option.
- For IdP SSO Service URL, provide the Initiate Single Sign-On (SSO) URL value copied from the Ping SSO Instructions section.
- Add the appropriate environment name for the Used for Environments option (such as Sandbox or Production).
- Click OK to Save the Identity Provider Configuration.
- Verify the SSO integration by accessing the Workday login URL https://impl.workday.com/workday-ten...gin-saml2.flex
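When verifying the integration, the SAMLRequest query parameter of the redirect from Workday to Ping shows whether the Step 3 settings took effect: with Do Not Deflate SP-initiated Request enabled the value is plain base64 (not DEFLATE+base64), the Issuer carries the Service Provider ID, and ForceAuthn is set. The checker below is an added example, not part of the page or of Workday/Ping; the AuthnRequest it decodes is a constructed sample, and the helper names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample AuthnRequest shaped like an SP-initiated request from Workday.
# Issuer is the Service Provider ID from Step 3; ForceAuthn reflects "ForceAuthn Only".
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://impl.workday.com/skyhighsecurity_gms1/login-saml2.flex">'
    '<saml:Issuer>https://www.workday.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_saml_request(xml_text, deflate):
    """Encode an AuthnRequest for the Redirect binding.
    deflate=False is the 'Do Not Deflate' form (plain base64); True is raw DEFLATE + base64."""
    raw = xml_text.encode()
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode()

def decode_saml_request(saml_request):
    """Return (xml_text, was_deflated); accepts both encodings so a misconfiguration is visible."""
    data = base64.b64decode(saml_request)
    if data.lstrip().startswith(b"<"):
        return data.decode(), False
    return zlib.decompress(data, -15).decode(), True

def check_authn_request(saml_request, expected_issuer, expect_force_authn=True):
    """Compare a captured SAMLRequest against the expected Workday SP settings."""
    xml_text, deflated = decode_saml_request(saml_request)
    root = ET.fromstring(xml_text)
    issuer_el = root.find(f"{SAML}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    force_authn = root.get("ForceAuthn", "false").lower() == "true"
    return {
        "is_authn_request": root.tag == f"{SAMLP}AuthnRequest",
        "deflated": deflated,           # expect False when "Do Not Deflate" is enabled
        "issuer": issuer,
        "issuer_ok": issuer == expected_issuer,
        "force_authn_ok": force_authn == expect_force_authn,
    }
```

A mismatch on issuer_ok usually means the Service Provider ID in Workday and the Entity ID in Ping differ (including http versus https), which the IdP will reject.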