Skyhigh Security

Integrate Workday SSO with ADFS (IdP) via Proxy

Use this procedure to configure Active Directory Federation Services (ADFS), configure Workday, and integrate the proxy. 

Prerequisites 

Before you begin, you will need:

  • Admin access to your Workday instance.
  • Admin access to ADFS.
  • Access to Skyhigh CASB and appropriate role/rights to manage the Workday service.
  • A working direct SSO setup between Workday and ADFS.

Step 1: Configure ADFS

Create the Workday Private Certificate

  1. Log in to your Workday instance as an admin and search for the task Create x509 Private Key Pair.
  2. Name the private certificate you want to create and click OK. For example, Workday-SP-Cert. 
  3. Workday shows the generated certificate on the next screen. Copy the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and save it to a file, for example, Workday-SP-Cert.cer. (Make sure that the copied content is clean: do not copy anything before the BEGIN line or after the END line.) This is your SP certificate. Later, you use this SP certificate to integrate the proxy in Skyhigh CASB.

Configure the Relying Party in ADFS

To create a relying party trust using federation metadata:

  1. Create the Workday metadata file and save it as an .xml file. You import this metadata file in a later step of this procedure.
  2. Open Server Manager and under Tools, select ADFS Management.
  3. Click ADFS Management and expand the Trust Relationships folder. Right-click the Relying Party Trusts folder and select Add Relying Party Trust.
  4. On the Select Data Source page, choose Import data about the relying party from a file, and click Browse to select the metadata file created in the first step.
  5. Click Next and perform the required steps.
  6. Click Save.

Configuring the Relying Party Trust Claim Rules

  1. Go to Relying Party Trust > Workday, right-click it, and select Edit Claim Rules.
  2. Click Add Rule.
  3. Configure the following options:
    • Claim rule name. Enter the name of the claim rule.
    • Attribute store. Select the attribute store to extract LDAP attributes.
    • Mapping of LDAP attributes to outgoing claim types. Select the LDAP attributes against outgoing claim types.
  4. Once the rule has been added, click Finish.
  5. To close the window, click OK.

Download the Token Signing Certificate

To download the Token Signing Certificate:

  1. Under the ADFS Management page, expand the Service folder and select the Certificates folder.
  2. Click the Token-signing certificate to download it.

This is your IdP certificate. Later, you use this IdP certificate to integrate the proxy in Skyhigh CASB.
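Both certificates collected in Step 1 are uploaded to Skyhigh CASB in Step 3, and the article stresses that the pasted SP certificate must contain nothing outside the BEGIN/END markers. The following PowerShell, an added example that is not part of the Skyhigh article, exports the primary ADFS token-signing certificate from the ADFS server and sanity-checks any saved .cer file (the output paths and the file names are assumptions):

```powershell
# Added example (not from the Skyhigh article). Run on the ADFS server in an
# elevated PowerShell session. Output paths below are assumptions.
Import-Module ADFS

function Export-AdfsTokenSigningCert {
    param([Parameter(Mandatory)][string]$OutFile)
    # Only the primary token-signing certificate signs assertions; a secondary
    # one may also exist during certificate rollover, so filter on IsPrimary.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    $der  = $signing.Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $body = [Convert]::ToBase64String($der, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----" |
        Set-Content -Path $OutFile -Encoding ascii
    return $signing.Certificate.Thumbprint
}

function Test-PemCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # Keep only the text between the BEGIN/END markers (as the article requires)
    # and verify that it parses as an X.509 certificate before uploading it.
    $raw = Get-Content -Path $Path -Raw
    $m = [regex]::Match($raw,
        '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "No BEGIN/END CERTIFICATE block found in $Path" }
    $bytes = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$Path expired on $($cert.NotAfter)" }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        # $false means text surrounds the block and the file should be re-saved.
        Clean      = ($raw.Trim() -eq $m.Value)
    }
}

$idpThumbprint = Export-AdfsTokenSigningCert -OutFile 'C:\temp\ADFS-IdP-Cert.cer'
Test-PemCertificate -Path 'C:\temp\ADFS-IdP-Cert.cer'
Test-PemCertificate -Path 'C:\temp\Workday-SP-Cert.cer'   # the SP cert saved in Step 1
```

Compare the returned thumbprint with the one shown under Service > Certificates in ADFS Management to confirm you exported the certificate that is actually signing assertions.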

Step 2: Configure Workday 

Configure Workday SSO Integration

  1. Log in to Workday as an admin and search for the task Edit Tenant Setup - Security.  
  2. Go to Single Sign-on and under Redirection URLs, add a new Redirection URL. Configure as follows:
    • Redirect Type. Select Single URL.
    • Login Redirect URL. Enter the Login URL from ADFS > SSO > Setup Workday.
    • Mobile Redirect URL. Enter the Login URL from ADFS > SSO > Setup Workday.
    • Logout Redirect URL. Enter the Logout URL from ADFS > SSO > Setup Workday.
  3. Go to the SAML Setup section to configure the Identity Provider.
  4. Activate the checkbox Enable SAML Authentication.
  5. Click + to create a new Identity Provider and configure:
    1. Identity Provider Name. Enter a name. For example, ADFS. 
    2. Issuer. Enter the ADFS Identifier, as copied from ADFS > SSO > Setup Workday.
    3. x509 Certificate. Add the ADFS (IdP) certificate you downloaded from ADFS.
    4. Logout Response URL. Add the Logout URL from ADFS > SSO > Setup Workday.
    5. Activate the checkbox SP Initiated.
    6. Service Provider ID. Enter http://www.workday.com
    7. Activate the checkbox Sign SP-initiated Request.
    8. Activate the checkbox Do Not Deflate SP-initiated Request.
    9. IdP SSO Service URL. Enter the Login URL from ADFS > SSO > Setup Workday.
    10. Used for Environments. Select Implementation type environment.
  6. Click OK to save. 
  7. Configure the Identity Provider section as follows:
    • x509 Private Key Pair. Select the Workday-SP-Cert that you created.
    • Under Mobile Authentication, activate the checkbox Enable Biometric Authentication.
    • Max Mobile Authentication Age (in days). Enter the number of days.
    • Under Trusted Devices, activate the checkbox Disable Trusted Devices.
    • Under Multi-Factor Authentication Settings, configure:
      • Maximum Grace Signin Count. Select the maximum number of logins allowed per user once their password has expired.

Validate the SSO Integration

Access the following:

  1. The Workday login URL: https://impl.workday.com/<tenant-name>/login-saml2.htmld (This is the SP-initiated login flow.)
  2. The ADFS login URL for Workday; enter your credentials to authenticate with ADFS. (This is the IdP-initiated login flow.)

This assumes that the ADFS user also exists in Workday and is activated.

Step 3: Integrate the Proxy

Once you have confirmed that the direct SSO configuration between ADFS and Workday works, configure the proxy in between.

Prerequisites

Before integrating the proxy, collect the following information:

  1. Workday Domain or Workday URL.
  2. Workday Tenant Name.
  3. ADFS and Workday Certificates.

Skyhigh CASB

  1. Log in to Skyhigh CASB.
  2. Go to Service Management and find your Workday instance. 
  3. To manage the proxy service for Workday, go to the Setup tab and under Proxy, click Configure.
  4. If you use a custom domain other than workday.com, enter the Target Host (Hostname) under Identify Service Instance with your custom domain information. For example, if your custom domain is wd3-impl.workday.com, the hostname is "wd3-impl.workday.com".
  5. On the Setup tab, under Proxy > Configure SAML, click Configure.
  6. Upload the SP (Workday) and IdP (ADFS) certificates. You can get these certificates from Step 1.
  7. To download the Proxy Server Certificate, click Export Proxy Server Certificate. For example, proxy.crt. Save this certificate to use in Workday SP.
  8. Go to Service Management > your Workday instance > Actions > Edit Properties and add the service level property remove.shnsaml.from.uri=true. Click Save.

ADFS IdP 

  1. Log in to ADFS as admin and edit the Workday app.
  2. Under ADFS Management > Trust Relationships > Relying Party Trust, change the SAML Assertion Consumer Endpoint (ACS URL) to https://www<proxy_virtual_host>/<tenant_name>/login-saml.flex?shnsaml. For example, ACS URL: https://wwwworkday.dpt1.skyhighlab.myshn.net/skyhigh_dpt1/login-saml.flex?shnsaml.
  3. Click Apply.
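The ACS change above is the step that actually routes assertions through the proxy, so it is worth making and verifying from PowerShell on the ADFS server rather than only in the wizard. This added example is not part of the Skyhigh article; the trust name "Workday" and the proxy ACS URL are assumptions taken from the example above and must match your tenant:

```powershell
# Added example (not from the Skyhigh article). Run on the ADFS server in an
# elevated PowerShell session. Trust name and proxy URL are assumptions.
Import-Module ADFS

$trustName = 'Workday'
$proxyAcs  = 'https://wwwworkday.dpt1.skyhighlab.myshn.net/skyhigh_dpt1/login-saml.flex?shnsaml'

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found" }

# Record the current ACS endpoint(s) so the direct setup can be restored if needed.
$trust.SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
    Select-Object Index, Binding, IsDefault, Location

# Keep every endpoint that is not an ACS endpoint (for example SAMLLogout) and
# replace the ACS entries with a single default POST endpoint at the proxy.
$others = @($trust.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLAssertionConsumer' })
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri $proxyAcs -Index 0 -IsDefault $true
Set-AdfsRelyingPartyTrust -TargetName $trustName -SamlEndpoint ($others + $acs)

# Verify: ADFS must now post assertions to the proxy host, not directly to Workday.
$after = (Get-AdfsRelyingPartyTrust -Name $trustName).SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' }
$after | Select-Object Index, Binding, IsDefault, Location
if (@($after.Location.AbsoluteUri) -notcontains $proxyAcs) {
    throw 'ACS endpoint was not updated to the proxy URL'
}
```

After this change, the direct Workday login URL will no longer receive ADFS assertions, which is expected; validate only via the proxy URL described in the final section.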

Workday SP

  1. Log in to Workday as an admin and search for the task Edit Tenant Setup - Security. Go to the SSO config section.
  2. Go to the SAML Identity Provider section.
  3. Under x509 Certificate, remove the existing IdP (ADFS) certificate and add the Proxy certificate downloaded earlier in the Skyhigh CASB section.
  4. Click OK and save the configuration.

Validate the SSO Flow via Proxy

To validate the SSO flow via proxy, access the Workday SSO URL: https://<workday_domain>/<tenant_name>/login-saml2.flex.
