Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Integrate Workday SSO with Ping (IdP) via Proxy

The following steps describe how to configure Workday to integrate with the Ping IdP via a proxy connection. For more information about Ping, see the Ping Identity Help Site.


Make sure you have the following before integrating with Ping:

  • Admin access to a Workday instance
  • Admin access to PingFederate IDP. (PingOne trial accounts are not supported.)
  • Access to Skyhigh CASB account and appropriate admin rights to manage your organization's Workday environment

Step 1: Create a Workday Private Cert (SP Cert)

  1. Log in to Workday instance as admin and search for the Create x509 Private Key Pair task.
  2. Give a name to the private cert that you want to generate and click OK.
  3. Workday displays the generated cert in the next screen. Copy the content FROM  -----BEGIN CERTIFICATE-----   TO -----END CERTIFICATE----- and save that into a file (for example, wd-sp-cert.crt). Make sure that the copied content is clean, nothing should be there before BEGIN and after END section.

Step 2: Add the Workday App to Ping

  1. Log in to Ping as admin and search for Workday under Applications section.
  2. Choose the Workday app (or Workday Sandbox if it's a sandbox instance of workday) and go to the Setup section.
  3. Download the Ping (IDP) cert from the setup SSO Instructions section.
  4. Copy the Initiate Single Sign-On (SSO) URL and Issuer and keep them for later use.
  5. Go to the Connection Configuration section and configure following:
  6. Next, go to Attribute mapping and add a SAML_SUBJECT Attribute with custom value, similar to: GetLocalPartFromEmail(SAML_SUBJECT) + "@" + GetDomainPartFromEmail(SAML_SUBJECT)}
  7. Under Group Access, make sure the appropriate user/groups were added for this app.
  8. Move to next section to Review the config and click Finish to save the configuration.


Step 3: Configure SSO in Workday 

  1. Log in to Workday as admin and search for edit tenant setup - security to configure SSO.
  2. Go to the Single Sign-On section and add a Redirection URL under Redirection URLs. If a Redirection URL exists, validate/modify it with correct values:
    • Choose Single URL for Redirect Type
    • Enter Login Redirect URL value as the Workday default login URL (for example:
    • Provide "Logout Redirect URL" value as needed. Configure Ping Login URL if you want the user to see the IDP login page once logged out.
  3. Under the SAML Setup Section, select the Enable SAML Authentication checkbox.
  4. Click the + sign to create an Identity Provider.
  5. Enter a name for Identity Provider Name as you need (for example: Ping-IDP).
  6. Provide an Issuer value as copied before from Ping SSO Instructions section.
  7. For x509 certificate, add the Ping (IDP) cert previously downloaded from Ping.
  8. Turn on the Enable Workday Initiated Logout option.
  9. Select SP Initiated.
  10. For Service Provider ID, enter
  11. Enable Do Not Deflate SP-initiated Request.
  12. Turn on Always Require IdP Authentication option and select the ForceAuthn Only sub option.
  13. For Idp SSO Service URL, provide the Initiate Single Sign-On (SSO) URL value copied from Ping SSO.
  14. Add the appropriate environment name for User for Environments option (such as Sandox or Production).
  15. Click OK to Save the Identity Provider Configuration.
  16. Verify the SSO integration by accessing Workday login URL


  • Was this article helpful?