SAML Workday - Centrify - Centrify Product Documentation


Posted on 23-Mar-2018



Workday

Workday offers both IdP-initiated SAML SSO (for SSO access through the user portal or Centrify mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Workday web application). You can configure Workday for either or both types of SSO.

Workday requirements for SSO

Before you configure the Workday web application for SSO, you need the following:

• An active Workday account with administrator rights for your organization.

• A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.

Continue with Configuring Workday in Admin Portal.

Configuring Workday in Admin Portal

To add and configure the Workday application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.



2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.



You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

7 Continue with Configuring Workday for single sign on.

Configuring Workday for single sign on

The following steps are specific to the Workday application and are required in order to enable SSO for Workday. For information on optional configuration settings available in the Centrify Admin Portal, see Optional configuration settings.

Tip It is helpful to open the web application and Admin Portal simultaneously to copy and paste settings between the two browser windows.

Admin Portal user’s guide 39


To configure Workday for SSO:

1 In your web browser, go to the URL for Workday and log in with your Workday administrator credentials.

The URL should take the form https://www.myworkday.com/Your-Workday-Tenant/login-saml.flex where Your-Workday-Tenant is your tenant name.

2 Navigate to Workbench > Account Administration.

The Workbench menu is available under the user account picture at the top right of the page.

3 In the Actions area, click Edit Tenant Setup - Security and scroll down to SAML Setup.

If Edit Tenant Setup - Security is not available, you might not have the proper permissions to access it.

4 In SAML Setup, select Enable SAML Authentication.



5 Click +(the plus sign) next to Identity Providers and then configure the following.

The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Workday website and paste it into the corresponding field in the Centrify Identity Services Admin Portal.

Admin Portal > Application Settings | Workday web application | What you do
N/A | Identity Provider Name | Enter Centrify as the Identity Provider Name.
Issuer | Issuer | Copy the contents of the Issuer field on the Application Settings page in Admin Portal and paste it here. The contents of this field must exactly match the Issuer field in Admin Portal for this application.
N/A | Enable IdP Initiated Logout | Remove the check mark.
N/A | Logout Response URL | Leave blank.
N/A | Enable Workday Initiated Logout | Select if you want the Workday application to initiate a logout as defined in the Logout Request URL option below.
Logout Request URL | Logout Request URL | Copy the contents of the Logout Request URL field on the Application Settings page in Admin Portal and paste it here. This field is required only if Enable Workday Initiated Logout is selected. Configuring this option signs users out of the Centrify user portal when they sign out of the Workday application.
Download Signing Certificate | X.509 Certificate | Click the icon to open the menu, select Create Certificate, and enter the following information:

• Enter a name for the certificate.

• Enter dates in the Valid From and Valid To fields.

• Download the Signing Certificate from the Application Settings page in Admin Portal and paste it into this field.

• Click OK to save your certificate.

N/A | Enable Dynamic Deep Links for IdP Initiated SAML | Remove the check mark.
N/A | Enable Dynamic Certificate Pinning | Remove the check mark.
N/A | Trusted Domain Certificates | Leave this option blank.
N/A | Service Provider ID | Enter workdaygms.
N/A | Enable SP Initiated SAML Authentication | Do not select for IdP-initiated only configurations. Select to also enable SP-initiated configurations.



IdP SSO Service URL | IdP SSO Service URL | Copy the contents of the IdP SSO Service URL field on the Application Settings page in Admin Portal and paste it here.
N/A | Sign SP-initiated Authentication Request | Make sure this is selected if you want Workday to sign the SAML requests it sends to the Centrify Directory Service using the SAML public key.
N/A | Do not Deflate SP-Initiated Authentication Request | Select to disable deflate compression of SAML requests sent by Workday to a SAML IdP endpoint. Do not select to use deflate compression and Base64 encoding when sending SAML requests. Centrify recommends that you do not select this option (remove the check mark).
N/A | Always Require IdP Authentication | Remove the check mark unless you want to force users to authenticate, even if they have an existing IdP session (see SP-initiated SAML authentication above).
N/A | Authentication Request Signature Method | Set to SHA1.
N/A | Enable Signature KeyInfo Validation | Remove the check mark.
N/A | Additional Negative Skew (in minutes) | Leave this option blank.
N/A | Additional Positive Skew (in minutes) | Leave this option blank.

Tip For SP-initiated configurations, in addition to selecting Enable SP Initiated SAML Authentication you also configure the following:

Click + (the plus sign) next to Redirection URLs.

Copy the IdP SSO Service URL from the Admin Portal Application Settings page and paste it into the Workday Login Redirect URL field.

Note Add ?redirect=n to the end of the URL in the Workday Login Redirect field to allow users to log in to Workday using their local Workday user name and password.

6 Click OK to save your configuration.

7 Log out of your Workday account.
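The Do not Deflate SP-Initiated Authentication Request and Sign SP-initiated Authentication Request settings above concern how Workday builds the SAMLRequest parameter for the HTTP-Redirect binding. The following Python is an added example, not Centrify or Workday code: it encodes a constructed AuthnRequest both ways (raw DEFLATE then Base64, or Base64 only), decodes either form, and assembles the redirect to the IdP SSO Service URL; the request ID, timestamp and IdP URL are placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode

# Constructed sample AuthnRequest for this example (not a real Workday message).
# The request ID and timestamp are placeholders; the ACS URL follows the
# pattern given in the Workday specifications table.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2018-03-23T12:00:00Z" '
    'AssertionConsumerServiceURL="https://www.myworkday.com/YOUR-WORKDAY-TENANT/login-saml.flex">'
    '<saml:Issuer>workdaygms</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_authn_request(xml: str, deflate: bool = True) -> str:
    """Return the SAMLRequest parameter value for the HTTP-Redirect binding.

    deflate=True is the standard encoding: raw DEFLATE (no zlib header or
    checksum) followed by Base64. deflate=False skips the compression step,
    which is what Workday's "Do not Deflate SP-Initiated Authentication
    Request" option selects; the IdP must then accept plain Base64 XML.
    """
    data = xml.encode("utf-8")
    if deflate:
        # wbits=-15 produces a raw DEFLATE stream, as the SAML bindings require.
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_authn_request(param: str) -> str:
    """Decode a SAMLRequest value, accepting both the deflated and plain forms."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        # Plain Base64 of the XML: the SP was configured not to deflate.
        return raw.decode("utf-8")
    # A single final DEFLATE block has BFINAL=1, so its first byte is odd and
    # can never be '<' (0x3C); anything else is treated as a raw stream.
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_url(idp_sso_service_url: str, xml: str, deflate: bool = True) -> str:
    """Build the SP-initiated redirect to the IdP SSO Service URL from Admin Portal."""
    query = urlencode({"SAMLRequest": encode_authn_request(xml, deflate)})
    return f"{idp_sso_service_url}?{query}"
```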
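Several rows in the table (the Issuer that must match exactly, the Service Provider ID workdaygms, and the Additional Negative and Positive Skew minutes) describe what an assertion must satisfy before it is accepted. The Python below is an added example, not Centrify's or Workday's implementation: it applies those checks to a constructed assertion, assuming that the Audience element carries the Service Provider ID and that negative skew extends NotBefore backwards while positive skew extends NotOnOrAfter forwards.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a real Centrify or Workday message); the
# issuer URL and assertion ID are placeholders.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-assertion-id" '
    'Version="2.0" IssueInstant="2018-03-23T12:00:00Z">'
    '<saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>'
    '<saml:Conditions NotBefore="2018-03-23T12:00:00Z" '
    'NotOnOrAfter="2018-03-23T12:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>workdaygms</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC 'Z' timestamp form used in SAML attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml: str, now: str, expected_issuer: str, expected_audience: str,
                    negative_skew_min: int = 0, positive_skew_min: int = 0):
    """Return (accepted, reason) for an assertion evaluated at time `now`.

    `now` uses the same UTC string form as the assertion timestamps. The skew
    arguments mirror Workday's Additional Negative/Positive Skew (in minutes)
    fields; left blank as the document recommends, they are 0.
    """
    root = ET.fromstring(xml)
    ns = {"saml": SAML_NS}
    # The Issuer must match exactly, as the Issuer row in the table requires.
    if root.findtext("saml:Issuer", namespaces=ns) != expected_issuer:
        return False, "issuer mismatch"
    conditions = root.find("saml:Conditions", ns)
    if conditions is None:
        return False, "missing Conditions"
    audiences = [a.text for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", ns)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    current = parse_saml_time(now)
    # Assumption: negative skew moves NotBefore earlier, positive skew moves NotOnOrAfter later.
    not_before = parse_saml_time(conditions.get("NotBefore")) - timedelta(minutes=negative_skew_min)
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter")) + timedelta(minutes=positive_skew_min)
    if current < not_before:
        return False, "assertion not yet valid"
    if current >= not_on_or_after:
        return False, "assertion expired"
    return True, "ok"
```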



8 On the Application Settings page in Admin Portal, specify the following:

9 Click User Access in the Admin Portal and see Allow access to the application for configuration details.

After you assign roles to the application, the application state changes to deployed and the assigned users can access the application.

10 Click Account Mapping in the Admin Portal and see Map user accounts for configuration details.

11 Click Save.

12 (Optional) To configure the Workday application for automatic provisioning, see Workday provisioning.

Workday provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Setting up generic SCIM provisioning.

Workday specifications

Each SAML application is different. The following table lists features and functionality specific to Workday.

Field | Required or optional | Set it to | What you do
Your Workday SAML ACS URL | Required | https://www.myworkday.com/YOUR-WORKDAY-TENANT/login-saml.flex | Replace YOUR-WORKDAY-TENANT with the tenant name for your organization.



Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | Yes | iOS and Android
SAML 2.0 | Yes |
SP-initiated SSO | Yes | If SP-initiated is enabled, IdP-initiated SSO is still supported.
IdP-initiated SSO | Yes |
Force user login via SSO only | No | After SSO is enabled, users can continue to log in to Workday with their local user name and password. Workday also provides a URL parameter that stops the SP-initiated redirect and allows users to access the standard Workday login screen. To do this, add ?redirect=n to the end of the URL in the Workday Login Redirect field. Note that if SP-initiated and redirect are both enabled, and ?redirect=n is not present, users are redirected to the Centrify user portal.
Separate administrator login after SSO is enabled | Yes | After SSO is enabled, administrators can continue to log in to Workday with their local user name and password.
User lockout | No |
Administrator lockout | No |
User provisioning through SAML | No |
Multiple User Types | Yes | Refer to Workday documentation for details.
Self-service password | Yes | Users can reset their own passwords. Note that administrators cannot reset a user’s password.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.
