Workday - SSO Configuration
This application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Workday using Multi-Pass. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Workday, ensure you meet the following requirements:
- Workday admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Workday are registered in your IdP and have the necessary permissions to access Workday.
Important: Custom elements in URLs (like tenant names) are case sensitive. Make sure to match the exact casing from your environment.
Workday - SSO Configuration
Step 1 — Create a Custom SAML Application in Multi-Pass (IdP)
- Select the correct tenant and go to Integrations, click on Applications.
- Select SAML in the custom integration section.
- Complete the form with the following information:
| Field | Value |
|---|---|
| Client ID (=SP Entity ID) | <TENANT_NAME>.workday.com |
| Name | Workday |
| Description | Workday SSO integration |
| Assertion Consumer Service URL | <TENANT_NAME>.workday.com/saml2/acs |
| NameID Policy Format |
- Select Download under Tenant XML Data and save the file locally.
- Click on the Advanced Console on the right side of the screen.
- Click on Clients and search for Workday.
- Make sure all the fields are populated as shown below:
General settings (Multi-Pass)
| Field | Value |
|---|---|
| Client ID | <TENANT_NAME>.workday.com |
| Name | Workday |
| Description | Workday SSO integration |
| Always display in UI | ON |
Access settings (Multi-Pass)
| Field | Value |
|---|---|
| Home URL (IdP-initiated) | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/<APP_NAME> |
| Valid Redirect URIs (ACS) | Paste Workday’s ACS URL |
| IDP-Initiated SSO URL Name | <APP_NAME> |
| Valid post logout redirect URIs | Paste Workday’s Single Logout URL if used (Optional) |
SAML Capabilities
| Setting | Value |
|---|---|
| Name ID Format | |
| Force Name ID Format | ON |
| Force POST Binding | ON |
| Include AuthnStatement | ON |
Signature & Encryption
| Setting | Value |
|---|---|
| Sign Documents | OFF |
| Sign Assertions | ON |
- Go to the tab Keys and ensure that both parameters are set to OFF.
- Go to the Advanced tab and set the Assertion Consumer Service POST Binding URL equal to the Valid Redirect URI under Access Settings:
https://<TENANT_NAME>.workday.com/saml2/acs
Step 2 — Configure Workday as the Service Provider
- Log in to Workday as a Security Admin.
- In the search bar, search for Edit Tenant Setup – Security.
- In the SAML Setup section, select Import Identity Provider.
- Enter
Multi-Passas the Identity Provider Name. - Select the correct environment.
- Upload the metadata file you downloaded earlier from Multi-Pass.
- Click OK — a new row will be added in the SAML Identity Providers table.
- For the new entry, configure the following:
- Select Enable IDP Initiated Logout checkbox.
- Set Logout Response URL
- Select Enable Workday Initiated Logout checkbox.
- Set Logout Request URL
- Select SP Initiated checkbox.
- Set Service Provider ID
- Select Don’t Deflate SP-initiated Authentication Request.
- Click OK.
Related Articles
D2L Brightspace - SSO Integration
This application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a step-by-step guide to ...Mulesoft - SSO Integration
This application has been formally tested by Kelvin Zero Inc. This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Mulesoft using Multi-Pass. SSO simplifies user authentication by allowing access to multiple ...SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...Miro - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Miro using MPAS. SSO simplifies user authentication by allowing access to multiple ...Pipedrive – SSO configuration
This application has been formally tested by Kelvin Zero Inc. This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Pipedrive using Multi-Pass. SSO simplifies user authentication by allowing access to multiple ...