Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning

This is not a replacement for the actual documentation and you cannot cut and paste your way to a working system. The examples are not usable without taking into consideration your local needs and requirements.

...

  • Identity Provider Name (descriptive label)
  • Issuer (your entityID)
  • x509 Certificate (your signing key certificate, typically in credentials/idp-signing.crt)

...

Workday does not appear to support XML Encryption. You may disable encryption explicitly (example below), or you may disable it generally for any SPs for which no encryption keys are available by setting the idp.encryption.optional property.

Workday's SAML Setup includes a number of options that influence how it interacts with the IdP. Most of them relate to signing of requests or including the ForceAuthn option (the latter would bypass SSO for all users if the IdP is properly configured).

...

Example Shibboleth Configuration

Tip

Refer to the RelyingPartyConfiguration topic and be cognizant that creating overrides for every service is generally an inefficient use of the software. Consider identifying common requirements across services and create overrides tied to multiple services that share those requirements, or that reference profile configuration beans containing common settings.

...

Optional Profile Configurations

SAML2.Logout

The example shown demonstrates turning off encryption (and shows why it's more advisable in most cases to simply set the property to make encryption optional).

...

languagexml
titleExample relying-party.xml override
collapsetrue

...

Refer to the SecurityConfiguration topic for examples on disabling encryption in different ways.

Account Provisioning

Most sites will create identities in Workday directly as part of business processes, or possibly provision accounts into Workday using integration APIs or batch feeds if using only, e.g., the Financials portion. The only field relevant for SSO is the primary ID field in the record. There are fields available for storing alternate identifiers, but all information obtained indicates that SSO can only be based on the primary ID.

...

Example Shibboleth Configuration

Tip

Refer to the NameIDGenerationConfiguration topic for a full treatment of NameID features.

Continuing with the example above, if you have an attribute definition named "employeeNumber" produced by your AttributeResolverConfiguration, release it to the Workday SP in your AttributeFilterConfiguration (example below).

Since Workday metadata must be manually supplied to the IdP, the usual way of producing the right <NameID> format is by including a <NameIDFormat> element in the metadata, which is illustrated in the example metadata shown earlier.

...