Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

This information was last reviewed in SeptemberNovember, 2016, by Scott Cantor.

Change Log:

Nov 3, 2016 – Added more information about Logout.

Sep 19, 2016 – Added explicit advice to separate tenants by entityID due to lack of ACS in SAML request.


Having done this, you can reliably trigger a login method by setting the defaultAuthenticationMethods property on the "SAML2.SSO" profile configuration bean.


SAML Logout seems to be broken (bug was reported), but there There is a way to configure simple redirect-based logout by setting the Logout Redirect URL to the IdP's simple logout endpoint (https://hostname/idp/profile/Logout).

The SAML Single Logout support within Workday is broken, at least on the initiating side. Regardless of the contents of the assertion used, Workday creates a <LogoutRequest> message containing one of two hard-coded <NameID> format values, either the X.509 or unspecified constants. This is a violation of the standard, which requires a strongly matching identifier (meaning the formats have to match) for the IdP to proceed with a logout.

It's possible that Workday may be able to process incoming logout requests from the IdP by virtue of violating the standard in the opposite direction (ignoring the format itself), but it's not safe to enable the feature since you can't prevent it from initiating broken requests itself.

The bug has been reported to Workday, but they have so far been unwilling to accept that what they have implemented is simply incorrect and are treating it as an enhancement request rather than a bug.

Example Shibboleth Configuration