This information was last reviewed in June, 2018, by Scott Cantor.

Change Log:

Jun 11, 2018 – Removed superfluous signed request material, this isn't good advice at this point.

Nov 3, 2016 – Added more information about Logout.

Sep 19, 2016 – Added explicit advice to separate tenants by entityID due to lack of ACS in SAML request.


A checkbox labeled "Enable Signature KeyInfo Validation" is unclear, but from its description it should probably be checked.

In most cases you'll want to let Workday push users to your IdP and back, by checking the "Enable SP Initiated SAML Authentication" checkbox.


Signed Requests

Signing requests is not something most sites will require, but a common case for using it involves forcing use of particular authentication methods (typically MFA) for all users. Workday is apparently working on various approaches for "step-up" interactions, but at present it is all or nothing because it doesn't support any SAML features for requesting authentication types.

A practical way to overcome this is to configure the IdP to default to a particular authentication context class, and to require signed requests to prevent a malicious user from overriding this. Enabling signed requests requires:

  • Configuring a keypair in the x509 Private Key Pair setting
  • Adding that key to the SP's metadata with use="signing" (see partial example above)
  • Choosing an Authentication Request Signature Method (SHA256 suggested, though that's a digest method, not a signature method)
  • Checking Sign SP-initiated Authentication Request
  • Adding AuthnRequestsSigned="true" inside the SP metadata in the <SPSSODescriptor> element
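The two metadata items in the list above (a signing-capable key and the AuthnRequestsSigned flag) can be checked mechanically. The following is an added example, not part of the original page or of Workday or Shibboleth; the function name, entityID, URL and certificate placeholder are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample; entityID, URL and certificate body are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.org/tenant1">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://sp.example.org/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_signed_request_metadata(xml_text):
    """Hypothetical helper: list problems; an empty list means both items are present."""
    root = ET.fromstring(xml_text)  # intended for locally managed metadata files
    sps = list(root.iter(f"{{{MD}}}SPSSODescriptor"))
    if not sps:
        return ["no <SPSSODescriptor> found"]
    problems = []
    for sp in sps:
        # xs:boolean allows "true" and "1"; an absent attribute means false.
        flag = sp.get("AuthnRequestsSigned", "false").strip()
        if flag not in ("true", "1"):
            problems.append('AuthnRequestsSigned is not "true"')
        # A KeyDescriptor with no use attribute applies to signing and encryption.
        certs = [
            c for kd in sp.findall("md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            for c in kd.findall(".//ds:X509Certificate", NS)
            if (c.text or "").strip()
        ]
        if not certs:
            problems.append("no signing-capable KeyDescriptor with an X509Certificate")
    return problems

if __name__ == "__main__":
    print(check_signed_request_metadata(SAMPLE_METADATA) or "both metadata items present")
```

The check only inspects what the metadata advertises; it does not verify that the certificate matches the keypair configured on the Workday side.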

Having done this, you can reliably trigger a login method by setting the defaultAuthenticationMethods property on the "SAML2.SSO" profile configuration bean.

advisable and turning this off avoids the need to bother managing a keypair on behalf of the IdP.


There is a way to configure simple redirect-based logout by setting the Logout Redirect URL to the IdP's simple logout endpoint (https://hostname/idp/profile/Logout).


Workday does not appear to support SAML Attributes.