Info: This information was last reviewed in June 2018 (previously November 2016) by Scott Cantor. Change Log:
...
A checkbox labeled "Enable Signature KeyInfo Validation" is unclear, but from its description it should probably be checked.
In most cases you'll want to let Workday push users to your IdP and back, by checking the "Enable SP Initiated SAML Authentication" checkbox.
...
Signed Requests
Signing requests is not something most sites will require, but a common case for using it involves forcing use of particular authentication methods (typically MFA) for all users. Workday is apparently working on various approaches for "step-up" interactions, but at present it is all or nothing because it doesn't support any SAML features for requesting authentication types.
A practical way to overcome this is to configure the IdP to default to a particular authentication context class, and to require signed requests to prevent a malicious user from overriding this. Enabling signed requests requires:
- Configuring a keypair in the x509 Private Key Pair setting
- Adding that key to the SP's metadata with use="signing" (see partial example above)
- Choosing an Authentication Request Signature Method (SHA256 suggested, though that's a digest method, not a signature method)
- Checking Sign SP-initiated Authentication Request
- Adding AuthnRequestsSigned="true" to the <SPSSODescriptor> element in the SP metadata
Having done this, you can reliably trigger a login method by setting the defaultAuthenticationMethods property on the "SAML2.SSO" profile configuration bean.
... advisable, and turning this off avoids the need to bother managing a keypair on behalf of the IdP.
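The signed-request setup above only takes effect if the SP metadata the IdP loads actually carries both the signing certificate and the AuthnRequestsSigned flag; a missing attribute silently leaves the IdP accepting unsigned requests. The following is an added example, not code from the page or from Shibboleth or Workday, that lints a metadata document for those two items plus an ACS endpoint. The entityID, endpoint and certificate value in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample: a minimal SP metadata document shaped like the Workday
# fragment the page describes. entityID, ACS Location and the certificate
# body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://tenant.example.invalid/workday-sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder-certificate...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_signed_request_metadata(xml_text: str) -> List[str]:
    """Return a list of problems found in SP metadata.

    An empty list means the metadata declares what an IdP needs in order to
    insist on signed AuthnRequests from this SP: the AuthnRequestsSigned flag,
    a KeyDescriptor usable for signing that carries an X.509 certificate, and
    at least one AssertionConsumerService endpoint.
    """
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]

    # The flag is what tells the IdP to require (not merely accept) a signature.
    if sp.get("AuthnRequestsSigned", "").strip().lower() != "true":
        problems.append('SPSSODescriptor lacks AuthnRequestsSigned="true"')

    # A KeyDescriptor with no use attribute is valid for both signing and
    # encryption, so it counts; use="encryption" does not.
    signing_keys = [kd for kd in sp.findall("md:KeyDescriptor", NS)
                    if kd.get("use") in (None, "signing")]
    certs = [c for kd in signing_keys
             for c in kd.findall(".//ds:X509Certificate", NS)
             if (c.text or "").strip()]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate")

    if sp.find("md:AssertionConsumerService", NS) is None:
        problems.append("no AssertionConsumerService endpoint")
    return problems


if __name__ == "__main__":
    for p in check_signed_request_metadata(SAMPLE_METADATA) or ["metadata OK"]:
        print(p)
```

Run it against the metadata file you feed the IdP after each Workday-side change; the three checks correspond to the list items above, so a non-empty result tells you which step was skipped.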
Logout
There is a way to configure simple redirect-based logout by setting the Logout Redirect URL to the IdP's simple logout endpoint (https://hostname/idp/profile/Logout).
...
Workday does not appear to support SAML Attributes.