
          Configure SSO from Salesforce to Workday

          When you set up your org as an identity provider and Workday as a connected app, users can access Workday using their Salesforce login credentials.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions

          Workday supports the SAML protocol for both identity provider–initiated and service provider–initiated SSO. Follow these high-level steps to configure SSO for Salesforce to Workday.

          Set Up Your Org as an Identity Provider

          With the My Domain feature, your Salesforce org is enabled as an identity provider. My Domain is required for all orgs. If you don’t like your org’s My Domain name, you can change it.

          The My Domain feature also creates a certificate and key pair. The certificate establishes trust between your Salesforce org and Workday. Optionally, you can use another self-signed certificate or import a CA-signed certificate.

          To download the Salesforce self-signed certificate:

          1. From Setup, enter Identity Provider in the Quick Find box, and select Identity Provider.
          2. Click Download Certificate.

            The Identity Provider page lists details about the certificate, such as its name, creation date, and expiration date. Save these values. You provide them and the certificate to Workday in a later step.

          Configure SAML Settings in Workday

          1. Log in to your Workday account as an administrator.
          2. Click Workbench.

          3. Under Account Administration, select the option to set up tenant security.

          4. Under SAML Setup, configure your Salesforce settings.
            1. Enable SAML authentication.
            2. Enter a URL for your org that’s the identity provider. For example, https://MyDomainName.my.salesforce.com.
            3. Next to x509 Public Key, click the prompt icon. Select the option to create an x509 public key and certificate pair.

            4. Enter the certificate name and date values from the certificate details you saved. Copy the certificate’s contents into Certificate.

            5. Next to x509 Private Key Pair, click the prompt icon. Select the option to create an x509 private key pair.

            6. Enter a name for the private key pair, and click OK.
            7. Enter a URL for the Service Provider ID, for example, http://www.workday.com.
            8. Select the option to enable service provider–initiated authentication.
            9. For IdP SSO Service URL, enter the endpoint for your Salesforce org. For example, https://MyDomainName.my.salesforce.com/idp/endpoint/HttpPost.
            10. Select Do Not Deflate SP-initiated Authentication Request.
            11. For the authentication request method, select SHA1.
            12. Select Enable Signature Keyinfo Validation.

            13. Save the settings.

          Create a Connected App in Salesforce

          1. In Salesforce, create a connected app.
            • In Lightning Experience, from Setup, enter App in the Quick Find box, and select App Manager. Click New Connected App.
            • In Salesforce Classic, from Setup, enter Apps in the Quick Find box, and select Apps. Under Connected Apps, click New.
          2. Configure the connected app Basic Information settings.
            1. Enter a name for the Workday connected app. Salesforce uses this name to populate API Name.
            2. Enter your email address in case Salesforce must contact you or your support team.
            3. Optionally, upload or specify a logo and icon to represent your Workday application in the Salesforce App Launcher.

          3. Configure the connected app Web App Settings.
            1. Select Enable SAML.
            2. For Entity Id, enter the local provider name that you saved earlier.
            3. For ACS URL, enter https://www.myworkday.com/workday_tenant_name/login-saml.flex, where workday_tenant_name is the name of your tenant. For example, https://www.myworkday.com/acme/login-saml.flex.
            4. For Subject Type, select Username. Subjects in a SAML request must match the identity of the Workday user account ID.
            5. For Name ID Format, keep the default value (unspecified).
            6. For Issuer, keep the default value, which is your My Domain login URL.
            7. For IdP Certificate, keep the default (Default IdP Certificate).
            8. Save the settings.

          4. Save the settings.
          5. Configure profiles and permission sets for the connected app.
            1. From Setup, enter Apps in the Quick Find box.
              • If you’re using Lightning Experience, select Manage Connected Apps.
              • If you’re using Salesforce Classic, under Manage Apps, select Connected Apps.
            2. Click the name of your connected app for Workday. The connected app detail page appears.
            3. Click Manage Profiles or Manage Permission Sets, and add profiles or permission sets for users who can access this app.
          6. In Salesforce, enter the Start URL for the connected app.
            1. On the connected app detail page, under SAML Login Information, copy the IdP-Initiated Login URL.
            2. On the connected app detail page, click Edit Policies.
            3. Under Basic Information, for Start URL, enter your Workday URL, for example, https://MyDomainName.my.salesforce.com/idp/login?app=0spR000000000Dg.
            4. Save the settings.

          Test the Connected App

          1. In Salesforce, from the App Launcher, find and open the Workday app. If you configured the Workday logo and icon for the connected app, the App Launcher displays them. If identity provider–initiated SSO is configured properly, Salesforce creates an application session.

          2. To test service provider–initiated SSO, enter the URL for the Workday login page, for example, https://www.myworkday.com/yourdomain/login-saml2.flex. If SSO is configured properly, you’re prompted to log in to your Salesforce org. After you log in successfully with your Salesforce credentials, Salesforce redirects you to your initial request URL. You’re logged in to your Workday account.
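
When a test login fails, comparing the SAML response captured in the browser against the values entered in the steps above shows which setting is mismatched. The following is an added example, not part of the Salesforce documentation: it uses this page's example values, a constructed unsigned sample response, and a hypothetical Workday user `jdoe`, and it assumes the connected app's Entity Id equals the Service Provider ID set in Workday and appears as the assertion's Audience. It compares fields only and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "https://www.myworkday.com/acme/login-saml.flex"
# Expected values: the example values used in the steps on this page.
EXPECTED = {
    "Issuer": "https://MyDomainName.my.salesforce.com",
    "Destination (ACS URL)": ACS,
    "Recipient (ACS URL)": ACS,
    "Audience (Entity Id)": "http://www.workday.com",  # assumed equal to Service Provider ID
    "NameID Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def check_saml_response(b64_response, workday_user, expected=EXPECTED):
    """Return mismatches between a captured SAMLResponse and the configured values."""
    # Intended for responses captured from your own test login, not untrusted XML.
    root = ET.fromstring(base64.b64decode(b64_response))
    subject = "saml:Assertion/saml:Subject/"
    name_id = root.find(subject + "saml:NameID", NS)
    confirm = root.find(subject + "saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    issuer = root.find("saml:Assertion/saml:Issuer", NS)
    found = {
        "Issuer": issuer.text if issuer is not None else None,
        "Destination (ACS URL)": root.get("Destination"),
        "Recipient (ACS URL)": confirm.get("Recipient") if confirm is not None else None,
        "Audience (Entity Id)": audience.text if audience is not None else None,
        "NameID Format": name_id.get("Format") if name_id is not None else None,
        "NameID (Workday user)": name_id.text if name_id is not None else None,
    }
    want = {**expected, "NameID (Workday user)": workday_user}
    return [f"{k}: got {found[k]!r}, expected {v!r}" for k, v in want.items() if found[k] != v]

def sample_response(audience, user="jdoe"):
    """Constructed, unsigned sample response (not captured from a real org)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS}">
<saml:Assertion><saml:Issuer>{EXPECTED['Issuer']}</saml:Issuer>
<saml:Subject><saml:NameID Format="{EXPECTED['NameID Format']}">{user}</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response("http://www.workday.com"), "jdoe"))
    print(check_saml_response(sample_response("https://saml.example.invalid"), "jdoe"))
```

An empty list means every compared field matches; each entry otherwise names the setting to recheck in the connected app or in Workday's SAML setup.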
           