Tutorial: Azure Active Directory integration with Workday
In this tutorial, you learn how to integrate Workday with Azure Active Directory (Azure AD).
Integrating Workday with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Workday.
- You can enable your users to automatically get signed-on to Workday (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.
To configure Azure AD integration with Workday, you need the following items:
- An Azure AD subscription
- A Workday single-sign on enabled subscription
To test the steps in this tutorial, we do not recommend using a production environment.
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial.
In this tutorial, you test Azure AD single sign-on in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Workday from the gallery
- Configuring and testing Azure AD single sign-on
Adding Workday from the gallery
To configure the integration of Workday into Azure AD, you need to add Workday from the gallery to your list of managed SaaS apps.
To add Workday from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add new application, click New application button on the top of dialog.
In the search box, type Workday, select Workday from result panel then click Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Workday based on a test user called "Britta Simon".
For single sign-on to work, Azure AD needs to know what the counterpart user in Workday is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Workday needs to be established.
In Workday, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
To configure and test Azure AD single sign-on with Workday, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Create a Workday test user - to have a counterpart of Britta Simon in Workday that is linked to the Azure AD representation of user.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Workday application.
To configure Azure AD single sign-on with Workday, perform the following steps:
In the Azure portal, on the Workday application integration page, click Single sign-on.
On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
On the Workday Domain and URLs section, perform the following steps:
a. In the Sign-on URL textbox, type a URL using the following pattern:
b. In the Identifier textbox, type a URL:
Check Show advanced URL settings and perform the following step:
In the Reply URL textbox, type a URL using the following pattern:
These values are not the real. Update these values with the actual Sign-on URL and Reply URL. Your reply URL must have a subdomain for example: www, wd2, wd3, wd3-impl, wd5, wd5-impl). Using something like "http://www.myworkday.com" works but "http://myworkday.com" does not. Contact Workday Client support team to get these values.
On the SAML Signing Certificate section, click Certificate (Base64) and then save the certificate file on your computer.
Click Save button.
On the Workday Configuration section, click Configure Workday to open Configure sign-on window. Copy the Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL from the Quick Reference section.
In a different web browser window, log in to your Workday company site as an administrator.
In the Search box search with the name Edit Tenant Setup – Security on the top left side of the home page.
In the Redirection URLs section, perform the following steps:
a. Click Add Row.
b. In the Login Redirect URL textbox and the Mobile Redirect URL textbox, type the Sign-on URL you have entered on the Workday Domain and URLs section of the Azure portal.
c. In the Azure portal, on the Configure sign-on window, copy the Sign-Out URL, and then paste it into the Logout Redirect URL textbox.
d. In Used for Environments textbox, select the environment name.
The value of the Environment attribute is tied to the value of the tenant URL:
-If the domain name of the Workday tenant URL starts with impl for example: https://impl.workday.com/<tenant>/login-saml2.htmld), the Environment attribute must be set to Implementation.
-If the domain name starts with something else, you need to contact Workday Client support team to get the matching Environment value.
In the SAML Setup section, perform the following steps:
a. Select Enable SAML Authentication.
b. Click Add Row.
In the SAML Identity Providers section, perform the following steps:
a. In the Identity Provider Name textbox, type a provider name (for example: SPInitiatedSSO).
b. In the Azure portal, on the Configure sign-on window, copy the SAML Entity ID value, and then paste it into the Issuer textbox.
c. In the Azure portal, on the Configure sign-on window, copy the Sign-Out URL value, and then paste it into the Logout Response URL textbox.
d. In the Azure portal, on the Configure sign-on window, copy the SAML Single Sign-On Service URL value, and then paste it into the IdP SSO Service URL textbox.
e. In Used for Environments textbox, select the environment name.
f. Click Identity Provider Public Key Certificate, and then click Create.
g. Click Create x509 Public Key.
In the View x509 Public Key section, perform the following steps:
a. In the Name textbox, type a name for your certificate (for example: PPE_SP).
b. In the Valid From textbox, type the valid from attribute value of your certificate.
c. In the Valid To textbox, type the valid to attribute value of your certificate.
You can get the valid from date and the valid to date from the downloaded certificate by double-clicking it. The dates are listed under the Details tab.
d. Open your base-64 encoded certificate in notepad, and then copy the content of it.
e. In the Certificate textbox, paste the content of your clipboard.
f. Click OK.
Perform the following steps:
a. In the Service Provider ID textbox, type http://www.workday.com.
b. Select Do Not Deflate SP-initiated Authentication Request.
c. As Authentication Request Signature Method, select SHA256.
d. Click OK.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
In the Azure portal, in the left pane, click the Azure Active Directory button.
To display the list of users, go to Users and groups, and then click All users.
To open the User dialog box, click Add at the top of the All Users dialog box.
In the User dialog box, perform the following steps:
a. In the Name box, type BrittaSimon.
b. In the User name box, type the email address of user Britta Simon.
c. Select the Show Password check box, and then write down the value that's displayed in the Password box.
d. Click Create.
Create a Workday test user
In this section, you create a user called Britta Simon in Workday. Work with Workday Client support team to add the users in the Workday platform. Users must be created and activated before you use single sign-on.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Workday.
To assign Britta Simon to Workday, perform the following steps:
In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.
In the applications list, select Workday.
In the menu on the left, click Users and groups.
Click Add button. Then select Users and groups on Add Assignment dialog.
On Users and groups dialog, select Britta Simon in the Users list.
Click Select button on Users and groups dialog.
Click Assign button on Add Assignment dialog.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the Workday tile in the Access Panel, you should get automatically signed-on to your Workday application. For more information about the Access Panel, see Introduction to the Access Panel.