
SafeNet Trusted Access for Workday

Overview

The application template provides the ability to enable single sign-on for users accessing the Workday application through SafeNet Trusted Access.

The following use cases can be configured for Workday:

SP-initiated SSO

IdP-initiated SSO

Configuring SafeNet Trusted Access for Workday is a three-step process:

1. Workday setup

2. SafeNet Trusted Access setup

3. Verify authentication

Workday Setup

As a prerequisite, download the Identity Provider certificate from the SafeNet Trusted Access console by clicking the Download X.509 certificate button.

You will need this certificate in one of the steps below.

Note: To bypass IdP single sign-on (SSO), you can log in with your Workday user name and password using the Backup URL, <Workday Organization URL>/login.flex?redirect=n

Where <Workday Organization URL> is your organization URL registered with Workday.

For example, https://wd3-impl.workday.com/safenet/login.flex?redirect=n

Perform the following steps to configure SafeNet Trusted Access as your identity provider in Workday:

1. Log in to Workday as an administrator using your Workday Organization URL.

For example, https://wd3-impl.workday.com/safenet

2. On the home page, in the search box in the top left-hand corner, enter Edit Tenant Setup - Security.

3. Click the Edit Tenant Setup – Security link in the search results.

4. Under Edit Tenant Setup – Security, scroll down to the Single Sign-on section.

5. Under Redirection URLs, perform the following steps:

a. Click the plus icon to add a new row.

b. In the Redirect Type column, select the Single URL option.

c. In the Login Redirect URL column, enter <Workday Organization URL>/login-saml2.flex.

Where <Workday Organization URL> is your organization's URL registered with Workday.

For example, https://wd3-impl.workday.com/safenet/login-saml2.flex

d. In the Environment column, select an environment (for example, Implementation).

6. Scroll down to the SAML Setup section, and select the Enable SAML Authentication checkbox.

7. Under SAML Identity Providers, perform the following steps:

a. Click the plus icon to add a new row.

b. In the Identity Provider Name column, enter the name of the identity provider (for example, SafeNet IDP).

c. In the Issuer column, enter the Issuer/Entity ID that is available on the SafeNet Trusted Access console.

On the STA console, you can copy this URL by clicking the Copy to Clipboard icon next to the Issuer/Entity ID field.

d. In the x509 Certificate column, perform the following steps:

Click the icon.

Click Create x509 Public Key.

On the Create x509 Public Key window, in the Name field, enter a unique name for the IDP certificate (for example, Safenet IDP Cert).

In a text editor, open the identity provider certificate that you downloaded earlier from the STA console and copy the entire certificate text.

In the Certificate field, paste the identity provider certificate that you copied in the previous step.

Click OK.

e. In the SP Initiated column, select the checkbox.

f. In the Service Provider ID column, enter the entity ID for Workday in the format http://www.workday.com/<Tenant Name>

Where <Tenant Name> is the instance of your Workday account.

For example, http://www.workday.com/safenet

g. In the Sign SP-initiated Request column, select the checkbox.

h. In the Do not Deflate SP-initiated Authentication Request column, select the checkbox.

i. In the IdP SSO Service URL column, enter the SingleSignOnService URL that is provided on the SafeNet Trusted Access console.

On the STA console, you can copy this URL by clicking the Copy to Clipboard icon next to the SingleSignOnService field.

j. In the Used for Environments column, select the environment that you selected earlier in step 5(d) (for example, Implementation).

8. In the x509 Private Key Pair field, perform the following steps:

a. Click the icon.

b. Click Create x509 Private Key Pair.

c. On the Create x509 Private Key Pair window, in the Name field, enter a unique name for the Workday certificate (for example, Workday Cert).

d. Click OK.

9. Scroll down and, in the Authentication Request Signature Method field, select SHA256.

10. Click OK.

11. Perform the following steps to obtain the Workday Signature certificate:

a. Scroll down and, in the x509 Private Key Pair field, click the Actions icon.

b. Click x509 Private Key Pair > View Key Pair.

c. On the View x509 Private Key Pair window, from the Public Key field, copy the entire certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE statements.

d. In a text editor, paste the certificate text that you copied in the previous step and save it in .crt format. You will need this certificate while configuring Workday in SafeNet Trusted Access.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Workday, the second step is to activate the Workday application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Workday application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Workday) and proceed to the next step.

2. Under STA Setup, perform the following steps:

a. In the TENANT NAME field, enter the name of the instance (for example, safenet) of your Workday account.

b. In the WORKDAY ORGANIZATION URL field, enter your organization URL (for example, https://wd3-impl.workday.com/safenet) registered in Workday.

c. Under SAML Certificates, under Signing Certificate, click Upload Certificate to upload the Workday certificate that you saved earlier in step 11(d) of Workday Setup.

d. Under User Login ID Mapping, in the NAME ID field, ensure that SAS User ID is selected.

e. Click Save Configuration to save the details and activate the Workday application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the Workday Single Sign-on (SSO) URL, <Workday Organization URL>/login-saml2.flex, where <Workday Organization URL> is the organization URL registered with Workday.

For example, https://wd3-impl.workday.com/safenet/login-saml2.flex

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Workday application after authentication.
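A check for the SP-initiated flow above, added here as an example (not code from SafeNet or Workday): it decodes a SAMLRequest value captured from your own browser session during the redirect and compares it with the Workday settings from steps 7(f) to 7(h) and 9. The function names and the sample request are constructed for illustration; the code assumes the value is already URL-decoded and carries an embedded XML signature, and it reads the declared signature method without verifying the signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample request (not a real capture); the issuer is the page's example.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">'
    '<saml:Issuer>http://www.workday.com/safenet</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '</ds:SignedInfo></ds:Signature></samlp:AuthnRequest>'
).encode()
SAMPLE_POST = base64.b64encode(SAMPLE_XML).decode()


def decode_saml_request(value):
    """Return (xml_bytes, was_deflated) for a URL-decoded base64 SAMLRequest."""
    raw = base64.b64decode(value, validate=True)  # fails loudly on stray %2B etc.
    if raw.startswith(b"<"):
        return raw, False                     # plain XML: request was not deflated
    return zlib.decompress(raw, -15), True    # raw DEFLATE, as in redirect binding


def check_authn_request(value, expected_sp_id):
    """Compare a captured AuthnRequest with the settings chosen in Workday."""
    xml_bytes, deflated = decode_saml_request(value)
    # ElementTree is not hardened against hostile XML; parse your own captures only.
    root = ET.fromstring(xml_bytes)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    return {
        "is_authn_request": root.tag == "{%s}AuthnRequest" % NS["samlp"],
        "not_deflated": not deflated,               # step 7(h)
        "issuer_matches": issuer == expected_sp_id,  # step 7(f)
        "signed": algorithm is not None,            # step 7(g)
        "sha256": algorithm == RSA_SHA256,          # step 9
    }

if __name__ == "__main__":
    print(check_authn_request(SAMPLE_POST, "http://www.workday.com/safenet"))
```

Any False value in the result points at the Workday setting noted beside it in the comments.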

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Workday application icon. You should be successfully logged in to the Workday application after authentication.

 

© 2020 SafeNet Trusted Access. Various trademarks are held by their respective owners.