ADFS 4.0 Step by Step Guide: Federating with Workday


This article provides step-by-step guidance for implementing single sign-on with ADFS 4.0 as the identity provider and Workday as the service provider (the relying party in ADFS terms).

Important Note:

  • Workday does not publish a service provider metadata XML file; the metadata imported into AD FS in this guide is hand-built.
  • Workday does not consume ADFS federation metadata. The issuer, endpoints and token-signing certificate are entered by hand and must be updated by hand whenever the ADFS token-signing certificate changes (for example on automatic certificate rollover).
  • Workday has no SAML session-timeout flow; on timeout it can only redirect the browser to a fixed URL.
  • Do not enable SP-initiated and IdP-initiated authentication at the same time; use one or the other.

Prerequisites:

  • Active Directory Federation Services 4.0
  • Workday tenant
  • Admin access in Workday and ADFS

Workday supports both IdP-initiated and SP-initiated authentication. The ADFS configuration is the same either way; only the Workday configuration changes with the method you choose. In the Workday tenant's Edit Security task there are two sections to configure: 1. Single Sign-on and 2. SAML Setup.

Workday SSO IDP Initiated Auth

Single Sign-on

Login Redirect URL:  https://sts.domain.com/adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://www.workday.com/ (The loginToRp value must match one of the identifiers of the Workday relying party trust in ADFS exactly, scheme and trailing slash included; that identifier is the entityID of the metadata imported in the ADFS section below. The IdP-initiated sign-on page is disabled by default in ADFS 4.0 and must be enabled before this URL works.)

Logout Redirect URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

Timeout Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld (Workday has no SAML timeout flow. When a session times out the browser is simply redirected to this URL, so use the SAML sign-in URL here and the user is sent back through ADFS to sign in again.)

Mobile Login Redirect URL:  https://sts.domain.com/adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://www.workday.com/

SAML Setup

Enable SAML Authentication: Enabled

Identity Provider: IDPInitiatedAuth

Issuer: http://sts.domain.com/adfs/services/trust (do not type https in the issuer; ADFS identifies itself with its http:// federation service identifier even though all of its endpoints are https://)

X509 Certificate: the ADFS Token-Signing certificate (in the ADFS console under Service, Certificates, export the primary token-signing certificate as Base-64 encoded X.509 (.CER), open the .cer file in Notepad, and paste its contents into the Workday field. Do not use the service communications (SSL) certificate; Workday uses this certificate to verify the signature on the SAML response.)

Enable Idp Initiated Authentication: Enabled

Enable Workday Initiated Logout: Enabled

Enable IdP Initiated Logout: Enabled

Logout Request URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

Logout Response URL https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

IdP SSO Service URL: http://sts.domain.com/adfs/services/trust (in IdP-initiated mode Workday never sends an AuthnRequest, so this endpoint is not exercised; the SP-initiated section below uses the actual /adfs/ls SAML endpoint)

Workday SP Initiated Authentication

Single Sign-on

Login Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld

Logout Redirect URL:  https://sts.domain.com/adfs/ls/

Timeout Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld (Workday has no SAML timeout flow. When a session times out the browser is simply redirected to this URL, so use the SAML sign-in URL here and the user is sent back through ADFS to sign in again.)

Mobile Login Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld

SAML Setup

Enable SAML Authentication: Enabled

Identity Provider: SPInitiatedAuth

Issuer: http://sts.domain.com/adfs/services/trust (do not type https in the issuer; ADFS identifies itself with its http:// federation service identifier even though all of its endpoints are https://)

X509 Certificate: the ADFS Token-Signing certificate (in the ADFS console under Service, Certificates, export the primary token-signing certificate as Base-64 encoded X.509 (.CER), open the .cer file in Notepad, and paste its contents into the Workday field. Do not use the service communications (SSL) certificate; Workday uses this certificate to verify the signature on the SAML response.)

Enable SP Initiated Authentication: Enabled

Enable Workday Initiated Logout: Enabled

Enable IdP Initiated Logout: Enabled

Logout Request URL: https://sts.domain.com/adfs/ls/

Logout Response URL https://sts.domain.com/adfs/ls/

IdP SSO Service URL: https://sts.domain.com/adfs/ls

Force IdP initiated Authentication: ForceAuth Only
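Both Workday configurations above take the same two values from ADFS, the Issuer and the token-signing X509 certificate, and the IdP-initiated variant additionally depends on the idpinitiatedSignon.aspx page being enabled. The PowerShell below, run on the ADFS server, produces those values in the form Workday expects and flags the certificate-rollover problem that follows from Workday not reading federation metadata. It is an added example and not part of the original post; the output path C:\temp\adfs-token-signing.cer is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the AD FS 4.0 server. Assumed: output folder C:\temp exists.
Import-Module ADFS

$props = Get-AdfsProperties

# 1. Issuer. AD FS identifies itself with the http:// federation service
#    identifier even though all of its endpoints are https://, which is why
#    the Workday Issuer field must be typed without the "s".
$issuer = "$($props.Identifier)"   # e.g. http://sts.domain.com/adfs/services/trust

# 2. X509 Certificate. Workday verifies the SAML response signature with the
#    primary Token-Signing certificate, not the SSL (service communications)
#    certificate. Export it as Base-64 PEM, the text Workday's field accepts.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$b64 = [Convert]::ToBase64String($signing.Certificate.RawData,
                                 [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\temp\adfs-token-signing.cer' -Value $pem -Encoding Ascii

# 3. Workday does not read AD FS federation metadata, so when automatic
#    certificate rollover promotes a new Token-Signing certificate, every
#    Workday sign-in fails until the new certificate is pasted in. Flag it.
if ($props.AutoCertificateRollover) {
    Write-Warning ("AutoCertificateRollover is on: the signing certificate " +
                   "expires $($signing.Certificate.NotAfter) and will be " +
                   "replaced before then. Re-export and paste it into Workday " +
                   "at that point, or disable rollover and manage it manually.")
}

# 4. IdP-initiated variant only: idpinitiatedSignon.aspx (the Login Redirect
#    URL above) is disabled by default in AD FS 4.0. Skip this for the
#    SP-initiated variant; disabled is the safer default.
if (-not $props.EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
}

# Values to copy into the Workday SAML Setup section.
[pscustomobject]@{
    Issuer                = $issuer
    SigningCertThumbprint = $signing.Thumbprint
    SigningCertNotAfter   = $signing.Certificate.NotAfter
    CertificateFile       = 'C:\temp\adfs-token-signing.cer'
}
```

Record the SigningCertNotAfter date: because Workday holds a static copy of the certificate, the re-paste has to be scheduled before ADFS promotes its next token-signing certificate, which happens ahead of that expiry date.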

Active Directory Federation Services Configuration

Relying Party Metadata: copy the metadata below, save it as an XML file, and import it in ADFS with Add Relying Party Trust, choosing "Import data about the relying party from a file". Note that it declares AuthnRequestsSigned and WantAssertionsSigned as false: ADFS still signs the SAML Response message (the MessageOnly setting further down), and Workday verifies that signature with the token-signing certificate pasted into SAML Setup.


<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.workday.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wd3.myworkday.com/tenant/login-saml.htmld" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Create Claim Rule

Template: Send LDAP Attributes as Claims

LDAP Attribute        Outgoing Claim Type
employeeNumber        Name ID
E-Mail-Addresses      UPN
SAM-Account-Name      Windows account name (use this option to SSO automatically from the internal network)

Workday matches the Name ID against the Workday account user name, so the attribute mapped to Name ID (here the employee number) must be one that users cannot change themselves.

Access Control from ADFS

The goal is SSO without an MFA prompt from the internal network and SSO with MFA from the external network. Create a dedicated access control policy for the Workday relying party:

Name: Workday

Description: Grant Access to Workday XYZ tenant

Permission:

  1. Do not add a "Permit everyone" rule. Access control policy rules are alternatives, so a request that matches "Permit everyone" is granted and the group and MFA conditions below are never enforced.
  2. Permit a specific Active Directory security group when the request comes from the intranet.
  3. Permit the same security group when the request comes from the extranet and require multi-factor authentication.

Remote into a Domain Controller (or any machine with the Active Directory PowerShell module) and add users to the security group referenced in rules 2 and 3 of the access control policy with the PowerShell below.

CSV Header: UserPrincipalName, SecurityGroup

Import-Module ActiveDirectory
$Csv = Import-Csv C:\temp\AddUsersToGroups.csv
foreach ($Item in $Csv) {
    $UPN   = $Item.UserPrincipalName
    $Group = $Item.SecurityGroup
    # -Members needs a user object (or DN/SID/SAM account name), not a UPN string
    $User = Get-ADUser -Filter "UserPrincipalName -eq '$UPN'"
    if ($User) { Add-ADGroupMember -Identity $Group -Members $User }
    else { Write-Warning "No AD user with UPN $UPN" }
}

The Workday relying party trust properties in ADFS should look like this:

Endpoints: https://wd3.myworkday.com/tenant/login-saml.htmld

Binding: Post

Default: Yes

SAML Signout URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0 (this endpoint is where ADFS sends SAML logout messages for the relying party; with it pointing back at ADFS itself, an IdP-initiated logout ends the ADFS session but Workday is not notified)

SAML Signout Binding : POST

Signature: import the Workday request-signing certificate (its public certificate; a private key is never exchanged between the parties) into the Signature tab of the Workday relying party properties. It is only used to verify signed AuthnRequests, and the metadata above declares AuthnRequestsSigned="false", so it is optional unless request signing is turned on in Workday.

Secure hash algorithm (Advanced tab): SHA-256. This is the signing hash, not encryption; Workday no longer accepts SHA-1 signatures.

Certificate key length: 2048 bits (Microsoft no longer supports 1024-bit keys).

Set the SAML response signature scope and allow for clock skew between ADFS and Workday. Open PowerShell on the ADFS server and run the cmdlets below (NotBeforeSkew is in minutes; keep it small, since it widens the window in which a captured assertion is valid).

Set-ADFSRelyingPartyTrust -TargetName Workday -SamlResponseSignature "MessageOnly"

Set-ADFSRelyingPartyTrust -TargetName Workday -NotBeforeSkew 3
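The whole ADFS side of this guide as one script, so it can be repeated on a second farm or checked against what the wizard produced. This is an added example, not code from the original post. It assumes the Workday metadata above was saved as C:\temp\workday-metadata.xml and that the "Workday" access control policy already exists (created in the console as described above); the SAML logout endpoint is left as shown in the properties above and the claim rule reproduces the three rows of the Create Claim Rule section.

```powershell
# Added example, not from the original post. Run on the AD FS 4.0 server.
# Assumed: metadata saved at C:\temp\workday-metadata.xml; an access control
# policy named "Workday" already exists; tenant URL wd3.myworkday.com/tenant.
Import-Module ADFS

$rpName   = 'Workday'
$metadata = 'C:\temp\workday-metadata.xml'
$acsUrl   = 'https://wd3.myworkday.com/tenant/login-saml.htmld'
$sha256   = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# "Send LDAP Attributes as Claims" rule in claim rule language, equivalent to
# the three rows in the Create Claim Rule section: employeeNumber -> Name ID,
# mail (E-Mail-Addresses) -> UPN, sAMAccountName -> Windows account name.
$claimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Workday LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"),
          query = ";employeeNumber,mail,sAMAccountName;{0}",
          param = c.Value);
'@

# Import the hand-built Workday metadata (entityID http://www.workday.com,
# HTTP-POST assertion consumer endpoint) if the trust does not exist yet.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadata
}

# MessageOnly signs the outer SAML Response rather than the Assertion, as the
# post configures. NotBeforeSkew backdates the assertion's NotBefore by the
# given number of minutes to absorb clock drift; keep it small.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules  $claimRules `
    -AccessControlPolicyName 'Workday' `
    -SignatureAlgorithm      $sha256 `
    -SamlResponseSignature   'MessageOnly' `
    -NotBeforeSkew           3

# Read the trust back and compare with the values the post expects. Any $false
# below is a misconfiguration to fix before pointing users at the tenant.
$rp  = Get-AdfsRelyingPartyTrust -Name $rpName
$acs = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' }
$signingKeyBits = (Get-AdfsCertificate -CertificateType Token-Signing |
                   Where-Object IsPrimary).Certificate.PublicKey.Key.KeySize
[ordered]@{
    IdentifierIsWorkdayEntityId  = $rp.Identifier -contains 'http://www.workday.com'
    AcsIsPostToLoginSaml         = ($acs.Binding -eq 'POST' -and
                                    $acs.Location.AbsoluteUri -eq $acsUrl)
    SignsWithSha256              = $rp.SignatureAlgorithm -eq $sha256
    ResponseSignatureMessageOnly = $rp.SamlResponseSignature -eq 'MessageOnly'
    NotBeforeSkewIs3Minutes      = $rp.NotBeforeSkew -eq 3
    AccessPolicyBound            = $rp.AccessControlPolicyName -eq 'Workday'
    SigningCertIs2048Bit         = $signingKeyBits -eq 2048
}
```

The read-back block is the part worth keeping around: run it after any console change to the trust, since the wizard defaults to SHA-1 and AssertionOnly signing and will silently undo both settings if the trust is recreated.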

Test ADFS SSO:

Open any browser and go to https://wd3.myworkday.com/tenant/login.htmld or https://wd3.myworkday.com/tenant, from both the internal and the external network, and from the mobile app. Internal users should sign in without a prompt; external users should be prompted for MFA.

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solutions and VMware data center virtualization technologies. I have a Master's degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich the information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
