Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure Workday for SiteMinder (IdP)

  1. Last updated
  2. Save as PDF

Use this procedure to configure Workday to work with the SiteMinder identity provider, including the federation partnership between SiteMinder and Workday, and configuring SAML for Skyhigh CASB and Workday.  

Configure SiteMinder

Configure Identity Provider and Service Provider entities. 

Create the Local Entity 

  1. Select Create Entity.
    workday_with_siteminder1.png
  2. Entity Location. Local.
  3. Entity Type. SAML2 IDP.
  4. Entity ID. Universal identifier, preferably a domain name. For example, https://ca-idp.fugen.com/.
  5. Entity Name. Any. For example, fugencloud-caidp. 
  6. Base URL. Is pre-populated
  7. Signing Private Key Alias. Select the alias for the imported private key. For example, casaasidp.
  8. Supported Name ID Format. Email Address

Export the Local Certificate

  1. Select Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys
  2. Select Action > Export of the certificate to export.
  3. Click Export and save the file. 

workday_with_siteminder2.png

Create the Remote Entity

  1. Select Create Entity.
    clipboard_eec82ce635566ce3e4fe7e4303e967077.png
  2. Entity Location. Remote.
  3. New Entity Type. SAML2 SP.
  4. Entity ID. Universal identifier, preferably a domain name. This is the value as in Service Provider ID field of Workday SAML 2.0 SSO configuration. For example, http://www.workday.com
  5. Entity Name. Any. For example, Workday. 
  6. Assertion Consumer Service URL. http://workday.ca-sales.raksca.myshn....htmld&shnsaml
  7. Supported Name ID Format. Static.

Configure the Federation Partnership between CA SiteMinder and Workday

  1. Login to CA SiteMinder and navigate to Federation > Partnership Federation > Create Partnerships (SAML 2 IDP > SP). 
  2. Select Create Partnership (SAML 2 IDP-SP).
    workday_with_siteminder4.png
  3. Add Partnership Name. Any. For example, FuGenCloud-Workday. 
  4. Local Identity Provider. Select Local Identity Provider ID. For example, https://ca-idp.fugen.com/
  5. Remote Partner ID. Select Remote Partner ID, http://www.workday.com
  6. User Directories and Search Order. Select one or more User Directories in the required search order.

Federation Users

Configure Federation Users. Select users that should be allowed to federate. For example, All Users in Directory. 

workday_with_siteminder5.png

Configure the Assertion

  1. Name ID Format. Static.
  2. Name ID Type. User Attribute.
  3. Value. This should be the user name of the Workday account ID. For example, aid. 
    clipboard_ef69c5d5f1786c3706d1577a7001099b6.png

Configure the Signature and Encryption

  1. Signing Private Key Alias. Select the alias for the imported private key. For example, casaasidp. 
  2. Post Signature Options. Select Sign Response.

NOTE: The SAML provider must be configured to sign the entire SAML message, not just the Assertion element.

workday_with_siteminder7.png

Confirmation Page

Confirm the values and save the Partnership.

Activate the Partnership

Activate the Partnership. 

workday_with_siteminder8.png

Configure Skyhigh CASB for SAML

  1. Login to Skyhigh CASB. 
  2. Go to Service Management > Workday instance. 
  3. In the Proxy section, under SAML certificates, upload the SiteMinder certificate under IDP, and upload the Workday certificate under SP.
  4. Download proxy certificate.

Configure Workday for SAML

  1. Login to the Workday instance admin console.
  2. Search for Edit Tenant Setup - Security.
    workday_with_siteminder_saml.png
  3. Go to Single Sign-On. Click +, then enter the following:

workday_with_siteminder_sso.png

  1. Enable SAML Authentication. 
  2. Under SAML Identity Providers, click +, then enter the following:
    • Identity Provider Name. Name for reference. For example, FuGen IdP. 
    • Issuer. Identity Provider Entity ID. For example, https://ca-idp.fugen.com/
    • X509 Certificate. In the Create x509 Public Key screen, enter a unique name for your certificate. For example, proxy.cert.
      workday_with_siteminder_login.png
    • Service Provider ID. Service Provider Entity ID, according to the Workday document http://www.workday.com.
    • Select the checkbox Enable SP initiated SAML Authentication.
    • IdP SSO Service URL. Add Identity Provider SSO URL. For example, https://ca-idp.fugen.com/affwebservi...ublic/saml2sso.
    • Enable Do Not Deflate SP-initiated Authentication Request. 
    • Authentication Request Signature Method. Select SHA1.
    • Select the checkbox Enable Signature KeyInfo Validation
       

For SP initiated access: https://impl.workday.com/<instance_name>/login-saml2.flex

For IDP initiated access: https://ca-idp.fugen.com/affwebservices/public/saml2sso

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.