McAfee MVISION Cloud

Workday SSO Integration with Okta and Mobile App via Proxy

IdP Flow

  1. Log in to your Workday instance as an admin. Then search for the task Edit Tenant Setup - Security.
  2. Go to Single Sign-On. Click +, then enter the following:
  3. Activate the checkbox Enable SAML Authentication.
  4. Under SAML Identity Providers, click +, then enter the following:
    • Identity Provider Name. Enter Okta.
    • Issuer. Log in to the Okta admin dashboard for this value. For example, https://dev-165501.oktapreview.com/a...dK0h7/sso/saml.
    • Click Create x509 Public Key.
    • In the Create x509 Public Key dialog, enter a unique name for your certificate. For example, okta.cert.
    • Copy and paste the certificate into the Certificate field. Log in to the Okta admin dashboard for this value.
    • Click OK to save your certificate.
    • Return to Edit Tenant Setup - Security.
  5. IdP SSO Service URL. Log in to the Okta admin dashboard for this value. For example, https://dev-165501.oktapreview.com/a...dK0h7/sso/saml
  6. Click Create x509 Private Key Pair.
  7. Enter a unique name for your certificate. For example, workday_key. Then click OK.
  8. Service Provider ID. Enter http://www.workday.com.
  9. Enable Always Require IdP Authentication. Select ForceAuthn Only to enable Force Authentication.
  10. Authentication Request Signature Method. Select SHA256. Click OK.
  11. Select the Actions menu near the workday_key x509 Private Key Pair.
  12. Select x509 Private Key Pair > View Key Pair. Copy the Public Key value and save it as workday_key.cert.
  13. In Okta, for the Workday app, select the Sign On tab. Then click Edit.
  14. Configure the following settings:
    • Deactivate the checkbox Disable Force Authentication.
    • Activate the checkbox Enable Single Logout.
    • To select workday_key.cert, click Browse.
    • Click Upload, then click Save.
  15. Select the General tab and specify the Reverse Proxy URL. 
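
To confirm that the settings from steps 8 to 10 took effect, you can inspect the SAML AuthnRequest that Workday sends to Okta. The Python check below is an added example, not part of the original McAfee, Workday or Okta documentation; it assumes the request was captured as an HTTP-Redirect URL (SAMLRequest, SigAlg and Signature query parameters), and the host name and sample values in it are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "http://www.workday.com"  # Service Provider ID, step 8


def check_authn_request(redirect_url):
    """Return findings for a captured redirect URL. Signature is not verified."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in query:
        return ["no SAMLRequest parameter in URL"]
    try:  # HTTP-Redirect binding: base64 over raw DEFLATE
        raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    except (ValueError, zlib.error):
        return ["SAMLRequest is not base64 + raw DEFLATE"]
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["SAMLRequest carries a DTD; refusing to parse"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return ["SAMLRequest is not well-formed XML"]
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append("Issuer %r != %r (step 8)" % (issuer, EXPECTED_ISSUER))
    if root.get("ForceAuthn") not in ("true", "1"):
        findings.append("ForceAuthn not set (step 9)")
    sig_alg = query.get("SigAlg", [""])[0]
    if "Signature" not in query:
        findings.append("request is unsigned")
    elif not sig_alg.lower().endswith("sha256"):
        findings.append("SigAlg %r is not SHA-256 (step 10)" % sig_alg)
    return findings


def build_sample(force_authn, sig_alg):
    """Constructed sample URL; host and Signature value are placeholders."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed"'
           ' Version="2.0" ForceAuthn="%s"><saml:Issuer>http://www.workday.com'
           '</saml:Issuer></samlp:AuthnRequest>' % force_authn)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return "https://idp.example.test/sso/saml?" + urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "SigAlg": sig_alg, "Signature": "cGxhY2Vob2xkZXI="})
```

An empty list from `check_authn_request` means the captured request carries the expected Issuer, ForceAuthn and SHA-256 signature method; it does not validate the signature against workday_key.cert.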

Workday Mobile App Flow

Because the Workday mobile app does not allow any path in a web address, only the hostname, specify a web address such as https://impl.workday.com. For example, https://impl.workday.com/<instance_name>/login-saml2.flex.

  1. Start the Workday mobile app. In Settings, specify your tenant name and web address. 
  2. You are navigated to SSO. Enter your credentials. 
  3. After a successful login, the Workday mobile app opens in an embedded browser. 

LIMITATION: If you click the Workday mobile app View button, you see an "Invalid web address" message, because the app does not support any URL except the direct URL (for example, impl.workday.com or myworkday.com). Workday does not support this: SAML SSO links are not mobile accessible. For more details, see https://community.workday.com/brainstorms/123076. You can ask Workday to provide support by adding your comment at that link or by raising a request with Workday. With the Workday R2 2020 release (Sept 12, 2020), it has been observed that the embedded browser also does not work, for the same reason.
