➿ Set up multiple Workday SSO providers
My company has gone through a number of acquisitions and as part of that, ended up in a situation where we have multiple identity providers from these companies and workers who have accounts within each. These licenses are quite expensive, so in an effort to decrease our license count, we are configuring Workday to handle multiple SSO providers so workers don't need licenses with multiple identity providers.
As usual, the process isn't all that well documented on Workday Community, so these are my notes on the setup.
Step 1: Do a test run in sandbox or an impl tenant
...Pretty self-explanatory.
Step 2: Back up the Tenant Setup - Security configuration
Go to Tenant Setup - Security and download/export a PDF and/or Excel file of the configuration for reference in case you need it. For the truly paranoid, email the file to someone else so there's a backup.
Step 3: Configure DISABLED SAML Identity Providers
Configure the identity providers that you'll need and check the box for "disabled" so that they aren't live yet.
Step 4: Create an authentication selector
With the task Manage Authentication Selectors, create a new authentication selector for each identity provider.
- Use descriptive names & descriptions that will help guide your workers to make the right selection.
- The URLs should be the identity provider's link to the app rather than the identity provider's base URL for the best experience. So instead of company.okta.com, it'll be company.okta.com/some-app-string...
Step 5: Flip the switch!
Turn on the new configuration in Tenant Setup - Security:
- Within the redirection URLs section, select the Authentication Selector you created and then save the changes.
- Within the SAML Identity Providers section check and uncheck boxes as needed to enable the correct identity providers.
Step 6: Verify
Do these things to verify everything worked okay:
- Visit the Workday login page; you should see an option for each entry in the authentication selector.
- Click on each of the authentication selector links to make sure logging in works with both of them.
- Visit Workday directly from the identity provider to verify that method works correctly.
- Try logging into the mobile app.
- Log out and verify the logout redirect works as expected.
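An added example, not part of the original notes: a small Python lint for the planned authentication selector entries from Step 4, run before they are typed into Workday. The entry names, descriptions and the example.com URLs are constructed, and the https and duplicate checks are assumptions that go beyond the advice in Step 4.

```python
from urllib.parse import urlsplit

# Constructed sample entries (placeholders, not values from a real tenant).
SELECTORS = [
    {"name": "Company A workers (Okta)", "description": "Use if you sign in with Company A",
     "url": "https://company.okta.com/some-app-string"},
    {"name": "Company B workers", "description": "",
     "url": "https://idp.company-b.example.com/"},
    {"name": "Company C workers", "description": "Use your Company C login",
     "url": "http://sso.company-c.example.com/app/workday"},
]

def lint_selector(entry):
    """Return the problems found in one planned selector entry."""
    problems = []
    if not entry.get("name", "").strip():
        problems.append("missing name")
    if not entry.get("description", "").strip():
        problems.append("missing description")
    parts = urlsplit(entry.get("url", "").strip())
    if parts.scheme != "https":
        problems.append("URL is not https")
    if not parts.hostname:
        problems.append("URL has no host")
    # Step 4: link to the app inside the IdP, not the IdP's base URL.
    elif parts.path.strip("/") == "" and not parts.query:
        problems.append("URL is the IdP base URL, not the app link")
    return problems

def lint_all(entries):
    """Lint every entry and also flag a name or URL that appears twice."""
    seen, results = set(), []
    for entry in entries:
        problems = lint_selector(entry)
        for field in ("name", "url"):
            key = (field, entry.get(field, "").strip().lower())
            if key[1] and key in seen:
                problems.append(f"duplicate {field}")
            seen.add(key)
        results.append((entry.get("name", ""), problems))
    return results

if __name__ == "__main__":
    for name, problems in lint_all(SELECTORS):
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```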