You do need to create a metadata file; Workday won't do it for you. We use
this site:

https://www.samltool.com/sp_metadata.php


Once you've created it for one Workday tenant, you can just copy it and
edit the XML directly for the other tenants; you don't have to use this
site for each tenant.

Then do something like this (copied from our internal wiki, and I'm not the
Workday guy, so I hope it makes sense to you!)

Configure Workday: Edit Tenant Setup - Security

   1. Single Sign-on
      1. Redirection URLs
         - Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
           <https://www.myworkday.com/newschool/login-saml2.htmld>
         - Logout Redirect URL:
         - Timeout Redirect URL:
         - Mobile App Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
           <https://www.myworkday.com/newschool/login-saml2.htmld>
         - Mobile Browser Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
           <https://www.myworkday.com/newschool/login-saml2.htmld>
         - Environment: Production
      2. SAML Setup
         - Enable SAML Authentication: [x]
         - x509 Private Key Pair: YOURPRIVATEKEYPAIR
         - Enable Mobile Browser SSO for Native Apps: [ ]
         - Enable Certificate Based SSO: [ ]
         - Enable Dynamic Certificate Pinning: [ ]
         - Service Provider ID: http://www.workday.com/YOURTENANTNAME
           <http://www.workday.com/newschool>
         - Enable SP Initiated SAML Authentication (Will be Deprecated): [x]
         - IdP SSO Service URL:
           https://YOURCASSERVER/cas/idp/profile/SAML2/POST/SSO
           <https://sso.newschool.edu/cas/idp/profile/SAML2/POST/SSO>
         - Sign SP-initiated Authentication Request: [x]
         - Do Not Deflate SP-initiated Authentication Request: [x]
         - Always Require IdP Authentication: [ ]
         - Authentication Request Signature Method: SHA256
         - Enable Signature KeyInfo Validation: [ ]
   2. SAML Identity Providers
      1. Identity Provider Name: SSO (CAS 5)
         - Disabled: [ ]
         - Issuer: https://YOURCASSERVER/cas/idp
           <https://sso.newschool.edu/cas/idp>
         - x509 Certificate: YOUR CAS SIGNING CERT
           (/etc/cas/saml/idp-signing.crt)
           Note: as of Workday 27, the cert must begin with "-----BEGIN
           CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
         - Enable IdP Initiated Logout: [ ]
         - Logout Response URL:
         - Enable Workday Initiated Logout: [x]
         - Logout Request URL:
           https://YOURCASSERVER/logout/myday/YOURTENANTNAME.html
           <https://sso.newschool.edu/logout/myday/newschool.html>
         - Use Unspecified Name ID Format for Logout Request: [ ]
         - SP Initiated: [ ]
         - IdP SSO Service URL:
         - Managed Device Attribute:
         - Used for Environments: Production


Note: for "Logout Request URL" we send the users to a little "logout" page
rather than the standard SAML logout. This is OPTIONAL. We put ours in
.../tomcat/webapps/ROOT/logout/myday/YOURTENANTNAME.html on the CAS
server.  It's basically just this:


<body>
  <div class="container">
    <div class="well">
      <img id="logo" src="myday-logo.png"/>
      <p>You have either logged out or timed out of your Workday session. To
        protect your sensitive information, we recommend that you close
        your browser.</p>
      <p>You may also <a href="https://www.myworkday.com/YOURTENANTNAME">
        log in to Workday again</a>.</p>
    </div>
  </div>
</body>


The metadata we upload (generated by the site above) looks like the
attached.

Hope this helps.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]
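As an added example (not Dave's code, nor Workday's or CAS's), here is a small Python script that stamps out metadata in the shape of the attached file for any tenant name, re-parses the result to catch malformed XML, and applies the audience rule Workday states in the error message quoted below; the tenant names and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder; a real file carries the tenant's base64 SP certificate.
FAKE_CERT = "MIID...PLACEHOLDER..."

def build_sp_metadata(tenant, cert_b64=FAKE_CERT, host="www.myworkday.com"):
    """Build SP metadata for one tenant, mirroring the attached file's layout.

    entityID is http://www.workday.com/<tenant>: the same value as Workday's
    "Service Provider ID" field, and one its audience check accepts.
    """
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {
        "ID": f"http://workday.workday.com/{tenant}",
        "entityID": f"http://www.workday.com/{tenant}",
    })
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    for use in ("signing", "encryption"):  # same cert for both, as in the attachment
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": f"https://{host}/{tenant}/login-saml.htmld",
        "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def workday_accepts_audience(audience, tenant):
    """Workday's rule as stated in the quoted error message."""
    return (audience.startswith("http://www.workday.com")
            or audience.endswith(f"/{tenant}/login-saml.htmld"))

def check_metadata(xml_bytes, tenant):
    """Re-parse the metadata (rejects malformed XML) and check it fits the tenant."""
    root = ET.fromstring(xml_bytes)
    entity_id = root.get("entityID")
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    return {
        "entityID": entity_id,
        "audience_ok": workday_accepts_audience(entity_id, tenant),
        "acs_ok": acs is not None
        and acs.get("Location").endswith(f"/{tenant}/login-saml.htmld"),
    }
```

Run `check_metadata(build_sp_metadata("newschool"), "newschool")` after hand-editing a copied file to confirm the entityID and ACS still match the tenant you edited it for.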


On Thu, Nov 29, 2018 at 3:08 PM Danny <[email protected]> wrote:

> I'm working on getting CAS 5.3 SAML2 IdP working with Workday, but not
> making much progress.  Workday says the metadata file isn't required, but I
> can't see any way to set it up without one.  Can you give more details on
> how you got this to work?
>
> Thanks
>
> On Tuesday, March 13, 2018 at 2:34:16 PM UTC-5, [email protected]
> wrote:
>>
>> We are trying to configure our Workday Preview tenant to authenticate via
>> SAML2 to a CAS 5.2.2 IdP.
>>
>> In the management webapp, we have defined a "SAML2 Service Provider"
>> service. The EntityID is set to:
>>
>> https://impl.workday.com/xxxxx
>>
>>
>> which matches the EntityID in the SP's metadata.  When we try to log in
>> to Workday, we receive this error from the Workday side:
>>
>> Invalid Audience in SAML token: URL should start with
>> http://www.workday.com, or end with /xxxxx/login-saml.htmld
>>
>>
>> The string they're saying it should end with is the tenant name ("xxxxx")
>> and the name of the web page (login-saml.htmld) that is listed in the
>> metadata as the AssertionConsumerService. However, CAS is sending back
>> the EntityID as the audience:
>>
>>         <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z"
>> NotOnOrAfter="2018-03-13T16:39:17.776Z">
>>             <saml2:AudienceRestriction>
>>                 <saml2:Audience>https://impl.workday.com/xxxxx
>> </saml2:Audience>
>>             </saml2:AudienceRestriction>
>>         </saml2:Conditions>
>>
>> which appears to be correct behavior in the normal (non-Workday) world.
>>
>> On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday
>> tenant works successfully with), we had to add a line in the relying party
>> profile configuration (in relying-party.xml) to address this:
>>
>> <saml:Audience>http://www.workday.com</saml:Audience>
>>
>>
>> which results in the SAML2 response sent back to Workday containing two
>> audiences:
>>
>>       <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z"
>> NotOnOrAfter="2018-03-13T13:49:01.503Z">
>>          <saml2:AudienceRestriction>
>>             <saml2:Audience>https://impl.workday.com/xxxxx
>> </saml2:Audience>
>>             <saml2:Audience>http://www.workday.com</saml2:Audience>
>>          </saml2:AudienceRestriction>
>>       </saml2:Conditions>
>>
>> However, I don't see any way to perform the equivalent, either through
>> the management webapp's user interface or by editing the service registry
>> manually. And I don't see anything in the documentation or searching the
>> code on GitHub.
>>
>> We are NOT using the cas-server-support-saml-sp-integrations
>> dependency.... should we be?
>>
>> Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a
>> sandbox/implementation/preview tenant?
>>
>> Any ideas (even crazy ones) gladly accepted...
>>
>> Thanks,
>> --Dave
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANWn-gkiyuEWGENH8-GSeP6wNx9t4cOVCCyWzZY%3D1D6zQ%40mail.gmail.com.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="http://workday.workday.com/YOURTENANTNAME"
    entityID="http://www.workday.com/YOURTENANTNAME">
    <md:SPSSODescriptor AuthnRequestsSigned="true"
        WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDYjCCA...0AfF5v
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDYjCCA...0AfF5v
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.myworkday.com/YOURTENANTNAME/login-saml.htmld"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>
