You do need to create a metadata file; Workday won't do it for you. We use
this site:

https://www.samltool.com/sp_metadata.php


Once you've created it for one Workday tenant, you can just copy it and
edit the XML directly for the other tenants; you don't have to use this
site for each tenant.

Then do something like this (copied from our internal wiki, and I'm not the
Workday guy, so I hope it makes sense to you!)

Configure Workday: Edit Tenant Setup - Security

   1. Single Sign-on
      1. Redirection URLs
         - Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
         - Logout Redirect URL:
         - Timeout Redirect URL:
         - Mobile App Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
         - Mobile Browser Login Redirect URL:
           https://www.myworkday.com/YOURTENANTNAME/login-saml2.htmld
         - Environment: Production
      2. SAML Setup
         - Enable SAML Authentication: [checked]
         - x509 Private Key Pair: YOURPRIVATEKEYPAIR
         - Enable Mobile Browser SSO for Native Apps: [unchecked]
         - Enable Certificate Based SSO: [unchecked]
         - Enable Dynamic Certificate Pinning: [unchecked]
         - Service Provider ID: http://www.workday.com/YOURTENANTNAME
         - Enable SP Initiated SAML Authentication (Will be Deprecated): [checked]
         - IdP SSO Service URL:
           https://YOURCASSERVER/cas/idp/profile/SAML2/POST/SSO
         - Sign SP-initiated Authentication Request: [checked]
         - Do Not Deflate SP-initiated Authentication Request: [checked]
         - Always Require IdP Authentication: [unchecked]
         - Authentication Request Signature Method: SHA256
         - Enable Signature KeyInfo Validation: [unchecked]
   2. SAML Identity Providers
      1. Identity Provider Name: SSO (CAS 5)
         - Disabled: [unchecked]
         - Issuer: https://YOURCASSERVER/cas/idp
         - x509 Certificate: YOUR CAS SIGNING CERT (/etc/cas/saml/idp-signing.crt)
           As of Workday 27, the cert must begin with "-----BEGIN
           CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
         - Enable IdP Initiated Logout: [unchecked]
         - Logout Response URL:
         - Enable Workday Initiated Logout: [checked]
         - Logout Request URL:
           https://YOURCASSERVER/logout/myday/YOURTENANTNAME.html
         - Use Unspecified Name ID Format for Logout Request: [unchecked]
         - SP Initiated: [unchecked]
         - IdP SSO Service URL:
         - Managed Device Attribute:
         - Used for Environments: Production


Note: for "Logout Request URL" we send the users to a little "logout" page
rather than the standard SAML logout. This is OPTIONAL. We put ours in
.../tomcat/webapps/ROOT/logout/myday/YOURTENANTNAME.html on the CAS
server.  It's basically just this:


<body>
  <div class="container">
    <div class="well">
      <img id="logo" src="myday-logo.png"/>
      <p>You have either logged out or timed out of your Workday session. To
        protect your sensitive information, we recommend that you close
        your browser.</p>
      <p>You may also <a href="https://www.myworkday.com/YOURTENANTNAME">
        log in to Workday again</a>.</p>
    </div>
  </div>
</body>


The metadata we upload (generated by the site above) looks like the
attached.

Hope this helps.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Thu, Nov 29, 2018 at 3:08 PM Danny <daniel.scha...@gmail.com> wrote:

> I'm working on getting CAS 5.3 SAML2 IdP working with Workday, but not
> making much progress.  Workday says the metadata file isn't required, but I
> can't see any way to set it up without one.  Can you give more details on
> how you got this to work?
>
> Thanks
>
> On Tuesday, March 13, 2018 at 2:34:16 PM UTC-5, cur...@newschool.edu
> wrote:
>>
>> We are trying to configure our Workday Preview tenant to authenticate via
>> SAML2 to a CAS 5.2.2 IdP.
>>
>> In the management webapp, we have defined a "SAML2 Service Provider"
>> service. The EntityID is set to:
>>
>> https://impl.workday.com/xxxxx
>>
>>
>> which matches the EntityID in the SP's metadata.  When we try to log in
>> to Workday, we receive this error from the Workday side:
>>
>> Invalid Audience in SAML token: URL should start with
>> http://www.workday.com, or end with /xxxxx/login-saml.htmld
>>
>>
>> The string they're saying it should end with is the tenant name ("xxxxx")
>> and the name of the web page (login-saml.htmld) that is listed in the
>> metadata as the AssertionConsumerService. However, CAS is sending back
>> the EntityID as the audience:
>>
>>         <saml2:Conditions NotBefore="2018-03-13T16:39:12.776Z"
>> NotOnOrAfter="2018-03-13T16:39:17.776Z">
>>             <saml2:AudienceRestriction>
>>                 <saml2:Audience>https://impl.workday.com/xxxxx
>> </saml2:Audience>
>>             </saml2:AudienceRestriction>
>>         </saml2:Conditions>
>>
>> which appears to be correct behavior in the normal (non-Workday) world.
>>
>> On our old CAS 3.5.x/Shibboleth 2.4.0 setup (which the same Workday
>> tenant works successfully with), we had to add a line in the relying party
>> profile configuration (in relying-party.xml) to address this:
>>
>> <saml:Audience>http://www.workday.com</saml:Audience>
>>
>>
>> which results in the SAML2 response sent back to Workday containing two
>> audiences:
>>
>>       <saml2:Conditions NotBefore="2018-03-13T13:44:01.503Z"
>> NotOnOrAfter="2018-03-13T13:49:01.503Z">
>>          <saml2:AudienceRestriction>
>>             <saml2:Audience>https://impl.workday.com/xxxxx
>> </saml2:Audience>
>>             <saml2:Audience>http://www.workday.com</saml2:Audience>
>>          </saml2:AudienceRestriction>
>>       </saml2:Conditions>
>>
>> However, I don't see any way to perform the equivalent, either through
>> the management webapp's user interface or by editing the service registry
>> manually. And I don't see anything in the documentation or searching the
>> code on GitHub.
>>
>> We are NOT using the cas-server-support-saml-sp-integrations
>> dependency.... should we be?
>>
>> Does anyone have CAS 5.2.x SAML IdP working with Workday, especially a
>> sandbox/implementation/preview tenant?
>>
>> Any ideas (even crazy ones) gladly accepted...
>>
>> Thanks,
>> --Dave
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANWn-gkiyuEWGENH8-GSeP6wNx9t4cOVCCyWzZY%3D1D6zQ%40mail.gmail.com.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="http://workday.workday.com/YOURTENANTNAME"
    entityID="http://www.workday.com/YOURTENANTNAME">
    <md:SPSSODescriptor AuthnRequestsSigned="true"
        WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDYjCCA...0AfF5v
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIDYjCCA...0AfF5v
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        </md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </md:NameIDFormat>
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://www.myworkday.com/YOURTENANTNAME/login-saml.htmld"
            index="0" isDefault="true" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>
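The attached metadata and the "Invalid Audience" error from the original question can be checked mechanically before anything is uploaded. The Python script below is an added example for this thread, not code from the posts, from CAS or from Workday. It builds SP metadata in the shape of the attachment for a given tenant name (so a file can be produced per tenant instead of hand-editing the XML), re-parses it the way a CAS admin would inspect it before registering the SAML2 Service Provider, and applies the rule quoted in Workday's error: the Audience, which CAS sets to the registered entityID, must start with http://www.workday.com or end with /<tenant>/login-saml.htmld. It also wraps a pasted IdP signing certificate in the BEGIN/END CERTIFICATE framing the reply says Workday 27 and later require. The tenant name, the placeholder certificate body and all function names are constructed for this example.

```python
"""Build Workday SP metadata for one tenant and check it against the audience
rule Workday enforces. Added example for this thread, not code from the list
posts, CAS or Workday; tenant name, certificate body and names are constructed."""
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder, not a real certificate: a real file carries the
# base64 body of the SP signing/encryption cert (the "MIID..." block).
FAKE_CERT_B64 = "MIIDYjCCA" + "A" * 41 + "0AfF5v"

NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
)


def build_sp_metadata(tenant, cert_b64, acs_page="login-saml.htmld"):
    """Return SP metadata shaped like the attached file for one tenant.

    Only the tenant name differs between tenants (in the entityID and in the
    AssertionConsumerService Location), which is why the attachment can be
    copied and edited by hand instead of regenerated on the web tool.
    The optional ID attribute from the attachment is left out here.
    """
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor",
                      entityID=f"http://www.workday.com/{tenant}")
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       AuthnRequestsSigned="true", WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use in ("signing", "encryption"):  # same cert for both, as in the attachment
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    for fmt in NAMEID_FORMATS:
        ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = fmt
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  Location=f"https://www.myworkday.com/{tenant}/{acs_page}",
                  index="0", isDefault="true")
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def workday_accepts_audience(audience, tenant):
    """The rule quoted from Workday's error in the thread: the Audience must
    start with http://www.workday.com or end with /<tenant>/login-saml.htmld.
    CAS sends the registered entityID as the Audience, so the entityID has
    to satisfy this; https://impl.workday.com/<tenant> does not."""
    return (audience.startswith("http://www.workday.com")
            or audience.endswith(f"/{tenant}/login-saml.htmld"))


def ensure_pem_framing(cert_text):
    """Return the cert as a PEM block (BEGIN/END lines, 64-char lines), the
    form the reply says Workday 27+ requires for the pasted IdP signing cert.
    Accepts bare base64 or an existing PEM; rejects text that is not base64."""
    body = "".join(line.strip() for line in cert_text.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error on garbage
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def check_sp_metadata(xml_text, tenant):
    """Parse SP metadata and report what a CAS admin checks before registering
    it as a SAML2 Service Provider: entityID, ACS, signing flags, and whether
    the entityID-as-Audience will pass Workday's rule."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS) if sp is not None else None
    entity_id = root.get("entityID", "")
    flag = lambda name: sp is not None and sp.get(name) in ("true", "1")
    return {
        "entity_id": entity_id,
        "acs_location": acs.get("Location", "") if acs is not None else "",
        "authn_requests_signed": flag("AuthnRequestsSigned"),
        "want_assertions_signed": flag("WantAssertionsSigned"),
        "cert_count": len(root.findall(".//ds:X509Certificate", NS)),
        "audience_ok": workday_accepts_audience(entity_id, tenant),
    }


if __name__ == "__main__":
    md = build_sp_metadata("YOURTENANTNAME", FAKE_CERT_B64)
    print(md)
    print(check_sp_metadata(md, "YOURTENANTNAME"))
    # The entityID used in the original question fails Workday's audience rule:
    print(workday_accepts_audience("https://impl.workday.com/xxxxx", "xxxxx"))
```

Run as a script it prints the generated metadata and the check results for the placeholder tenant, then shows that the original question's entityID (https://impl.workday.com/xxxxx) fails the audience rule while http://www.workday.com/xxxxx, the form used in the attachment, passes. The parser keys on namespace URIs rather than the md:/ds: prefixes, so it also reads metadata produced by other tools that pick different prefixes.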
