- A public certificate and private key pair are required to successfully connect applications with JumpCloud. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
- To complete the integration between JumpCloud and Workday, you must use an Organization Admin account in Workday.
- After you connect an application to JumpCloud, you can connect it to user groups. Users in the groups you connect can access the application through SAML SSO. Learn how to connect user groups to applications.
- If, during testing, you find that your single sign-on configuration does not work properly, you can sign in to Workday using your Workday credentials (even if SSO is enabled) by appending ?redirect=n to the end of your Workday login portal URL.
- JumpCloud sends a value, the NameID, in the SAML Assertion that Workday uses to identify which user is attempting SSO. This value must match a user's Workday username. If your users' Workday usernames already exist within JumpCloud (as their emails or JumpCloud usernames), you may choose which of these attributes to send as the NameID for each user. If your users' Workday usernames do not match any pre-existing attributes in JumpCloud, you will need to add a WorkdayID custom attribute for every user that will be using SSO to Workday. To do so, complete the following steps for every user that will use SSO to Workday:
- From the JumpCloud Admin UI, select the Users link in the sidenav
- Select details beside the user for whom you will add a custom attribute
- Select the Attributes tab
- Select + add attribute
- In the Name field, enter
- In the Value field, enter the user's Workday username
- Select save user
Configure the JumpCloud SSO Application
- Access the JumpCloud Administrator Console at https://console.jumpcloud.com.
- Select Applications in the main navigation panel.
- Select the + in the upper left, scroll or search for the application in the 'Configure New Application' side panel, then select 'configure'.
- You can upload a service provider application's XML metadata file to populate SAML connector attributes for that application. The attributes populated by the metadata file may vary by the application. To apply a metadata file for the application you're connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You'll see a confirmation of a successful upload. Be aware that if you upload more than one metadata file, you'll overwrite the attribute values applied in the previously uploaded file.
- In the IDP Entity ID field, enter
- In the ACS URL field, enter https://SUBDOMAIN.workday.com/TENANT_NAME/login-saml.htmld (replace SUBDOMAIN and TENANT_NAME with the appropriate values for your Workday instance, ex:
- In the SAMLSUBJECT NAMEID field, enter the name of the attribute whose value should be used as the NameID in the assertion, as mentioned in the Notes section. For each user, this value in JumpCloud should match his or her Workday username. Enter username to send a user's JumpCloud email or username, respectively. Leave the default value, WorkdayID, if you have added or will add custom attributes to be sent as the NameID for all users using SSO to Workday.
- In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
- (Optional) In the Display Label field, enter a label that will appear under the Service Provider logo within the JumpCloud User console.
- Select Activate.
Configure the Service Provider
- Log in to Workday as an administrator
- Select the user menu in the upper left corner (your Workday avatar)
- Select Workbench from the drop-down menu
- Select Account Administration
- Select Edit Tenant Setup - Security
- In the Single Sign-on section under Redirection URLs, select the + icon
- Under Redirect Type, select Single URL
- Under Login Redirect URL, enter the same IdP URL that you set in the JumpCloud console (if you did not modify the termination of this URL, then enter the default URL:
- Under Logout Redirect URL, enter
- Under Environment, select inside the field and select Implementation from the drop-down menu
- In the SAML Setup section, check the box next to Enable SAML Authentication
- Under SAML Identity Providers, select the + icon
- Under Identity Provider Name, enter
- Under Issuer, enter https://YOURDOMAIN.com (replace YOURDOMAIN with your company's unique domain)
- Under x509 Certificate, select inside the field and select Create x509 Public Key
- Now on the Create x509 Public Key page, enter a Name for your certificate
- In the Valid To and Valid From fields, enter the appropriate dates for your public certificate
- In the Certificate field, paste the contents of your public certificate
- Select OK
- Back on the Edit Tenant Setup - Security page, leave the Service Provider ID as the default value or, if it is blank, enter
- Check the box next to Enable SP Initiated SAML Authentication
- In the IdP SSO Service URL field, enter the same IdP URL that you set in the JumpCloud console (if you did not modify the termination of this URL, then enter the default URL:
- Select inside the Authentication Request Signature Method field and select SHA1 from the drop-down menu
- Ensure that all other values and checkboxes in both the Single Sign-on and SAML Setup sections of this page (that are not explicitly mentioned above) are blank and unchecked, respectively
- Select OK
- Select Done
Validate SSO authentication workflows
- Access the JumpCloud User Console at https://console.jumpcloud.com.
- Select the Service Provider icon.
- This should automatically launch the application and log you in.
- Navigate to your Service Provider application URL.
- You will be redirected to log in to the JumpCloud User Portal.
- The browser will be redirected back to the application and be automatically logged in.
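
When one of the workflows above fails, decoding the SAMLResponse that the browser posts to Workday and comparing its Destination, Issuer and NameID with the values configured earlier shows which setting does not line up. The following is an added example, not JumpCloud or Workday code: the function names and sample usernames are hypothetical, the response is constructed, and it assumes an unencrypted HTTP-POST binding response (plain base64).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ISSUER = "https://YOURDOMAIN.com"  # page placeholder: Issuer entered in Workday
ACS_URL = "https://SUBDOMAIN.workday.com/TENANT_NAME/login-saml.htmld"  # page placeholder

def check_saml_response(b64_response, issuer, acs_url, workday_usernames):
    """List mismatches between a captured SAMLResponse and the connector settings.
    Diagnostic only: the XML signature is not verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination", "") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted or malformed response)"]
    found_issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if found_issuer != issuer:
        problems.append(f"Issuer {found_issuer!r} differs from the Workday Issuer setting")
    name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    elif name_id not in workday_usernames:
        # Flag near misses so a casing or whitespace slip in the attribute is easy to spot.
        near = name_id.strip().lower() in {u.lower() for u in workday_usernames}
        hint = " (differs only by case/whitespace)" if near else ""
        problems.append(f"NameID {name_id!r} matches no Workday username{hint}")
    return problems

def make_sample_response(name_id, destination):
    """Build a constructed, unsigned SAMLResponse for the demo (not a real capture)."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion>'
           f'<saml:Issuer>{ISSUER}</saml:Issuer><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    usernames = {"jdoe", "asmith"}  # constructed Workday usernames
    print(check_saml_response(make_sample_response("jdoe", ACS_URL), ISSUER, ACS_URL, usernames))
    bad = make_sample_response("JDoe", "https://SUBDOMAIN.workday.com/OTHER/login-saml.htmld")
    for problem in check_saml_response(bad, ISSUER, ACS_URL, usernames):
        print("-", problem)
```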