[Notification] We're upgrading the JumpCloud Support Center the week of September 30th.

Support Center

Single Sign-On (SSO) with Workday



  • After you connect an application to JumpCloud, you can connect it to user groups. Users in the groups you connect can access the application through SAML SSO. Learn how to connect user groups to applications.
  • If, during testing, you find that your single sign-on configuration does not work properly, you can sign in to Workday using your Workday credentials (even if SSO is enabled) by appending ?redirect=n to the end of your Workday login portal URL.
  • JumpCloud sends a value, the NameID, in the SAML Assertion that Workday uses to identify which user is attempting SSO. This value must match a user's Workday username. If your users' Workday usernames already exist within JumpCloud (as their emails or JumpCloud usernames), you may choose which of these attributes to send as the NameID for each user. If your users' Workday usernames do not match any pre-existing attributes in JumpCloud, you will need to add a WorkdayID custom attribute for every user that will be using SSO to Workday. To do so, complete the following steps for every user that will use SSO to Workday:
  • From the JumpCloud Admin UI, select on the Users link in the sidenav
  • Select details beside the user for whom you will add a custom attribute
  • Select on the Attributes tab
  • Select + add attribute
  • In the Name field, enter WorkdayID
  • In the Value field, enter the user's Workday username
  • Select save user

Configure the JumpCloud SSO Application

  1. Access the JumpCloud Administrator Console at https://console.jumpcloud.com.
  2. Select Applications in the main navigation panel.
  3. Select the + in the upper left, scroll or search for the application in the 'Configure New Application' side panel, the select 'configure'.
  4. You can upload a service provider application's XML metadata file to populate SAML connector attributes for that application. The attributes populated by the metadata file may vary by the application. To apply a metadata file for the application you're connecting, click Upload Metadata. Navigate to the file you want to upload, then click Open. You'll see a confirmation of a successful upload. Be aware that if you upload more than one metadata file, you'll overwrite the attribute values applied in the previously uploaded file.
  5. In the IDP Entity ID field, enter https://YOURDOMAIN.TLD (e.g., https://thebestwidgets.com).
  6. In the ACS URL field, enter https://SUBDOMAIN.workday.com/TENANT_NAME/login-saml.htmld (replace SUBDOMAIN and TENANT_NAME with the appropriate values for your Workday instance, ex: https://wd3-impl.workday.com/jumpcloud_testing/login-saml.htmld)
  7. In the SAMLSUBJECT NAMEID field, enter the name of the attribute whose value should be used as the NameID in the assertion as mentioned in Notes section. For each user, this value in JumpCloud should match his or her Workday username. Enter email or username to send a user's JumpCloud email or username, respectively. Leave the default value, WorkdayID, if you have added or will add custom attributes to be sent as the NameID for all users using SSO to Workday.
  8. In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector.
  9. (Optional) In the Display Label field, enter a label that will appear under the Service Provider logo within the JumpCloud User console.
  10. Select Activate.

Configure the Service Provider

  1. Log in to Workday as an administrator
  2. Select on the user menu in the upper left corner (your Workday avatar)
  3. Select Workbench from the drop-down menu
  4. Select Account Administration
  5. Select Edit Tenant Setup - Security
  6. In the Single Sign-on section under Redirection URLs, select the + icon
  7. Under Redirect Type, select Single URL
  8. Under Login Redirect URL, enter the same IdP URL that you set in the JumpCloud console (if you did not modify the termination of this URL, then enter the default URL: https://sso.jumpcloud.com/saml2/workday)
  9. Under Logout Redirect URL, enter https://console.jumpcloud.com/userconsole/
  10. Under Environment, select inside the field and select Implementation from the drop-down menu
  11. In the SAML Setup section, check the box next to Enable SAML Authentication
  12. Under SAML Identity Providers, select the + icon
  13. Under Identity Provider Name, enter JumpCloud
  14. Under Issuer, enter https://YOURDOMAIN.com (replace YOURDOMAIN with your company’s unique domain)
  15. Under x509 Certificate, select inside the field and select Create x509 Public Key
  16. Now on the Create x509 Public Key page, enter a Name for your certificate
  17. In the Valid To and Valid From fields, enter the appropriate dates for your public certificate
  18. In the Certificate field, paste the contents of your public certificate
  19. Select OK
  20. Back on the Edit Tenant Setup - Security page, leave the Service Provider ID as the default value or, if it is blank, enter http://www.workday.com
  21. Check the box next to Enable SP Initiated SAML Authentication
  22. In the IdP SSO Service URL field, enter the same IdP URL that you set in the JumpCloud console (if you did not modify the termination of this URL, then enter the default URL: https://sso.jumpcloud.com/saml2/workday)
  23. Select inside the Authentication Request Signature Method field and select SHA1 from the drop-down menu
  24. Ensure that all other values and checkboxes in both the Single Sign-on and SAML Setup sections of this page (that are not explicitly mentioned above) are blank and unchecked, respectively
  25. Select OK
  26. Select Done

Validate SSO authentication workflows

IdP Initiated

  • Access the JumpCloud User Console at https://console.jumpcloud.com.
  • Select the Service Provider icon.
  • This should automatically launch and login to the application.

SP Initiated

  • Navigate to your Service Provider application URL.
  • You will be redirected to log in to the JumpCloud User Portal.
  • The browser will be redirected back to the application and be automatically logged in.

Last Updated: Aug 19, 2019 12:19PM MDT

Related Articles
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found