
Login to Workday using the WSO2 Identity Server


Prerequisites

  1. Use the following keytool command to export the public certificate from the wso2is-5.1.0/repository/resources/security/wso2carbon.jks keystore (keystore password: wso2carbon):

keytool -export -alias wso2carbon -file key.crt -keystore wso2carbon.jks

Important: In a production environment you must not use the default wso2carbon.jks that ships with the WSO2 Identity Server. Its password and private key are distributed with every download, so anyone could sign SAML responses that Workday would trust; generate your own key pair and certificate instead.

  2. Use the following command to print the exported certificate. keytool writes it in DER form, hence -inform DER; the PEM block at the end of the output (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----) is what you will paste into Workday:

openssl x509 -text -inform DER -in key.crt
Ex:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Alternatively follow this post to print the public certificate.

Workday Configurations

  1. Log in to Workday with an administrator account.
  2. Open Edit Tenant Setup - Security.
  3. Enable SAML Authentication.

101.png

  4. Enter the Identity Provider Name and Issuer.
301.png

Important: The Issuer name MUST be identical to the Issuer value in the SAML Response sent by the Identity Provider. The value the Identity Server sends is the "Identity Provider Entity Id" of its Resident Identity Provider; see the end of this post for how to change it.

  5. Add the public certificate of the Identity Provider (the one you exported in the prerequisites).

105.png
103.png
104.png
Click Create and enter Name, Valid from, Valid to and the Certificate here.

Tip: You can validate the extracted certificate and read its details (subject, Not Before and Not After dates) by pasting it into a certificate decoder, or with the openssl command from the prerequisites. Use the certificate's Not Before / Not After dates for Valid from / Valid to.

  6. Enable Workday initiated logout.

302.png

  7. Set environments.

108.png

  8. Generate a private key pair if you don't already have one.

303.png
The public certificate of this key pair is imported into the Identity Server and used to validate the signatures on the authentication and logout requests that Workday sends.

Tip: Import the Workday certificate into the WSO2 client trust store (wso2is-5.1.0/repository/resources/security/client-truststore.jks, password: wso2carbon) with the following command:

keytool -import -alias workday -file workday.crt -keystore client-truststore.jks

Restart the Identity Server after importing the certificate. The alias (workday here) is the one you will select later in the Identity Server's service provider configuration.

  9. Enter the Service Provider Name.

304.png

Important: The Service Provider ID MUST start with http://www.workday.com/

  10. Enable SP initiated SAML authentication.

112.png

  11. Enter the Identity Provider URL (the Identity Server's SAML SSO endpoint, https://<Identity Server host>:9443/samlsso by default).

305.png

  12. Add the following configuration for authentication and logout requests.
Enable the following to sign the login request:
123.png
Disable deflating of requests:
122.png
Select the request signature method:
119.png

Finally click OK, then DONE.
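To make the request-side settings concrete (the Service Provider ID rule, the "disable deflating" setting and the Identity Provider URL), here is an added Python example; it is not part of this post and not Workday or WSO2 code. It constructs a sample AuthnRequest in the shape Workday (the SP) sends to the Identity Server, encodes it both with deflating enabled (raw DEFLATE then base64, as in the SAML HTTP-Redirect binding) and with deflating disabled (base64 only, as in the HTTP-POST binding), decodes it the way an IdP must, and runs the checks an IdP makes before answering: registered Issuer, Destination and AssertionConsumerServiceURL. The tenant name example-tenant, the host idp.example.com and the ACS URL are assumptions. Request signing is not shown because the standard library has no XML signature support.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical values (assumptions): replace with your tenant, Identity Server host and ACS URL.
SP_ENTITY_ID = "http://www.workday.com/example-tenant"
IDP_URL = "https://idp.example.com:9443/samlsso"
ACS_URL = "https://www.myworkday.com/example-tenant/login-saml.flex"


def build_authn_request(sp_entity_id, idp_url, acs_url, request_id="_req-example-1"):
    """Constructed, unsigned AuthnRequest in the shape the SP (Workday) sends to the IdP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2016-01-01T00:00:00Z" '
        f'Destination="{idp_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )


def encode_deflated(xml_text):
    """Deflating enabled: raw DEFLATE (no zlib header, wbits=-15) then base64 (HTTP-Redirect style)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def encode_plain(xml_text):
    """Deflating disabled: base64 of the XML only (HTTP-POST style)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(b64):
    """IdP side: return (xml_text, was_deflated).

    Plain XML begins with '<'. A single-block raw DEFLATE stream never does (its first
    byte has the BFINAL bit set, so it is odd, and '<' is 0x3C), so anything else is inflated.
    """
    data = base64.b64decode(b64)
    if data.startswith(b"<"):
        return data.decode("utf-8"), False
    return zlib.decompress(data, -15).decode("utf-8"), True


def validate_authn_request(xml_text, expected_issuer, expected_destination, expected_acs):
    """Checks the IdP should make before answering. Returns a list of problems (empty = accept).

    Signature verification is deliberately left out: the standard library has no XML-DSig.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not an AuthnRequest"]
    problems = []
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    # Sanity check specific to this integration: Workday SP IDs start with this prefix.
    if not issuer.startswith("http://www.workday.com/"):
        problems.append(f"Issuer {issuer!r} does not start with http://www.workday.com/")
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != registered issuer {expected_issuer!r}")
    if root.get("Destination") != expected_destination:
        problems.append("Destination does not match the IdP URL")
    if root.get("AssertionConsumerServiceURL") != expected_acs:
        problems.append("AssertionConsumerServiceURL does not match the registered ACS URL")
    return problems


if __name__ == "__main__":
    request_xml = build_authn_request(SP_ENTITY_ID, IDP_URL, ACS_URL)
    for label, encoded in (("deflated", encode_deflated(request_xml)),
                           ("plain", encode_plain(request_xml))):
        xml_text, was_deflated = decode_saml_request(encoded)
        print(label, len(encoded), "chars, deflated:", was_deflated,
              "problems:", validate_authn_request(xml_text, SP_ENTITY_ID, IDP_URL, ACS_URL))
```

The ACS URL check matters beyond the Issuer rule: a request whose AssertionConsumerServiceURL differs from the registered one would make the IdP post a signed assertion to an address the attacker chose, so the IdP must compare it against the value configured in its own service provider entry, not trust the request.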

Identity Server Configuration

  1. Add a Service Provider.

201.png

  2. Go to the SAML2 configuration page.

202.png

  3. Set the Issuer name. This value must be equal to the Service Provider ID set in the Workday configuration (step 9 there).

306.png

  4. Enter the Assertion Consumer URL.

225.png

Tip: The ACS URL has the following format:
https://www.myworkday.com/<Your workday tenant name>/login-saml.flex

  5. Enable Response Signing.

  6. Enable signature validation in Authentication and Logout requests.
231.png
Select the certificate alias of the service provider (the Workday certificate you imported into the trust store in step 8 of the Workday configuration) from the drop-down.
233.png

  7. Enable single logout.

235.png
Provide the logout URL in the following format:
https://www.myworkday.com/<Your workday tenant name>/logout-saml.flex

  8. Click Register, then Update.

Now use the https://www.myworkday.com/<Your workday tenant name>/login-saml2.flex URL to log in to Workday through the WSO2 Identity Server:

309.jpg

If you want to change the Issuer value that the Identity Server puts in its SAML Response:

  1. Go to the Resident Identity Provider view.

244.png

  2. Change the "Identity Provider Entity Id" value to the required Issuer value.

307.png
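The Issuer rule (Workday's configured Issuer must equal the Issuer the Identity Server puts in its SAML Response), the ACS URL and the Service Provider ID all become checks on the Workday side when a Response arrives. The following Python example is added here and is not part of this post nor Workday or WSO2 code. It builds a constructed, unsigned Response in the shape the Identity Server posts to the ACS URL and validates it the way an SP must: Destination equals the ACS URL, Status is Success, both Issuer elements equal the configured Issuer, the Conditions window contains the current time, and the Audience lists the SP entity ID (the Workday Service Provider ID). The IdP entity ID https://idp.example.com, the old value https://old-idp.example.com and the tenant name example-tenant are assumptions. XML signature verification is out of scope for a standard-library-only sample, but it is the first check a real SP performs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical values (assumptions): the IdP entity ID and the tenant name are made up.
IDP_ENTITY_ID = "https://idp.example.com"
SP_ENTITY_ID = "http://www.workday.com/example-tenant"
ACS_URL = "https://www.myworkday.com/example-tenant/login-saml.flex"


def build_response(idp_entity_id, sp_entity_id, acs_url, name_id, issued, lifetime_seconds=300):
    """Constructed, unsigned SAML Response in the shape the IdP posts to the SP's ACS URL."""
    not_before = issued.strftime(TIME_FMT)
    not_on_or_after = (issued + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT)
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1" Version="2.0" '
        f'IssueInstant="{not_before}" Destination="{acs_url}">'
        f'<saml:Issuer>{idp_entity_id}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{idp_entity_id}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{sp_entity_id}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion></samlp:Response>'
    )


def _parse_time(value):
    """SAML timestamps are UTC; return an aware datetime so comparisons are unambiguous."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_issuer, sp_entity_id, acs_url, now):
    """Checks the SP (Workday) side must make. Returns a list of problems; empty means accepted.

    Signature verification is deliberately left out: the standard library has no XML-DSig.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a SAML Response"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    # Both the Response and the Assertion carry an Issuer; each must equal the configured value.
    for element in root.iter(f"{{{SAML}}}Issuer"):
        issuer = (element.text or "").strip()
        if issuer != expected_issuer:
            problems.append(f"Issuer {issuer!r} != configured Issuer {expected_issuer!r}")
            break
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        problems.append("no Assertion present")
        return problems
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        problems.append("Assertion has no Conditions")
        return problems
    try:
        not_before = _parse_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    except (TypeError, ValueError):
        problems.append("Conditions has malformed or missing NotBefore/NotOnOrAfter")
        return problems
    if now < not_before:
        problems.append("assertion NotBefore is in the future")
    if now >= not_on_or_after:
        problems.append("assertion expired (NotOnOrAfter)")
    audiences = [(a.text or "").strip() for a in conditions.iter(f"{{{SAML}}}Audience")]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the SP entity ID")
    return problems


if __name__ == "__main__":
    issued = datetime.now(timezone.utc).replace(microsecond=0)
    response_xml = build_response(IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, "alice", issued)
    print("matching issuer:", validate_response(response_xml, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, issued))
    # What Workday sees when the Resident IdP entity ID was changed but Workday's Issuer was not.
    stale = build_response("https://old-idp.example.com", SP_ENTITY_ID, ACS_URL, "alice", issued)
    print("stale issuer:", validate_response(stale, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, issued))
```

The Audience check is what ties the Identity Server's Issuer field (the Workday Service Provider ID) to the assertion: without it, an assertion the Identity Server issued for a different service provider could be replayed against the Workday tenant.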
