Workday SSO Integration with Okta: A Complete Guide

Reco Security Experts
Updated
May 28, 2025

In today’s enterprise landscape, where secure and scalable access to digital tools is more important than ever, Single Sign-On (SSO) plays a vital role in managing user identities and permissions. Workday, widely used for Human Capital and Financial Management, is a key system that employees rely on daily. By connecting Workday with an SSO provider like Okta, organizations can offer their teams a smoother, more secure login experience.

In this blog, we’ll walk through how SSO works with Workday, highlight the benefits it brings, guide you through the integration process with Okta step by step, and share some best practices for a secure and dependable setup.

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is a login approach that lets users sign in just once to access a range of applications without needing to re-enter their credentials each time. For organizations, this reduces the hassle of managing multiple passwords, cuts down on security risks like password reuse, and helps employees work more efficiently.

In the case of Workday, SSO allows users to log in through their company’s central identity provider, such as Okta, making it easier and more secure to access important HR and financial information.

How SSO Works with Workday

In a Single Sign-On setup, Workday functions as a Service Provider (SP), relying on an external Identity Provider (IdP) like Okta to handle user authentication. It uses the SAML 2.0 (Security Assertion Markup Language) protocol, an industry-standard method for securely exchanging authentication and authorization data between systems.

SAML 2.0 Authentication Flow in Workday

Here’s how the process typically works:

  1. A user tries to access Workday through a SAML-enabled login URL.
  2. Workday redirects the user to the configured Identity Provider (e.g., Okta).
  3. The IdP (Okta) verifies the user’s identity using corporate login credentials and, if required, multi-factor authentication (MFA).
  4. Once authenticated, Okta sends a SAML assertion back to Workday.
  5. Workday checks the validity of the assertion and, if everything checks out, grants the user access.

Workday SSO Login URL Format

The SSO login link for Workday usually follows this structure:

https://www.myworkday.com/[tenant]/login-saml.htm

Key Components in Workday SSO

  • Identity Provider (IdP): Okta, Azure AD, Ping, etc.
  • Service Provider (SP): Workday
  • SAML Metadata: Configuration data, including URLs and certificates
  • ACS (Assertion Consumer Service) URL: Where Workday receives SAML assertions
  • X.509 Certificate: Carries the IdP's public key, which Workday uses to verify the signature on SAML assertions
  • Authentication Policy: Determines who uses SSO and under what conditions

Today, we will set up Single Sign-On (SSO) integration for Workday. Our identity provider for this integration will be Okta. This setup will enable seamless and secure access to Workday via Okta.

Workday SSO Setup with Okta – Step-by-Step Configuration

Follow the steps below to configure Single Sign-On (SSO) in Workday using Okta as the Identity Provider (IdP).

1. Access Workday Security Settings

  • Log in to your Workday tenant with admin access.
  • Use the search bar on the homepage to look for Edit Tenant Setup.
  • Click on Edit Tenant Setup - Security from the search results.
Workday dashboard view showing pending tasks and security settings search, including Edit Tenant Setup - Security options.

2. Configure Redirection URLs

  • Scroll down to the Single Sign-On section and expand it if it's collapsed.
  • Click the plus (+) icon under the Redirection URLs section to add new entries.
  • Fill in the following fields:

Login Redirect URL:

[Your Tenant URL]/login-saml2.flex (e.g., https://impl.workday.com/xme/login-saml2.flex)

Logout Redirect URL:

  • This value will be generated from your Okta Admin Console.

Mobile App Login Redirect URL:

[Your Tenant URL]/login-saml2.flex (e.g., https://impl.workday.com/xme/login-saml2.flex)

Mobile Browser Login Redirect URL:

[Your Tenant URL]/login-saml2.flex (e.g., https://impl.workday.com/xme/login-saml2.flex)

  • Specify the appropriate Environment for this configuration.

The Single Sign-On settings screen in Workday displays fields to input redirect URLs, with a table below showing redirect types and environment-specific dropdowns.

3. Enable SAML Authentication

  • Scroll down to the SAML Setup section.
  • Check the box labeled Enable SAML Authentication.

The SAML Setup section in Workday, with the "Enable SAML Authentication" checkbox selected to activate Single Sign-On using SAML.

4. Add Okta as the SAML Identity Provider

  • Click the + under SAML Identity Providers to add a new row.
  • Complete the fields as follows:

Identity Provider Name: Enter Okta

Issuer: Obtain this from your Okta Admin Dashboard under the Workday app's SAML settings.


The SAML Setup section lists multiple identity providers, including "Okta," with fields for Identity Provider Name, Issuer, and Certificate completed for each entry.

x509 Certificate:

  • Click the key icon next to this field.
  • In the pop-up dialog, select Create x509 Public Key.

The "Create x509 Public Key" dialog with fields for Name, Valid From, Valid To, and Certificate to input and save a new x509 certificate for SAML authentication.

  • Assign a name like okta.cert.
  • Paste the certificate content (retrieved from Okta) into the Certificate box.
  • Click OK to save and return.

5. Enable Single Logout (SLO)

  • Check the option Enable Workday Initiated Logout.
  • Fill in the Logout Request URL using the value provided in Okta.

IdP SSO Service URL:

  • Use the SSO URL from Okta's SAML configuration.

SAML Identity Providers table displaying settings to enable Workday Initiated Logout, including fields for Logout Request URL and IdP SSO Service URL.

x509 Private Key Pair:

  • Click the key icon.
  • Choose Create x509 Private Key Pair.
  • Name the key (e.g., workday_key) and click OK.

Workday interface for generating an x509 Private Key Pair with input fields for key name, description, and a setting to prevent regeneration.

6. Final SAML Settings

  • In the Service Provider ID field, enter: http://www.workday.com
  • Optionally enable SP Initiated SAML Authentication by checking the relevant box.
  • Also, enable the SP Initiated option under the SAML Identity Provider row.

SAML Identity Provider settings table in Workday, with checkboxes for enabling Workday Initiated Logout, SP Initiated Authentication, and other options across multiple entries.

7. Force Authentication (Optional)

  • To enforce re-authentication at each session:
    • Check Always Require IdP Authentication.
    • Select the radio button ForceAuthn Only.
  • Set the Authentication Request Signature Method to: SHA256
  • Click OK to save all changes.

SAML authentication settings in Workday with "Always Require IdP Authentication," "ForceAuthn Only," and "SHA256" selected for the Authentication Request Signature Method, ready to save.

8. Configure Workday Certificate in Okta (Optional for SLO)

  • In Workday, go to the x509 Private Key Pair section.
  • Use the Actions menu next to your key and select View Key Pair.
  • Copy the Public Key content and save it as workday_key.cert.

The "View x509 Private Key Pair" section displays the public key details, including the certificate content, RSA-SSH formatted key, and validity period.

9. Update Okta Workday App Settings (Optional)

  • In the Okta Admin Console:
    • Navigate to the Workday app.
    • Go to the Sign On tab and click Edit.
  • For Force Authentication:
    • Uncheck Disable Force Authentication if applicable.
  • For SLO Settings:
    • Enable Single Logout.
    • Click Browse, upload the workday_key.cert, and then click Upload.

View of the Okta Workday app settings under the "Sign On" tab, showing options to enable Single Logout, disable Force Authentication, and upload a signature certificate using Browse and Upload buttons. 

  • Click Save to apply all changes.

You’ve now successfully set up SSO integration between Workday and Okta. Ensure testing is done for both web and mobile access paths, and validate SSO and logout behaviors thoroughly before rolling out to users.
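
One way to confirm that steps 6 and 7 took effect is to inspect the SP-initiated request Workday sends to Okta. The Python below is an added example, not code from Workday, Okta or this guide; it assumes the request was captured (for instance with SAML-tracer) from the HTTP-Redirect binding, that the Service Provider ID appears as the request's Issuer, and that the SHA256 setting corresponds to the rsa-sha256 SigAlg. The IdP URL and the sample request are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def inspect_authn_request(redirect_url, expected_sp_id="http://www.workday.com"):
    """Decode a captured redirect AuthnRequest; list deviations from steps 6-7."""
    query = parse_qs(urlsplit(redirect_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    try:
        xml = zlib.decompress(raw, -15)  # Redirect binding uses raw DEFLATE
    except zlib.error:
        xml = raw  # request was sent without deflate
    root = ET.fromstring(xml)  # run on your own captures only
    findings = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        findings.append("not an AuthnRequest")
    if root.get("ForceAuthn") not in ("true", "1"):
        findings.append("ForceAuthn is not set")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer != expected_sp_id:
        findings.append(f"Issuer {issuer!r} != Service Provider ID")
    sig_alg = query.get("SigAlg", [None])[0]
    if sig_alg is None:
        findings.append("request is unsigned")
    elif sig_alg != RSA_SHA256:
        findings.append(f"weak or unexpected SigAlg: {sig_alg}")
    return findings  # the signature value itself is not verified here


def sample_redirect(force_authn, sig_alg):
    """Constructed sample: a redirect URL shaped like one seen in SAML-tracer."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" ForceAuthn="{force_authn}">'
           f'<saml:Issuer>http://www.workday.com</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "SigAlg": sig_alg, "Signature": "constructed"}
    return "https://idp.example.com/sso/saml?" + urlencode(params)
```

An empty list from `inspect_authn_request` means the captured request carries ForceAuthn, the expected Issuer and an rsa-sha256 signature algorithm.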

Common Issues and Troubleshooting Tips

Issue: Likely cause

  • Unable to authenticate: Expired or mismatched X.509 certificate
  • Redirect loop: ACS URL or entity ID mismatch
  • Blank page after login: Invalid or malformed SAML response
  • SAML assertion invalid: System clocks not in sync between Okta and Workday
  • User not found: Incorrect mapping of user identifier in SAML

Troubleshooting Tools:

  • Use browser plugins like SAML-tracer or SAML Chrome Panel.
  • Check Workday audit logs and Okta SSO logs.
  • Re-verify attribute mapping (especially NameID).
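
A SAMLResponse copied out of SAML-tracer can be checked against the likely causes listed above before opening a support ticket. The Python below is an added example, not part of the original guide or of any Workday or Okta tooling; the `triage` and `sample` names, the three-minute skew allowance and all sample values are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _ts(value):
    # SAML timestamps are UTC, e.g. 2025-05-28T10:00:00Z (fractional seconds ignored)
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(b64_response, acs_url, sp_id, now, skew=timedelta(minutes=3)):
    """Return the likely causes (from the list above) that a captured response exhibits."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError):
        return ["malformed SAML response"]
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no readable assertion in response"]
    out = []
    conf = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        out.append("Recipient does not match ACS URL")
    aud = assertion.findtext("a:Conditions/a:AudienceRestriction/a:Audience", "", NS)
    if aud.strip() != sp_id:
        out.append("Audience does not match Service Provider ID")
    cond = assertion.find("a:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not (start - skew <= now < end + skew):
            out.append("outside validity window (clock sync)")
    if not assertion.findtext("a:Subject/a:NameID", "", NS).strip():
        out.append("NameID missing (user identifier mapping)")
    return out


def sample(acs_url, audience, not_before, not_on_or_after, name_id="jdoe"):
    """Constructed, unsigned response for the checks above; all values are placeholders."""
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"><a:Assertion><a:Subject>'
           f'<a:NameID>{name_id}</a:NameID><a:SubjectConfirmation>'
           f'<a:SubjectConfirmationData Recipient="{acs_url}"/></a:SubjectConfirmation>'
           f'</a:Subject><a:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
           f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
           f'</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

The check does not verify the XML signature or read encrypted assertions, so an expired or mismatched certificate still has to be confirmed in the Workday and Okta logs.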

Benefits of Integrating Workday SSO with Okta

  • Centralized Authentication: One login for all enterprise tools.
  • Stronger Security Posture: MFA, centralized logging, reduced attack surface.
  • Improved User Experience: Faster access, no multiple passwords.
  • Operational Efficiency: Reduced IT support burden and password reset tickets.
  • Compliance-Ready: Easier to track and audit user access.

Insight by
Gal Nakash
Cofounder & CPO at Reco

Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast with a background as a security researcher and hacker. Gal has led teams in multiple cybersecurity areas, with expertise in the human element.

Expert Insight:

Beyond the Basics: Think Strategically

Integrating Workday with Okta for SSO is not just a technical step—it’s a strategic initiative that enhances both security and user experience. Rather than treating it as a one-time setup, organizations should align it with their broader identity and access management (IAM) policies.

Key Configuration Areas to Prioritize

Experts emphasize focusing on the following:

  • Certificate Management: Monitor expiration dates of SAML X.509 certificates to avoid authentication failures.
  • Accurate Attribute Mapping: Ensure NameID and user identifiers are correctly mapped to prevent login issues.
  • Cross-Platform Testing: Validate the setup across different environments—desktop browsers, mobile browsers, and native Workday apps.

Security Enhancements for Robust Protection

Go beyond default settings to enable:

  • Single Logout (SLO): Ensure session termination across all connected apps.
  • Force Authentication (ForceAuthn): Require fresh login credentials for critical actions to prevent session hijacking.
  • SHA256 Signing: Use strong cryptographic standards for signing SAML assertions.

Operational Integration and Monitoring

Integrate SSO logs into your incident response plan. Leverage:

  • Workday audit logs
  • Okta SSO event logs
  • Tools like SAML-tracer or SAML Chrome Panel for real-time troubleshooting

These practices will improve visibility, support root-cause analysis, and strengthen your organization’s compliance posture.

Conclusion

Workday SSO integration with Okta is a strategic move toward secure and simplified enterprise access management. By leveraging SAML 2.0, organizations can centralize authentication without compromising user experience or system integrity.

Whether you're a security admin, Workday consultant, or IT manager, mastering the steps to implement Workday SSO with Okta empowers you to deliver a more secure, efficient, and modern authentication experience across your organization.
