# MangoApps as an SSO Provider for Workday ### **Overview** This guide provides step-by-step instructions to configure MangoApps as a **Single Sign-On (SSO)** provider for Workday. This integration allows users to log in to Workday using their MangoApps credentials, improving security and ease of access. *** ### **Required Roles** To perform the setup successfully, you must have the appropriate administrative access in both systems. * **MangoApps**: Admin access to the MangoApps Admin Portal * **Workday**: Administrator privileges to access and edit tenant security settings *** ### **MangoApps Side Setup** This section explains how to configure the SSO application within MangoApps. **Log in to MangoApps** as an admin and navigate to **Admin Portal > SSO > Application > MangoApps Provisioned Apps**

Click the **Add Application** button and search for **Workday**.

Click the **Add** button next to Workday to access the app configurations pop-up menu.

From this menu, fill in the required fields: * **Workday Application URL**: Your Workday Application URL * **Workday ACS URL**: Your Workday Application URL/login-saml.html * **Entity ID**: e.g. `http://www.workday.com` * **User Identifier**: Select `Email`, `sAMAccountName`, or `EmployeeID` per your requirement Save the application. Download the **Metadata** from the three-dot menu of the configured Workday application to obtain the **x509 certificate**. This certificate will be used during the Workday portion of this setup.

*** ### **Workday Side Setup** The following steps outline how to configure Workday to trust MangoApps as its SSO identity provider. **Sign in to Workday** with admin privileges. Navigate to **Edit Tenant Setup – Security** by searching for it on the home screen and expand the **Single Sign-On** section.

Under **Redirection URLs**, click the **plus icon** and add the following: * **Login Redirect URL**:\ `https:///saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/auth` * **Logout Redirect URL**:\ `https:///saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/logout` * **Mobile App Login Redirect URL**:\ `https:///saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/auth` * **Mobile Browser Login Redirect URL**:\ `https:///saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/logout` {% hint style="info" %} All the above redirect URLs can be found in the downloaded SAML metadata from MangoApps. Please open the file in a notepad to retrieve the information. {% endhint %} Then, enter an **Environment** name. Next, scroll to the **SAML Setup** section and enable **SAML Authentication**.

Add a new **SAML Identity Provider** with the following values: * **Identity Provider Name**: MangoApps * **Issuer**: `http://www.workday.com` For the **x509 Certificate**: * Click the **horizontal lines** icon an select **Create x509 Public Key** * Enter a unique name for your certificate (e.g., `MangoApps.cert`) * Paste the certificate from MangoApps (see MA Side Setup) After adding the certificate, click **OK** to save. This will return you to the **Edit Tenant Setup - Security** screen. We will need to set a couple more values in order to complete the integration. Set the following additional values in the **Edit Tenant Setup - Security** screen: * **Service Provider ID**: `http://www.workday.com` * Enable **SP-Initiated SAML Authentication** * **IdP SSO Service URL**: `http://www.workday.com` * Enable **Always Require IdP Authentication** * Select **ForceAuthn Only** * **Authentication Request Signature Method**: SHA256

Click **OK** to save. *** ### **Testing Considerations** After setup, it’s important to test the SSO flow to ensure everything works as expected before rolling it out to end users. * Use a **test user account** that exists in both MangoApps and Workday. * Test both **SP-initiated login** (from Workday) and **IdP-initiated login** (from MangoApps). * Verify the following: * Redirection works correctly. * User is authenticated using the correct identifier. * Access is granted without errors. *** ### **Security Considerations** When setting up SSO, ensure your configuration meets your organization’s security requirements. * Use **SHA256** for signature hashing. * Ensure your MangoApps and Workday tenants are using **HTTPS**. * Keep the **x509 certificate** secure and rotate it periodically. * Audit user login activities through MangoApps and Workday logs. *** ### **End User Experience** Once SSO is enabled, users can access Workday with their MangoApps credentials. * **From MangoApps**: Users can click the Workday app icon if published on the dashboard or app launcher. * **From Workday**: Users attempting to log in will be redirected to MangoApps for authentication. * **Mobile Support**: Both mobile app and browser-based logins are supported through SSO. *** ### **Rollout Recommendations** To ensure a smooth deployment, follow these steps: 1. **Pilot with a small user group** to validate the configuration. 2. **Document the login process** and provide training resources. 3. Update all relevant **communication channels** before rollout. 4. Monitor login traffic and support tickets during the initial rollout. 5. Plan for **certificate renewal** and revalidation schedules. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://guides.mangoapps.com/integrations-guide/single-sign-on/sso-integrations-by-provider/sso-integrations-for-workday/mangoapps-as-an-sso-provider-for-workday.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.