Guides HomeMangoApps WebsiteCommunity & SupportBlog & Resources

🆕MangoApps as an SSO Provider for Workday

MangoApps as an SSO provider for Workday (Enterprise Apps)

Overview

This guide provides step-by-step instructions to configure MangoApps as a Single Sign-On (SSO) provider for Workday. This integration allows users to log in to Workday using their MangoApps credentials, improving security and ease of access.

Required Roles

To perform the setup successfully, you must have the appropriate administrative access in both systems.

  • MangoApps: Admin access to the MangoApps Admin Portal

  • Workday: Administrator privileges to access and edit tenant security settings

MangoApps Side Setup

This section explains how to configure the SSO application within MangoApps.

Log in to MangoApps as an admin and navigate to Admin Portal > SSO > Application > MangoApps Provisioned Apps

Click the Add Application button and search for Workday.

Click the Add button next to Workday to access the app configurations pop-up menu.

From this menu, fill in the required fields:

  • Workday Application URL: Your Workday Application URL

  • Workday ACS URL: Your Workday Application URL/login-saml.html

  • Entity ID: e.g. http://www.workday.com

  • User Identifier: Select Email, sAMAccountName, or EmployeeID per your requirement

Save the application.

Download the Metadata from the three-dot menu of the configured Workday application to obtain the x509 certificate. This certificate will be used during the Workday portion of this setup.

Workday Side Setup

The following steps outline how to configure Workday to trust MangoApps as its SSO identity provider.

Sign in to Workday with admin privileges.

Navigate to Edit Tenant Setup – Security by searching for it on the home screen and expand the Single Sign-On section.

Under Redirection URLs, click the plus icon and add the following:

  • Login Redirect URL: https://<your mangoapps domain>/saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/auth

  • Logout Redirect URL: https://<your mangoapps domain>/saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/logout

  • Mobile App Login Redirect URL: https://<your mangoapps domain>/saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/auth

  • Mobile Browser Login Redirect URL: https://<your mangoapps domain>/saml/08904ab0-343f-0137-0224-2f38cb4aeeeb/logout

All the above redirect URLs can be found in the downloaded SAML metadata from MangoApps. Please open the file in a notepad to retrieve the information.

Then, enter an Environment name.

Next, scroll to the SAML Setup section and enable SAML Authentication.

Add a new SAML Identity Provider with the following values:

  • Identity Provider Name: MangoApps

  • Issuer: http://www.workday.com

For the x509 Certificate:

  • Click the horizontal lines icon an select Create x509 Public Key

  • Enter a unique name for your certificate (e.g., MangoApps.cert)

  • Paste the certificate from MangoApps (see MA Side Setup)

After adding the certificate, click OK to save. This will return you to the Edit Tenant Setup - Security screen.

We will need to set a couple more values in order to complete the integration.

Set the following additional values in the Edit Tenant Setup - Security screen:

  • Service Provider ID: http://www.workday.com

  • Enable SP-Initiated SAML Authentication

  • IdP SSO Service URL: http://www.workday.com

  • Enable Always Require IdP Authentication

  • Select ForceAuthn Only

  • Authentication Request Signature Method: SHA256

Click OK to save.

Testing Considerations

After setup, it’s important to test the SSO flow to ensure everything works as expected before rolling it out to end users.

  • Use a test user account that exists in both MangoApps and Workday.

  • Test both SP-initiated login (from Workday) and IdP-initiated login (from MangoApps).

  • Verify the following:

    • Redirection works correctly.

    • User is authenticated using the correct identifier.

    • Access is granted without errors.

Security Considerations

When setting up SSO, ensure your configuration meets your organization’s security requirements.

  • Use SHA256 for signature hashing.

  • Ensure your MangoApps and Workday tenants are using HTTPS.

  • Keep the x509 certificate secure and rotate it periodically.

  • Audit user login activities through MangoApps and Workday logs.

End User Experience

Once SSO is enabled, users can access Workday with their MangoApps credentials.

  • From MangoApps: Users can click the Workday app icon if published on the dashboard or app launcher.

  • From Workday: Users attempting to log in will be redirected to MangoApps for authentication.

  • Mobile Support: Both mobile app and browser-based logins are supported through SSO.

Rollout Recommendations

To ensure a smooth deployment, follow these steps:

  1. Pilot with a small user group to validate the configuration.

  2. Document the login process and provide training resources.

  3. Update all relevant communication channels before rollout.

  4. Monitor login traffic and support tickets during the initial rollout.

  5. Plan for certificate renewal and revalidation schedules.

PreviousSSO Integrations for WorkdayNextWorkday as an SSO Provider for MangoApps

Last updated