# Workday as an SSO Provider for MangoApps ### Overview This guide explains how to configure Workday as a SAML-based Single Sign-On (SSO) provider for MangoApps. Using Workday for SSO eases access, improves security, and simplifies login experiences for your organization. *** ### Required Roles To successfully complete this integration, you will need access to the following roles: * **MangoApps Admin Credentials:** Required to access and configure the MangoApps SSO settings. * **Workday Admin Credentials:** Required to set up and manage SAML connections within the Workday interface. *** ### Workday Side Setup Start by configuring the SAML settings in your Workday environment. This setup allows Workday to act as the identity provider for MangoApps. **Login to Workday** using your administrator account and search for **Create SAML SSO Link**. Select it to access the pop-up window. From this window, click the 3-dash menu and click **Create SAML SSO Link**.

This will open the **Create SAML SSO Link** configuration form.

Fill out the form with the following: * **Name:** Descriptive name for your SSO connection. * **SAML Version:** 2.0 * **ACS URL:** Copy this URL from the MangoApps Admin Portal (**Admin > SSO > Connections > New SSO Connection**).

* **Name Identifier:** Select based on your user identification method (Email Address, Employee ID, Username, Workday Identifier). * **Enable “Use Unspecified Name ID Format”** (recommended). * **Recipient:** Enter your MangoApps domain URL. * **Issuer ID:** Use `http://www.workday.com`. * **Signature Method:** SHA256. * **Message Signing:** Select **Both Message and Assertion**. Click **Save**. *** Now, we need to retrieve the metadata for the connection for use in the MangoApps Setup. Search for **View SAML SSO Link** and select the newly created SSO link.

Click the **Okay** button. This will bring up the selected link's details screen. Click the **three-dot menu** in the top navigation bar, then choose **SAML SSO Link > Generate Metadata**.

**Save the SAML Metadata Descriptor** — information contained here will be used in the MangoApps setup. This completes the Workday side of the integration. *** ### MangoApps Setup After setting up Workday, configure MangoApps to recognize Workday as a valid SSO provider. Log in to **MangoApps Admin Portal**. Navitgate to **Admin > SSO > Connections** and open the **SAML** tab. Click the **Add SSO Connection** button in the top right of the screen.

In the provider dropdown, select **Workday**.

In the '**Configure Manually**' dropdown, enter the following parameters, all of which can be found in the **SAML Metadata Descriptor** copied from Workday: * **Issuer URL / Entity ID** (from metadata). * **X.509 Certificate** (from metadata). * For the **SAML 2.0 Endpoint**, enter**:**\ `https://impl.wd12.myworkday.com/mangoapps_dpt1/samlsso/autosubmit/` * Replace `` with the Application ID found in the browser URL after clicking the "Generate Metadata" option in Workday, which displays the Workday SAML metadata details.

*** ### Testing Considerations Before rolling out SSO to all users: * Test the connection with a few test accounts from different departments. * Ensure attributes (e.g., Email, Username) match between MangoApps and Workday. * Validate correct user mapping and login redirection. * Confirm that users not present in Workday are denied access (if desired). *** ### Security Considerations Security is critical when enabling SSO: * Use SHA256 as the signature method for stronger message integrity. * Enable both message and assertion signing. * Regularly rotate your x509 certificate in line with internal IT policies. * Restrict SSO login access based on IP ranges or conditional access policies, if supported. *** ### End User Experience Once configured, users can access MangoApps by authenticating through Workday: * Users will visit your MangoApps login URL. * Upon selecting the **Workday SSO option**, they are redirected to Workday for authentication. * After successful login, they are redirected back into the MangoApps platform with secure access. *** ### Rollout Recommendations For a smooth deployment: 1. **Pilot Group Testing:** Start with a small user group to identify any potential issues. 2. **Communicate:** Send an internal announcement detailing the new login process. 3. **Training:** Provide documentation or video guides on how users can log in via Workday. 4. **Support:** Set up a helpdesk line or internal IT support to assist with login issues during the transition. 5. **Gradual Rollout:** Transition teams in phases before enforcing mandatory SSO. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://guides.mangoapps.com/integrations-guide/single-sign-on/sso-integrations-by-provider/sso-integrations-for-workday/workday-as-an-sso-provider-for-mangoapps.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.