Workday as an SSO Provider for MangoApps

Overview

This guide explains how to configure Workday as a SAML-based Single Sign-On (SSO) provider for MangoApps. Using Workday for SSO eases access, improves security, and simplifies login experiences for your organization.

Required Roles

To successfully complete this integration, you will need access to the following roles:

• MangoApps Admin Credentials: Required to access and configure the MangoApps SSO settings.

• Workday Admin Credentials: Required to set up and manage SAML connections within the Workday interface.

Workday Side Setup

Start by configuring the SAML settings in your Workday environment. This setup allows Workday to act as the identity provider for MangoApps.

Login to Workday using your administrator account and search for Create SAML SSO Link.

Select it to access the pop-up window. From this window, click the 3-dash menu and click Create SAML SSO Link.

This will open the Create SAML SSO Link configuration form.

Fill out the form with the following:

• Name: Descriptive name for your SSO connection.

• SAML Version: 2.0

• ACS URL: Copy this URL from the MangoApps Admin Portal (Admin > SSO > Connections > New SSO Connection).

• Name Identifier: Select based on your user identification method (Email Address, Employee ID, Username, Workday Identifier).

• Enable “Use Unspecified Name ID Format” (recommended).

• Recipient: Enter your MangoApps domain URL.

• Issuer ID: Use http://www.workday.com.

• Signature Method: SHA256.

• Message Signing: Select Both Message and Assertion.

Click Save.

Now, we need to retrieve the metadata for the connection for use in the MangoApps Setup.

Search for View SAML SSO Link and select the newly created SSO link.

Click the Okay button. This will bring up the selected link's details screen. Click the three-dot menu in the top navigation bar, then choose SAML SSO Link > Generate Metadata.

Save the SAML Metadata Descriptor — information contained here will be used in the MangoApps setup.

This completes the Workday side of the integration.

MangoApps Setup

After setting up Workday, configure MangoApps to recognize Workday as a valid SSO provider.

Log in to MangoApps Admin Portal.

Navitgate to Admin > SSO > Connections and open the SAML tab. Click the Add SSO Connection button in the top right of the screen.

In the provider dropdown, select Workday.

In the 'Configure Manually' dropdown, enter the following parameters, all of which can be found in the SAML Metadata Descriptor copied from Workday:

• Issuer URL / Entity ID (from metadata).

• X.509 Certificate (from metadata).

• For the SAML 2.0 Endpoint, enter: https://impl.wd12.myworkday.com/mangoapps_dpt1/samlsso/autosubmit/<appid>

  • Replace <appid> with the Application ID found in the Workday metadata URL.

Testing Considerations

Before rolling out SSO to all users:

• Test the connection with a few test accounts from different departments.

• Ensure attributes (e.g., Email, Username) match between MangoApps and Workday.

• Validate correct user mapping and login redirection.

• Confirm that users not present in Workday are denied access (if desired).

Security Considerations

Security is critical when enabling SSO:

• Use SHA256 as the signature method for stronger message integrity.

• Enable both message and assertion signing.

• Regularly rotate your x509 certificate in line with internal IT policies.

• Restrict SSO login access based on IP ranges or conditional access policies, if supported.

End User Experience

Once configured, users can access MangoApps by authenticating through Workday:

• Users will visit your MangoApps login URL.

• Upon selecting the Workday SSO option, they are redirected to Workday for authentication.

• After successful login, they are redirected back into the MangoApps platform with secure access.

Rollout Recommendations

For a smooth deployment:

1. Pilot Group Testing: Start with a small user group to identify any potential issues.

2. Communicate: Send an internal announcement detailing the new login process.

3. Training: Provide documentation or video guides on how users can log in via Workday.

4. Support: Set up a helpdesk line or internal IT support to assist with login issues during the transition.

5. Gradual Rollout: Transition teams in phases before enforcing mandatory SSO.