SSO setup — Workday
Step-by-step SAML 2.0 single sign-on setup for Workday as the identity provider, with exact field values and group-to-role mapping.
Use Workday as the SAML 2.0 identity provider for Pact. Workday SSO is configured in Tenant Setup — Security; the steps below assume your Workday security administrator does the IdP side.
Before you start
- Owner or admin in Pact.
- A Workday security admin with access to Edit Tenant Setup – Security and the x509 Private Key Pairs / SAML Identity Providers tasks.
- Your sign-in domain (e.g. acme.com).
Pact's Service Provider values
| Workday field | Value |
|---|---|
| Assertion Consumer Service URL | https://<your-pact-host>/v1/sso/saml/acs |
| Service Provider ID / Entity ID | https://<your-pact-host>/v1/sso/saml/metadata.xml |
| Name ID format | Email address |
Exact values + downloadable SP metadata: Admin → SSO (SAML) → Show SP metadata.
1. Configure the SAML Identity Provider in Workday
- In Workday, search the task Edit Tenant Setup – Security.
- Under SAML Setup, add a new Identity Provider:
  - Identity Provider Name: Pact.
  - Issuer: your Workday SAML issuer (e.g. http://www.workday.com/<tenant>).
  - Service Provider ID: Pact's SP Entity ID above.
  - Assertion Consumer Service URL: Pact's ACS URL above.
  - Enable SP Initiated SAML Authentication: checked.
  - Want Assertions Signed: checked (Pact requires signed assertions).
- Attach your signing certificate under x509 Private Key Pairs and export the public certificate; you'll give it to Pact.
2. Attributes
Workday emits the user's email as the Name ID by default; Pact falls back to the Name ID for email when the email attribute is absent. If you map additional attributes, set their names in Pact's Add IdP form:
| Pact field | Typical Workday attribute |
|---|---|
| Email attribute | email (or leave blank to use Name ID) |
| First-name attribute | firstName |
| Last-name attribute | lastName |
| Groups attribute | groups (if you emit a multi-valued group attribute) |
3. Register Workday in Pact
Workday does not always publish a fetchable metadata URL, so use the manual path:
- Admin → SSO (SAML) → Add IdP.
- Fill in:
  - Display name: Workday.
  - IdP entity ID: your Workday issuer.
  - Single Sign-On URL: your Workday SSO endpoint (from the SAML setup task).
  - Signing certificate (PEM): paste the public cert you exported in step 1.
  - Email domain: acme.com.
- Set attribute mappings as needed, then save.
If your Workday tenant does expose IdP metadata XML, paste it into the metadata XML box and click Auto-fill instead.
4. Group → role mapping (optional)
If you emit a group attribute, map values to Pact roles in Group → role mapping:
| IdP group value | Pact role |
|---|---|
| Pact Admins | admin |
| Pact Managers | manager |
The highest-precedence matching row wins; group mappings only raise a user's role, never lower it.
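The two behaviours described in steps 2 and 4 (email falling back to the Name ID when no email attribute is mapped, and precedence-ordered, elevate-only group mapping) as an added example. This is illustrative code, not Pact's or Workday's; the attribute names, the role ladder and the sample assertion are assumptions, and signature verification is deliberately left out and must happen before any of this runs.

```python
# Added example (not Pact's or Workday's code). Assumes the attribute names from
# step 2, the mapping table from step 4, and a role ladder member < manager < admin.
# Never read attributes from an assertion until its signature has been verified.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_RANK = {"member": 0, "manager": 1, "admin": 2}  # assumed ladder
# Rows in precedence order, as in the Group -> role mapping table.
GROUP_TO_ROLE = [("Pact Admins", "admin"), ("Pact Managers", "manager")]


def parse_assertion(xml_text, email_attr="email", groups_attr="groups"):
    """Return (email, groups). email_attr=None or "" means 'use the Name ID'."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    email_vals = attrs.get(email_attr) if email_attr else None
    email = email_vals[0] if email_vals else name_id  # fallback to Name ID
    return email, attrs.get(groups_attr, [])


def resolve_role(current_role, groups):
    """First mapping row whose group the user holds wins; never demote."""
    mapped = next((role for g, role in GROUP_TO_ROLE if g in groups), None)
    if mapped is None or ROLE_RANK[mapped] <= ROLE_RANK[current_role]:
        return current_role
    return mapped


# Constructed sample assertion: no email attribute, two group values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane@acme.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Pact Managers</saml:AttributeValue>
      <saml:AttributeValue>Pact Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    email, groups = parse_assertion(SAMPLE)
    print(email, resolve_role("member", groups))  # jane@acme.com admin
```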
5. Test
Admin → SSO (SAML) → Test on the Workday row → complete the Workday login → confirm auth.saml.acs.success in the audit log. Failures log the precise reason under auth.saml.acs.failure.
6. (Optional) Signed AuthnRequests
For Workday policies that require the SP to sign requests: Admin → SSO (SAML) → SP signing key → Generate, re-download SP metadata for Workday, and tick Sign AuthnRequests on the IdP.
7. Verify domain + enforce + break-glass
- Admin → SSO → Domains → add acme.com, add the DNS TXT record, Verify.
- Designate a break-glass admin under Enforcement first.
- Toggle Require SSO for all users.
Break-glass admins keep password login if Workday is unreachable (audited as auth.break_glass.used).
Provisioning note
Workday is most commonly used for SSO; for automated user lifecycle, drive SCIM provisioning from Workday or a middleware (e.g. Okta/Entra as the SCIM client) against https://<your-pact-host>/scim/v2.