Workday SSO with Azure AD: Mobile App Login Redirect URL and Timeout Redirect URL?

All replies

  • As per the documentation, the "Sign-on URL" needs to be passed as the Mobile Login Redirect URL and as the Login Redirect URL. Also, Workday does not support SAML time-out, and you can pass the sign-on URL as the Timed Out URL so that when a user's session times out it will redirect the user back to the sign-in page. 
    Thursday, May 2, 2019 6:26 PM
    Moderator
  • Hi SaurabhSharma-MSFT,

    Thank you very much for your response! Could you clarify your statement about Time Out URL? In particular, are you saying that:

    - Session time-out is configured entirely in Workday (i.e. no token lifetime settings in Azure AD), and

    - The Timeout Redirect URL in Workday should be the same as the "Sign-on URL", which is https://impl.workday.com/<workdayTenantName>/login-saml2.html

    Thank you for your help again!

    Friday, May 3, 2019 1:10 PM
  • Actually, I now think that the Timeout Redirect URL in Workday is really just the page to where the user will be redirected after timeout occurs. That URL is not actually involved in terminating the SSO session with Workday.

    If the above is true, the main question becomes how to configure Workday to terminate the SSO session after the timeout period. And the sections and URLs in question for this part are:

    • SP Initiated Logout (Enables a logout from Workday to initiate a ‘SAML LogoutRequest’ to end the SSO session)
    • Logout Request URL (The IdP URL that the ‘SAML LogoutRequest’ POST will be made)

    And in Azure AD, the following section might be configured:

    Kindly let me know if this line of thinking is correct.



    Monday, May 6, 2019 4:18 PM
  • Providing an update: it is still unclear how an SP-initiated logout from Workday could work, at least while using SAML. In a browser session, the Timeout URL can be configured with the WS-Federation logout endpoint:

    https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    ...instead of the SAML endpoint:

    https://login.microsoftonline.com/<tenantID>/saml2

    ...(which should be able to receive both AuthnRequest and LogoutRequest SAML messages). However, using the WS-Federation endpoint seems hacky, and I am not sure if this is the recommended way of doing this in Workday.

    In a mobile app session, I am not sure that the Timeout URL with the WS-Federation logout endpoint works at all.


    Monday, May 20, 2019 5:01 PM
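The two posts above talk about an SP-initiated logout, i.e. Workday sending a SAML LogoutRequest to the Azure AD `/saml2` endpoint rather than just redirecting the browser to a sign-out page. As an added example (not code from the thread, from Workday or from Microsoft), the block below builds a SAML 2.0 LogoutRequest, encodes it with the HTTP-Redirect binding that the SAML endpoint accepts, and decodes it again so the result can be inspected. The tenant ID, the SP entity ID, the user NameID and the SessionIndex are constructed placeholders; in a real exchange the NameID and SessionIndex must be the ones from the assertion that opened the session.

```python
"""Added example: SP-initiated SAML 2.0 LogoutRequest to the Azure AD /saml2 endpoint.
Not from the original thread; all identifiers below are constructed placeholders."""
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values. The real tenant ID comes from the Azure portal and the
# SP entity ID is the Identifier configured on the enterprise application.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
IDP_SAML_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
SP_ENTITY_ID = "http://www.workday.com"  # hypothetical


def build_logout_request(issuer, name_id, session_index, destination, now=None):
    """Return the LogoutRequest XML. NameID and SessionIndex must match the
    values the IdP put in the assertion, otherwise the IdP cannot find the session."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + secrets.token_hex(16),      # IDs must start with a letter or '_'
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    name = ET.SubElement(root, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    name.text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(endpoint, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    A production SP also appends SigAlg and Signature parameters; omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE stream
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state     # where to land after logout
    return endpoint + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Reverse the binding: pull SAMLRequest out of the query string and inflate it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_logout_request(xml):
    """Extract the fields an IdP looks at when it receives the request."""
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    xml = build_logout_request(SP_ENTITY_ID, "alice@contoso.com", "_sess123", IDP_SAML_ENDPOINT)
    url = redirect_binding_url(IDP_SAML_ENDPOINT, xml,
                               "https://impl.workday.com/contoso/login-saml2.flex")
    print(url)
    print(parse_logout_request(decode_saml_request(url)))
```

The point of the round trip is that the `/saml2` endpoint receives a LogoutRequest naming the session to terminate, which is what ends the SSO session at the IdP; a plain redirect to the `wsignout1.0` URL ends the browser session without the SP ever telling the IdP which SAML session it is about.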
  • So if you want to enable mobile single sign-on for the application, then “Enable Mobile Browser SSO” needs to be set to true. Also, in the Mobile App Login Redirect URL you need to enter a URL like this: https://impl.workday.com/contoso/login-saml2.flex

    For the TimeOut redirect URL, please populate a URL something like this: https://impl.workday.com//login-saml2.flex This way it will authenticate the user again. If you want to force the user to log in, then you need to select the "Always Require IDP Authentication - Force Authn Only" option.

    For Logout please follow the documentation and copy the Logout URL from Azure Portal and use it in the Logout Response URL Field.

    Thanks,

    Jeevan Desarda



    Azure AD Program Manager - App Integration

    Wednesday, July 17, 2019 10:31 PM