Sample Workday SAML Payload

Losen, Stephen C. (scl) scl at virginia.edu
Tue Mar 20 08:29:35 EDT 2018


Hi Hugo,

Here is the metadata for one of our Workday instances.  We had to hand edit the metadata file that we got from Workday.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="http://www.workday.com/uva1">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    index="1" Location="https://impl.workday.com/uva1/login-saml.htmld" />
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">
    Workday</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">
    Workday</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">
    https://www.workday.com</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>

Here is sample aacli.sh output (SAML assertion) for user “scl”.  We release affiliation attributes by default.  We release “uid” so that it gets stuffed into the NameID.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_02c4c0989252bd2d83d13086baa30fae"
    IssueInstant="2018-03-20T12:17:01.659Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer>urn:mace:incommon:virginia.edu</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID Format="urn:oid:0.9.2342.19200300.100.1.1"
            NameQualifier="urn:mace:incommon:virginia.edu" SPNameQualifier="http://www.workday.com/uva1">scl</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="uid"
            Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">scl</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonScopedAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">staff@virginia.edu</saml2:AttributeValue>
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">employee@virginia.edu</saml2:AttributeValue>
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">member@virginia.edu</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="eduPersonAffiliation"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">member</saml2:AttributeValue>
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">staff</saml2:AttributeValue>
            <saml2:AttributeValue
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">employee</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

In saml-nameid.xml we have a bean for nameid format urn:oid:0.9.2342.19200300.100.1.1 that uses “uid” as its source.

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:format="urn:oid:0.9.2342.19200300.100.1.1"
      p:attributeSourceIds="#{ {'uid'} }" />

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Hugo Slavia
Sent: Monday, March 19, 2018 11:32 PM
To: Shib Users <users at shibboleth.net>
Subject: Sample Workday SAML Payload

Could a kind soul forward a sample SAML post-auth payload on authentication to Workday?

We plan to leverage uid but are also looking at other unique identifiers... so far no luck with a working SSO (but we are also new to configuring Workday).
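A consistency check added here, not part of the thread, written in Python over constructed, abbreviated copies of the metadata and assertion above: it confirms that the NameID the IdP emits uses the Format the SP metadata asks for, carries the SP's entityID as SPNameQualifier, and equals the released uid value that the generator bean sources it from, and that scoped affiliations carry the IdP's own scope. The expected issuer and scope are passed in as assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, abbreviated copies of the SP metadata and assertion quoted in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="http://www.workday.com/uva1">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oid:0.9.2342.19200300.100.1.1</md:NameIDFormat>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml2:Issuer>urn:mace:incommon:virginia.edu</saml2:Issuer>
 <saml2:Subject><saml2:NameID Format="urn:oid:0.9.2342.19200300.100.1.1"
  SPNameQualifier="http://www.workday.com/uva1">scl</saml2:NameID></saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
   <saml2:AttributeValue>scl</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
   <saml2:AttributeValue>staff@virginia.edu</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"


def check_nameid(metadata_xml, assertion_xml, expected_issuer, scope):
    """Return the mismatches between what the SP metadata asks for and what the IdP sent."""
    md = ET.fromstring(metadata_xml)
    a = ET.fromstring(assertion_xml)
    problems = []
    wanted_fmt = md.findtext("md:SPSSODescriptor/md:NameIDFormat", namespaces=NS)
    if a.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    nameid = a.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return problems + ["assertion has no NameID"]
    if nameid.get("Format") != wanted_fmt:
        problems.append("NameID Format differs from the SP's NameIDFormat")
    if nameid.get("SPNameQualifier") != md.get("entityID"):
        problems.append("SPNameQualifier is not the SP entityID")
    # The attribute whose Name equals the format OID is the NameID source (the bean in saml-nameid.xml).
    attrs = "saml2:AttributeStatement/saml2:Attribute[@Name='%s']/saml2:AttributeValue"
    if a.findtext(attrs % wanted_fmt, namespaces=NS) != nameid.text:
        problems.append("NameID value does not match released uid")
    for v in a.findall(attrs % SCOPED_AFFILIATION, NS):
        if not (v.text or "").endswith("@" + scope):  # foreign scope means a release bug
            problems.append("scoped affiliation %r outside scope %s" % (v.text, scope))
    return problems
```

An empty list means the assertion is consistent with the metadata; anything else is the first thing to fix before looking at the Workday side.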
