The Workday integration provides biometric passwordless SSO via SAML 2.0 and API-based identity verification for self-service password reset using Workday employee data.
Integration type: API
Overview
1Kosmos integrates with Workday as a SAML 2.0 identity provider, allowing employees to access Workday HCM using passwordless authentication via the 1Kosmos mobile app. Users navigate to the Workday login URL, are redirected to 1Kosmos for biometric verification, and are returned to Workday as an authenticated session without entering a password.
Beyond SSO, 1Kosmos connects to Workday via API as a trusted employee data source for self-service password reset (SSPR) workflows. In this configuration, Workday serves as the authoritative directory for employee attributes (first name, last name, date of birth) which 1Kosmos uses to verify identity before allowing a password reset. This eliminates reliance on knowledge-based security questions and reduces help desk call volume for account recovery.
Both the SSO and API integrations can be deployed independently or together. The SAML configuration is handled in the 1Kosmos AdminX portal and Workday's Edit Tenant Setup — Security screen. The API connection is configured via AdminX using Workday REST API credentials.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if your tenant is not yet provisioned.
Workday administrator access: Rights to Edit Tenant Setup — Security in Workday, including the ability to configure SAML Identity Providers and x509 certificates.
Workday SSO-enabled subscription: SAML SSO must be available on your Workday plan.
Workday API credentials (for SSPR integration): A Workday REST API endpoint and authentication credentials, including an Integration System User with appropriate permissions to read employee attributes.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing SSO.
Configuration values
Values to collect from 1Kosmos (IdP) for Workday SAML setup:
| Field | Where to find it |
|---|---|
| IdP SSO Service URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Logout URL | AdminX → Settings → IdP Configuration → Single Logout Service URL |
| IdP Issuer / Entity ID | AdminX → Settings → IdP Configuration → Core Configuration → IdP Name |
| x509 Signing Certificate | AdminX → Settings → IdP Configuration → View Certificate → Public Key (PEM) |
Fixed Workday SP values to enter in AdminX:
| Field | Value |
|---|---|
| Login Redirect URL | https://.workday.com//login-saml2.flex |
| Service Provider ID | http://www.workday.com |
| ACS URL | https://.workday.com//login-saml.htmld |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Values to collect from Workday for the API (SSPR) connection:
| Field | Description |
|---|---|
| Workday REST API endpoint | Your tenant's Workday API base URL |
| Integration System User credentials | Username and password for the ISU account with read access to worker data |
| Attribute mapping | First name, last name, and date of birth field names from your Workday schema |
Integration steps
Step 1: Add Workday as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to the Custom App section, select SAML 2.0 Generic, and click Add integration.
Enter "Workday" as the Application Name, set Instance to Production, and enter your Workday login URL as the Application Access URL (e.g., https://.workday.com//login-saml2.flex).
Click Next.
Step 2: Configure SAML settings in AdminX
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and the NameID Value to email.
Add claims mappings for email (format: Username), firstname (format: first_name), and lastname (format: last_name).
Click Next.
On Advanced Options, enter the Workday Service Provider ID (http://www.workday.com) as the Entity ID.
Set the ACS URL Method to POST and enter the Workday ACS URL.
Enable Assertion signing. Click Save.
Step 3: Configure 1Kosmos as an IdP in Workday
Log in to Workday as an administrator and search for Edit Tenant Setup — Security in the home screen search bar. Click the link in search results.
Scroll to the Single Sign On section and expand it.
Under Redirection URLs, click the + icon and enter the Login Redirect URL and Logout Redirect URL using your 1Kosmos SSO and SLO endpoints.
Under SAML Identity Providers, click the + icon to add a new row.
Enter "1Kosmos" as the Identity Provider Name.
Paste your 1Kosmos IdP Entity ID into the Issuer field.
Click the key icon next to the x509 Certificate field and select Create x509 Public Key. Enter a name (e.g., "1kosmos.cert"), paste the PEM signing certificate from AdminX, and click OK.
Enter the 1Kosmos IdP SSO Service URL in the IdP SSO Service URL field.
Check SP Initiated and, if applicable, Enable Workday Initiated Logout. Click OK and then Done to save.
Step 4: Configure the Workday API connection for SSPR (optional)
In the AdminX portal, navigate to the SSPR or Password Reset configuration section.
Select Workday as the employee data source.
Enter your Workday REST API endpoint and Integration System User credentials.
Set up transformation scripts to map Workday employee attributes (first name, last name, date of birth) to the corresponding 1Kosmos attributes.
Test the attribute mapping to confirm data is retrieved correctly before enabling for users.
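As an added illustration of the transformation and verification logic Step 4 describes (written here in Python, not in the AdminX transformation-script syntax and not code from 1Kosmos), the following maps a Workday worker record to the three SSPR attributes and checks a claimant against them. The Workday field names and the sample record are assumptions; the point is that values are normalised before comparison and that an incomplete record fails closed rather than skipping a check.

```python
import hmac
import unicodedata
from datetime import datetime

# Constructed sample of the worker record an Integration System User read might return.
# The Workday field names are assumptions; substitute the names from your tenant's schema.
WORKDAY_WORKER = {"First_Name": " Élodie", "Last_Name": "Dupont-Martin",
                  "Date_of_Birth": "1988-03-07"}

def normalize_name(value):
    # Unicode-normalise and case-fold so typing "ELODIE" still matches "Élodie".
    return unicodedata.normalize("NFKC", value).casefold().strip()

def normalize_dob(value):
    # Accept the common entry formats and canonicalise to ISO 8601 (YYYY-MM-DD).
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%d.%m.%Y"):
        try:
            return datetime.strptime(value.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date of birth format: {value!r}")

def map_worker(record):
    """Transform Workday attributes into the 1Kosmos SSPR attributes; fail closed on gaps."""
    try:
        return {"firstName": normalize_name(record["First_Name"]),
                "lastName": normalize_name(record["Last_Name"]),
                "dateOfBirth": normalize_dob(record["Date_of_Birth"])}
    except (KeyError, ValueError) as exc:
        raise ValueError(f"record unusable for SSPR verification: {exc}") from exc

def verify_claimant(record, claimed):
    """True only if every claimed value matches the Workday record; no partial credit."""
    expected = map_worker(record)
    try:
        supplied = map_worker({"First_Name": claimed["firstName"],
                               "Last_Name": claimed["lastName"],
                               "Date_of_Birth": claimed["dateOfBirth"]})
    except (KeyError, ValueError):
        return False
    # Compare every field (no early exit) using a constant-time comparison.
    matched = True
    for key in expected:
        matched &= hmac.compare_digest(expected[key].encode(), supplied[key].encode())
    return matched
```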
Step 5: Test the integration
Navigate to your Workday tenant login URL and enter a federated user's email address.
Confirm you are redirected to the 1Kosmos AdminX login screen.
Open the 1Kosmos mobile app, tap Scan QR, scan the code, and complete biometric authentication.
Confirm you are returned to Workday as an authenticated user.
Test with a single user before enabling SSO for the full organization. Retain the Workday backup login URL (https://.workday.com/login.flex?redirect=n) as a fallback during rollout.
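When the Step 5 test fails, the fastest diagnosis is to compare a captured SAML response (for example from the browser's network tools) against the values configured in Steps 2 and 3. The script below is an added example, not part of this page or of 1Kosmos tooling: it checks the Issuer, the presence of an assertion signature, the NameID Format, the Audience and the three claim mappings. The Issuer value and the sample response are constructed placeholders; the check only confirms a Signature element exists, because cryptographic verification against the registered x509 public key is Workday's job.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Fixed Workday SP values from the tables above; the Issuer is a placeholder
# standing in for the IdP Name shown in AdminX (assumption).
EXPECTED_AUDIENCE = "http://www.workday.com"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_ISSUER = "https://idp.example.com/1kosmos"
REQUIRED_CLAIMS = {"email", "firstname", "lastname"}

def check_saml_response(xml_text):
    """Return the mismatches found against the Workday SAML setup (empty list = consistent)."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element (encrypted or malformed response)"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("Issuer does not match the Issuer registered in Workday")
    # Presence check only: Workday verifies the signature with the registered x509 key.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned; enable Assertion signing in AdminX")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EXPECTED_NAMEID_FORMAT:
        problems.append("NameID Format is not the emailAddress format Workday expects")
    audiences = {a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience does not include the Workday Service Provider ID")
    claims = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_CLAIMS - claims):
        problems.append(f"claim mapping {missing!r} is missing from the AttributeStatement")
    return problems

# Constructed sample response: correct except that the lastname claim was never mapped.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>https://idp.example.com/1kosmos</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>http://www.workday.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running check_saml_response on the sample reports only the missing lastname mapping; an empty list means the response agrees with every value the tables above prescribe.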
Attribute mappings
| Source (1Kosmos) | Target (Workday) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary SSO identifier |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
Integration notes
Workday's SAML configuration requires the certificate to be registered as a named x509 Public Key within the Workday tenant, not uploaded as a file.
The key name you assign in Workday is for internal reference only and does not need to match any 1Kosmos value. If SAML authentication is misconfigured, Workday provides a backup login URL in the format https://.workday.com/login.flex?redirect=n; keep this accessible until SSO is fully validated.
For the SSPR API integration, the Integration System User must have read permissions on the Worker Data domain in Workday's security configuration.