--- title: Workday description: Integrate Workday with Access. image: https://developers.cloudflare.com/zt-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) ### Tags [ SAML ](https://developers.cloudflare.com/search/?tags=SAML) # Workday **Last reviewed:** almost 2 years ago This guide covers how to configure [Workday ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/saml/dan1370796470811.html?toc=1.5.1) as a SAML application in Cloudflare One. ## Prerequisites * An [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) configured in Cloudflare One * Admin access to a Workday account ## 1\. Add a SaaS application to Cloudflare One 1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Access controls** \> **Applications**. 2. Select **Create new application** \> **SaaS application**. 3. For **Application**, enter `Workday` and select the corresponding textbox that appears. 4. For the authentication protocol, select **SAML**. 5. Select **Add application**. 6. Fill in the following fields: * **Entity ID**: `http://www.workday.com` * **Assertion Consumer Service URL**: `https://.myworkday.com//login-saml.flex` for a production account or `https://-impl.myworkday.com//login-saml.flex` for a preview sandbox account * **Name ID format**: _Email_ 7. Copy the **SSO endpoint**, **Access Entity ID or Issuer**, and **Public key**. 8. Configure [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for the application. 9. Save the application. ## 2\. Download the metadata file 1. Paste the SAML Metadata endpoint from application configuration in Cloudflare One in a web browser. 2. Follow your browser-specific steps to download the URL's contents as an `.xml` file. ## 3\. Add a SAML SSO provider to Workday 1. In Workday, go to **Account Administration** \> **Actions** \> **Edit Tenant Setup - Security**. 2. Under **SAML Setup**, turn on **Enable SAML Authentication**. 3. In the **SAML Identity Providers** table, select **+**. 4. Fill in the following fields: * **Identity Provider Name**: Your desired name for the identity provider (for example, `Cloudflare Access`) * **Issuer**: Access Entity ID or Issuer from application configuration in Cloudflare One * **IdP SSO Service URL**: SSO endpoint from application configuration in Cloudflare One 5. Under **x509 Certificate**, select the menu icon > **Create x509 Public Key**. 6. Under **Name**, enter a unique name (for example, `access`). 7. Under **Certificate**, paste the Public key from application configuration in Cloudflare One. 8. Select **OK**. 9. If you want to enable SP-initiated login (login initiated by going to your Workday URL), fill in the following fields: * **SP Initiated**: Turn on. * **Service Provider ID**: `http://www.workday.com` * **Sign SP-initiated request**: Turn off. 10. Under **Single Sign-On**, add one or both of the following entries to the **Redirection URLs** grid. For each entry, if your user groups will use the same authentication option to sign in, select **Single URL**. If they will use different authentication options, select **Authentication selector**. * IdP-initiated SSO: Under **Login Redirect URL**, enter `.cloudflareaccess.com`. * SP-initiated SSO: Under **Login Redirect URL**, enter `https:////login.flex?redirect=n`. 1. In Workday, create an [authentication rule ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html). 2. Under **Authentication Conditions**, add conditions that will apply only to your test user. 3. Under **Allowed Authentication Types**, select **Specific**, then **SAML**. 4. Select **Done**. 5. Complete the following step: * **If you have enabled SP-initiated login**: Open an incognito browser window, go to your Workday URL, and enter your test user's email. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. * **If you have not enabled SP-initiated login**: Go to your App Launcher at `https://.cloudflareaccess.com`. Select the **Workday** tile. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. 6. Once login is successful, you can configure your security settings further, such as adding [user groups ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/configurable-security/security-groups/user-based-security-groups/dan1370796695367.html?toc=2.2.12.0) or [authentication rules ↗](https://doc.workday.com/admin-guide/en-us/authentication-and-security/authentication/authentication-policies/dan1370796466772.html) to configure different login rules for different groups of users. ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/access-controls/","name":"Access controls"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/access-controls/applications/","name":"Applications"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/","name":"Add web applications"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/","name":"SaaS applications"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas/","name":"Workday"}}]} ```