Skip to main content

logoCorrectSize.png

Workday Adaptive Planning Knowledge Center

Configure SAML SSO into Adaptive Planning from Workday Without User Sync

 

Explains how to configure SAML SSO for Workday users who also use Adaptive Planning.

 

Contact Professional Services or a certified implementer to connect the planning solution to other Workday solutions. See Contact Us.

This SAML SSO configuration is only valid if you have the following requirements. Also, this is the only SSO configuration that Workday Adaptive Planning supports.

  • Don't want to synchronize user accounts, enable notifications, or publish plans to Workday.
  • Only want to use Single Sign-on from Workday.   See the Workday Community for more information. If you do not have a community account, request one at https://community.workday.com/user/register.

Before configuring SAML SSO from Workday, verify you have an IDP provider like Okta already configured. Post-configuration, verify that Allow only SAML SSO is selected under Administration> SAML SSO Settings> Enable SAML.

You can configure SAML SSO in Adaptive Planning so that Workday users who are also Adaptive Planning users can click a Workday Worklet and automatically log into Adaptive Planning. 

This process only sets up single-sign on from Workday to Adaptive Planning. It does not enable user synchronization, notifications, or publishing plans.

Basic Steps

  • Enable SAML SSO in Adaptive Planning
  • Add the Workday ID into Adaptive Planning for the Workday security admin responsible for configuring SSO.
  • Add the Workday Federation ID into Adaptive Planning for the users.
  • Enable the Adaptive Planning Worklet for the Workday users after SSO configuration is complete. 

API calls to Adaptive Planning that authenticate with an Adaptive Planning username and password will not succeed after you complete this configuration.

Before You Begin

Make sure you have an IDP provider like Okta already configured.  See Reference: SAML SSO Settings. If you don’t have an IDP provider for Adaptive Planning, you can configure the worklet to launch Adaptive Planning as described at the end of this article.

In Adaptive Planning

  • Verify your instance was configured for Workday  using your Workday Tenant ID, Environment, UI URL, and REST URL. See Using Adaptive Planning with Workday.
  • Verify with your Customer Success Manager that Enable SAML was turned on for your instance and you already have an IDP provider configured.
  • Verify you created or already have an administrative role with the following role permissions. This user will enable User Sign-on to configure SSO in Workday.
    • Users
    • Roles 
    • Manage Global User Groups
    • General Setup

In Workday

  • Enable the domain that lets Adaptive Planning users log in through single sign-on:
    • Access Adaptive Planning: Contains Unconstrained Security group users that sync to the Adaptive Planning Worklet domain
  • Verify you have access to these Workday Domains:
    • Security Configuration in the System functional area
    • Set Up: System in the System functional area.
    • Set Up: Tenant Setup – Adaptive Planning in the System functional area.
    • Set Up: Tenant Setup – General in the System functional area.
    • Set Up: Tenant Setup – Worklets in the System functional area.
    • Workday Accounts in the System functional area.
  • As a security admin, verify you copied and edited the All Workday Accounts standard report with additional row columns for the Workday ID field. Obtain the Workday Federation ID for every planning user requiring SSO into Adaptive Planning. The username is part of the Workday Federation ID which follows this pattern: workdayUserName@TenantID.Environment    

     

Enable User Sign-On in Adaptive Planning

Set up the Workday security admin and all users who need access to Adaptive Planning from Workday. 

  1. Log in to Adaptive Planning as a user with the Administrator role.
  2. Navigate to Administration > Users.
  3. Find and edit the administrator user (the Workday security admin doing the SSO configuration) to enter their Workday ID.
  4. Enter the Workday Federation ID for all users who need login access to Adaptive Planning from Workday. If the security administrator enabling SSO requires access, they must also enter their Workday Federation ID. The Workday Federation ID for a user follows this pattern: workdayUserName@TenantID.Environment

Enable the User Sign-On Task in Workday

  1. Log in to Workday as a security admin (this is the user with WID information in Adaptive Planning).
  2. Search for tenant setup and select it.
  3. Select the User Sign-on tab within the Adaptive Planning tab. 
  4. Select Enable User Sign-On with Adaptive Planning and confirm. 
  5. Select OK.
  6. Select Done.

Configure the Worklet in Workday

Enable the domain Access Adaptive Planning and edit the domain security policy to allow user access to the Adaptive Planning Worklet. This domain allows security group types Unconstrained Groups.

  1. Configure the Access Adaptive Planning domain with security groups that include your Adaptive Planning users.
  2. Security Administrators can create security groups appropriate to their organization.
  3. Recommended Setup:
    1. Create a user-based Security Group 'All Adaptive Planners
    2. Assign Users to User-based security group
    3. Access the Edit Domain Security Policy task for Adaptive Planning domain and add the All Adaptive Planners security group once it's created.
  4. Access the Maintain Dashboards task to configure the Adaptive Planning worklet to automatically display for Adaptive Planning users.
  5. Find the Home dashboard using the Dashboard column header filter.
  6. Select Edit.
  7. Expand the Worklet section on the Content tab. Add a new row and select Adaptive Planning on the Worklet prompt. The Required for Groups column displays the security groups allowed to see the worklet. Select the security group you created. 
  8. Select Required to always display the worklet to your users.

The Adaptive Planning worklet appears for any planning users added to the Worklet domain. 

Once you complete this process, Workday users should only log in to Adaptive Planning by clicking the Adaptive Planning worklet.

If you have Adaptive Planning OfficeConnect installed, you can continue to log into OfficeConnect using your identity provider username and credentials.

Configure the Worklet to Launch Adaptive Planning Without an IDP Provider

In Workday:

  1. Access the Configure Worklet task.
  2. Select Adaptive Planning.
  3. In the External Links section, select SAML SSO link created.

 OR

  1. In the External Links section, select Create Quicklink.
  2. Enter the name and URL for your Adaptive Planning instance and select OK to save.
  • Was this article helpful?