Skip to main content


Workday Adaptive Planning KB

SAML SSO into Adaptive Insights from Workday

Explains how to configure SAML SSO for Workday users who also use Adaptive Insights can click a Workday Worklet and automatically log into Adaptive Insights.

Set up of the Workday-Adaptive Insights integration is handled by Adaptive Insights. It is strongly recommended that first-time set up of a Workday-Adaptive Insights integration be performed by Adaptive Insights Professional Services or a certified implementer. Contact your Adaptive Insights Customer Success manager to get started.

This SAML SSO configuration is only valid if you don't want to synchronize user accounts, enable notifications, or publish plans to Workday. This configuration will work if you only want to use Single Sign-on from Workday. See the Workday Community for more information. If you do not have a community account, request one at

You can configure SAML SSO in Adaptive Insights so that Workday users who are also Adaptive Insights users can click a Workday Worklet and automatically log into Adaptive Insights.

This process only sets up single-sign on from Workday to Adaptive Insights. It does not enable user synchronization, notifications, or publishing plans.

Basic Steps

  • Enable SAML SSO in Adaptive Insights.
  • Add the Workday ID into Adaptive Insights for the Workday user responsible for configuring SSO.
  • Add the Workday Federation ID into Adaptive Insights for the users.
  • Enable the Adaptive Insights Worklet for the Workday users after SSO configuration is complete.

API calls to Adaptive Insights that authenticate with an Adaptive Insights username and password will not succeed after you complete this configuration.

Before You Begin

Make sure you have an IDP provider like Okta already configured. If you don’t have an IDP provider for Adaptive Insights you can configure the worklet to launch Adaptive Insights described at the end of this article.

In Adaptive Insights

  • Verify ‘Workday Enabled’ was configured by provisioning for your instance using your Workday Tenant ID, Environment, UI URL, and REST URL.
  • Verify with your Customer Success Manager that Enable SAML was turned on for your instance and you already have an IDP provider configured.
  • Verify you created or already have an administrator role with the role permissions Users, Roles, Manage Global User Groups, General Setup. This user will enable User Sign-on to configure SSO in Workday.

In Workday

  • The domain that lets Adaptive Insights users log in through single sign-on:
    • Access Adaptive Insights: Contains Unconstrained Security group users that sync to the Adaptive Insights Worklet domain
  • Verify you have access to these Workday Domains:
    • Security Configuration in the System functional area
    • Set Up: System in the System functional area.
    • Set Up: Tenant Setup – Adaptive Insights in the System functional area.
    • Set Up: Tenant Setup – General in the System functional area.
    • Set Up: Tenant Setup – Worklets in the System functional area.
    • Workday Accounts in the System functional area.

As a security admin, verify you copied and edited the All Workday Accounts standard report with additional row columns for the Workday ID field. Obtain the Workday Federation ID for every planning user requiring SSO into Adaptive Insights. The username is part of the Workday Federation ID which follows this pattern: workdayUserName@TenantID.Environment

Enable User Sign-On in Adaptive Insights

  1. Log in to Adaptive Insights as a user with the Administrator role.
  2. Navigate to Administration and select SAML SSO Settings under Users and Roles.
  3. Select Allow Only SAML SSO in the Enable SAML SSO section. This setting prevents all users except those with administrator role permissions from logging in through the Adaptive Insights login page.
  4. Navigate to Administration > Users.
  5. Find and edit the administrator user (the Workday security admin doing the SSO configuration) to enter their Workday ID.
  6. Enter the Workday Federation ID for all users who need login access to Adaptive Insights from Workday. If the security administrator enabling SSO requires access, they must also enter their Workday Federation ID. The Workday Federation ID for a user follows this pattern: workdayUserName@TenantID.Environment

Enable the User Sign-On Task in Workday

  1. Log in to Workday as a security admin (this is the user with WID information in Adaptive Insights).
  2. Search for tenant setup and select it.
  3. Select the User Sign-on tab within the Adaptive Insights tab.
  4. Select Enable User Sign-On with Adaptive Insights and confirm.
  5. Select OK.
  6. Select Done.

Configure the Worklet in Workday

Enable the domain Access Adaptive Insights and edit the domain security policy to allow user access to the Adaptive Insights Worklet. This domain allows security group types Unconstrained Groups.

  1. Configure the Access Adaptive Insights domain with security groups that include your Adaptive Insights users.
  2. Security Administrators can create security groups appropriate to their organization.
  3. Recommended Setup:
    1. Create a user-based Security Group 'All Adaptive Planners
    2. Assign Users to User-based security group
    3. Access the Edit Domain Security Policy task for Adaptive Insights domain and add the All Adaptive Planners security group once it's created.
  4. Access the Maintain Dashboards task to configure the Adaptive Insights worklet to automatically display for Adaptive Insights users.
  5. Find the Home dashboard using the Dashboard column header filter.
  6. Select Edit.
  7. Expand the Worklet section on the Content tab. Add a new row and select Adaptive Insights on the Worklet prompt. The Required for Groups column displays the security groups allowed to see the worklet. Select the security group you created. 
  8. Select Required to always display the worklet to your users.

The Adaptive Insights worklet appears for any planning users added to the Worklet domain. When a user clicks the Adaptive Insights worklet to log in automatically.

Once you complete this process, Workday users should only log in to Adaptive Insights by clicking the Adaptive Insights worklet.

If you have Adaptive Insights OfficeConnect installed, you can continue to log into OfficeConnect using your identity provider username and credentials.

Configure the Worklet to Launch Adaptive Insights Without an IDP Provider

In Workday:

  1. Access the Configure Worklet task.
  2. Select Adaptive Insights.
  3. In the External Links section, select SAML SSO link created.


  1. In the External Links section, select Create Quicklink.
  2. Enter the name and URL for your Adaptive Insights instance and select OK to save.
  • Was this article helpful?