Set up of the Workday-Adaptive Insights integration is handled by Adaptive Insights. It is strongly recommended that first-time set up of a Workday-Adaptive Insights integration be performed by Adaptive Insights Professional Services or a certified implementer. Contact your Adaptive Insights Customer Success manager to get started.
If you configured SAML SSO to Workday you must set it up again after the 2019.3 release because of feature improvements.
You can configure SAML SSO in Adaptive Insights so that Workday users who are also Adaptive Insights users can click a Workday Worklet and automatically log into Adaptive Insights.
- Enable SAML SSO in Adaptive Insights.
- Add the Workday ID into Adaptive Insights for the Workday user responsible for configuring SSO.
- Add the Workday Federation ID into Adaptive Insights for the users.
- Enable the Adaptive Insights Worklet for the Workday users after SSO configuration is complete.
API calls to Adaptive Insights that authenticate with an Adaptive Insights username and password will not succeed after you complete this configuration.
Before You Begin
Make sure you have an IDP provider like Okta already configured. If you don’t have an IDP provider for Adaptive Insights you can configure the worklet to launch Adaptive Insights described at the end of this article.
In Adaptive Insights
- Verify ‘Workday Enabled’ was configured by provisioning for your instance using your Workday Tenant ID, Environment, UI URL, and REST URL.
- Verify with your Customer Success Manager that Enable SAML was turned on for your instance and you already have an IDP provider configured.
- Verify you created or already have an administrator role with all possible role permissions, including Admin Access > Users > SAML. This user will configure SSO in Workday.
- Verify you have access to these Workday Domains:
- Security Configuration in the System functional area
- Set Up: System in the System functional area.
- Set Up: Tenant Setup – Adaptive Insights in the System functional area.
- Set Up: Tenant Setup – General in the System functional area.
- Set Up: Tenant Setup – Worklets in the System functional area.
- Workday Accounts in the System functional area.
As a security admin, verify you copied and edited the All Workday Accounts standard report with additional row columns for the Workday ID field. Obtain the Workday Federation ID for every planning user requiring SSO into Adaptive Insights. The username is part of the Workday Federation ID which follows this pattern: workdayUserName@TenantID.Environment
Configure SAML SSO in Adaptive Insights
- Log in to Adaptive Insights as a user with the Administrator role.
- Navigate to Administration and select SAML SSO Settings under Users and Roles.
- Select Allow Only SAML SSO in the Enable SAML SSO section. This setting prevents all users except those with administrator role permissions from logging in through the Adaptive Insights login page.
- Navigate to Administration > Users.
- Find and edit the administrator user (the security admin on the Workday side doing the SSO configuration) to enter their Workday ID.
- Enter the Workday Federation ID for all users who need login access to Adaptive Insights from Workday. If the security administrator enabling SSO requires access, they must also enter their Workday Federation ID. The Workday Federation ID for a user follows this pattern:
Run the SSO Task in Workday
- Log in to Workday as a security admin (this is the user with WID information in Adaptive Insights).
- Search for tenant setup and select it.
- Select the Adaptive Insights tab.
- Select Configure SAML SSO with Adaptive Insights and confirm.
- Select OK.
- Select Done.
Configure the Worklet in Workday
Enable the domain Adaptive Insights and edit the domain security policy to allow user access to the Adaptive Insights Worklet. This domain allows security group types Unconstrained Groups.
- Configure the Adaptive Insights domain with security groups that include your Adaptive Insights users.
- Security Administrators can create security groups appropriate to their organization.
- Recommended Setup:
- Create a user-based Security Group 'All Adaptive Planners'
- Assign Users to User-based security group
- Access the Edit Domain Security Policy task for Adaptive Insights domain and add the All Adaptive Planners security group once it's created.
- Access the Maintain Dashboards task to configure the Adaptive Insights worklet to automatically display for Adaptive Insights users.
- Find the Home dashboard using the Dashboard column header filter.
- Select Edit.
- Expand the Worklet section on the Content tab. Add a new row and select Adaptive Insights on the Worklet prompt. The Required for Groups column displays the security groups allowed to see the worklet. Select the security group you created.
- Select Required to always display the worklet to your users.
The Adaptive Insights worklet appears for any planning users added to the Worklet domain. When a planning user clicks the Adaptive Insights worklet, they log in automatically.
Once you complete this process, Workday planning users should only log in to Adaptive Insights by clicking the Adaptive Insights worklet.
If you have Adaptive Office Connect (AOC) installed, you can continue to log into AOC using your identity provider username and credentials.
Configure the Worklet to Launch Adaptive Insights Without an IDP Provider
- Access the Configure Worklet task.
- Select Adaptive Insights.
- In the External Links section, select SAML SSO link created.
- In the External Links section, select Create Quicklink.
- Enter the name and URL for your Adaptive Insights instance and select OK to save.