Authentication: Microsoft ADFS - Troubleshooting Guide
LIMITED ACCESS - THIS PAGE IS RESTRICTED TO PROFESSIONAL SERVICES. SHARING A LINK TO THIS PAGE WILL NOT WORK FOR ALL COMMUNITY MEMBERS.
Product: Authentication
Description
This troubleshooting guide lists typical issues and errors encountered while configuring Microsoft ADFS instances to work with Workday authentication services for SAML authentication.
Be sure to consult the Issue Resolution Guide for general tips on troubleshooting issues.
Table of Contents
General Troubleshooting Steps
Set up a single ADFS instance for multiple tenants
End user session logged off of Workday, but browser "back" button allows access
End user is prompted with a dropdown for all service providers configured on the ADFS server
No Identity providers are enabled or selected for this environment for SAML Issuer
SAML response was not showing in the Signons and Attempted Signons report
Unable to process PEM Encoded Certificate. Reason: Unable to decode X.509 certificates
Signature is missing or does not refer to the entire message
When signing in, receive "Bad Request - Invalid URL" response from ADFS server
405 - HTTP verb used to access this page is not allowed
Connection Timed Out
Authentication Failure Message
After enabling the "Enable SP Initiated SAML Authentication" check box, the IdP SSO SAML flow is still seen
After submitting credentials to ADFS, an error occurs: Internal Error: Property 'tenantLoginRedirectUrl'
Validate SAML Message produces this error: "Could not parse SAML Message, for SAML Assertion token (web services), make sure you include <wsse:Security tag as it is used to verify the signature."
General Guidance
In general, consider the following items to narrow down what the issue may be:
https://community.workday.com/pro-services/tools/453574#PowerShellConfiguration 1/5
10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community
3. SAML Tracing: Integrations KSS – 2 October 2015
Issue: Set up a single ADFS instance for multiple tenants
Potential Resolution:
Some clients want to use the same ADFS instance for more than one tenant: two implementation tenants, for example, or sandbox and production tenants. For this use case, it is possible to create more than one relying party on ADFS and set each tenant's "Service Provider ID" field to a different value. Note that the "Service Provider ID" field must start with the prefix "http://www.workday.com/", but identifiers can be added after the prefix, such as http://www.workday.com/impl, http://www.workday.com/sbox, http://www.workday.com/prod, etc. Note that the "Service Provider ID" in Workday must match the "Relying Party Identifier" on the ADFS server. Please refer to the Setting up Relying Party section of the implementation guide.
Issue: End user session logged off of Workday, but browser "back" button allows access
Potential Resolution:
Typically the back button re-authenticates the user against ADFS and allows access back into the application. The "Signons and Attempted Signons" report shows the previous session (differentiated by the ID column on the report) as signed out, and a new session logged in. A trace will also show the user re-authenticating against ADFS.
1. For an IdP-initiated sign-in, enable "Enable Workday Initiated Logout" with a logout request URL of "https://[server].[domain].com/adfs/ls/?wa=wsignoutcleanup1.0".
2. Enable SP-initiated sign-in and enable the "Always Require IdP Authentication" option. This should force the user to log in again when authenticating with the ADFS instance.
Issue: End user is prompted with a dropdown for all service providers configured on the ADFS server
Potential Resolution:
The "loginToRp" query string set as part of the Workday "Login Redirect URL" must match the "Relying party identifier" configured on ADFS.
Issue: No Identity providers are enabled or selected for this environment for SAML Issuer
Here's what the error looks like on the Signons and Attempted Signons report:
Check the environment restrictions set for the identity provider and ensure they are appropriate for the tenant that is returning the error message.
The Workday Issuer value must match the ADFS Federation Service Identifier.
Potential Resolution #2:
Ensure the "Issuer" specified on the Tenant Setup - Security page is the same as the one specified in the <Issuer> element on the SAML request.
Issue: SAML response was not showing in the Signons and Attempted Signons report
Potential Resolution:
Issue: Unable to process PEM Encoded Certificate. Reason: Unable to decode X.509 certificates
Potential Resolution:
This is due to a bad public key. Be sure that the key was cut & pasted correctly.
Potential Resolution:
Issue: When signing in, receive "Bad Request - Invalid URL" response from ADFS server
Potential Resolution:
One option is to uninstall certain KBs and then re-install them in the correct order:
1) Remove KB2989956
2) Remove KB2896713
3) Remove KB2843638
Then re-install:
1) Install KB2843638
2) Install KB2896713
If the above is unsuccessful, another option, if ADFS 2.0 generates a URL with an invalid query string such as https://server.domain.com:443/adfs/ls/&authInProgress=XXXX, is to set the URL so that it forces a valid query string, for example https://server.domain.com/adfs/ls/?parm=test. This URL should force ADFS to append its parameters after the "?" and thus generate a valid URL, something like https://server.domain.com/adfs/ls/?parm=test&authInProgress=XXXX. Note how the query string now starts with a "?" and is a valid URL.
Potential Resolution:
Issue: Connection Timed Out
Potential Resolution:
Ensure the "IdP SSO Service" URL is set to HTTPS and not HTTP.
For example: https://[ADFS server].[ADFS Domain].com/adfs/ls
Potential Resolution:
We came across this issue only once while modifying the "SAML Assertion Consumer Endpoint" on one of the ADFS servers from login-saml.flex to login-saml.htmld and removing the "www." subdomain. After retrying a few times over 5-10 minutes, the issue resolved itself. It seems the change took some time to propagate across the ADFS domain servers.
*** UPDATE 7/13/2016: Do not use "my.workday.com" as the base URL; the "www" subdomain must be used, so a URL of "https://www.myworkday.com/tenant/login-saml.htmld" should be used.
On ADFS, users are able to log in when selecting the back button on the browser or navigating back to the Workday tenant's home page.
Potential Resolution:
Ensure the "Login Redirect URL" has been changed to "login-saml2.htmld". If Workday is still redirecting to the ADFS IdP page ("idpinitiatedSignon.aspx"), then logins will continue to be IdP-initiated. The login redirect URL must be updated to login-saml2.htmld so that the SAML request is sent to the IdP.
Potential Resolution:
Multiple "Token-signing" certificates were in use on the ADFS server. Matching the certificate sent in the SAML response to the x509 Certificate specified for the SAML Identity Provider in the Workday tenant identified and resolved the issue. The ADFS Token-signing certificate is sent in the SAML response in the /samlp:Response/ds:Signature/KeyInfo/ds:X509Data/ds:X509Certificate element. The X509Certificate value must match the x509 Certificate specified in Workday for the SAML Identity Provider.
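The two checks described in this guide (the Issuer in the SAML message must match the value configured in Workday, and the X509Certificate carried in the Response's KeyInfo must match the x509 Certificate configured for the SAML Identity Provider) as an added Python example; this is not part of the guide or of any Workday or ADFS tooling. It assumes the KeyInfo element is in the XML-DSig "ds" namespace, and the issuer and certificate values are constructed placeholders rather than real tokens.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 Response and the XML-DSig signature it carries
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_bytes(cert_text: str) -> bytes:
    """Normalise a certificate pasted as PEM or as bare base64 (both appear in practice) to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return base64.b64decode(re.sub(r"\s+", "", body))

def thumbprint(cert_text: str) -> str:
    """SHA-1 over the DER bytes, i.e. the Thumbprint shown for an ADFS token-signing certificate."""
    return hashlib.sha1(der_bytes(cert_text)).hexdigest().upper()

def check_response(response_xml: str, expected_issuer: str, workday_cert: str) -> dict:
    """Compare the Response's Issuer and the KeyInfo certificate with the Workday IdP settings."""
    root = ET.fromstring(response_xml)
    issuer_el = root.find("saml:Issuer", NS)
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    sent = der_bytes(cert_el.text) if cert_el is not None and cert_el.text else b""
    return {
        "issuer_ok": issuer == expected_issuer,
        "cert_present": bool(sent),
        "cert_ok": bool(sent) and sent == der_bytes(workday_cert),
        # Thumbprint of what ADFS actually sent, to look up in the ADFS certificates console
        "sent_thumbprint": hashlib.sha1(sent).hexdigest().upper() if sent else None,
    }

def pem(cert_b64: str) -> str:
    """Wrap bare base64 in PEM armour, as a certificate exported for Workday usually looks."""
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"

def build_response(issuer: str, cert_b64: str) -> str:
    """Constructed skeleton of an ADFS Response with only the elements this check reads (not a real token)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_constructed" Version="2.0">'
            f"<saml:Issuer>{issuer}</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
            "</ds:Signature></samlp:Response>")

# Constructed placeholder values: the base64 blobs are byte strings, not real certificates
ISSUER = "http://adfs.example.com/adfs/services/trust"
CERT_A = base64.b64encode(b"constructed token-signing certificate A (placeholder)").decode()
CERT_B = base64.b64encode(b"constructed token-signing certificate B (placeholder)").decode()
```

Run `check_response(build_response(ISSUER, CERT_B), ISSUER, pem(CERT_A))` to see the mismatch case from this resolution: the certificate is present but `cert_ok` is False, and `sent_thumbprint` tells you which ADFS token-signing certificate was actually used.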
Issue: Validate SAML Message produces this error: "Could not parse SAML Message, for SAML Assertion token (web services), make sure you include <wsse:Security tag as it is used to verify the signature."
Potential Resolution:
Ensure the downstream system is not sending an encrypted assertion. Per this brainstorm, encrypted assertions are not currently supported.