10/19/2018 Authentication: Microsoft ADFS - Troubleshooting Guide | Workday Community

Authentication: Microsoft ADFS - Troubleshooting Guide

Posted Oct 5, 2018 • Updated Oct 11, 2018 • Read 69 times

LIMITED ACCESS - THIS PAGE IS RESTRICTED TO PROFESSIONAL SERVICES. SHARING A LINK TO THIS PAGE WILL NOT WORK FOR ALL COMMUNITY MEMBERS.

Tool Type Tool / Template

Deployment Stage Configure & Prototype

Product Authentication

Audience Integration Consultant

Services Product Lead Integrations


Area

Description
This troubleshooting guide lists typical issues and errors encountered while configuring Microsoft ADFS instances to work with Workday authentication services for SAML authentication.

Be sure to consult the issue resolution guide for general tips on troubleshooting issues: Issue Resolution Guide

Table of Contents
General Troubleshooting Steps
Set up a single ADFS instance for multiple tenants
End user session logged off of Workday, but browser "back" button allows access
End user is prompted with a dropdown for all service providers configured on the ADFS server
No Identity providers are enabled or selected for this environment for SAML Issuer
SAML response was not showing in the Signons and Attempted Signons report
Unable to process PEM Encoded Certificate. Reason: Unable to decode X.509 certificates
Signature is missing or does not refer to the entire message
When signing in, receive "Bad Request - Invalid URL" response from ADFS server
405 - HTTP verb used to access this page is not allowed
Connection Timed Out
Authentication Failure Message
After enabling Enable SP Initiated SAML Authentication check box, IdP SSO SAML flow is still seen
After submitting credentials to ADFS, an error occurs: Internal Error: Property 'tenantLoginRedirectUrl'
Validate SAML Message produces this error: "Could not parse SAML Message, for SAML Assertion token (web services), make sure you include <wsse:Security tag as it is used to verify the signature."

General Guidance
In general, consider the following items to narrow down what the issue may be:

1. Does the issue impact all workers?
2. Is the issue only impacting certain environments?
3. Are there certain populations that are not affected?
4. Can you manually create an account on ADFS and Workday and re-test?
5. Can you trace the SAML flow from Workday to ADFS?
   1. Is the SAML message to ADFS correct?
   2. Are there ADFS logs to review?
   3. SAML Tracing: Integrations KSS – 2 October 2015

Specific Troubleshooting Steps


Issue: Set up a single ADFS instance for multiple tenants

Potential Resolution:

Some clients want to use the same ADFS instance for more than one tenant: two implementation tenants, for example, or sandbox and production tenants. For this use case, it is possible to create more than one relying party on ADFS and set each tenant's "Service Provider ID" field to a different value. Note that the "Service Provider ID" field must start with the prefix "http://www.workday.com/", but identifiers can be added after the prefix, such as http://www.workday.com/impl, http://www.workday.com/sbox, http://www.workday.com/prod, and so on. Note that the "Service Provider ID" in Workday must match the "Relying Party Identifier" on the ADFS server. Please refer to the Setting up Relying Party section of the implementation guide.

Issue: End user session logged off of Workday, but browser "back" button allows access

Potential Resolution:

Typically what is seen is that the back button re-authenticates the user against ADFS and allows access back into the application. The "Signons and Attempted Signons" report shows the previous session (differentiated by the ID column on the report) as signed out, and a new session signed in. A trace will also show the user re-authenticating against ADFS.

Things to try include:

1. For an IdP-initiated sign-in, enable "Workday Initiated Logout" with a logout request URL of "https://[server].[domain].com/adfs/ls/?wa=wsignoutcleanup1.0"
2. Enable SP-initiated sign-in and enable the "Always Require IdP Authentication" option. This should force the user to log in again when authenticating with the ADFS instance.

Issue: End user is prompted with a dropdown for all service providers configured on the ADFS server

Potential Resolution:

The "loginToRp" query string set as part of the Workday "Login Redirect URL" must match the "Relying party identifier" configured on ADFS.

Issue: No Identity providers are enabled or selected for this environment for SAML Issuer

Here's what the error looks like on the Signons and Attempted Signons report:

Potential Resolution #1:

Check the environment restrictions set for the identity provider and ensure they are appropriate for the tenant that is returning the error message. The Workday Issuer value must match the ADFS Federation Service Identifier.

Potential Resolution #2:

Ensure the "Issuer" specified on the Tenant Setup - Security page is the same as the one specified in the <Issuer> element on the SAML request.

Issue: SAML response was not showing in the Signons and Attempted Signons report

Potential Resolution:

Incorrect end point set on ADFS. Assertions should point to https://wd5-impl.workday.com/tenant/login-saml.htmld instead of https://wd5-impl.workday.com/tenant/login.htmld

Issue: Unable to process PEM Encoded Certificate. Reason: Unable to decode X.509 certificates

Potential Resolution:

This is due to a bad public key. Be sure that the key was cut & pasted correctly.

Issue: Signature is missing or does not refer to the entire message.

Potential Resolution:

Run the PowerShell commands from the implementation guide.

Issue: When signing in, receive "Bad Request - Invalid URL" response from ADFS server

Potential Resolution:

One option is to uninstall certain KBs and then re-install them in the correct order:

1) Remove KB2989956
2) Remove KB2896713
3) Remove KB2843638
Then
1) Install KB2843638
2) Install KB2896713

If the above is unsuccessful, there is another option for the case where ADFS 2.0 generates a URL with an invalid query string, such as https://server.domain.com:443/adfs/ls/&authInProgress=XXXX: try setting the URL so that it already carries a valid query string, such as https://server.domain.com/adfs/ls/?parm=test. ADFS then appends its own parameters after the existing "?" and generates a valid URL, something like https://server.domain.com/adfs/ls/?parm=test&authInProgress=XXXX. Note how the query string now starts with a "?" and the URL is valid.

Issue: 405 - HTTP verb used to access this page is not allowed

Potential Resolution:

Ensure the "IdP SSO Service" URL has a trailing slash (/):

Should be: https://[ADFS Server].[ADFS Domain].com/adfs/ls/ not https://[ADFS Server].[ADFS Domain].com/adfs/ls

Issue: Connection Timed Out

Potential Resolution:

Ensure the "IdP SSO Service" URL is set to HTTPS and not HTTP.
For example: https://[ADFS server].[ADFS Domain].com/adfs/ls

Issue: Authentication Failure Message: The destination URL https://myworkday.com/tenant/login-saml.htmld End in SAML Assertion does not match with https://www.myworkday.com/tenant/login-saml.flex

Potential Resolution:

We came across this issue only once while modifying the "SAML Assertion Consumer Endpoint" on one of the ADFS servers from login-saml.flex to login-saml.htmld and removing the "www." subdomain. After retrying a few times over 5-10 minutes, the issue resolved itself. It seems the change took some time to propagate across the ADFS domain servers.

*** UPDATE 7/13/2016: Do not use "my.workday.com" as the base url, the "www" subdomain must be used, so a URL of "https://www.myworkday.com/tenant/login-saml.htmld" should be used.

Issue: After enabling Enable SP Initiated SAML Authentication check box, IdP SSO SAML flow is still seen in traces.

On ADFS, users are able to login when selecting the back button on the browser or navigating back to the
Workday tenant's home page.

Potential Resolution:

Ensure the "Login Redirect URL" has been changed to "login-saml2.htmld". If Workday is still redirecting to
the ADFS IdP page ("idpinitiatedSignon.aspx"), then the logins will continue to be IdP. The login redirect
URL must be updated to login-saml2.htmld so the SAML request is sent to the IdP.
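The URL and identifier rules spread across the sections above (the "Service Provider ID" prefix and its match with the Relying Party Identifier, "loginToRp" on the Login Redirect URL, HTTPS and the trailing slash on the "IdP SSO Service" URL, the ADFS 2.0 query string without a "?", and login-saml2.htmld for SP-initiated sign-in) can be checked before a sign-on test. The script below is an added example written for this guide, not Workday or Microsoft code; it uses only Python's standard library, and the hostnames, tenant identifiers and configuration dictionaries are constructed placeholders.

```python
import urllib.parse

# Required prefix for the Workday "Service Provider ID" (stated in the guide).
WORKDAY_SP_ID_PREFIX = "http://www.workday.com/"


def check_service_provider_id(sp_id, relying_party_identifier):
    """Findings for one tenant's "Service Provider ID" against the ADFS
    Relying Party Identifier it is supposed to pair with."""
    findings = []
    if not sp_id.startswith(WORKDAY_SP_ID_PREFIX):
        findings.append("Service Provider ID must start with " + WORKDAY_SP_ID_PREFIX)
    if sp_id != relying_party_identifier:
        findings.append("Service Provider ID %r does not match the ADFS Relying Party "
                        "Identifier %r" % (sp_id, relying_party_identifier))
    return findings


def check_idp_sso_url(url):
    """Findings for the "IdP SSO Service" URL: scheme, trailing slash and the
    ADFS 2.0 malformed query string case."""
    findings = []
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        findings.append("IdP SSO Service URL must use https, not %s (Connection Timed Out)"
                        % parts.scheme)
    if parts.path.endswith("/adfs/ls"):
        findings.append("IdP SSO Service URL needs a trailing slash: /adfs/ls/ "
                        "(405 - HTTP verb used to access this page is not allowed)")
    # With no '?' present, urlsplit leaves '&authInProgress=...' inside the path,
    # which is exactly the invalid URL shape ADFS 2.0 can produce.
    if "&" in parts.path and not parts.query:
        findings.append("Query string is not introduced by '?' (Bad Request - Invalid URL); "
                        "set the URL with an explicit query such as /adfs/ls/?parm=test")
    return findings


def check_login_redirect_url(url, relying_party_identifier, sp_initiated):
    """Findings for the tenant "Login Redirect URL".

    IdP-initiated: the ADFS idpinitiatedSignon.aspx URL must carry loginToRp equal to
    the relying party identifier, or ADFS shows a dropdown of every relying party.
    SP-initiated: the URL must be the tenant's login-saml2.htmld page, otherwise the
    IdP-initiated flow keeps appearing in traces."""
    findings = []
    parts = urllib.parse.urlsplit(url)
    login_to_rp = urllib.parse.parse_qs(parts.query).get("loginToRp", [None])[0]
    if sp_initiated:
        if not parts.path.endswith("/login-saml2.htmld"):
            findings.append("SP-initiated sign-in requires the Login Redirect URL to end in "
                            "login-saml2.htmld (IdP SSO SAML flow still seen in traces)")
    elif login_to_rp is None:
        findings.append("IdP-initiated Login Redirect URL has no loginToRp parameter")
    elif login_to_rp != relying_party_identifier:
        findings.append("loginToRp %r does not match the Relying Party Identifier %r "
                        "(user sees a dropdown of all relying parties)"
                        % (login_to_rp, relying_party_identifier))
    return findings


def lint_tenant_config(cfg):
    """Run every check over one tenant's settings; an empty list means no findings."""
    return (check_service_provider_id(cfg["service_provider_id"], cfg["relying_party_identifier"])
            + check_idp_sso_url(cfg["idp_sso_service_url"])
            + check_login_redirect_url(cfg["login_redirect_url"],
                                       cfg["relying_party_identifier"], cfg["sp_initiated"]))


# Constructed sample settings: hostnames and tenant identifiers are placeholders.
IDP_INIT_REDIRECT = ("https://adfs.example.com/adfs/ls/idpinitiatedSignon.aspx"
                     "?loginToRp=http://www.workday.com/impl")

BAD_CONFIG = {
    "service_provider_id": "http://www.workday.com/impl",
    "relying_party_identifier": "http://www.workday.com/sbox",   # paired with the wrong tenant
    "idp_sso_service_url": "http://adfs.example.com/adfs/ls",    # http and no trailing slash
    "login_redirect_url": IDP_INIT_REDIRECT,
    "sp_initiated": False,
}

GOOD_CONFIG = {
    "service_provider_id": "http://www.workday.com/impl",
    "relying_party_identifier": "http://www.workday.com/impl",
    "idp_sso_service_url": "https://adfs.example.com/adfs/ls/",
    "login_redirect_url": IDP_INIT_REDIRECT,
    "sp_initiated": False,
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, lint_tenant_config(cfg) or ["no findings"])
```

Running the script lists four findings for BAD_CONFIG (identifier mismatch, http scheme, missing trailing slash, loginToRp mismatch) and none for GOOD_CONFIG. The checks are string comparisons on the configured values only; they do not contact ADFS or the tenant.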

Issue: After submitting credentials to ADFS, an error occurs: Internal Error: Property 'tenantLoginRedirectUrl' not found on type com.workday.ui.gateway.login.LoginInfo

Signons report shows "Signature cannot be veri ed" error.

Potential Resolution:

Multiple "Token-signing" certificates were in use on the ADFS server. Matching the certificate sent in the SAML response to the x509 Certificate specified for the SAML Identity Provider in the Workday tenant identified & resolved the issue. The ADFS Token-signing certificate is sent in the SAML response in the /samlp:Response/ds:Signature/KeyInfo/ds:X509Data/ds:X509Certificate element. The X509Certificate value must match the x509 Certificate specified in Workday for the SAML Identity Provider.

Issue: Validate SAML Message produces this error: "Could not parse SAML Message, for SAML Assertion token (web services), make sure you include <wsse:Security tag as it is used to verify the signature."

Potential Resolution:

Ensure the destination URL on the IdP is con gured correctly.

Ensure the downstream system is not sending an encrypted assertion. Per this brainstorm, encrypted
assertions are not currently supported.
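Several of the resolutions above come down to comparing a captured SAML response with the tenant's settings: the Issuer against Tenant Setup - Security, the destination against the login-saml.htmld endpoint with the www subdomain, the X509Certificate in the signature against the certificate configured for the SAML Identity Provider, a certificate that fails to decode after a bad paste, and an encrypted assertion that the endpoint cannot process. The script below gathers those comparisons into one check; it is an added example written for this guide, not Workday or Microsoft code. It uses only Python's standard library, compares certificates by SHA-256 fingerprint of the decoded DER bytes rather than verifying the XML signature cryptographically, and the response, hostnames and certificate bytes are constructed placeholders.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_certificate(text):
    """Return DER bytes for a PEM or bare base64 certificate. PEM armour lines and
    whitespace are dropped first, so a certificate pasted with line breaks decodes;
    a truncated or corrupted paste raises ValueError, the condition behind
    "Unable to process PEM Encoded Certificate. Reason: Unable to decode X.509"."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.strip().startswith("-----"))
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Unable to decode X.509 certificate: %s" % exc)


def certificate_pastes_cleanly(text):
    """True when the pasted certificate text decodes as base64 DER."""
    try:
        decode_certificate(text)
        return True
    except ValueError:
        return False


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_saml_response(xml_text, expected_issuer, expected_acs_url, configured_cert_pem):
    """Compare a captured SAML Response with the tenant's SAML identity provider
    settings and return a list of findings (empty when everything lines up)."""
    findings = []
    root = ET.fromstring(xml_text)

    # Destination must be the tenant's assertion consumer endpoint exactly
    # (login-saml.htmld, with the www subdomain).
    destination = root.get("Destination")
    if destination != expected_acs_url:
        findings.append("Destination %r does not match %r" % (destination, expected_acs_url))

    # Issuer must equal the Issuer on Tenant Setup - Security.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append("Issuer %r does not match configured issuer %r" % (issuer, expected_issuer))

    # Encrypted assertions are not supported.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("EncryptedAssertion present: encrypted assertions are not supported")

    # A signature must exist and carry the token-signing certificate configured in Workday.
    signatures = root.findall(".//ds:Signature", NS)
    if not signatures:
        findings.append("Signature is missing")
    else:
        configured = fingerprint(decode_certificate(configured_cert_pem))
        sent = [fingerprint(decode_certificate(c)) for c in
                (sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
                 for sig in signatures) if c]
        if configured not in sent:
            findings.append("Signature cannot be verified: response signed with %s, tenant "
                            "configured with %s" % (", ".join(s[:16] for s in sent) or "none",
                                                    configured[:16]))
    return findings


# Constructed sample data: placeholder hostnames and fake certificate bytes.
EXPECTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
EXPECTED_ACS_URL = "https://www.myworkday.com/tenant/login-saml.htmld"
TENANT_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate-A").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate-B").decode()
CONFIGURED_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % TENANT_CERT_B64


def build_response(destination, cert_b64, encrypted=False):
    """Assemble a minimal constructed SAML Response for the checks above."""
    assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                 'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>'
                 if encrypted else
                 '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-10-11T00:00:00Z">'
                 '<saml:Issuer>%s</saml:Issuer><saml:Subject><saml:NameID>worker@example.com'
                 '</saml:NameID></saml:Subject></saml:Assertion>' % EXPECTED_ISSUER)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" '
            'Version="2.0" IssueInstant="2018-10-11T00:00:00Z" Destination="%s">'
            '<saml:Issuer>%s</saml:Issuer><ds:Signature><ds:SignedInfo/>'
            '<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</ds:Signature>%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"], destination, EXPECTED_ISSUER, cert_b64,
               assertion))


if __name__ == "__main__":
    for label, resp in (("matching", build_response(EXPECTED_ACS_URL, TENANT_CERT_B64)),
                        ("wrong cert", build_response(EXPECTED_ACS_URL, OTHER_CERT_B64)),
                        ("encrypted", build_response(EXPECTED_ACS_URL, TENANT_CERT_B64, True))):
        print(label, check_saml_response(resp, EXPECTED_ISSUER, EXPECTED_ACS_URL,
                                         CONFIGURED_CERT_PEM) or ["no findings"])
```

Against a real capture, feed the decoded SAMLResponse XML to check_saml_response together with the Issuer, the tenant's login-saml.htmld URL and the certificate pasted into the SAML Identity Provider configuration; a "Signature cannot be verified" finding with a different fingerprint is the multiple token-signing certificate situation described above.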
