Single sign-on (SSO) lets your employees access Workday straight from Blink without having to log in again. Once it is set up, Blink acts as the identity provider (IdP) and Workday as the service provider (SP), using the SAML 2.0 protocol. Users can launch Workday from a tile in the Blink Hub, or start in the Workday app and be securely authenticated through Blink. This article is for Blink administrators setting up this connection for organisations using Workday as their HR system.
REQUIREMENTS
Admin access to the Blink Admin dashboard (Single Sign-On section)
Admin access to the Workday tenant security settings (or a technical contact who has this access)
Blink user profiles must store each user's Workday username, since this is used to identify the user during sign-on
Only SAML 2.0 is supported
Only one identity provider can be enabled for the SP-initiated flow in Workday. If more than one identity provider is already configured in your Workday tenant, check with your Workday administrator to confirm which one is enabled for this flow
CONFIGURATION
Step 1: Get your Blink SSO configuration details
In the Blink Admin dashboard, go to the Single Sign-On section. Create a new SSO configuration (or open an existing one) for Workday.
Complete the SSO configuration form by providing the following details:
Display name: Workday SSO (or other recognisable name for this configuration)
Entity ID: e.g.
http://www.workday.com- This must match the Service Provider ID field value used in Workday SSO configuration. This should either start withhttp://www.workday.com, or end with/{workday tenant}/login-saml.htmldSingle sign on URL (ACS):
https://{workday tenant URL}/{workday tenant name}/login-saml.htmld- this is the endpoint where Blink will send the SAML2.0 assertion.
Click "Save changes" to confirm and scroll down to the bottom of the page to download Blink's Identity Provider XML metadata.
Step 2: Add Blink as an Identity Provider to Workday
In Workday, navigate to "Edit Tenant Setup - Security" task and go to SAML identity provider setup section. Ensure the "Enable SAML Authentication" box is ticked.
Click "Import Identity Provider" button and upload the Blink Identity Provider XML metadata file retrieved in the previous steps. Workday will automatically populate some of the fields.
Before saving, update the following fields in the newly created Identity Provider configuration:
Service Provider ID: enter the value you specified in the Entity ID field on Blink in earlier step (e.g.
http://www.workday.com)Ensure the "Do Not Deflate SP-initiated Authentication Request" box is ticked
Step 3: Update Workday Authentication Policy
In Workday, open the Manage Authentication Policies task. Find the policy your Workday tenant is currently using and open it for editing. The exact changes you need will depend on your own Workday setup and security preferences.
To let all employees sign in using Blink, add the SAML configuration you saved in Step 1 to the Allowed Authentication Types column, in the Default rule for All Users section.
Once the edits are saved, go to the Activate All Pending Authentication Policy Changes task and confirm the changes to activate them.
Step 4: Add Workday to your Blink Hub
In the Blink Admin dashboard, go to Hub management.
Select Add Content, then choose Single Sign-On.
Give the item a name (for example, "Workday") and select the SSO configuration you created in Step 1.
Set the Relay state. This is the URL users are taken to in Workday after they successfully sign in. For example - if you wish users to be taken to their time-off request form when they click on this Hub item, add a link to the relevant Workday task. Usually these look like this:
https://tenant-locator.myworkday.com/my-wd-tenant/d/task/2997$18982.htmldChoose an icon, section, and which teams should see this item, then click "Share".
Troubleshooting
If a user ends up on a Workday error page instead of being signed in, there are two useful ways to investigate:
Run a SAML trace using a browser extension. This may help verify that the NameID sent by Blink matches the worker's username on Workday.
Check Workday's sign-on audit trail. On Workday admin panel open the "Signons and Attempted Signons" task. Make sure the "Show Signon Attempts with an Invalid User Name" option is switched on, so failed attempts appear in the log. Check the errors in the logs to identify the root cause of the issue.
END USER EXPERIENCE
Once SSO is configured, users can move between Blink and Workday without signing in twice.
Starting from Workday: If a user opens the Workday app or website first, they may be redirected to sign in through Blink, depending on how the authentication policy is set up in Workday. Once they have signed in on Blink, they are taken back to Workday automatically. This works the same way whether or not the user has the Blink app installed on their device, since it uses the device's browser rather than the Blink app itself. This means users may occasionally be asked to sign in again on Blink even if they already have an active session in the Blink app.
Starting from Blink: If a user launches Workday from a tile in the Blink Hub, Workday opens inside the Blink mobile app rather than launching the separate Workday app (on desktop - Workday will be launched in a pop-up window). This keeps the experience simple, since the user can navigate back to Blink easily.
On desktop: The experience is similar. If the user does not already have an active session on Blink, they are asked to sign in there first, and are then taken through to Workday.








