
Workday Bidirectional Directory Integration


5.0 - Last modified on 10/21/2020 Revised by Andrew Naslund

4.0 - Last modified on 10/06/2020 Revised by Andrew Naslund

3.0 - Last modified on 09/29/2020 Revised by Andrew Naslund

2.0 - Last modified on 09/29/2020 Revised by Andrew Naslund

1.0 - Created on 02/19/2020 Authored by Tom Willard

This topic describes how to sync users between Workday and OneLogin using the Workday Get_Workers API.

Configure OneLogin to:

You can also configure Workday to provide OneLogin with real-time updates when employees are terminated in Workday. See Workday Real-time Synchronization of Termination Events.

If you don't need to export user attributes from OneLogin to Workday, use the Workday Custom Reports directory connector to import Workday users into OneLogin. This may be the best option if you have Workday user attributes that you want to import into OneLogin but that aren't supported by the Workday Bidirectional directory connector. For more information, see Workday Custom Reports Directory Integration.

Note. To set up SSO for Workday, see Configuring SAML for Workday.

Configuration Overview

To configure Workday sync with OneLogin, you must:

  1. Create a Workday Integration System User with access to the Workday domains that you will sync with OneLogin.

  2. Configure OneLogin to sync users with Workday.

Create a Workday Integration System User

All Workday integrations, like the integration with OneLogin, require a separate Integration System User account with at least Get access to all of the Workday security domains touched by the integration. If you want to export attributes from OneLogin to Workday, you must create an Integration System User account with both Get and Put access to those domains that can be exported from OneLogin to Workday. These instructions tell you how to create and configure a "read-only" Integration System User account with Get access only and an admin Integration System User account with both Get and Put access.

Note. This procedure takes place entirely in Workday, and these instructions are provided as a convenience. For complete and up-to-date instructions, see Workday documentation.

Create a read-only Integration System User to import attributes from Workday only

  1. Log in to Workday with an administrator account.

  2. Search for and open the Create Integration System User task.

  3. Create the user, configure the integration system user details, and save the configuration.

  4. Create a security group.

    Add the integration system user to this security group. In a later step, add the domains to sync with OneLogin.

    1. Search for and open the Create Security Group task.
    2. In the Type of Tenanted Security Group field, select Integration System Security Group (Unconstrained).
    3. Add the Integration System User you created above to the group and save the configuration.
  5. Add the domains that you want to sync with OneLogin to the security group.

    1. Search for domain: Worker Data: Public Worker Reports and select it.
    2. Click the ellipsis (...) next to Worker Data: Public Worker Reports.
    3. In the window that opens, hover your cursor over Domain and click Edit Security Policy Permissions.
    4. Under Integration Permissions, add the security group that you created.
    5. Select the checkbox in the Get column.
    6. Click OK.
  6. Activate your security policy changes.

    1. Search for security changes and open Activate Pending Security Policy Changes.
    2. Enter a comment, click OK, and confirm the changes.

Create an admin Integration System User to import and export attributes between Workday and OneLogin

  1. Log in to Workday with an administrator account.

  2. Locate and open the Create Integration System User task.

  3. Create the user, configure the integration system user details, and save the configuration.

  4. Create a security group.

    Add the integration system user to this security group. In a later step, add the domains that you want to sync with OneLogin.

    1. Search for and open the Create Security Group task.
    2. In the Type of Tenanted Security Group field, select Integration System Security Group (Unconstrained).
    3. Add the Integration System User you created above to the group and save the configuration.
  5. Add the domains that you want to sync with OneLogin to the security group.

    1. Search for domain: Worker Data: Public Worker Reports and select it.
    2. Click the ellipsis (...) next to Worker Data: Public Worker Reports.
    3. In the window that opens, hover your cursor over Domain and click Edit Security Policy Permissions.
    4. Under Integration Permissions, add the security group that you created.
    5. Select the checkbox in the Get column.
    6. Click OK.
    7. For any domains whose fields you want to export from OneLogin to Workday, repeat the above steps, selecting the checkboxes in both the Get and Put columns when you Edit Security Policy Permissions.

      The domains that OneLogin can write to include:

      Worker Data: Work Email
      Worker Data: Work Address

  6. Add your security group to the business process security policy for the Maintain Contact Information (web service) functional area.

    1. Search for Business Process Security Policies for Functional Area and select it.
    2. In the Functional Area field, enter Contact Information.
    3. Click OK.
    4. In the left pane, select Contact Change.
    5. Scroll to the bottom of the page and click the Edit Permissions button.
    6. Under Initiating Action: Maintain Contact Information (Web Service), add your security group.
    7. Click OK.
  7. Activate your security policy changes.

    1. Search for security changes and open Activate Pending Security Policy Changes.
    2. Enter a comment, click OK, and confirm the changes.

Configure OneLogin

After you have created a Workday Integration System User with permission to read or modify the fields synced with OneLogin, configure OneLogin to sync with Workday.

  1. Log in to OneLogin as an administrator and go to Users > Directories.

  2. Click New Directory and select Workday Bidirectional.

    Don't select Workday or Workday Custom Reports.

  3. Name the directory and choose OneLogin under Authenticate users in.

  4. Click Save to enable additional configuration fields and tabs.

  5. To use this directory connector to import users from Workday to OneLogin, select Enabled under Importing Users.

  6. To enable role mapping, select Instead of managing users' roles manually... .

    This option lets you assign users to OneLogin roles, groups, and other OneLogin attributes, using Workday user attributes as assignment criteria. For example, you can create a mapping to set all Workday users with the Job Profile Sales Development Rep to the OneLogin Role Sales. For more information, see Mappings.

  7. To enable this directory connector to export user attributes from OneLogin to Workday, select Provisioning enabled.

    When you select Enabled under Importing Users, the Workday directory connector imports users and their attributes from Workday to OneLogin. The Provisioning enabled option lets you export a subset of user attributes from OneLogin to Workday. For a list of exportable user attributes, see step 11.

    Exportable attributes can be imported to OneLogin from Workday, providing bidirectional synchronization. Whenever one of these attributes is modified in either OneLogin or Workday, the other directory is also updated.

    Note. This option requires that you select Enabled under Importing Users. There is no export-only option.

  8. To automatically approve all user updates exported from OneLogin to Workday, select Auto approve changes.

    This option prevents the failure of OneLogin-to-Workday provisioning events when attributes are configured in Workday to require approval workflow.

  9. Select Use Change Contact API to use the Workday Update Contact API to update user contact information when the user record is in a workflow. For instance, if a user's work address is updated, but the approval process isn't complete, this record can't be updated using the default Main Contact API. The Change Contact API provides the capacity to update the user record while it's in this state. This applies to user contact attributes, including email. 

    Note: v30 or above is required to use this API. To find your current version, consult the URL in the API Endpoint field. If you have v29 or below and select Use Change Contact API, you won't be able to update a user record while it's in a workflow process in Workday.

    Security Groups

    Prior to working with the v30 API, you must create a general set of permissions. Perform the following in the Workday UI.  

    1. Search and select the domain Integration build.
    2. Click the ellipsis (...) next to Worker Data: Public Worker Reports.
    3. In the dialog, place your cursor over Domain and click Edit Security Policy Permissions.
    4. Under Integration Permissions, add the security group you created.
    5. Select the checkbox in the Get column.
    6. Click OK.
    7. Activate your security policy changes.
    8. Search for security changes and open Activate Pending Security Policy Changes.
    9. Enter a comment, click OK, and confirm the changes.

    To work with the new endpoint, you must create separate sets of permissions for Work Contact Data and Home Contact Data, as they are 2 separate API calls. Perform the following in the Workday UI.

    Work Contact Data

    1. Search for Business Process Security Policy.
    2. Open Edit Business Process Security Policy.
    3. Select the appropriate Business process type, for example Work contact change.
    4. Locate Change Work Contact Information (Web Service), set security groups for permissions and save.
    5. Go to Profile > Workbench > Security and Audit.
    6. Locate Activate pending security policy changes on the Actions tab, enter a comment and confirm.

    Home Contact Data

    1. Search for Business Process Security Policy.
    2. Open Edit Business Process Security Policy.
    3. Select the appropriate Business process type, for example Home contact change.
    4. Locate Change Home Contact Information (Web Service), set security groups for permissions and save.
    5. Go to Profile > Workbench > Security and Audit.
    6. Locate Activate pending security policy changes on the Actions tab, enter a comment and confirm.
  10. Enter the API Settings required to connect to the Workday API.

    API username and API password are the credentials for the Integration System User account you created in Create a Workday Integration System User. Include @ + your Workday tenant name (@tenant_name) in the username. For example, integration_user@acme. If you intend to export OneLogin attributes to Workday, use the Integration System User with admin rights (both Get and Put permissions).

    API endpoint is the Workday web service URL. For example: https://server_name.workday.com/ccx/service/tenant_name/Human_Resources/v25.0?wsdl. If you do not know your endpoint URL, contact Workday or see the Workday Getting Started documentation for more information.

    Worker ID for fetching Schema is a Worker ID for any employee in your Workday system that has values populated in all fields that you are syncing with OneLogin.

  11. Click Save to connect to the API and retrieve available Workday fields to sync with OneLogin.

    These fields appear on the Directory Attributes tab, which appears after Save is clicked.

  12. On the Directory Attributes tab, map the Workday fields you want to sync with OneLogin.

    Select the Workday field from the dropdown in the Directory Field column for each required field.

    Click the + plus button at the top right to add rows, where you can map additional Workday fields to OneLogin fields. For any new mappings, you must create a OneLogin custom user field to hold the value you want to sync with the Workday field. All custom fields will be available for selection from the dropdown in the OneLogin Field column in rows that you add.

    The following table provides a list of the fields you must map between OneLogin and Workday, and the fields you can sync in both directions (exporting from OneLogin to Workday as well as importing from Workday to OneLogin). All of the other fields in the Workday Field dropdown are optional and can only be imported from Workday to OneLogin.

    | Workday domain | Field name on Directory Attributes tab | OneLogin Field | Export? | Required? |
    |---|---|---|---|---|
    | Worker Data: External ID | worker_id | external_id | | Y |
    | Worker Data: Work Email | primary_work_email | email | Y | Y |
    | Worker Data: Legal Name | legal_first_name | firstname | | Y |
    | Worker Data: Legal Name | legal_last_name | lastname | | Y |
    | Worker Data: Username | user_id | username | | Y |
    | Worker Data: Preferred Name | preferred_first_name | custom field | | |
    | Worker Data: Preferred Name | preferred_last_name | custom field | | |
    | Worker Data: Work Phone | phone_number_work | custom field | Y | |
    | | primary_work_phone_device_type* | custom field | Y | |
    | Worker Data: Home phone | phone_number_home_1 | custom field | Y | |
    | | home_phone_1_device_type* | custom field | Y | |
    | Worker Data: Work Address | business_address | custom field | Y | |
    | Worker Data: Work Address | business_address_city | custom field | Y | |
    | Worker Data: Work Address | business_address_state | custom field | Y | |
    | Worker Data: Work Address | business_address_zip | custom field | Y | |
    | Worker Data: Work Instant Messenger | primary_home_messenger_provider | custom field | Y | |
    | Worker Data: Work Instant Messenger | primary_home_messenger_id | custom field | Y | |
    | Worker Data: Home Instant Messenger | home_messenger_1_provider | custom field | Y | |
    | Worker Data: Home Instant Messenger | home_messenger_1_id | custom field | Y | |

    *If you export a phone device type field (for example, primary_work_phone_device_type) from OneLogin to Workday, all user records must include a value for the corresponding phone number field (for example, phone_number_work).

  13. Click Save.
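
The checks that steps 9 and 10 leave to the administrator (the endpoint version, the @tenant_name suffix, and which Integration System User to enter) can be run before saving the connector. The following is an added example, not OneLogin or Workday code; the function name, the `account_has_put` flag, and the assumption that the tenant in the username equals the tenant in the endpoint path are illustrative.

```python
import re
from urllib.parse import urlsplit

# Path layout of the article's example endpoint:
#   /ccx/service/tenant_name/Human_Resources/v25.0
ENDPOINT_PATH = re.compile(
    r"^/ccx/service/(?P<tenant>[^/]+)/Human_Resources/v(?P<major>\d+)(?:\.\d+)?/?$"
)
CHANGE_CONTACT_MIN_VERSION = 30  # "v30 or above is required to use this API"


def check_api_settings(endpoint, username, use_change_contact_api=False,
                       provisioning_enabled=False, account_has_put=False):
    """Return a list of problems; an empty list means the settings are consistent.

    account_has_put is supplied by the operator (hypothetical flag): True when
    the Integration System User was granted Put as well as Get.
    """
    problems = []
    url = urlsplit(endpoint)
    if url.scheme != "https":
        problems.append("scheme: endpoint is not an https URL")
    match = ENDPOINT_PATH.match(url.path)
    if match is None:
        problems.append("path: expected /ccx/service/<tenant>/Human_Resources/v<N>")
    else:
        user, sep, user_tenant = username.rpartition("@")
        if not (user and sep and user_tenant):
            problems.append("username: must end in @tenant_name")
        elif user_tenant.lower() != match["tenant"].lower():
            # Assumption: tenant names are compared case-insensitively.
            problems.append("username: tenant differs from the tenant in the endpoint")
        if use_change_contact_api and int(match["major"]) < CHANGE_CONTACT_MIN_VERSION:
            problems.append("version: Use Change Contact API needs a v30+ endpoint")
    if provisioning_enabled and not account_has_put:
        problems.append("access: exporting to Workday needs the Get and Put account")
    if account_has_put and not provisioning_enabled:
        problems.append("access: import-only sync should use the Get-only account")
    return problems


if __name__ == "__main__":
    # Constructed sample values, modelled on the article's examples.
    sample = "https://server_name.workday.com/ccx/service/acme/Human_Resources/v25.0?wsdl"
    for line in check_api_settings(sample, "integration_user@acme",
                                   use_change_contact_api=True):
        print(line)
```

The last check flags a Get and Put account used on an import-only connector, so that the credential stored in OneLogin carries no more Workday access than the sync needs.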