This site requires JavaScript to be enabled
External Customer KB > General > Provisioning from Workday to Active Directory Using Custom Reports
Provisioning from Workday to Active Directory Using Custom Reports
Article: KB0010429 Published: 02/20/2019 Last modified: 02/18/2020

You can use OneLogin as an intermediary to load users from Workday to Active Directory.  It is a two-step process:

  1. Provision from Workday into OneLogin using Workday Reports.
  2. Provision from OneLogin into Active Directory.

Note. These instructions assume that you are using the Workday Custom Reports directory connector, but you can also set up the same user attribute flow using the Workday Bidirectional connector. 

Provisioning from Workday into OneLogin

Note. Before you perform the import, you should be familiar with the attributes in your Workday user list, specifically the editable Default Fields and XML Overrides.

  1. Log into Workday as an administrator.
  2. Go to Webservice > View URL.
  3. Copy the JSON and XSD URLs and save them for insertion into OneLogin's Workday Reports page.
  4. Log into OneLogin.
  5. Go to Users > Directories and select Workday Custom Reports - Beta.
  6. Give the directory a name, and then choose OneLogin under Authenticate users by.

  7. Click Save to open the Workday Reports configuration page.
  8. Ensure that both check boxes under Importing Users are enabled.
  9. Under API Settings, enter your administrative username and password, as well as the XSD and JSON URLs that you copied from Workday.

  10. Click Save to generate the directory and allow you to access the Directory Attributes page.

  11. On the Directory Attributes page, map the Workday attribute fields to OneLogin fields.

    You might need to create custom OneLogin user fields to hold some Workday attributes.

    When you have mapped the user fields according to your account configuration, click Save.

  12. Click the More Actions menu and select Synchronize Users (Force) to initiate the user import into OneLogin.

    After this, OneLogin will sync new user and attribute updates from Workday to OneLogin at regular intervals.

  13. Go to the Events tab to view when the user import has finished.

Provisioning from OneLogin into Active Directory

Once you are exporting Workday users with their attributes into OneLogin, you can push those user attributes into Active Directory.

Note: Make sure that the Active Directory service account can write to any associated fields (such as display name or UPN). If you followed the installation instructions for Active Directory Connector correctly, your OneLogin Domain Service Account will have these permissions. 

  1. In OneLogin, go to Users > Mappings.

    You will create two mappings: one to enable OneLogin to push user attributes to Active Directory, and the other to disable user attribute pushes. Both mappings depend on the status of the user in Workday.

  2. Create the mapping to activate user attribute pushes.

    • Under Conditions, set Workday Status > equals > Active.
    • Under Actions, set your mappings using the page mappings shown below.

      • Set directory is the current directory.
      • Set role and Set display name are optional and can be configured depending on your Active Directory implementation.

  3. Click Save.
  4. Create the mapping for deactivating (terminating) user attribute pushes.

    1. Under Conditions, set Workday Status > equals > Terminated.
    2. Under Actions, set your mappings using the page mappings shown below.

      Set DistinguishedName is optional. Use it if you want to put the defined user in a Terminated group.

  5. Click Save.
  6. Go to Users > Directory and select the Active Directory currently connected to your account.
  7. Go the Advanced tab and enable Exporting Users.

    Specify what happens when a user is deleted in Active Directory.

  8. Click Save to confirm your settings.
  9. Go to Directory Attributes tab to confirm that the mappings are properly configured.

    Map the unicodePwd field to the Welcome Key field.

    Your page should resemble the example below:

  10. Click Save.

Now when a user is added to Workday or an active Workday user’s attributes change, these changes will be pushed from Workday into your connected Active Directory.


Expand/Collapse Comments
:     
Was this helpful?
YesYesNoNo