The EmpowerID Workday Connector functions as a bridge, enabling the smooth transition of user data from a Workday cloud instance to EmpowerID. Utilizing SuccessFactors Connector is an integration tool that connects EmpowerID's Identity Management platform with SAP SuccessFactors. This connector is designed to pull user information from SuccessFactors into EmpowerID, ensuring that user identities, roles, and related attributes are consistently reflected within EmpowerID. Using the SCIM 2.0 protocol and the OData protocol for data retrieval, the connector can provision EmpowerID Persons and sustain ensures consistent and reliable data synchronization across all connected back-end user directories.This connector's architecture comprises two core components: an EmpowerID microservice deployed
Architecture Overview
The architecture of the EmpowerID SuccessFactors Connector is built around three core components: the EmpowerID Microservice, the EmpowerID Account Store, and the OData Layer. These components work together to provide secure, efficient, and reliable integration between EmpowerID and SAP SuccessFactors, ensuring that user data is accurately retrieved, processed, and synchronized.
...
The above architectural flowchart illustrates how these components interact to handle data synchronization and management between EmpowerID and SAP SuccessFactors.
SAP SuccessFactors Microservice
The SAP SuccessFactors Microservice is the central processing unit within the connector’s architecture. Deployed on an Azure app service and an EmpowerID account store specifically designed to store and synchronize Workday identity information. The Azure app service is engineered to function using a system-assigned managed identity tied to an Azure AD application explicitly created for EmpowerID. This setup enables the Workday microservice to access Azure AD-protected services securely without requiring explicit credentials for authentication. Client certificate authentication is employed to ensure a high degree of security throughout this interaction.
...
Inventory Objects and their corresponding components in EmpowerID
Connects to the Human Resource service and retrieves Worker data.
...
Object in Workday
...
Component in EmpowerID
...
Worker
...
Account
Attribute Mapping
The table below shows the attribute mappings of Workday users to EmpowerID. Attributes marked with N/A* are supported but are not specifically mapped to corresponding EmpowerID Person Attributes. To map these attributes, the EmpowerID Schema needs to be extended. For information on extending the schema for Workday, see https://dotnetworkflow.jira.com/wiki/spaces/EIDADV23/pages/3176988713/Inventory+Workday+Custom+Attributes#Configure-EmpowerID-for-the-Workday-Custom-Attributes.
Personal Data
...
, this microservice retrieves and processes user information from SuccessFactors. It periodically queries SuccessFactors to pull the latest user data, capturing updates to user profiles or organizational roles within EmpowerID. The microservice benefits from Azure's cloud infrastructure for availability, scalability, and security.
SAP SuccessFactors Account Store
The SAP SuccessFactors Account Store is a data repository within the connector architecture, designed to securely store identity information retrieved from SuccessFactors. This account store serves as a central location within EmpowerID where SuccessFactors user data is synchronized and maintained. The information pulled from SuccessFactors is available for identity management and governance within EmpowerID, allowing organizations to manage access rights based on accurate and current user data.
OData Layer
The OData Layer retrieves user information from SuccessFactors. Positioned between the Azure Tenant and SuccessFactors, this layer uses the OData protocol to execute queries against the SuccessFactors database. The OData protocol enables the connector to efficiently filter, sort, and retrieve specific user data, ensuring that relevant information is pulled into EmpowerID. This process helps maintain an optimized integration by reducing the amount of data processed and ensuring necessary identity information is captured.
Data Inventory and Account Management
The EmpowerID SuccessFactors Connector inventories and manages user accounts based on the data retrieved from SAP SuccessFactors.
Inventory Objects and Data Retrieval
EmpowerID initiates SCIM calls to the SAP SuccessFactors microservice, which is responsible for integrating with SuccessFactors. This microservice invokes the OData protocol to retrieve user data, including personal details, employment status, and future hires scheduled up to 30 days in advance.
Once the microservice retrieves the user data via OData, the OData response is converted into a SCIM response. The SCIM response is returned to EmpowerID, where the data is processed and inserted as an account object in the EmpowerID Identity and Resource Warehouse.
Inventory Objects and Their Corresponding Components in EmpowerID
After the user data is inserted into EmpowerID as an account object, it is mapped to the corresponding fields in the Account table of the EmpowerID Identity and Resource Warehouse. This process involves cataloging personal and employment details, such as role assignments, job titles, and future hires, to ensure that records are maintained accurately.
Object in SuccessFactors | Component in EmpowerID |
---|---|
User | Account |
Provisioning Person Objects and Lifecycle Management
Once user accounts are inventoried, EmpowerID can automatically provision Person objects from these accounts. These Person objects are key to EmpowerID’s lifecycle management processes:
Joiner: Person objects are created for each user account, ensuring they are assigned appropriate roles and access rights.
Mover: When users change roles or locations, their Person objects are updated to reflect new job responsibilities or organizational units.
Leaver: Upon termination, Person objects are deactivated, revoking access rights as required.
Provisioning Person objects from the inventoried accounts enables EmpowerID to manage user transitions efficiently, using the latest data retrieved from SAP SuccessFactors.
Attribute Mapping
EmpowerID maps user attributes from SAP SuccessFactors to the appropriate fields within the EmpowerID system to facilitate seamless data integration. Below is a table that shows the attribute mappings for personal and employment data:
Personal Data Attribute Mapping
SuccessFactors Attribute | SCIM Attribute | EmpowerID Person Attribute |
---|---|---|
User.FirstName |
Name |
. |
GivenName | FirstName |
User.LastName |
Name |
. |
FamilyName | LastName |
Middle_Name
personalInfoNav.MiddleName | Name.MiddleName | MiddleName |
User.Formatted |
DisplayName | DisplayName |
PerPerson.DateOfBirth |
additionalDataExtension. |
N/A*
Citizenship
AdditionalDataExtension.Citizenship
N/A*
Email_Address
emails[?(@.type=='work')].value
PhoneData.PhoneNumber.Communicationtype=FAX
phoneNumbers[?(@.type=='fax')].value
Fax
PhoneData.Phonenumber.Communicationtype=HOMEPHONE
phoneNumbers[?(@.type=='home')].value
HomeTelephone
NumberData.Phonenumber.Communicationtype=MOBILENUMBER
phoneNumbers[?(@.type=='mobile')].value
MobilePhone
PhoneData.PhoneNumber.Communicationtype=WORK
phoneNumbers[?(@.type=='work')].value
BusinessPhone
Employment Data
DateOfBirth | DateOfBirth | |
personalInfoNav.Gender | additionalDataExtension.Gender | Gender |
homeAddressNavDFLT.Country | addresses.country && user.Country | Country |
homeAddressNavDFLT.ZipCode | address.PostalCode | ZipCode |
homeAddressNavDFLT.State | address.Region && user.State | State |
homeAddressNavDFLT.Address1 | address.StreetAddress | StreetAddress |
homeAddressNavDFLT.City | address.Locality && user.City | City |
employee.PersonExternalId | user.UserName , User.Id , user.ExternalId | Username , Id , LogonName |
emailNav.Value | email.Value | |
PerPhone.PhoneNumber | phoneNumber.Value | HomePhone |
User.EmpInfo.StartDate | enterpriseDataExtension.StartDate | ValidFrom |
User.EmpInfo.EndDate | enterpriseDataExtension.EndDate | AccountExpires |
User.custom01 | enterpriseDataExtension.custom01 | CustomAttribute01 |
Employment Data Attribute Mapping
SuccessFactors Attribute | SCIM Attribute | EmpowerID Person Attribute |
---|
Worker_Status_Data.Active
active
Status
Worker_Status_Data.Original_Hire_Date
hireDate
OriginalHireDate
Worker_Status_Data.Hire_Date
hireDate
ExpectedHireDate
Worker_Status_Data.Termination_Date
terminationDate
TerminationDate
Worker_Status_Data.Rehire
AdditionalDataExtension.RehireFlag
If set to Y, the Person is directed through the Rehire Workflow.
Worker_Status_Data.Terminated
Terminated
If set to true this value is used to terminate the Person in EmpowerID.
Worker_Status_Data.Hire_Rescinded
HireRescinded
If set to true, accounts linked to the EmpowerID Person are disabled.
Worker_Status_Data.Leave_Status_Data
OnLeave
If set to Y, the EmpowerID Person is directed to the On Leave workflow. Accounts can be disabled as needed.
Worker_Status_Data.Secondary_Termination_Reasons_Data
TerminationReason
N/A*
Worker_Job_Data.Position_Data.Business_Title
Title
Title
Organization Data
...
Workday Attribute
...
SCIM Attribute
...
EmpowerID Person Attribute
...
Workday Attribute
...
SCIM Attribute
...
EmpowerID Person Attribute
...
Organization_Data.Organization_Name.COST_CENTER
...
Organization[?(@.organizationType=='COST_CENTER')].organizationName
...
CostCenter
...
Organization_Data.Worker_Organization_Data.Cost_Center_Reference_ID
...
['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['WorkDayDataExtension']['departmentNumber']
...
DepartmentNumber
...
Organization_Data.Organization_Name.Division
...
Organization[?(@.organizationType=='Division')].organizationName
...
Division
Custom Attributes
...
EmploymentNav.JobInfo.Department | enterpriseUserExtension.Department | Department |
EmploymentNav.JobInfo.Division | enterpriseUserExtension.Divsion | Division |
EmploymentNav.JobInfo.SeqNumber | enterpriseUserExtension.EmployeeNumber | EmployeeId |
EmploymentNav.JobInfo.ManagerId | enterpriseUserExtension.Manager.Value | ManagerId |
EmploymentNav.JobInfo.CostCenterNav.Name | enterpriseUserExtension.CostCenter | CostCenter |
EmploymentNav.JobInfo.StartDate | enterpriseDataExtension.StartDate | ValidFrom |
EmploymentNav.JobInfo.EndDate | enterpriseDataExtension.EndDate | AccountExpires |
EmploymentNav.JobInfo.JobCode | enterpriseDataExtension.JobCode | JobCode |
EmploymentNav.JobInfo.JobTitle | enterpriseDataExtension.JobTitle | JobTitle |
EmploymentNav.JobInfo.CompanyNav.Name_en_US | enterpriseDataExtension.CompanyName | Company |
EmploymentNav.JobInfo.WorkLocation | enterpriseDataExtension.WorkLocation | OfficeLocation |
EmploymentNav.JobInfo.EmployeeStatusNav.Status | enterpriseDataExtension.EmployeeStatus | EmployeeStatus |
EmploymentNav.JobInfo.CostCenterNav.CostCenterDescription | enterpriseDataExtension.CostCenterDescription | CostCenterDescription |
EmploymentNav.JobInfo.CompanyNav.Name | enterpriseDataExtension.CompanyDescription | CompanyDescription |
EmploymentNav.JobInfo.BusinessUnit | enterpriseDataExtension.BusinessUnit | BusinessUnit |
EmploymentNav.JobInfo.BusinessUnitNav.Name(EmploymentNav.JobInfo.BusinessUnitNav.ExternalCode) | enterpriseDataExtension.BusinessUnitDescription | OrgUnit |
EmploymentNav.JobInfo.IsFulLTimeEmployee | enterpriseDataExtension.IsFullTimeEmployee | IsFulLTimeEmployee |
EmployeeNav.IsContigentWorker | enterpriseDataExtension.IsContigentWorker | IsContigentWorker |
EmployeeNav.JobInfo.PositionNav.Code | enterpriseDataExtension.PositionCode | PositionCode |
employeeNav.LastDayWorked | enterpriseDataExtension.LastDayWorked | LastDayWorked |
employmentNav.OriginalStartDate | enterpriseDataExtension.OriginalStartDate | OriginalHireDate |
employmentNav.ServiceDate | effectiveStartDate |
Macrosuite divider macro | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Connect to WorkdayInventory Workday Custom AttributesSAP SuccessFactors
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|
...