The EmpowerID Workday connector is a read-only connector that uses the SCIM 2.0 protocol to bring user data from a Workday cloud instance into EmpowerID, where it can be used to provision EmpowerID Persons and synchronized with the data in any connected back-end user directories.

The Workday connector is an EmpowerID microservice that you deploy to an Azure app service; the microservice in turn retrieves information from Workday. The app service uses a system-assigned managed identity together with an application you register in Azure AD for EmpowerID. The managed identity lets the Workday microservice access Azure AD-protected services (such as the key vault that holds the Workday credentials) without any credentials stored in its configuration, and calls to the microservice are authenticated with client certificate authentication.

...

Step 1 – Register an application for the SCIM Microservice in Azure AD

...

Log in to your Azure portal as a user with the necessary permissions to create an application in Azure AD.

...

In Azure, navigate to your Azure Active Directory.

...

On the Azure navbar, click App registrations.

...

On the App registrations page, click New registration.

...

 

...

Name the application, select the scope for the application (single or multitenant) and click Register.

Once the application is registered, copy the Application (client) ID, Directory (tenant) ID and Object ID from the Overview page. These values are used when configuring the SCIM app service.

...

Under Manage, click Certificates & secrets.

...

Under Certificates, click Upload certificate and upload the base-64 encoded certificate.

...

 

...

Under Client secrets, click New client secret. The secret is used by the application to prove its identity when requesting a token.

...

Enter a Description for the client secret, select when the secret Expires and then click Add.

...

 

...

Copy the secret. You will use it when configuring the Workday SCIM app service.

Step 2 – Create an app service to host the Workday SCIM microservice

  1. Log in to your Azure portal as a user with the necessary permissions to create an App Service.

  2. In Azure, navigate to All Services > App Services and create a new App service.

  3. Under Project Details, select a Subscription and then create a Resource Group for the App Service.

  4. Under Instance Details, do the following:

    • Name — Enter a name.

    • Publish — Select Code.

    • Runtime Stack — Select .NET Core 3.1 (LTS).

    • Operating System — Select Linux.

    • Region — Select the appropriate region.

  5. Click Review + Create.

  6. Click Create.

  7. After the deployment of the app service completes, click Go to resource.

  8. Change the platform for the app service to 64 Bit by doing the following:

    1. On the app service navbar, under Settings, click Configuration.

    2. On the Configuration blade, select the General settings tab.

    3. Under Platform settings, change the Platform to 64 Bit and click Save.

    4. Click Continue to confirm that you want to save the changes.

  9. On the Overview page for the app service, copy and save the URL. You will need this when you configure Azure AD Auth for the app service.


Step 3 – Configure Azure AD auth for the app service

  1. In Azure, navigate to the Workday SCIM app service.

  2. Under Settings in the sidebar, select Authentication / Authorization.

  3. Turn on App Service Authentication.


  4. For Action to take when request is not authenticated, select Log in with Azure Active Directory.

  5. Under Authentication Providers, click Azure Active Directory and then select Advanced as the Management mode.

  6. Enter the following information for the Advanced mode settings:

    • Client ID — Enter the Application (client) ID of the application you registered earlier in Azure AD for EmpowerID.

    • Issuer Url — Enter https://login.microsoftonline.com/<TenantID>, where <TenantID> is the Directory (tenant) ID you copied from the Overview page of that application.

    • Show Secret — Click the button and then enter in the Client Secret field the client secret you created for that application.

    • Allowed Token Audience — Enter the App Service URL you copied in Step 2. Tokens presented to the app service must carry this value as their audience; tokens issued for any other resource are rejected.

  7. Click OK to close the Active Directory Authentication dialog.

  8. Save your changes.

  9. Under Settings, select Identity.

  10. Turn on system assigned managed identity and click Save.


  11. Click Yes to confirm you want to enable system assigned managed identity and register the App Service with Azure Active Directory.


  12. Back in the Overview page for the App Service, click Get Publish Profile. You will need this file when you publish the Workday microservice to Azure.


Step 4 – Publish the Workday Microservice to Azure

  1. Log in to EmpowerID as a person with the necessary access to initiate the SCIM Microservice Publishing workflow.

  2. On the navbar, expand Azure Manager and click Configuration.

  3. Select the Tenants tab and then click the Publish Azure AD SCIM App Service action link.


  4. For Application Type select Microservices and then click SUBMIT.


  5. For Microservice Application select Workday SCIM Microservice and then click SUBMIT.


  6. Click Choose File and browse for the Workday SCIM App Service publish profile file you downloaded from Azure.

  7. Once you have selected the file, click Submit.

  8. Click Yes to confirm that you want to publish the Workday SCIM Microservice. 

  9. Click OK to close the publish results message.

Step 5 – Create a key vault with secrets to store Workday credentials

  1. In Azure, create a key vault if you do not already have one that you want to use for the Workday credentials.

  2. Navigate to the Key Vault blade for the appropriate key vault.

  3. On the Secrets page, click Generate/Import.

     


  4. On the Create a secret blade, do the following to create the secret:

    1. Name — Enter userName.

    2. Value — Enter the user name of the account that reads user data from your Workday instance.

    3. Click Create.

  5. Back on the Secrets blade, click Generate/Import again.

  6. On the Create a secret blade, do the following to create the second secret:

    1. Name — Enter Password.

    2. Value — Enter the password of the account that reads user data from your Workday instance.

    3. Click Create.

  7. Back on the Secrets blade, click Generate/Import again.

  8. On the Create a secret blade, do the following to create the third and final secret:

    1. Name — Enter tenantid.

    2. Value — Enter the tenant of your Workday instance.

    3. Click Create.
      You should now have three secrets in the key vault: userName, Password and tenantid. The microservice looks these up by name, so keep the names exactly as shown.

  9. Next, navigate to the Workday SCIM App Service you created earlier.

  10. On the navbar for the App Service, under Settings, click Configuration.

  11. Under Application settings, click New application setting.

     


  12. In the Add/Edit application setting pane, add the following:

    1. Name — Enter WORKDAY_VAULTED_CREDS.

    2. Value — Enter the name of the key vault (the vaulted creds) that holds the Workday secrets you just created.

    3. Click OK.

  13. Click Save on the Configuration blade.

  14. Click Continue to confirm that you want to save the changes.

The microservice reads these secrets at runtime with the app service's system-assigned managed identity, so grant that identity permission to read secrets on the vault (through a Key Vault access policy or an RBAC role assignment). Without that grant, Key Vault rejects the microservice's requests and the connector cannot authenticate to Workday.
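As an added example (not EmpowerID code), the Python below performs the two calls by which an app service with a system-assigned managed identity reaches the secrets from Step 5: a token request to the local identity endpoint that App Service exposes through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, followed by a Key Vault REST read of each secret with the returned bearer token. The vault name is taken from the WORKDAY_VAULTED_CREDS application setting and the secret names are the ones created above. The HTTP transport is injected: http_get_json performs the real calls inside the app service, while stub_transport answers offline with constructed responses so the example runs anywhere. The vault name, header value and secret values are constructed placeholders.

```python
"""Reading the Step 5 secrets from the app service with its managed identity.

Added example, not EmpowerID code. STUB_ENV, STUB_SECRETS and STUB_TOKEN are
constructed stand-ins for the App Service platform and a real key vault.
"""
import json
import os
import urllib.parse
import urllib.request

VAULT_RESOURCE = "https://vault.azure.net"          # audience of the token Key Vault expects
IDENTITY_API_VERSION = "2019-08-01"                 # App Service managed-identity endpoint version
KEY_VAULT_API_VERSION = "7.4"
SECRET_NAMES = ("userName", "Password", "tenantid")  # exactly as created in Step 5


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: GET the URL with the given headers and decode the JSON body."""
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


def managed_identity_token(env, transport) -> str:
    """Ask the local identity endpoint for an access token whose audience is Key Vault.
    No credential is sent: the platform authenticates the app by the per-instance header."""
    query = urllib.parse.urlencode({"resource": VAULT_RESOURCE, "api-version": IDENTITY_API_VERSION})
    body = transport(f"{env['IDENTITY_ENDPOINT']}?{query}",
                     {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]})
    return body["access_token"]


def secret_url(vault_name: str, secret_name: str) -> str:
    """REST URL of the current version of a secret in the named vault."""
    return (f"https://{vault_name}.vault.azure.net/secrets/"
            f"{urllib.parse.quote(secret_name, safe='')}?api-version={KEY_VAULT_API_VERSION}")


def read_secret(vault_name: str, secret_name: str, token: str, transport) -> str:
    """Fetch one secret value with the managed-identity token as a bearer credential."""
    body = transport(secret_url(vault_name, secret_name), {"Authorization": f"Bearer {token}"})
    return body["value"]


def load_workday_credentials(env=os.environ, transport=http_get_json) -> dict:
    """Resolve the three Workday secrets by name; fails fast if the app setting is missing."""
    vault_name = env.get("WORKDAY_VAULTED_CREDS")
    if not vault_name:
        raise RuntimeError("WORKDAY_VAULTED_CREDS application setting is not set")
    token = managed_identity_token(env, transport)
    return {name: read_secret(vault_name, name, token, transport) for name in SECRET_NAMES}


# Constructed environment and secret values standing in for App Service and Key Vault.
STUB_ENV = {
    "WORKDAY_VAULTED_CREDS": "example-workday-kv",
    "IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",
    "IDENTITY_HEADER": "constructed-identity-header",
}
STUB_SECRETS = {"userName": "ISU_EmpowerID", "Password": "constructed-password", "tenantid": "example_tenant"}
STUB_TOKEN = "constructed-access-token"


def stub_transport(url: str, headers: dict) -> dict:
    """Offline stand-in that enforces what the real endpoints enforce: the identity header
    on token requests, the Key Vault resource, and a bearer token on secret reads."""
    parsed = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parsed.query))
    if url.startswith(STUB_ENV["IDENTITY_ENDPOINT"]):
        if headers.get("X-IDENTITY-HEADER") != STUB_ENV["IDENTITY_HEADER"]:
            raise PermissionError("identity endpoint: missing or wrong X-IDENTITY-HEADER")
        if query.get("resource") != VAULT_RESOURCE:
            raise ValueError("identity endpoint: token requested for the wrong resource")
        return {"access_token": STUB_TOKEN, "resource": VAULT_RESOURCE, "token_type": "Bearer"}
    if parsed.hostname == f"{STUB_ENV['WORKDAY_VAULTED_CREDS']}.vault.azure.net":
        if headers.get("Authorization") != f"Bearer {STUB_TOKEN}":
            raise PermissionError("key vault: 401, bearer token missing or not accepted")
        name = urllib.parse.unquote(parsed.path.split("/")[2])
        return {"id": f"https://{parsed.hostname}/secrets/{name}/0", "value": STUB_SECRETS[name]}
    raise ValueError(f"unexpected request to {url}")


if __name__ == "__main__":
    print(load_workday_credentials(STUB_ENV, stub_transport))
```

Against a real vault, the token request succeeds even when the identity has no rights on the vault; it is the secret read that then fails with 403, which is the symptom to look for when the access policy or role assignment was skipped.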

Step 6 – Create an account store for Workday

  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. Select the Actions tab and then click Create Account Store.

  3. Under System Types, search for Workday.

  4. Click the record for Workday to select the type and then click Submit.

  5. Enter the following information in the Azure Microservice Configuration form:

    • Name – Name of the account store

    • Microservice URL – The URL of the app service hosting the Workday SCIM microservice (copied in Step 2)

    • Azure AppID – The Application (client) ID of the application you registered in Azure AD for EmpowerID

    • Azure Directory (Tenant) ID – The Directory (tenant) ID of your Azure tenant

    • Certificate Thumbprint – Thumbprint of the certificate you uploaded to that application registration

  6. When ready, click Submit to create the account store.

Step 7 – Verify Workday resource system parameters

  1. Return to the Find Account Stores page and search for the Workday account store you just created.

  2. Click the Account Store link.


  3. Select the Resource System tab and then expand the Configuration Parameters accordion at the bottom of the page.

  4. Verify the following parameters have the correct value:

    • AzureAppID

    • AzureTenantID

    • certificateThumbprint

    • GetNewOrUpdatedUsersUrl

    • MicroserviceUrl
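As an added example (not EmpowerID or Microsoft code), the Python below ties together the values exchanged in Steps 1, 3, 6 and 7. It derives the certificate thumbprint that Azure displays after the upload in Step 1 and that the certificateThumbprint parameter above must match from the base-64 certificate itself, produces the x5t header value a certificate-based client assertion carries so Azure AD can select the matching public key, and applies the issuer, audience and lifetime checks that the Step 3 settings (Issuer Url and Allowed Token Audience) impose on a token presented to the app service. The tenant ID, client ID, app service URL and certificate bytes are constructed placeholders, and the set of accepted issuer forms is an assumption of this example. Signature verification against the tenant's published signing keys, which App Service Authentication performs, is not reproduced here.

```python
"""Checks for the Azure AD trust configured in Steps 1, 3, 6 and 7.

Added example, not EmpowerID or Microsoft code. All identifiers below are
constructed placeholders; only the claim checks are shown, not signature validation.
"""
import base64
import hashlib
import re
import time
import uuid

TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_SERVICE_URL = "https://workday-scim-example.azurewebsites.net"
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_CERT_B64}\n-----END CERTIFICATE-----\n"


def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 of the DER bytes as upper-case hex: the thumbprint Azure shows after upload
    and the value the account store's certificateThumbprint parameter must carry."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha1(der).hexdigest().upper()


def x5t_from_thumbprint(thumbprint_hex: str) -> str:
    """Unpadded base64url of the 20-byte thumbprint: the 'x5t' JWT header of a
    certificate-based client assertion."""
    return base64.urlsafe_b64encode(bytes.fromhex(thumbprint_hex)).decode().rstrip("=")


def client_assertion_claims(client_id: str, tenant_id: str, now: int, lifetime: int = 300) -> dict:
    """Claims of the JWT a client signs with its certificate to request a token."""
    return {
        "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),
        "nbf": now,
        "exp": now + lifetime,
    }


def accepted_issuers(tenant_id: str) -> set:
    """Issuer forms treated as this tenant (assumption of this example): the Issuer Url
    entered in Step 3, its v2.0 form, and the sts.windows.net form found in v1 tokens."""
    return {
        f"https://login.microsoftonline.com/{tenant_id}",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://sts.windows.net/{tenant_id}",
    }


def check_inbound_token(claims: dict, tenant_id: str, allowed_audiences: list, now: int) -> tuple:
    """Decide whether a token presented to the app service passes the issuer, audience
    and lifetime checks implied by the Step 3 settings. Returns (accepted, reason)."""
    issuer = str(claims.get("iss", "")).rstrip("/")
    if issuer not in {i.rstrip("/") for i in accepted_issuers(tenant_id)}:
        return False, f"issuer {issuer!r} is not tenant {tenant_id}"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    allowed = {a.rstrip("/") for a in allowed_audiences}
    if not any(str(a).rstrip("/") in allowed for a in audiences):
        return False, f"audience {aud!r} is not in Allowed Token Audience"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if int(claims.get("nbf", 0)) > now:
        return False, "token not yet valid"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Run the checks over constructed claims; wrong tenant or audience must fail."""
    thumb = thumbprint_from_pem(SAMPLE_CERT_PEM)
    good = {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": APP_SERVICE_URL,
            "appid": CLIENT_ID, "nbf": now - 60, "exp": now + 3600}
    foreign = dict(good, iss="https://sts.windows.net/99999999-0000-0000-0000-000000000000/")
    return {
        "thumbprint": thumb,
        "x5t": x5t_from_thumbprint(thumb),
        "assertion": client_assertion_claims(CLIENT_ID, TENANT_ID, now),
        "good": check_inbound_token(good, TENANT_ID, [APP_SERVICE_URL], now),
        "wrong_audience": check_inbound_token(dict(good, aud="https://graph.microsoft.com"),
                                             TENANT_ID, [APP_SERVICE_URL], now),
        "foreign_tenant": check_inbound_token(foreign, TENANT_ID, [APP_SERVICE_URL], now),
    }


if __name__ == "__main__":
    for key, value in demo(int(time.time())).items():
        print(f"{key}: {value}")
```

If the thumbprint computed from your exported certificate does not match the certificateThumbprint value shown on the Resource System tab, EmpowerID is signing its client assertions with a key Azure AD cannot match to the registration, and the microservice will reject every call.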

Step 8 – Configure Attribute Flow

...

Step 9 – Create Dynamic Hierarchy policies to generate roles and location (Optional)

If desired, you can use Dynamic Hierarchy policies to generate external roles and locations from specific user attributes, such as Job Title and Department. The external roles and locations can then be mapped to corresponding EmpowerID logical locations. See Use Dynamic Hierarchy Policies to Create External Roles and Locations for setup instructions. When you have finished, return to this article and complete steps 10 and 11.

Step 10 – Configure the Workday account store

...

On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

...

Search for the Workday account store and click the Account Store link for it.

...

On the Account Store Details page, click the Edit link to put the account store in edit mode.

...

Edit the account store settings as needed and then enable inventory as described in the next step.

Step 11 – Enable Inventory on the account store

By default, EmpowerID inventories account stores once every 10 minutes, but Workday refreshes the user data the connector reads only once every 24 hours. EmpowerID therefore recommends setting the inventory interval to once every 12 or 24 hours. If you leave the default, inventory still runs every 10 minutes, but the data in the account store only changes when Workday's data does.

  1. On the Account Store Settings page, select the Inventory tab.

  2. Under Inventory Schedule Interval, do the following:

    1. Optionally, select a Start and End date for inventory to occur.

    2. Select Hour Interval.

    3. Interval – Enter either 12 or 24.

  3. Inventory Enabled – Toggle to enable EmpowerID to inventory Workday.

  4. Click Save to save your changes to the account store.

Now that inventory is enabled for the account store, the next step is to turn on the Account Inbox permanent workflow. This workflow is responsible for fetching and processing new user accounts.

Step 12 – Enable the Account Inbox Permanent Workflow

...

Step 13 – Map Roles and Locations

EmpowerID Role and Location mappings allow multiple AD, LDAP or other external directory containers to be visually mapped to one or more roles and logical locations in EmpowerID for unified and easy management. For roles, when a mapping occurs, all the external roles are assigned to a corresponding EmpowerID Business Role. This ensures that users with roles in the external directory will have those same roles in EmpowerID.

For locations, when a mapping occurs, all the resources or objects located in the directory container are assigned to a corresponding EmpowerID location, allowing you to use those locations for delegating user access and setting default policy settings. If you create these mappings before your first inventory, all new people discovered by EmpowerID during the inventory process will be provisioned in EmpowerID locations (instead of directory locations), and those EmpowerID locations will be assigned to them as the "Location" portion of their Business Role and Location (BRL). For example, if you have a user named "Barney Smythe" in a London > Contractors OU and a user named "Kris McClure" in a London > Employees OU and you map both of those London OUs to a single London location in EmpowerID, when you turn on your inventory the Location portion of the BRL for both Barney Smythe and Kris McClure would be the EmpowerID location and not the external OUs.

Note

In situations where you need to create custom external roles and locations using Dynamic Hierarchy policies, you will need to map roles and locations after inventory. When this is the case, EmpowerID places users discovered during inventory in the Temporary Role and Temporary Location. Once mapping is complete, the Role and Location Compiler job creates inbox entries for those users and the Role and Location Processor job processes those entries and places those users in the appropriate Business Role and Location.

  1. On the navbar, expand Identity Lifecycle and select Role and Location Mapper.

  2. Select the Role Mapper tab.

  3. In the External Source Business Role pane of the Role Mapper tab, do the following:

    1. In the first (upper) field - Search for and select the external directory containing the role you want to map, and

    2. In the second (lower) field - Enter the name of the external role you want to map and press ENTER to load the role.

    3. Select the role from the tree.

  4. Select the Location Mapper tab.

  5. In the External Source Location pane of the Location Mapper tab, do the following:

    1. In the first (upper) field - Search for and select the external directory containing the location you want to map and

    2. In the second (lower) field - Enter the name of the external location you want to map and press ENTER to load the location.

    3. Select the location from the tree.


  6. In the Internal Destination Location pane, enter the name of the EmpowerID location to which you want to map the external directory location and then select the location from the tree.


  7. Click Save to save the mapping.

  8. Repeat for any other mappings you wish to create.

Info

If you select an external role or location that is a parent, its child roles or locations are mapped to the selected EmpowerID role or location as well.

 

See Also

Use Dynamic Hierarchy Policies to Create External Roles and Locations


...

Inventory Objects and their corresponding components in EmpowerID

  Object in Workday | Component in EmpowerID
  User              | Account

Attribute Mapping

The table below shows how Workday user attributes flow, via their SCIM representation, to EmpowerID Person attributes. Multi-valued SCIM attributes (addresses, phone numbers, emails, organizations) are selected by a filter on their type, so an entry of a different type is not mapped.

  Workday Attribute | SCIM Attribute | EmpowerID Person Attribute
  Country_Reference.ISO_3166-1_Alpha-2_Code | addresses[?(@.type=='BUSINESS')].country | Country
  Business_Site_Summary_Data.Name | siteName | JobLocationName
  Organization_Data.Organization_Name.COST_CENTER | Organization[?(@.organizationType=='COST_CENTER')].organizationName | CostCenter
  Organization_Data.Worker_Organization_Data.Cost_Center_Reference_ID | ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['WorkDayDataExtension']['departmentNumber'] | DepartmentNumber
  Organization_Data.Organization_Name.Division | Organization[?(@.organizationType=='Division')].organizationName | Division
  Worker_Data.Worker_ID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber | EmployeeNumber
  Legal_Name_Data.Name_Detail_Data.First_Name | name.givenName | FirstName
  Legal_Name_Data.Name_Detail_Data.Middle_Name | name.middleName | MiddleName
  Legal_Name_Data.Name_Detail_Data.Last_Name | name.familyName | LastName
  Preferred_Name_Data.Name_Detail_Data.First_Name | nickName | PreferredFirstName
  Preferred_Name_Data.Name_Detail_Data.Last_Name | preferredLastName | PreferredLastName
  Address_Data.Municipality | addresses[?(@.type=='BUSINESS')].locality | City
  Country_Region_Descriptor | addresses[?(@.type=='BUSINESS')].region | State
  Address_Data.Postal_Code | addresses[?(@.type=='BUSINESS')].postalCode | PostalCode
  Address_Data.AddressLineData | addresses[?(@.type=='BUSINESS')].streetAddress | StreetAddress
  PhoneData.PhoneNumber.Communicationtype=WORK | phoneNumbers[?(@.type=='work')].value | BusinessPhone
  Position_Data.Business_Title | title | Jobtitle
  Organization_Data.Organization_Name.COMPANY | Organization[?(@.organizationType=='COMPANY')].organizationName | Company
  Worker_Type_Reference.Employee_TypeID | userType | EmployeeType
  Worker_Data.User_ID | userName | LogonName
  Worker_Status_Data.Active | active | Status
  Worker_Status_Data.Hire_Date | hireDate | HireDate
  Worker_Status_Data.Termination_Date | terminationDate | TerminationDate
  Manager_as_of_last_detected_manager_change_Reference.EmployeeID | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value'] | ManagerPersonID
  FirstName, Lastname | displayName | DisplayName
  Country_Reference.ISO_3166-1_Alpha-3_Code | addresses[?(@.type=='BUSINESS')].country | Country
  Email_Address_Data.Email_Address | emails[?(@.type=='work')].value | Email
  PhoneData.PhoneNumber.Communicationtype=FAX | phoneNumbers[?(@.type=='fax')].value | Fax
  PhoneData.Phonenumber.Communicationtype=HOMEPHONE | phoneNumbers[?(@.type=='home')].value | HomeTelephone
  NumberData.Phonenumber.Communicationtype=MOBILENUMBER | phoneNumbers[?(@.type=='mobile')].value | MobilePhone
  PhoneData.Phonenumber.Communicationtype=TELEPHONE | phoneNumbers[?(@.type=='other')].value | Telephone
  (none listed) | name.honorificSuffix | GenerationalSuffix
  WorkerData.User_ID | externalId | EmailAlias
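As an added example (not EmpowerID code), the Python below resolves a subset of the SCIM Attribute column against a SCIM 2.0 user resource, producing the EmpowerID Person attributes the table promises. The user resource is constructed, not Workday output, and deliberately has no phone number of type 'work', so the BusinessPhone mapping yields nothing rather than picking up the mobile number. The evaluator supports only the path forms the table uses: dotted names, ['key'] segments, a leading schema URN, and [?(@.field=='value')] filters over arrays.

```python
"""Resolving the SCIM-attribute column of the mapping table against a SCIM 2.0 user.

Added example, not EmpowerID code. SAMPLE_USER is constructed; MAPPINGS is a subset
of the table above.
"""
import re

MAPPINGS = [
    ("userName", "LogonName"),
    ("name.givenName", "FirstName"),
    ("name.familyName", "LastName"),
    ("title", "Jobtitle"),
    ("active", "Status"),
    ("addresses[?(@.type=='BUSINESS')].locality", "City"),
    ("addresses[?(@.type=='BUSINESS')].country", "Country"),
    ("phoneNumbers[?(@.type=='work')].value", "BusinessPhone"),
    ("emails[?(@.type=='work')].value", "Email"),
    ("Organization[?(@.organizationType=='COST_CENTER')].organizationName", "CostCenter"),
    ("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber", "EmployeeNumber"),
    ("['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "ManagerPersonID"),
]

_FILTER = re.compile(r"^\[\?\(@\.(\w+)=='([^']*)'\)\]")   # [?(@.type=='work')]
_BRACKET = re.compile(r"^\['([^']+)'\]")                    # ['manager']
_NAME = re.compile(r"^([A-Za-z_][\w-]*)")                    # givenName


def tokenize(path: str) -> list:
    """Split a mapping path into ('key', name) and ('filter', field, value) steps."""
    steps, i = [], 0
    if path.startswith("urn:"):
        # A schema URN contains dots ('2.0'), so take it whole up to ':User'.
        end = path.index(":User") + len(":User")
        steps.append(("key", path[:end]))
        i = end
    while i < len(path):
        if path[i] == ".":
            i += 1
            continue
        rest = path[i:]
        for kind, pattern in (("filter", _FILTER), ("key", _BRACKET), ("key", _NAME)):
            match = pattern.match(rest)
            if match:
                steps.append((kind,) + match.groups())
                i += match.end()
                break
        else:
            raise ValueError(f"unsupported path syntax at {rest!r}")
    return steps


def resolve(resource, path: str):
    """Return the value the path selects, or None when any step has no match."""
    current = resource
    for step in tokenize(path):
        if step[0] == "key":
            if not isinstance(current, dict) or step[1] not in current:
                return None
            current = current[step[1]]
        else:
            _, field, value = step
            if not isinstance(current, list):
                return None
            matches = [item for item in current if isinstance(item, dict) and item.get(field) == value]
            if not matches:
                return None
            current = matches[0]  # first entry of the requested type wins
    return current


def map_person(resource: dict) -> dict:
    """Apply every mapping; attributes whose path matches nothing are left unset."""
    person = {}
    for path, attribute in MAPPINGS:
        value = resolve(resource, path)
        if value is not None:
            person[attribute] = value
    return person


# Constructed SCIM 2.0 user; there is no 'work' phone number on purpose.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "jdoe",
    "active": True,
    "title": "Security Engineer",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "jane.doe@example.com"}],
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"}],
    "addresses": [{"type": "BUSINESS", "locality": "London", "country": "GB"}],
    "Organization": [{"organizationType": "COST_CENTER", "organizationName": "CC-100"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "EmployeeNumber": "100042",
        "manager": {"value": "100001"},
    },
}

if __name__ == "__main__":
    for attribute, value in map_person(SAMPLE_USER).items():
        print(f"{attribute}: {value}")
```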

Next Steps

Connect to Workday