You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Connect to Workday

 



In order to connect EmpowerID to Workday, the following prerequisites need to be met:

  1. Workday needs to be configured to allow SOAP API access

  2. The Workday API user needs to have access to read worker and contingent worker attributes (excluding things like compensation)

Step 1 – Generate a self-signed certificate in EmpowerID

  1. On the navbar of the EmpowerID Web interface, expand Apps and Authentication > SSO Connections and select SSO Components.

  2. Select the Certificates tab and then click the Add button in the grid header.

     

  3. Select Generate Self-Signed Certificate.

     

  4. Enter the following information:

    • Certificate Owner – Leave empty

    • Prefer Local Machine Store – Leave empty

    • Subject Name – Enter something suitable to the purpose of the certificate, such as CN=AzureCertificate

    • Requires Password – Select this option; this adds a private key to the certificate

    • Certificate Password – Enter a password for the certificate

  5. Click Save to create the certificate.

 

Step 2 – Download the certificate in Base64 format

  1. Return to the SSO Components page from the Certificate Details page by clicking the Find Certificates breadcrumb.

  2. Select the Certificates tab on the SSO Components page and search for the certificate you just created.

     

  3. Click the Name link for the certificate to navigate to the View page for the certificate.

  4. On the View page for the certificate, click Export Certificate.

     

  5. Select the desired location in which to save the certificate and click Save.

Step 3 – Register a service principal application in Azure

  1. Log in to your Azure portal as a user with the necessary permissions to create an application in Azure AD.

  2. In Azure, navigate to your Azure Active Directory.

  3. On the Azure navbar, click App registrations.

  4. On the App registrations page, click New registration.

     

  5. Name the application, select the scope for the application (single or multitenant) and click Register.

  6. Once the application is registered, copy the Application (client) ID and Directory (tenant) ID from the Overview page. These values are used when configuring the SCIM app service.



  7. Navigate to the Certificates & secrets blade for the application and click Upload certificate.

     

  8. Select the base-64 encoded certificate you downloaded from EmpowerID and click Add.

The public key certificate that you upload to Azure must have a corresponding private key in the EmpowerID certificate store; otherwise, an error will occur when calling Azure’s API.

Step 4 – Create an app service to host the Workday SCIM microservice

  1. Log in to your Azure portal as a user with the necessary permissions to create an App Service.

  2. In Azure, navigate to All Services > App Services and create a new App service.

  3. Under Project Details, select a Subscription and then create a Resource Group for the App Service.

  4. Under Instance Details, do the following:

    • Name – Enter a name.

    • Publish – Select Code.

    • Runtime Stack – Select .Net Core 3.1 (LTS).

    • Operating System – Select Linux.

    • Region – Select the appropriate region.

  5. Click Review + Create.

  6. Click Create.

  7. After the deployment of the app service completes, click Go to resource.

  8. Change the platform for the app service to 64 Bit by doing the following:

    1. On the app service navbar, under Settings, click Configuration.

    2. On the Configuration blade, select the General settings tab.

    3. Under Platform settings, change the Platform to 64 Bit and click Save.

    4. Click Continue to confirm you want to save the changes.

  9. Copy and save the URL on the app service's Overview page. You will need this when you configure Azure AD Auth for the app service.

Step 5 – Configure authentication for the app service

  1. Navigate to the Authentication blade for the app service and click Add identity provider.

     

  2. Select Microsoft.

     

  3. Add the following identity provider information:

    1. App registration type – Select Pick an existing app registration in this directory.

    2. Name or app ID – Select the service principal you created to provide Azure AD authentication for the microservice.

    3. Issuer URL – Replace the default value with https://login.microsoftonline.com/<Your Tenant ID>

    4. Restrict access – Select Require authentication.

    5. Unauthenticated requests – Select HTTP 401 Unauthorized: recommended for APIs.

    6. Token Store – Leave selected.

    7. Click Add.

       

  4. After adding the Identity provider, click the Edit link for it.

     

  5. Set the Issuer URL to https://login.microsoftonline.com/<Your Tenant ID>.

  6. Under Allowed token audiences enter the URL for the app service.

     

  7. Click Save.

  8. Under Settings, select Identity.

  9. Turn on system assigned managed identity and click Save.

     

  10. Click Yes to confirm you want to enable system assigned managed identity and register the App Service with Azure Active Directory.

     

  11. Back in the Overview page for the App Service, click Get Publish Profile. You will need this file when you publish the Workday microservice to Azure.

 

Step 6 – Publish the Workday Microservice to Azure

Prior to publishing the microservice, you will need to obtain the appropriate ZIP file from EmpowerID.

  1. Copy the below PowerShell script into the text editor of your choice and save it as zipdeploy_appService.ps1.

    param( $pubProfileFilePath ,$zipFilePath ) $ErrorActionPreference = "Stop" $pubProfile = [xml](gc $pubProfileFilePath) $zipPubProfile = $pubProfile.publishData.publishProfile | where { $_.publishMethod -eq "zipdeploy" } $userAgent = "powershell/1.0" $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $zipPubProfile.userName, $zipPubProfile.userPWD))) $zipdeployUrl = "https://$($zipPubProfile.publishUrl)/api/zipdeploy" $deploymentsUrl = "https://$($zipPubProfile.publishUrl)/api/deployments" Invoke-RestMethod -Uri $zipdeployUrl -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -UserAgent $userAgent -Method Post -InFile $zipFilePath Invoke-RestMethod -Uri $deploymentsUrl -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -UserAgent $userAgent -Method Get

     

  2. Open an administrative PowerShell session.

  3. Navigate to the directory where you saved the script and execute the script, passing in the values of the pubProfilePath and zipFilePath parameters via the command line, where the value of pubProfilePath is the path to the Workday App Service Publisher Profile Settings file you downloaded from Azure, and the value of zipFilePath is the path to the microservice ZIP file you received from EmpowerID.

    The command to execute the script should look similar to that shown in the below image.

     

Step 7 – Configure the Workday App Service to Support Custom Attributes

  1. Navigate to the Workday SCIM App Service you created earlier.

  2. On the navbar for the App Service, under Settings, click Configuration.

  3. Under Application settings, click New application setting.

     

     

  4. Add the following two Name / Value pairs and save your changes.

Name

Value

Name

Value

WORKDAY_PARAMETER_CRITERIA_DATA_TYPE

Integration_System_ID

WORKDAY_PARAMETER_CRITERIA_DATA_VALUE

The value of the Integration_System_ID for the Integration System created in Workday.

Further configuration must be performed in both Workday and EmpowerId before custom attributes can be successfully inventoried. Please see Inventory Workday Custom Attributes for the details.

Step 8 – Create a key vault with secrets to store Workday credentials

  1. In Azure, create a key vault if you do not already have one or want to create a new one.

  2. Navigate to the Key Vault blade for the appropriate key vault.

  3. On the Secrets page, click Generate/Import.

     

     

  4. On the Create a secret blade, do the following to create the secret:

    1. Name – Enter userName.

    2. Value – Enter the username of the user account accessing the user data in your Workday instance.

    3. Click Create

  5. Back on the Secrets blade, click Generate/Import again.

  6. On the Create a secret blade, do the following to create the second secret:

    1. Name – Enter Password.

    2. Value – Enter the password of the user account accessing the user data your Workday instance.

    3. Click Create.

  7. Back on the Secrets blade, click Generate/Import again.

  8. On the Create a secret blade, do the following to create the third secret:

    1. Name – Enter tenantUrl.

    2. Value – Enter the tenant URL of your Workday instance.

    3. Click Create

  9. Back on the Secrets blade, click Generate/Import again.

  10. On the Create a secret blade, do the following to create the fourth and final secret:

    1. Name – Enter tenantid.

    2. Value – Enter the tenant of your Workday instance.

    3. Click Create
      You should now have the following secrets in the key vault:

       

  11. Next, navigate to the Workday SCIM App Service you created earlier.

  12. On the navbar for the App Service, under Settings, click Configuration.

  13. Under Application settings, click New application setting.

     

     

  14. In the Add/Edit application setting pane, add the following:

    1. Name – Enter WORKDAY_VAULTED_CREDS.

    2. Value – Enter the name of the vaulted creds you created for your Workday secrets.

    3. Click OK.

       

  15. Click Save on the Configuration blade.

  16. Click Continue to confirm that you want to save changes.

Step 9 – Create an account store for Workday

  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. Select the Actions tab and then click Create Account Store.

     On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  3. Select the Actions tab and then click Create Account Store.

     

  4. Under System Types, search for Workday.

  5. Click the record for Workday to select the type and then click Submit.

     

     

  6. Enter the following information in the Azure Microservice Configuration form:

    • Name – Name of the account store

    • Microservice URL – The URL to the app service hosting the Workday SCIM microservice

    • Azure AppID – The ID of the application you registered in Azure AD for EmpowerID

    • Azure Directory (Tenant) ID – The ID of your Azure tenant

    • Certificate Thumbprint – Thumbprint of the certificate you uploaded to your Azure tenant

  7. When ready, click Submit to create the account store.

     

Step 10 – Verify Workday resource system parameters

  1. Return to the Find Account Stores page and search for the Workday account store you just created.

  2. Click the Account Store link.

     

  3. Select the Resource System tab and then expand the Configuration Parameters accordion at the bottom of the page.

  4. Verify the following parameters have the correct value:

    • AzureAppID

    • AzureTenantID

    • certificateThumbprint

    • GetNewOrUpdatedUsersUrl

    • MicroserviceUrl

Step 11 – Configure Attribute Flow

  1. On the Account Store Details page for the Workday account store, select the Attribute Flow Rules tab.

  2. Review the attribute flow and revise as needed. EmpowerID translates the attributes in Workday to SCIM for use with the connector and represents those attributes in EmpowerID as External Directory Attributes. You map these attributes to EmpowerID Person attributes to ensure that any changes occurring to user attributes in Workday flow to the EmpowerID Person, as well as any other user accounts owned by the Person.

  3. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

Step 12 – Create Dynamic Hierarchy policies to generate roles and location (Optional)

If desired, you can use Dynamic Hierarchy policies to generate external roles and locations based on specific user attributes, such as Job Title and Department. The external roles and locations can then be used to map corresponding EmpowerID logical locations. Please see Use Dynamic Hierarchy Policies to Create External Roles and Locations for information on setting this up. When completed, return to this article and complete steps 10 and 11.

Step 13 – Configure the Workday account store

  1. On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. Search for the Workday account store and click the Account Store link for it.

     

  3. On the Account Store Details page, click the Edit link to put the account store in edit mode.


    This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Workday instance as well as how you want EmpowerID to handle the user information it discovers in Workday during inventory. Settings that are relevant to Workday are described in the table below the image


  4. Edit the account store settings as needed and then enable inventory as shown below.

Step 14 – Enable Inventory on the account store

  1. On the Account Store Settings page, select the Inventory tab.

  2. Under Inventory Schedule Interval, do the following:

    1. Optionally, select a Start and End date for inventory to occur

    2. Select Hour Interval

    3. Interval – Enter either 12 or 24.

  3. Inventory Enabled – Toggle to enable EmpowerID to inventory Workday.

  4. Click Save to save your changes to the account store.

Now that inventory is enabled for the account store, the next step is to turn on the Account Inbox permanent workflow. This workflow is responsible for fetching and processing new user accounts.

Step 15 – Enable the Account Inbox Permanent Workflow

Step 16 – Map Role and Locations

  1. On the navbar, expand Identity Lifecycle and select Role and Location Mapper.

  2. Select the Role Mapper tab.

  3. In the External Source Business Role pane of the Role Mapper tab, do the following:

    1. In the first (upper) field - Search for and select the external directory containing the role you want to map, and

    2. In the second (lower) field - Enter the name of the external role you want to map and press ENTER to load the role.

    3. Select the role from the tree.

  4. Select the Location Mapper tab.

  5. In the External Source Location pane of the Location Mapper tab, do the following:

    1. In the first (upper) field - Search for and select the external directory containing the location you want to map and

    2. In the second (lower) field - Enter the name of the external location you want to map and press ENTER to load the location.

    3. Select the location from the tree.

       

  6. In the Internal Destination Location pane, enter the name of the EmpowerID location to which you want to map the external directory location and then select the location from the tree.

     

  7. Click Save to save the mapping.

  8. Repeat for any other mappings you wish to create.

 

Use Dynamic Hierarchy Policies to Create External Roles and Locations