- Created by Phillip Hanegan, last modified on Jul 29, 2022
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 23 Next »
The EmpowerID Workday connector is a read-only connector that uses the SCIM 2.0 protocol to allow you to bring the user data from a Workday cloud instance to EmpowerID, where it can be used to provision EmpowerID Persons, and be synchronized with data in any connected back-end user directories.
The Workday connector is an EmpowerID microservice that you deploy to an Azure app service, which in turn retrieves information from Workday. The app service uses a system assigned managed identity linked to an application you create in Azure AD for EmpowerID. The managed identity is used to allow the Workday microservice to access Azure AD-protected services without needing to supply credentials for authentication. The entire process uses secure client certificate authentication.
Prerequisites:
In order to connect EmpowerID to Workday, the following requirements need to be met:
Workday needs to be configured to allow SOAP API access
The Workday API user needs to have access to read worker and contingent worker attributes (excluding things like compensation)
Step 1 – Generate a self-signed certificate in EmpowerID
On the navbar of the EmpowerID Web interface, expand Apps and Authentication > SSO Connections and select SSO Components.
Select the Certificates tab and then click the Add button in the grid header.
Select Generate Self-Signed Certificate.
Enter the following information:
Certificate Owner – Leave empty
Prefer Local Machine Store – Leave empty
Subject Name – Enter something suitable to the purpose of the certificate, such as CN=AzureCertificate
Requires Password – Select this option; this adds a private key to the certificate
Certificate Password – Enter a password for the certificate
Click Save to create the certificate.
Step 2 – Download the certificate in Base64 format
From the Certificate Details page, return to the SSO Components page by clicking the Find Certificates breadcrumb.
On the SSO Components page, select the Certificates tab and search for the certificate you just created.
Click the Name link for the certificate to navigate to the View page for the certificate.
On the View page for the certificate, click Export Certificate.
Select the desired location in which to save the certificate and click Save.
Step 3 – Register a service principal application in Azure
Log in to your Azure portal as a user with the necessary permissions to create an application in Azure AD.
In Azure, navigate to your Azure Active Directory.
On the Azure navbar, click App registrations.
On the App registrations page, click New registration.
Name the application, select the scope for the application (single or multitenant) and click Register.
Once the application is registered, copy the Application (client) ID and Directory (tenant) ID from the Overview page. These values are used when configuring the SCIM app service.
Navigate to the Certificates & secrets blade for the application and click Upload certificate.
Select the base-64 encoded certificate you downloaded from EmpowerID and click Add.
The public key certificate that you upload to Azure must have a corresponding private key in the EmpowerID certificate store; otherwise, an error will occur when calling Azure’s API.
Step 4 – Create an app service to host the Workday SCIM microservice
Log in to your Azure portal as a user with the necessary permissions to create an App Service.
In Azure, navigate to All Services > App Services and create a new App service.
Under Project Details, select a Subscription and then create a Resource Group for the App Service.
Under Instance Details, do the following:
Name – Enter a name.
Publish – Select Code.
Runtime Stack – Select .Net Core 3.1 (LTS).
Operating System – Select Linux.
Region – Select the appropriate region.
Click Review + Create.
Click Create.
After the deployment of the app service completes, click Go to resource.
Change the platform for the app service to 64 Bit by doing the following:
On the app service navbar, under Settings, click Configuration.
On the Configuration blade, select the General settings tab.
Under Platform settings, change the Platform to 64 Bit and click Save.
Click Continue to confirm you want to save the changes.
On the Overview page for the app service, copy and save the URL. You will need this when you configure Azure AD Auth for the app service.
Step 5 – Configure authentication for the app service
Navigate to the Authentication blade for the app service and click Add identity provider.
Select Microsoft.
Add the following identity provider information:
App registration type – Select Pick an existing app registration in this directory.
Name or app ID – Select the service principal you created to provide Azure AD authentication for the microservice.
Issuer URL – Replace the default value with
https://login.microsoftonline.com/<Your Tenant ID>
Restrict access – Select Require authentication.
Unauthenticated requests – Select HTTP 401 Unauthorized: recommended for APIs.
Token Store – Leave selected.
Click Add.
After adding the Identity provider, click the Edit link for it.
Set the Issuer URL to
https://login.microsoftonline.com/<Your Tenant ID>
.Under Allowed token audiences enter the URL for the app service.
Click Save.
Under Settings, select Identity.
Turn on system assigned managed identity and click Save.
Click Yes to confirm you want to enable system assigned managed identity and register the App Service with Azure Active Directory.
Back in the Overview page for the App Service, click Get Publish Profile. You will need this file when you publish the Workday microservice to Azure.
Step 4 – Publish the Workday Microservice to Azure
Log in to EmpowerID as a person with the necessary access to initiate the SCIM Microservice Publishing workflow.
On the navbar, expand Azure Manager and click Configuration.
Select the Tenants tab and then click the Publish Azure AD SCIM App Service action link.
For Application Type select Microservices and then click SUBMIT.
For Microservice Application select Workday SCIM Microservice and then click SUBMIT.
Click Choose File and browse for the browse for the Workday SCIM App Service Publisher Profile Settings file you downloaded from Azure.
Once you have selected the file, click Submit.
Click Yes to confirm that you want to publish the Workday SCIM Microservice.
Click OK to close the publish results message.
Step 5 – Create a key vault with secrets to store Workday credentials
In Azure, create a key vault if you do not already have one or want to create a new one.
Navigate to the Key Vault blade for the appropriate key vault.
On the Secrets page, click Generate/Import.
On the Create a secret blade, do the following to create the secret:
Name – Enter userName.
Value – Enter the username of the user account accessing the user data in your Workday instance.
Click Create.
Back on the Secrets blade, click Generate/Import again.
On the Create a secret blade, do the following to create the second secret:
Name – Enter Password.
Value – Enter the password of the user account accessing the user data your Workday instance.
Click Create.
Back on the Secrets blade, click Generate/Import again.
On the Create a secret blade, do the following to create the third secret:
Name – Enter tenantUrl.
Value – Enter the tenant URL of your Workday instance.
Click Create.
On the Create a secret blade, do the following to create the fourth and final secret:
Name – Enter tenantid.
Value – Enter the tenant of your Workday instance.
Click Create.
You should now have the following secrets in the key vault:
Next, navigate to the Workday SCIM App Service you created earlier.
On the navbar for the App Service, under Settings, click Configuration.
Under Application settings, click New application setting.
In the Add/Edit application setting pane, add the following:
Name – Enter WORKDAY_VAULTED_CREDS.
Value – Enter the name of the vaulted creds you created for your Workday secrets.
Click OK.
Click Save on the Configuration blade.
Click Continue to confirm that you want to save changes.
Step 6 – Create an account store for Workday
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
Select the Actions tab and then click Create Account Store.
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
Select the Actions tab and then click Create Account Store.
Under System Types, search for Workday.
Click the record for Workday to select the type and then click Submit.
Enter the following information in the Azure Microservice Configuration form:
Name – Name of the account store
Microservice URL – The URL to the app service hosting the Workday SCIM microservice
Azure AppID – The ID of the application you registered in Azure AD for EmpowerID
Azure Directory (Tenant) ID – The ID of your Azure tenant
Certificate Thumbprint – Thumbprint of the certificate you uploaded to your Azure tenant
When ready, click Submit to create the account store.
Step 7 – Verify Workday resource system parameters
Return to the Find Account Stores page and search for the Workday account store you just created.
Click the Account Store link.
Select the Resource System tab and then expand the Configuration Parameters accordion at the bottom of the page.
Verify the following parameters have the correct value:
AzureAppID
AzureTenantID
certificateThumbprint
GetNewOrUpdatedUsersUrl
MicroserviceUrl
Step 8 – Configure Attribute Flow
EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store. The following flow rules are available: No Sync ( Red Circle) — When this option is selected, no information flows between EmpowerID and the native system. Bidirectional Flow (Bidirectional Green Arrow) — When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting. Account Store Changes Only (Left Pointing Arrow) — When this option is selected, changes can only be made in the native system and are then passed to EmpowerID. For Workday, attributes should only flow from Workday to EmpowerID. The Workday connector is read-only. EmpowerID Changes Only (Right Pointing Arrow) — When this option is selected, changes can only be made in EmpowerID and are then passed to the native system. The following CRUD operations are available: Create — This operation is used to create an attribute value for an existing attribute when the value of that attribute is null. Update — This operation is used to update the value of an attribute. Delete — This operation is used to delete the value of an attribute. On the Account Store Details page for the Workday account store, select the Attribute Flow Rules tab. Review the attribute flow and revise as needed. EmpowerID translates the attributes in Workday to SCIM for use with the connector and represents those attributes in EmpowerID as External Directory Attributes. You map these attributes to EmpowerID Person attributes to ensure that any changes occurring to user attributes in Workday flow to the EmpowerID Person, as well as any other user accounts owned by the Person. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory. Workday Attribute SCIM Attribute EmpowerID Person Attribute Country_Reference.ISO_3166-1_Alpha-2_Code addresses[?@.type=="BUSINESS"].country Country Business_Site_Summary_Data.Name siteName JobLocationName Organization_Data.Organization_Name.COST_CENTER Organization[?(@.organizationType=='COST_CENTER')].organizationName CostCenter Organization_Data.Worker_Organization_Data.Cost_Center_Reference_ID ['urn:ietf:params:scim:schemas:extension:AdAdditionalData:2.0:User']['WorkDayDataExtension']['departmentNumber'] DepartmentNumber Organization_Data.Organization_Name.Division Organization[?(@.organizationType=='Division')].organizationName Division Worker_Data.Worker_ID urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber EmployeeNumber Legal_Name_Data.Name_Detail_Data.First_Name name.givenName FirstName Legal_Name_Data.Name_Detail_Data.Middle_Name name.middleName MiddleName Legal_Name_Data.Name_Detail_Data.Last_Name name.familyName LastName Preferred_Name_Data.Name_Detail_Data.First_Name nickName PreferredFirstName Preferred_Name_Data.Name_Detail_Data.Last_Name preferredLastName PreferredLastName Address_Data.Municipality addresses[?(@.type=='BUSINESS')].locality City Country_Region_Descriptor addresses[?(@.type=='BUSINESS')].region State Address_Data.Postal_Code addresses[?(@.type=='BUSINESS')].postalCode PostalCode Address_Data.AddressLineData addresses[?(@.type=='BUSINESS')].streetAddress StreetAddress PhoneData.PhoneNumber.Communicationtype=WORK phoneNumbers[?(@.type=='work')].value BusinessPhone Position_Data.Business_Title title Jobtitle Organization_Data.Organization_Name.COMPANY Organization[?(@.organizationType=='COMPANY')].organizationName Company Worker_Type_Reference.Employee_TypeID userType EmployeeType Worker_Data.User_ID userName LogonName Worker_Status_Data.Active active Status Worker_Status_Data.Hire_Date hireDate HireDate Worker_Status_Data.Termination Date terminationDate TerminationDate Manager_as_of_last_detected_manager_change_Reference. EmployeeID ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value'] ManagerPersonID FirstName, Lastname displayName DisplayName Country_Reference.ISO_3166-1_Alpha-3_Code addresses[?(@.type=='BUSINESS')].country Country Email_Address_Data.Email_Address emails[?(@.type=='work')].value Email PhoneData.PhoneNumber.Communicationtype=FAX phoneNumbers[?(@.type=='fax')].value Fax PhoneData.Phonenumber.Communicationtype=HOMEPHONE phoneNumbers[?(@.type=='home')].value HomeTelephone NumberData.Phonenumber.Communicationtype=MOBILENUMBER phoneNumbers[?(@.type=='mobile')].value MobilePhone PhoneData.Phonenumber.Communicationtype=TELEPHONE phoneNumbers[?(@.type=='other')].value Telephone name.honorificSuffix GenerationalSuffix WorkerData.User_ID externalId EmailAlias EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID.
Attribute translation from Workday to the EmpowerID SCIM connector is as follows:
Step 9 – Create Dynamic Hierarchy policies to generate roles and location (Optional)
If desired, you can use Dynamic Hierarchy policies to generate external roles and locations based on specific user attributes, such as Job Title
and Department
. The external roles and locations can then be used to map corresponding EmpowerID logical locations. Please see Use Dynamic Hierarchy Policies to Create External Roles and Locations for information on setting this up. When completed, return to this article and complete steps 10 and 11.
Step 10 – Configure the Workday account store
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
Search for the Workday account store and click the Account Store link for it.
On the Account Store Details page, click the Edit link to put the account store in edit mode.
This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Workday instance as well as how you want EmpowerID to handle the user information it discovers in Workday during inventory. Settings that are relevant to Workday are described in the table below the imageAccount Store Settings
Setting
Description
Authentication and Password Settings
Password Manager Policy for Accounts without Person
Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.
Provisioning Settings
Allow Person Provisioning (Joiner Source)
Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.
Allow Attribute Flow
Specifies whether attribute changes should flow between the account store and EmpowerID.
Allow Provisioning (By RET)
Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
Allow Deprovisioning (By RET)
Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Max Accounts per Person
This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Business Role Settings
Allow Business Role and Location Re-Evaluation
Specifies whether Business Role and Location re-evaluation should occur for the account store
Business Role and Location Re-Evaluation Order
This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence.
Inventory Auto Provision OUs as IT System Locations
Specifies whether OUs in the external system are added as IT System locations in EmpowerID. If true, the OUs appear under the All IT Systems location node.
Inventory Auto Provision External Roles as Business Roles
Specifies whether EmpowerID should provision Business roles for external account store roles
If you are using Dynamic Hierarchy policies to generate custom external roles and locations, this options should be left disabled.
Default Person Business Role
Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Default Person Location (leave blank to use account container)
Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Special Use Settings
Automatically Join Account to a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.
Automatically Create a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.
Inventory Settings
Inventory Schedule Interval
Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Inventory Enabled
Allows EmpowerID to inventory the user information in the account store.
Edit the account store settings as needed and then enable inventory as shown below.
Step 11 – Enable Inventory on the account store
By default, EmpowerID inventories account stores once every 10 minutes. However, Workday updates user data once every 24 hours. As this is the case, EmpowerID recommends that you set the interval level to once every 12 hours or once every 24 hours. If you do not change the default, inventory still occurs, but the data in the account store will not update until Workday updates.
On the Account Store Settings page, select the Inventory tab.
Under Inventory Schedule Interval, do the following:
Optionally, select a Start and End date for inventory to occur
Select Hour Interval
Interval – Enter either 12 or 24.
Inventory Enabled – Toggle to enable EmpowerID to inventory Workday.
Click Save to save your changes to the account store.
Now that inventory is enabled for the account store, the next step is to turn on the Account Inbox permanent workflow. This workflow is responsible for fetching and processing new user accounts.
Step 12 – Enable the Account Inbox Permanent Workflow
On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.
On the Permanent Workflows page, click the Display Name link for Account Inbox.
On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.
Check Enabled.
Click Save to save your changes.
Step 13 - Map Role and Locations
EmpowerID Role and Location mappings allow multiple AD, LDAP or other external directory containers to be visually mapped to one or more roles and logical locations in EmpowerID for unified and easy management. For roles, when a mapping occurs, all the external roles are assigned to a corresponding EmpowerID Business Role. This ensures that users with roles in the external directory will have those same roles in EmpowerID.
For locations, when a mapping occurs, all the resources or objects located in the directory container are assigned to a corresponding EmpowerID location, allowing you to use those locations for delegating user access and setting default policy settings. If you create these mappings before your first inventory, all new people discovered by EmpowerID during the inventory process will be provisioned in EmpowerID locations (instead of directory locations), and those EmpowerID locations will be assigned to them as the "Location" portion of their Business Role and Location (BRL). For example, if you have a user named "Barney Smythe" in a London > Contractors OU and a user named "Kris McClure" in a London > Employees OU and you map both of those London OUs to a single London location in EmpowerID, when you turn on your inventory the Location portion of the BRL for both Barney Smythe and Kris McClure would be the EmpowerID location and not the external OUs.
In situations where you need to create custom external roles and locations using Dynamic Hierarchy policies, you will need to map roles and locations after inventory. When this is the case, EmpowerID places users discovered during inventory in the Temporary Role and Temporary Location. Once mapping is complete, the Role and Location Compiler job creates inbox entries for those users and the Role and Location Processor job processes those entries and places those users in the appropriate Business Role and Location.
On the navbar, expand Identity Lifecycle and select Role and Location Mapper.
Select the Role Mapper tab.
In the External Source Business Role pane of the Role Mapper tab, do the following:
In the first (upper) field - Search for and select the external directory containing the role you want to map, and
In the second (lower) field - Enter the name of the external role you want to map and press ENTER to load the role.
Select the role from the tree.
Select the Location Mapper tab.
In the External Source Location pane of the Location Mapper tab, do the following:
In the first (upper) field - Search for and select the external directory containing the location you want to map and
In the second (lower) field - Enter the name of the external location you want to map and press ENTER to load the location.
Select the location from the tree.
In the Internal Destination Location pane, enter the name of the EmpowerID location to which you want to map the external directory location and then select the location from the tree.
Click Save to save the mapping.
Repeat for any other mappings you wish to create.
If you select an external role or an external location that is a parent role or location, the children of that role or location will be mapped to the selected EmpowerID location.
See Also
Use Dynamic Hierarchy Policies to Create External Roles and Locations
IN THIS ARTICLE
- No labels