Workday
Connect your Workday tenant to Opal
Opal's integration with Workday lets you leverage HRIS data as an additional source of truth for users, employee metadata, and their attributes IDP/HRIS Integration. The integration also allows you to manage access to entitlements such as Workday Security Groups and Roles.
Getting Started
To get started, go to the Apps page, click + at the top right, and click Workday. Then, click on the Workday tile.
You will see a form to be completed. Since Workday configures permissions on the field level, the set up process will involve creating a Workday Integration System User and Workday Integration Security Group to ensure it has the necessary permissions. To connect your Workday tenant to Opal, please continue on to the below instructions.
Step 1 - In Workday, Create an Integration System User (ISU)
Navigate to the Workday Search bar, enter Create Integration System User, and select the corresponding Task
In the Create Integration System User modal, enter the Account Information, including User Name, Password, and set the Session Timeout Minutes: 0 (recommended to prevent session expiry as it may lead to the integration timing out before completion)
Step 2 - In Workday, Create a Security Group and assign it an Integration System User
Navigate to the Workday Search bar, enter Create Security Group, and select the corresponding Task
In the Create Security Group modal, for the Type of Tenanted Security Group, select Integration System Security Group (Unconstrained) and enter a Name to represent the ISU.
Once created, Edit the Security Group to associate it with the Integration System User you created in Step 1.
Step 3 - In Workday, Configure Domain Security Policy Permissions
Navigate to the Workday Search bar, enter Maintain Permissions for Security Group, and select the corresponding Task
In the task modal, first set the Operation to Maintain and set the Source Security Group to the Security Group you created in Step 2.
Then, edit the Domain Security Policy Permissions and add the following GET ONLY operations:
| View/Modify Access | Domain Security Policy |
|---|---|
| GET ONLY | Person Data: Work Contact Information |
| GET ONLY | Worker Data: Current Staffing Information |
| GET ONLY | Worker Data: Organization Information |
| GET ONLY | Worker Data: Workers |
| GET ONLY | Worker Data: All Positions |
| GET ONLY | Worker Data: Worker ID |
| GET ONLY | Worker Data: Active and Terminated Workers |
| GET ONLY | Worker Data: Public Worker Reports |
| GET ONLY | Worker Data: Employment Data |
| GET ONLY | Workday Accounts |
| GET ONLY | Integration Build |
In Workday, you can add each by clicking on the + button on the top left of the table, for example:
Step 4 - In Workday, Activate Security Policy Changes
Navigate to the Workday Search bar, enter Activate Pending Security Policy Changes, and select the corresponding Task.
Review and check the Confirm box to activate the Security Policy Changes
Step 5 - In Workday, Manage Authentication Policies
Navigate to the Workday Search bar, enter Manage Authentication Policies, and select the corresponding Report.
Depending on your policy set up, you can choose to edit an existing policy or create a new one.
To create a new one, select Add Authentication Policy on the page.
- Then, select from the dropdown the corresponding Environment you would like the policy to apply to.
- In the table below, add an Authentication Ruleset by selecting the + button on the top left.
- Provide an Authentication Rule Name, set the Security Group to the one you created in Step 2.
- For the Authentication Conditions, select Any
- For Allowed Authentication Types, select User Name Password
Step 6 - In Workday, Activate All Pending Authentication Policy Changes
Navigate to the Workday Search bar, enter Activate All Pending Authentication Policy Changes, and select the corresponding Task.
Add any comments, review, and check the Confirm box to activate the Authentication Policy Changes
Step 7 - In Workday, Obtain the Web Services Endpoint for tenant
Navigate to the Workday Search bar, enter Public Web Services, and select the corresponding Report.
In the table, locate the Human Resources (Public) Web Service, hover over it and click on the ... to the right of the text. Under Web Service, select View WSDL. This will open another page in the browser.
In the new page containing the document tree, you can use Cmd + F / Ctrl + F to find /service, and you should see a URL address that looks like the following:
The corresponding highlighted URL segment up to the /service path will be your Workday Web Services Endpoint. Note that each tenant may have a different endpoint, so a new endpoint would need to be created for each environment you would like to connect. The text directly after /service should represent your Workday Tenant Name. As an example, if your Workday log in URL is https://impl.workday.com/HelloWorld, your Workday Tenant Name would be HelloWorld.
Step 8 - Complete the Opal Form to Connect Workday
In Opal, enter the details based on the Workday items you configured in the previous steps:
- Workday Integration System User username (Step 1)
- Workday Integration System User password (Step 1)
- Workday tenant URL subdomain (Step 7)
- Workday Tenant Name
Once all the information has been correctly filled out, click Create, and your connection should be set up and running!
Updated 11 days ago
Check out how to use Workday as an IDP/HRIS integration