Workday

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) using SAML and provisioning for Workday.

About Workday

Workday is a SaaS (Software as a Service) based human capital management system and supports the financial management system for the organizations. Workday offers one system for all your organizational activity such as finance, inventory, recruiting, and payroll.

After integrating Workday with Oracle Identity Cloud Service:

• Users can access Workday using their Oracle Identity Cloud Service login credentials.
• Users can start Workday using the Oracle Identity Cloud Service My Apps console.
• Admins can assign and revoke user access to the Workday app using the Oracle Identity Cloud Service administration console.

What Do You Need?

• An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
• A Workday account with authorization rights to configure federated authentication.
• Ensure that the User Name of each user in Workday matches the User Name of the Oracle Identity Cloud Service account.

Configuring the Workday App in Oracle Identity Cloud Service

Use this section to register and activate the Workday app, and to enable provisioning and synchronization for Workday. You can then assign users or groups to the Workday app and start the user provisioning process.

Prerequisite Step

A tenant name and a workday host name are required before you can register and activate the Workday app. You obtain these values from the Workday team.

The tenant name and workday host name appears in the Workday home URL: https://<Workday_Host>/<Tenant_Name>/login-saml2.htmld.

A user name and password of a Workday user (known as an integration system user) is required before you can configure provisioning in Workday connector.

1. Access Workday using the URL: https://<Your_Workday_URL>/login.flex?redirect=n. If you log into https://xyz.workday.com/login-auth.html, your Workday URL is: https://xyz.workday.com.

2. Search for Create Integration System User, click Create Integration System User, and then OK. The Create Integration System User page appears.

3. Enter a new user name, new password, new password verify, and then click OK.

4. Create a new Security Group.

   a. Search for Create Security Group, and then click Create Security Group. The Create Security Group page appears.

   b. Select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group drop-down list, enter a new group in the Name field, and then click OK. The Edit Integration System Security Group (Unconstrained) page appears.

   c. Enter your integration system user name in the Integration System Users field, and then click OK.

   Note: If you need to edit this group in future, search for your security group name in the search box.

5. Ensure that the group (which you created) has access to the following business domains required for Workday integration.

   a. Search for Domain Security Configuration, and then click Domain Security Configuration. The Domain Security Configuration page appears.

   b. Enter the domain name in the Domain field, and then click OK.

   c. On the next page, click the ellipsis (a set of dots) next to domain name, and then navigate to Domain > Edit Security Policy Permissions.

   d. Under Integrated Permissions, click the add icon, enter your security group (which you created), and then select the Get and Put check boxes as per the business domain.

   e. Click OK.

   Repeat steps 4a–4e for the following domains:
   • Worker Data: All Positions
   • Worker Data: Business Title on Worker Profile
   • Worker Data: Current Staffing Information
   • Worker Data: Public Worker Reports

6. Activate the integration user account to have the necessary permissions.

   a. Search for Activate Pending Security Policy Changes, and then click Activate Pending Security Policy Changes. The Activate Pending Security Policy Changes page appears.

   b. Enter a comment (required).

   c. Select the Confirm check box.

   d. Click OK to activate.

Obtaining the Oracle Identity Cloud Service Metadata and Certificate

An identity provider metadata is required to configure SSO for Workday. Use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata, and then save as a .xml file.

Steps to obtain the X509 Certificate into a format that is suitable for Workday.

1. Open the metadata file, locate the md:IDPSSODescriptor tag.

2. Copy the content between the dsig:X509Certificate tags into a text file. This content is the Oracle Identity Cloud Service certificate.

3. Add -----BEGIN CERTIFICATE----- at the beginning of the content.

4. Add -----END CERTIFICATE----- at the end of the content.

5. Save the file with an extension of .crt.

   Tip: Use this file later during the Workday configuration in the "Configuring SSO for Workday and Obtaining Workday Signing Certificate" section.

Configuring SSO for Workday and Obtaining Workday Signing Certificate

1. Access Workday as an administrator using the URL: https://<Workday_Host>/wday/authgwy/<Tenant_Name>/login.htmld. The Workday home page appears.

2. In the upper-left corner, search for Edit Tenant Setup - Security, and then click Edit Tenant Setup - Security.

3. Under the Single Sign-on section, click the add row (+) icon.

4. Use the table to update the federated authentication attributes.

   Attribute	Settings
   Redirect Type	Select the Single URL radio button.
   Login Redirect URL	Enter the Login Redirect URL: https://<Workday_Host>/<Tenant_Name>/login-saml2.htmld.
   Logout Redirect URL	Enter the Logout Redirect URL: https://<Workday_Host>/<Tenant_Name>/login.htmld?redirect=n.
   Environment	Select the appropriate option from the drop-down list. Select the Workday Environment (such as Conversion Testing, Implementation, Production, Sales, Sandbox, or Testing) to which these URLs apply.

5. Under the SAML Setup section, click the Enable SAML Authentication check box, and then click the add row (+) icon.

6. Use the table to update the federated authentication attributes.

   Attribute	Settings
   Identity Provider Name	Enter the Identity Provider Name.
   Issuer	Enter the Identity Provider Entity ID/Issuer URL. Use the metadata file that you created earlier to obtain the Entity ID/Issuer URL. See the "Obtaining the Oracle Identity Cloud Service Metadata and Certificate" section.
   x509 Certificate	Click Create x509 Public Key from the drop-down list.
   Name	Enter a name for the certificate.
   Certificate	Copy the certificate contents from the certificate that you created while performing the steps in the "Obtaining the Oracle Identity Cloud Service Metadata and Certificate" section, then paste into the Certificate box, and then click OK.
   Enable Workday Initiated Logout	Select the check box.
   Logout Request URL	Enter the Logout Request URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/slo.
   Use Unspecified Name ID Format for Logout Request	Select the check box.
   SP Initiated	Select the check box.
   IdP SSO Service URL	Enter the IdP SSO Service URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
   Used for Environments	Select the appropriate option from the drop-down list. Select the Workday Environment (such as Conversion Testing, Implementation, Production, Sales, Sandbox, or Testing) to which these URLs apply.
   x509 Private Key Pair	Click Create x509 Private Key Pair from the drop-down list.
   Name	Enter a name for the certificate, and then click OK.
   Service Provider ID	Enter the Service Provider ID: http://www.workday.com.
   Enable SP Initiated SAML Authentication (Will be Deprecated)	Select the check box.
   Sign SP-initiated Authentication Request	Select the check box.
   Do Not Deflate SP-initiated Authentication Request	Select the check box.
   Authentication Request Signature Method	Select SHA256 from the drop-down list.

7. Click OK.

8. In the x509 Private Key Pair field, click Related Actions(...), and then click x509 Private Key Pair.

9. Copy the entire content of the Public key field.

10. Create a file with an extension of .crt and save it.

    Tip: Use this file later during the Workday "Registering and Activating the Workday App" section.

11. Click Done.

Note:

1. Enabling SSO deactivates the ability to log in using the Workday user name and password. Remain logged in to the Workday session until you complete the next section to verify that Identity Provider initiated SSO from Oracle Identity Cloud Service works.

2. You can access the Workday using Workday user name and password using the URL: https://<Workday_Host>/<Tenant_Name>/login.htmld?redirect=n.

Registering and Activating the Workday App

1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

2. Click App Catalog.

3. Search for Workday, and then click Add.

4. In the App Details section, enter the Workday Host and Tenant Name, and then click Next.

   Note: These are the values that you obtained in the "Prerequisite Step" section.

5. In the App Details section, click Upload to upload signing certificate.

   Tip: This is the file that you created during the Workday configuration in the "Configuring SSO for Workday and Obtaining Workday Signing Certificate" section.

6. Click Next to enable provisioning and synchronization for Workday. For details, see the "Enabling Provisioning and Synchronization for Workday" section.

7. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

8. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for Workday

Use this section to enable provisioning and synchronization for managing user accounts in Workday through Oracle Identity Cloud Service.

Enabling Provisioning

1. On the Provisioning page, select Enable Provisioning.

2. Use the table to update the provisioning attributes, and then click Test Connectivity. A success message is displayed stating that the connection is successful.

   This table lists the provisioning attributes that you must set to enable provisioning.

   Attribute	Settings
   Workday Service Host	Enter the Workday service host name. You obtain this value from the Workday team.
   Tenant Name	Enter the tenant name that you obtained while performing the steps in the "Prerequisite Step" section.
   User Name	Enter the user name that you obtained while performing the steps in the "Prerequisite Step" section.
   Password	Enter the password that you obtained while performing the steps in the "Prerequisite Step" section.
   Get Workers with Workday Account (Optional)	Select the check box. This allows you to import only Workday workers who have Workday accounts. Note: If this check box is not selected, this allows you to import all workers including Non-Workday workers. In this case, a Non-Workday worker account gets created in Oracle Identity Cloud Service with Workday Employee ID instead of user name.

3. To view predefined attribute mappings between the user account fields defined in Workday and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, click Application to Identity Cloud, and then click OK.

   Predefined attributes: account.firstName, account.lastName, account.name, account.emailAddress, account.active, and account.uid.

   Optional attributes: employeeNumber, workerType, positionTitle, fullName, municipality, streetAddress, state, postalCode, phoneNumberWork, phoneNumberHome, costCenter, supervisoryOrg, country, prefix, suffix, hireDate, originalHireDate, and terminationDate.

   Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the Workday Account, Maps to, and User columns, and then click OK. For example, if you want to add the Position Title field, enter $(position.title) in the Workday Account column, and then select the corresponding fields from the drop-down list in the Maps to and User columns.

4. Under Select Provisioning Operations section, select the Authoritative Sync check box.

Enabling Synchronization

On the Provisioning page, select Enable Synchronization.

After enabling provisioning and synchronization for Workday, you can synchronize the existing account details from Workday with Oracle Identity Cloud Service. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) or from Workday (SP initiated SSO or SLO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

2. Log in using credentials for a user that is assigned to the Workday app. Oracle Identity Cloud Service displays a shortcut to Workday under My Apps.

3. Click Workday. The Workday home page appears.

4. Confirm that the user that is logged in is the same for both Workday and Oracle Identity Cloud Service.

   This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Workday

1. Access Workday using the URL: https://<Workday_Host>/<Tenant_Name>/login-saml2.htmld. You are redirected to the Oracle Identity Cloud Service login page.

2. Log in using credentials for a user that is assigned to the Workday app. The Workday home page appears.

3. Confirm that the user that is logged in is the same for both Workday and Oracle Identity Cloud Service.

   This confirms that SSO that is initiated from Workday works.

Verifying Single Log-Out (SLO) from Workday

1. Access Workday from the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole. The Workday home page appears.

2. Log out from the Workday.

3. Confirm that the user is logged out of the Oracle Identity Cloud Service My Profile console login page.

   This confirms that SLO that is initiated from Workday works.

   Note: The user is logged out of both Oracle Identity Cloud Service and the Workday app when log out is initiated from the Workday app.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Workday displays the message, “Invalid user name or password, please try again. Note: You may not be able to change or reset your password from Workday if your account uses a corporate password."

Cause: The user name attribute sent by Oracle Identity Cloud Service during SSO does not match any existing user in Workday.

Solution: Ensure that the user name that you assign to the Workday app has an account in both Oracle Identity Cloud Service and Workday with the same user name.

Oracle Identity Cloud Service displays the message, “You are not authorized to access the app. Contact your system administrator." or “There is a problem with your account. Please contact Support."

Cause: The SAML 2.0 integration between the Oracle Identity Cloud Service Workday app and Workday is deactivated.

Solution:

• Access the Oracle Identity Cloud Service administration console, select Applications, and then select Workday.
• In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Oracle Identity Cloud Service displays the message, “You are not authorized to access the app. Contact your system administrator."

Cause: The administrator revokes access for the user at the same time that the user tries to access the Workday app using Oracle Identity Cloud Service.

Solution:

• Access the Oracle Identity Cloud Service administration console, select Applications, and then select Workday.
• In the App Details section, select Users, and then click Assign to re-assign the user.

In case of all Workday worker accounts are not created in the Workday.

Solution: Ensure that the user account that you imported in the Workday has a first name, last name and email.

Unknown Issues

For unknown issues, contact Oracle Support:

1. Go to https://support.oracle.com.

2. Select Cloud Support, and then sign in with your support credentials.

3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

4. Select Oracle Identity Cloud Service as the service type.

5. Complete your service request.