1 About the Workday Connectors
Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.
The Workday connector lets you create and onboard Workday applications in Oracle Identity Governance.
Note:
- In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application.
- The term Provisioning in this guide refers to Updating Worker Contact Details operation only.
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using a single, simplified UI.
Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
You can use Workday connectors to create and onboard Target applications and Authoritative applications in Oracle Identity Governance. The connector bundle provides two separate versions (XML files) of the connector for this purpose.
The following topics provide a high-level overview of the connector:
Note:
In this guide, Workday connectors refers to the connectors for both Authoritative and Target applications.
1.1 Certified Components
These are the software components and their versions required for installing and using the connector.
Table 1-1 Certified Components
Component | Requirement for AOB Application |
---|---|
Oracle Identity Governance | You can use one of the following releases: |
Target System | Workday 2020 R1 or later |
Connector Server | 11.1.2.1.0 or 12.2.1.3.0 |
Connector Server JDK | JDK 1.8 or later |
1.2 Usage Recommendation
If you are using Oracle Identity Governance 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
1.3 Certified Languages
These are the languages that the connector supports.
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English (US)
- Finnish
- French
- French (Canadian)
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
1.4 Supported Connector Operations
This is the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations
Operation | Supported for Authoritative Connector? | Supported for Target Connector? |
---|---|---|
User Management | | |
Create Workday Account | No | Yes |
Update Workday Account | No | Yes |
Reset Workday Account Password | No | Yes |
Reconcile Worker | Yes | Yes |
Update Contact Details | No | Yes |
Secondary Phone Numbers Management | | |
Add secondary phone number | No | Yes |
Update secondary phone number | No | Yes |
Remove secondary phone number | No | Yes |
Secondary Email Management | | |
Add secondary email | No | Yes |
Update secondary email | No | Yes |
Remove secondary email | No | Yes |
Security Group Management | | |
Add Group | No | Yes |
Remove Group | No | Yes |
Note:
Update Contact Details in this guide refers to updating the work email, home email, work phone, work phone device type, home phone, and home phone device type attributes.
Note:
Create Workday Account, Update Workday Account, Reset Workday Account Password, and Security Group Management features are supported from version 12.2.1.3.1 (Target Connector).
1.5 Connector Architecture
The connector uses Workday webservices to synchronize user attributes between Oracle Identity Governance and Workday Directory, and is implemented using the Identity Connector Framework (ICF) component.
The ICF is a component that is required to use Identity Connector. ICF provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as buffering, timeouts, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.
You can configure the connector to run in one of the following modes:
- Identity Reconciliation: Identity reconciliation is also known as authoritative or trusted source reconciliation. In this mode, the target system is used as the trusted source and users are directly created and modified on it. During reconciliation, each user record fetched from the target system is compared with existing OIM Users. If a match is found between the target system record and the OIM User, then the OIM User attributes are updated with changes made to the target system record. If no match is found, then the target system record is used to create an OIM User.
- Account Management: Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
  - Target Resource Reconciliation: The basic function of this connector is to enable management of employee data on the Workday target application through Oracle Identity Governance. You can create and manage employee records for OIG users through provisioning. In addition, data related to newly created and modified employee records can be reconciled (using scheduled tasks) and linked with existing OIG users and provisioned resources.
  - Update Contact Data: Provisioning involves creating or updating worker contact data (Email and Phone data) on the target system through Oracle Identity Governance.

Figure 1-1 shows the architecture of the Workday connector.
Figure 1-1 Connector Architecture of the Workday Target Connector
As shown in this figure, the Workday connector enables you to use the target system as a managed resource (target) of identity data for Oracle Identity Governance.
Through the provisioning operations that are performed on Oracle Identity Governance, contact details are updated in the target system for Oracle Identity Governance Users. During provisioning, the adapters invoke an ICF operation. ICF in turn invokes the update operation on the Workday Identity Connector Bundle, and the bundle then calls the target system API for provisioning operations. The Workday SOAP API on the target system accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the response from the target system back to the bundle, which passes it to the adapters.
During reconciliation, a scheduled task invokes an ICF operation. ICF in turn invokes a sync operation on the Workday Identity Connector Bundle, and the bundle then calls the Workday Get Workers API for the reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
Each record fetched from the target system is compared with Workday resources that are already provisioned to OIG Users. If a match is found, then the update made to the Workday record from the target system is copied to the Workday resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each OIG User. If a match is found, then data in the target system record is used to provision a Workday resource to the OIG User.
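The matching rule described above, as an added sketch in Python (not Oracle's connector code). The `OigUser` class, the field names `worker_id`, `user_id` and `work_email`, and the `unmatched` outcome are assumptions for illustration; the page does not say what happens to a record that matches neither a provisioned resource nor an OIG User, so the sketch only reports it.

```python
from dataclasses import dataclass, field


@dataclass
class OigUser:
    user_id: str
    # Workday resources provisioned to this user: worker_id -> attributes.
    resources: dict = field(default_factory=dict)


def reconcile_target(records, oig_users):
    """Return (action, worker_id) per record: 'update', 'provision' or 'unmatched'."""
    by_resource = {wid: u for u in oig_users for wid in u.resources}
    by_user_id = {u.user_id: u for u in oig_users}
    actions = []
    for rec in records:
        wid = rec["worker_id"]
        owner = by_resource.get(wid)
        if owner is not None:
            # Record matches an already provisioned resource: copy the changes.
            owner.resources[wid].update(rec)
            actions.append(("update", wid))
            continue
        user = by_user_id.get(rec["user_id"])
        if user is not None:
            # User IDs match: provision a Workday resource from the record.
            user.resources[wid] = dict(rec)
            by_resource[wid] = user
            actions.append(("provision", wid))
            continue
        # Neither comparison matched; surfaced here so it can be reviewed.
        actions.append(("unmatched", wid))
    return actions


def sample_users():
    """Constructed sample OIG users; only 'jdoe' already has a Workday resource."""
    jdoe = {"worker_id": "W-100", "user_id": "jdoe", "work_email": "old@example.com"}
    return [OigUser("jdoe", {"W-100": jdoe}), OigUser("asmith")]


# Constructed sample records standing in for a reconciliation response.
SAMPLE_RECORDS = [
    {"worker_id": "W-100", "user_id": "jdoe", "work_email": "new@example.com"},
    {"worker_id": "W-200", "user_id": "asmith", "work_email": "asmith@example.com"},
    {"worker_id": "W-300", "user_id": "ghost", "work_email": "ghost@example.com"},
]

if __name__ == "__main__":
    for action, wid in reconcile_target(SAMPLE_RECORDS, sample_users()):
        print(f"{wid}: {action}")
```

Records that end up `unmatched` are the ones worth reviewing, since they describe target system accounts with no corresponding OIG User.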
The Workday Identity Connector Bundle communicates with the Workday Human Resources webservices using the HTTPS protocol. The Workday Human Resources webservices provides programmatic access through SOAP API endpoints. Applications can use the Workday Human Resources webservices to perform read and update operations on users.
See Also:
Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about ICF.
1.6 Supported Connector Features Matrix
This section lists the features supported by the AOB application.
Table 1-3 Supported Connector Features Matrix
Feature | AOB Application |
---|---|
Perform full reconciliation | Yes |
Perform reconciliation with Transaction Days | Yes |
Perform incremental reconciliation | Yes |
Perform limited reconciliation | Yes |
Reconciliation of Contingent Workers | Yes |
Reconciliation of Workers Without Account | Yes |
Use connector server | Yes |
Configure validation and transformation of account data | Yes |
Support for pagination | Yes |
Test connection | Yes |
Clone applications or create new application instances | Yes |
Provide secure communication to the target system through SSL | Yes |
Note: The features below are supported from version 12.2.1.3.1 (Target Connector). | |
Perform Provisioning | Yes |
Reset Password | Yes |
Add or Remove Security Groups (Entitlement) | Yes |
Reconcile the Account Attributes and Security Groups | Yes |
1.7 Connector Features
The features of the connector include full reconciliation, batched reconciliation, limited reconciliation, connection pooling, SSL communication, and so on.
The following are the features of the connector:
1.7.1 Support for Trusted Source and Target Resource Reconciliation
There are two versions of the connectors available to provide support for trusted source (authoritative application) and target resource (Target application) reconciliation.
You can use the Workday authoritative connector to integrate Workday as a trusted source of Oracle Identity Governance. In this mode, the connector reconciles all the person types that are supported by the Workday application.
In the target resource mode, you can use the Workday target connector to create a Target application to provision and reconcile user records from the Workday application.
1.7.2 Support for Full and Incremental Reconciliation
In full reconciliation, all records are fetched from the target system to Oracle Identity Governance. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
You can switch from incremental to full reconciliation at any time after you deploy the connector. See Performing Full and Incremental Reconciliation for more information on performing full and incremental reconciliation runs.
1.7.3 Support for Reconciliation with Transaction Days
To fetch the future hire date for contractors and the future termination date for an employee during a reconciliation run, you must specify a value for the Transaction Days attribute of the user reconciliation scheduled job.
The Transaction Days attribute helps you to specify the number of days for which the transactions have to be checked for the value of future hire date and future termination date. See Performing Reconciliation with Transaction Days for more information on performing reconciliation for transaction days.
1.7.4 Support for Limited (Filtered) Reconciliation
You can reconcile records from the target system based on a specified filter criterion.
You can set a reconciliation filter as the value of the Filter Query attribute of the user reconciliation scheduled job. This filter specifies the subset of newly added and modified target system records that must be reconciled. The Filter Query attribute helps you to assign filters to the webservices based on which you will get a filtered response from the target system.
See Performing Limited Reconciliation for more information on performing limited reconciliation.
1.7.5 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.7.6 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.7.7 Support for Cloning Applications and Creating Instance Applications
You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.
When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.
For more information about these configurations, see Cloning Applications and Creating an Instance Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.7.8 Secure Communication to the Target System
To provide secure communication to the target system, SSL is required.
You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.
If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.
For information on SSL, see Configuring SSL.