Overview
To authenticate your Workday account, you will need to provide the following information:
WSDL
ISU Username
ISU Password
Workday Tenant Name
Prerequisites
Please ensure you fulfill all the requirements to set up the integration:
You have Administrator permissions in your company's Workday instance
Instructions
Step 1: Create an Integration System User (ISU)
In your Workday portal, log into the Workday tenant
In the Search field, type Create Integration System User
Select the Create Integration System User task
On the Create Integration System User page, in the Account Information section, enter a user name, and enter and confirm a password
Click OK
Notes:
Due to xml encoding, "&", "<", and ">" cannot be included in the password
Ensure Require New Password at Next Sign In is NOT checked
You'll want to add this user to the list of System Users to make sure the password doesn't expire. To do this, search for the Maintain Password Rules task and add the ISU to the System Users exempt from password expiration field.
Step 2: Create a Security Group and assign an Integration System User
In the Search field, type Create Security Group
Select the Create Security Group task.Click OK
On the Create Security Group page, from the Type of Tenanted Security Group pull-down menu, select Integration System Security Group (Unconstrained).
In the Name field, enter a name
Click OK
On the Edit Integration System Security Group (Unconstrained) page, in the Name field, enter the same name you entered when creating the ISU in the first section
Click OK
Step 3: Configure domain security policy permissions
In the Search field, type Maintain Permissions for Security Group
Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2
Add the corresponding Domain Security Policies depending on your use case:
If you are connecting Workday HRIS
If you are connecting Workday ATS (Recruiting)
Step 4: Activate security policy changes
In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved
Add any relevant comments on the window that pops up
Confirm the changes in order to accept the changes that are being made
Step 5: Validate the authentication policy is sufficient
Check the Manage Authentication Policies section to ensure the ISU you created is added to a policy that can access the necessary domains. It should not be restricted to only the "SAML" Allowed Authentication Types – if this is the case, you can create a new Authentication Policy with a "User Name Password" Allowed Authentication Type.
Editing authentication policies
Create an Authentication Rule, and add the Security Group to the Rule
Make sure the Allowed Authentication Types is set to a specific User Name Password or set to Any
Step 6: Activate all pending authentication policy changes
In the search bar type, activate all pending authentication policy changes
Proceed to the next screen, and confirm the changes. This will save the Authentication Policy that was just created
Step 7: Obtain the web services endpoint
Search in Workday for Public Web Services
Open Public Web Services Report
Hover over Human resources and click the three dots to access the menu.
If you are integrating with your Workday ATS, please find Recruiting instead and access that menu
Click Web Services > View WSDL
Navigate to the bottom of the page that opens and you'll find the host
Copy everything until you see /service. This should look something like https://wd5-services1.myworkday.com/ccx.
Step 8: Enter credentials into the linking flow
Workday URL: Enter the Web Services Endpoint you found from Step 5 into Merge Link
User ID: Enter the Integration System User name for the user created in Step 1.
Password: Enter the Integration System User password for the user created in Step 1
Workday tenant name: Enter your Workday tenant name.
Example: If you sign in at "https://wd5-services1.workday.com/acme", enter "acme"
Notes
Implementation/sandbox tenant Workday accounts will result in slower syncs, as fewer resources are dedicated to the tenant
The password used when setting up an ISU cannot contain an "&" or "<", ">" signs
Please make sure to exempt the ISU Account from MFA and SSO