Skip to main content

5 Steps to HR-Driven Identity Management Using Workday

Read this whitepaper to learn about the five steps to HR-Driven Identity Management using Workday.

Download PDF

Minimizing Information Access Risk

For many growing companies that have made cloud a strategic business initiative, Workday is quickly becoming the Human Capital Management (HCM) solution of choice. In many organizations, HR is instrumental in the employee on-boarding process and are usually the first department involved when employees enter or exit the company.

The HR department’s role in the hiring process allows them to maintain the most accurate and up-to-date record of employee status, but are often required to delegate authority to the IT department to implement the manual process of provisioning and deprovisioning employee access within the network. Unfortunately, the delay between HR requesting change and IT implementing those changes can open a window of vulnerability that disgruntled employees can easily take advantage of - potentially causing the company irrevocable damage and loss.

HR Regains Ownership of The Employee Identity Lifecycle
To solve these issues and minimize risk, organizations are beginning to place the ownership of employee status changes back into the hands of the business owners - the Human Resources department - helping to relieve the overall burden on IT. This fundamental shift in ownership helps organizations to streamline the hiring process and minimize any window of potential exposure when employees leave the company.

To do this effectively, Workday must therefore become the primary source for user identity within the enterprise to enable seamless access to cloud and other internal network resources - without impacting the integrity of other existing identity repositories.

Streamline User Provisioning Workflows with Workday

Organizations looking to leverage Workday as the primary system of record for user identity and application access control can speed deployment with preconfigured integration into OneLogin’s enterprise identity management system. OneLogin allows enterprises to streamline their user provisioning workflows between Workday, Active Directory (AD) and other cloud applications to simplify user identity and employee lifecycle management processes, provision new applications faster, and strengthen security by removing the need for multiple application user accounts and passwords.

How Do I Get Started?

Step 1: Provision Active Directory with Workday Identity
Once a OneLogin account has been created, the administrator can easily add Workday as the authoritative source of identity for Onelogin and in turn, all other cloud applications used within the organization. For enterprise environments using both Workday and Active Directory, Workday can replace Active Directory as the primary identity repository or feed user data into Active Directory. Accounts can be quickly propagated and provisioned within Active Directory based on the users and groups already existing in Workday.

To do this, OneLogin’s Active Directory Connector is deployed as a Microsoft Windows service behind the firewall. The Active Directory Connector maintains a secure, outbound, persistent SSL connection to OneLogin and is used to synchronise changes between Workday and Active Directory. As user additions and changes are made in Workday, Onelogin ensures that records maintained in Workday are synchronized automatically with Active Directory.

Step 2: Configure SAML For Workday
From the Onelogin console, administrators can quickly configure the SAML Identity Providers and download an X.509 Public Key, which is then used by Workday to verify the authenticity of SAML responses. OneLogin uses SAML to authenticate users into Workday and other application resources without requiring additional password authentication from the user.

In many organizations, roles have become the primary method used to assign access rights and permissions to defined groups of employees. Roles are the key component of OneLogin and are used to grant users access to an application. Roles are typically linked to specific groups in the corporate directory and members of that group are then granted access to the applications in OneLogin.

Step 3: Configure Desktop SSO For Workday, Cloud and Enterprise Applications
OneLogin’s out-of-the-box Workday Connector allows administrators to quickly implement single sign-on functionality within their enterprise environment. Using digital signatures to establish trust between the identity provider and the application, SAML simplifies the centralization of access control by effectively eliminating the need for multiple passwords. This helps to improve the overall security posture of the enterprise and improve employee productivity. OneLogin uses Integrated Windows Authentication (IWA) to automatically sign in users to Workday once they have authenticated to their Windows domain. This integration gives end-users a seamless SSO experience from their desktop for any cloud application as well as their commonly accessed enterprise applications.

With OneLogin, users also have “On The Go” Mobile Access to Workday with more supported mobile platforms and services than anyone else in the industry. OneLogin Mobile enables employees to easily sign into Workday while on the go and gain access to the full Workday application. This provides a seamless user experience across desktops, laptops and mobile devices and equates to lower IT helpdesk requests.

Step 4: Fully Provision Users With Workday-Driven Identity Management
With SAML successfully enabled and single sign-on configured, OneLogin can recognize Workday as a single authoritative source of identity. Updates within Workday will be transparently synchronized with OneLogin. OneLogin then automatically updates LDAP, Active Directory and other cloud-based application identities without IT intervention typically required with manual synchronization processes.

HR personnel can easily create a new employee record in Workday with minimal information such as name, email, title, contact information and a provisioning group identifier. OneLogin then uses the information to map each user to an existing organizational unit within Active Directory, allowing HR personnel to fully provision users from Workday - without the need to access Active Directory directly. This maintains the integrity of both HR and IT system administrative boundaries and avoids any potential conflicts of interest.

Creating or updating a user may also invoke the provisioning to other cloud applications, such as Box, Google Apps, Salesforce and Yammer. OneLogin maps each Active Directory group membership to the Workday role that defines the access policy from a list of available applications. In turn, the real-time synchronization also provides HR with an effective user “kill switch” that automatically deactivates access to user accounts and business critical applications directly from within Workday.

Step 5: Create Custom Identity Fields to Support Extended Attributes
Workday and Active Directory are two solutions that give enterprises the ability to leverage a broad set of extensible identity attributes to further define a user’s identity. OneLogin is able to recognize these attributes previously defined in Workday when synchronized to Active Directory.

OneLogin can also import any identity attributes from Workday through Workday Reports by mapping the custom attribute fields that generated in Workday to field values within OneLogin. Once the user fields have been mapped, Workday can successfully export users automatically with their defined attributes to Onelogin.

Today, any change in employee status requires involvement by the IT department. Onelogin’s seamless integration with Workday allows the HR Department to contribute to the management of the employee lifecycle and simplify the process of employee on- and off-boarding. OneLogin can eliminate the delay in communicating employee status change between HR and the IT department, effectively closing any windows of vulnerability.

By taking these 5 steps to Workday-driven identity lifecycle management, your organization can utilize Workday as the primary system of record for user identity and application access control. OneLogin’s integration with Workday allows enterprises to minimize risk and close these windows of vulnerability by streamlining user provisioning workflows between Workday, Active Directory (AD) and other cloud applications. The value in this integration goes way beyond simplifying the employee lifecycle process. It also enables IT to deliver new applications faster, strengthens security by removing the need for maintaining multiple accounts and passwords per user, and relieves the burden on IT resources by providing basic identity and access management capability to HR Driven Identity Management using Workday.