
5 Reasons to User Provision in the Cloud with Workday Driven Identity Management

Learn about the five reasons to user provision in the cloud with Workday driven Identity Management.



Employers collect and store a substantial amount of personal information about their employees - from evaluating applicants during the hiring process, to administering payroll and employee benefit plans, to managing terminations and other post-employment benefits. As more enterprises adopt HR management systems - for example, Workday - more personal data is being transferred and shared within and between organizations to manage the entire employee lifecycle.

Many of these same enterprises use another data store, Active Directory (AD), to manage another set of employee-related data. Initially AD stored employee IT-related data only, but AD has been expanded over the years to include basic employee identity data as well. Examples include public information (name, work location), private information (salary), logon credentials (username, password), remote access (VPN) and web (URL) information. It is estimated that 95 percent of medium to large enterprises use AD, making it the de facto directory standard.

Though AD and Workday manage and store different employee data attributes, their combined collective information can be used to manage the entire employee lifecycle. While an increasing number of enterprises are moving in that direction, securing this data represents a business challenge for the enterprise. Misuse or loss of employee data opens up the enterprise to risk and liability.

Simplifying and Securing Employee Data Stores

Another layer of complexity exists because the technical challenge of migrating, integrating, synchronizing, and managing these two directories to provide for employee lifecycle management requires specific knowledge of both products, significant time, and experienced personnel. Even in a “best case” scenario, it takes weeks or sometimes months for a system integrator to plan and complete the project.

To further complicate matters, extending AD into non-Windows environments such as the cloud - or into alternative sources of identity - requires federation services. Microsoft’s solution to cloud integration for AD-centric networks is AD Federation Services (ADFS). While ADFS is “free”, it requires additional hardware, software and IT resource costs that increase the complexity of the infrastructure and the resource burden on IT. These costs and complexities are detailed in our whitepaper “Total Cost of Ownership AD FS vs OneLogin”.

OneLogin and Workday - Seamless User Provisioning in the AD Centric Network

The integration of Workday and OneLogin alleviates the pain of managing AD. With OneLogin, IT designates Workday as the single authoritative source of identity and hands basic user app provisioning and deprovisioning over to HR - without affecting the existing AD deployment configuration.

Enterprises that use Workday augment the role AD plays in user provisioning and deprovisioning by leveraging OneLogin for Workday as a true HR-driven identity lifecycle management solution. While IT still owns the policy for role-based access to IT resources, OneLogin’s integration with Workday gives HR the ability to securely and instantly on- and off-board users without burdening IT. This eliminates the delay in communicating employee status changes between departments and closes the window of risk that opens when a terminated employee still holds access to company resources.

From a technical perspective, there are 5 reasons to user provision apps with Workday-driven identity management. These 5 reasons underscore where OneLogin, Workday and AD work together to increase compliance and make IT and HR’s jobs easier.

Streamline Data Flow And Synchronization

OneLogin for Workday solves the enterprise single sign-on problem and permits the flow of Workday information into AD. Updates within Workday are transparently synchronized with OneLogin, which in turn automatically synchronizes those changes with AD and other cloud-based applications.

Automate New Employee Record Mapping Into AD

Once HR personnel create a new employee record, OneLogin can use the employee record information from Workday to map each user to an existing organizational unit within AD. This enables HR personnel to easily and fully on- and off-board users within the network.

Custom Map Extended Attributes

Extended attributes are critical when combining an HR solution with AD. OneLogin can build a custom report that maps extended Workday attributes to OneLogin fields, which propagates that data into OneLogin. In turn, OneLogin can relay the data from these fields into AD. This solves the problem of manually replicating and maintaining identity data in two separate repositories.

Increase Policy Definition

A minimum, default set of attributes is used in AD to define a user’s identity. However, organizations often require extended attributes to provide a more descriptive definition of identity. Extended attributes in Workday can be easily mapped via OneLogin to increase the granularity of access control and application policies within AD. Policies granting access to IT resources can then be created based on humanistic, non-default attributes within Workday such as “Worker Type”, “Location”, “Business Unit”, “Manager ID”, or “Manager Username”.

Maintain Administrative System Boundaries

With the integration of Workday into OneLogin, HR can provision and deprovision users in AD without requiring direct administrative access to the AD directory structure itself. This allows IT to keep control of the most critical aspects of managing network and application access, while relinquishing responsibility for user account creation, suspension or removal to the HR department.
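The five reasons above describe one procedure: a Workday record drives the AD organizational unit a user lands in, the extended attributes written to AD, the account's enabled state, and the access policy derived from attributes such as Worker Type and Business Unit. The following is an added example (not OneLogin's or Workday's code) that models that joiner/mover/leaver logic on constructed sample records; the Workday field names, OU layout, domain and the `extensionAttribute1` slot are all assumptions.

```python
# Added example (not OneLogin's or Workday's code) modelling the HR-driven
# joiner/mover/leaver flow above. Workday records are constructed sample data,
# the AD target state is a dict rather than an LDAP write, names are assumptions.
BASE_DN = "DC=example,DC=com"  # placeholder domain

# Constructed Workday-style worker records (field names assumed).
WORKDAY_WORKERS = [
    {"employee_id": "E1001", "username": "jdoe", "worker_type": "Employee",
     "location": "London", "business_unit": "Finance", "manager_id": "E0900",
     "manager_username": "asmith", "status": "Active"},
    {"employee_id": "E1002", "username": "ctran", "worker_type": "Contractor",
     "location": "Austin", "business_unit": "Engineering", "manager_id": "E0901",
     "manager_username": "bkim", "status": "Terminated"},
]

def target_ou(worker):
    """Map Workday attributes onto an existing AD OU tree (layout assumed)."""
    return (f"OU={worker['business_unit']},OU={worker['location']},"
            f"OU={worker['worker_type']}s,{BASE_DN}")

def to_ad_attributes(worker):
    """Relay extended Workday attributes into AD attributes; all are standard
    schema names except extensionAttribute1, an assumed slot for the manager."""
    return {
        "employeeID": worker["employee_id"],
        "employeeType": worker["worker_type"],
        "department": worker["business_unit"],
        "physicalDeliveryOfficeName": worker["location"],
        "extensionAttribute1": worker["manager_username"],
    }

def desired_ad_state(worker):
    """Leaver handling: any non-Active status disables the account in the same
    sync run (userAccountControl 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE)."""
    active = worker["status"] == "Active"
    return {
        "dn": f"CN={worker['username']},{target_ou(worker)}",
        "enabled": active,
        "userAccountControl": 512 if active else 514,
        "attributes": to_ad_attributes(worker),
    }

def access_policy(worker):
    """Entitlements derived from Workday attributes, not manual AD group edits."""
    if worker["status"] != "Active":
        return set()  # terminated users keep no entitlements
    groups = {f"App-{worker['business_unit']}"}
    if worker["worker_type"] == "Employee":
        groups.add("App-Payroll")  # contractors never get payroll access
    return groups
```

Because the terminated record produces a disabled account and an empty entitlement set in the same pass, the HR status change alone closes the access window without a separate IT ticket.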


Modern Employee Lifecycle Management can now leverage two complementary data directories: Active Directory and Workday. These data stores contain necessary, yet sensitive, information on each employee and are the core for on/off boarding and employee record changes. Securing this data is vital because of the business risk of unsecured employee data.

The technical complexity of AD and Workday integration is also a challenge, as it requires specific expertise, dedicated resources and time. It also requires the integration of additional products such as AD Federation Services (ADFS), which requires its own hardware and software support ecosystem.

OneLogin reduces the risk and complexity of implementing Workday-driven identity management integrated with Active Directory while eliminating the need for any additional on-premises hardware or software. Enterprises can now automate their user provisioning workflows between Workday and AD, secure employee data, simplify employee lifecycle processes, increase compliance, and ease both IT’s and HR’s workload.