1. Overview
For our connection with Workday, we support two authentication methods:
Below are instructions to connect your Workday account via either of these methods:
2. Connecting to Workday via Basic Authentication
To connect via "Basic Authentication", you'll need the following details to authenticate your Workday account:
- Web Service URL (WSDL)
- ISU Username
- ISU Password
- Workday Tenant Name
Follow these steps to gather these details from Workday:
2.1. Create and Set Up your Integration System User (ISU)
Steps to create your ISU include:
- In your Workday Tenant, in the Search field, type "Create Integration System User". Then select the Create Integration System User task
- Set a user name and password for this user. You can use "Firstbase_ISU" as the user name.
- Keep "Require New Password at Next Sign In" unchecked.
- To ensure the password doesn't expire, you'll want to add this new user to the list of System Users. To do this, search for the Maintain Password Rules task.
- Add the ISU to the System Users exempt from password expiration field.
- Save the user name and password. You'll need the to connect later in the setup flow.
2.2. Create Integration System Security Group
- In Workday, search for "Create Security Group
- On the Create Security Group page, select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group pull-down menu.
- In the Name field, enter a name for the security group (e.g. Firstbase_Security_Group) and click OK.
- On the Edit Integration System Security Group (Unconstrained) page, in the Integration System Users field, enter the same name you entered when creating the ISU in the first section.
- Click OK and save this security group.
2.3. Configure domain security policy permissions for your Security Group
- In the Search field, type Maintain Permissions for Security Group
- Make sure the Operation is Maintain, and the Source Security Group is the same as the security group that was assigned in Step 2
- On the next screen, add the corresponding Domain Security Policies. You'll need the following policies set up:
-
Operation Domain Security Policy Get Only Person Data: Name Get Only Person Data: Personal Data Get Only Person Data: Public Home Email Address Integration Get Only Person Data: Private Home Email Address Integration Get Only Person Data: Home Contact Information Get Only Person Data: Work Contact Information Get Only Person Data: Home Address Get Only Worker Data: Workers Get Only Worker Data: All Positions Get Only Worker Data: Active Employees Get Only Worker Data: Active and Terminated Employees Get Only Worker Data: Public Worker Reports Get Only Worker Data: Current Staffing Information
Get Only Worker Data: Employment Data Get Only Worker Data: Organization Information Get Only Worker Data: Current Staffing Information Get Only Manage: Locations Get Only Workday Accounts
2.4. Activate domain security policy changes
- In the search bar, type "Activate Pending Security Policy Changes" to view a summary of the changes in the security policy that needs to be approved.
-
Add any relevant comments, confirm the changes and hit OK.
2.5. Validate your authentication policy
- Search for Manage Authentication Policies
- Click Edit on the authentication policy row.
- Create an Authentication Rule.
- Enter a name, add the Security Group, and ensure Allowed Authentication Types is set to Specific User Name Password or Any.
- Note: You don't have to create a new Authentication Rule if you already have an existing one set to User Name Password or Any. You can add the ISU you created to that rule instead. You will need to create a new rule if SAML is the only Authentication Rule you see for "Allowed Authentication Types."
2.6. Activate all pending authentication policy changes
- In the search bar type, Activate all pending authentication policy changes.
- Proceed to the next screen and confirm the changes. This will save the Authentication Policy that was just created or edited
2.7. Obtain the web services endpoint URL
- Search in Workday for Public Web Services.
- Find Human Resources (Public) if you are connecting Workday HRIS.
- Click the three dots to access the menu. Click Web Services > View WSDL.
- Navigate to the bottom of the page that opens (it may take a few seconds to load)
- Copy the full URL provided under Human_ResourcesService (Workday HRIS) or RecruitingService (Workday ATS). The URL will have a format similar to: https://wd2-impl-services1.workday.com/ccx/service/acme/Human_Resources/v43.0
2.8. Connect to Workday via the Firstbase "Integrations" Page
- Login to the Firstbase App and visit the "Integrations" Page
- Find "Workday" under the list of Available integrations" and Click on it to start the connection process. Select the "Use my credentials" option.
- Confirm you are an Admin for Workday
- Add the Workday ISU's User ID and Password you created previously
- Enter the Web Services Endpoint URL into the linking flow. Click Next.
- You are all set. Once connected, you should see Workday appear under the list of "Active Integrations.
3. Connecting to Workday via OAuth
To connect via "OAuth", you'll need the following details to authenticate your Workday account:
- Web Service URL (WSDL)
- Workday subdomain
- Client ID
- Client Secret
- Refresh Token
- Refresh Token URL
Follow these steps to gather these details from Workday:
3.1. Generate a Web Services URL (WSDL)
- Follow steps 2.1 - 2.7 above. Once this has been done, you should have a web services endpoint similar to:
- https://wd2-impl-services1.workday.com/ccx/service/acme/Human_Resources/v43.0
- Save this URL and proceed to the next step.
3.2. Find your Workday subdomain
- Enter your subdomain of the Workday account environment. Your subdomain will be the part of the url immediately after https://test.workday.com/
- For example, if you sign in at https://restapi-sandboxgmspreviewhotpatch.workdaysuv.com/gms/d/task/2997$16127.htmld?contextualsearchpill=false your subdomain would be gms.
3.3. Register an API Client in Workday
- Search in Workday for Register API client for intregrations.
- Enter a name for your API Client. You can call it "Firstbase_Integration"
- Select the Non-Expiring Refresh Tokens option.
- Specify the scope of access for the API client.
- You'll need to include the following scopes:
- Integration
- Contact Information
- Onboarding
- Personal Data
- Public Data
- Staffing
- Worker Profile and Skills
- User Provisioning
- You'll need to include the following scopes:
- Click OK to generate the Client ID and Client Secret.
- Save the Client Secret and Client ID.
- Click Done.
3.4. Generate a non-expiry refresh token
- Type View API Clients in the search field in Workday. Select the View API Clients task
- Navigate to API Clients for Integrations tab.
- Select the API client you registered in the preceding steps.
- Click API Client > Manage Refresh Tokens for Integrations.
- On the Manage Refresh Tokens for Integrations page, in the Workday Account field, enter the Workday account of the user you created in steps 2.1-2.7.
- Click OK.
- Go back to the Workday Home Page.
- In the Search field, type Register API client for integration.
- Click on "Delete or Regenerate Refresh Token". Select the Generate New Refresh Token option.
- Click OK.
- On the Successfully Regenerated Refresh Token Page, copy the new refresh token.
- Click Done to complete the process.
3.5. Find your Workday OAuth Token Endpoint URL
- Log in to the Workday tenant.
- In the Search field, type View API Client.
- Select the View API Clients task.
- On the View API Clients page, save the URL in the Token Endpoint field.
3.6. Connect to Workday in the Firstbase "Integrations" Page
Login to the Firstbase App and visit the "Integrations" Page
- Find "Workday" under the list of Available integrations" and Click on it to start the connection process. Select the "Use my OAuth credentials" option.
- Confirm you are an Admin for Workday
- Add the Workday Web Services Endpoint URL you created previously.
- Enter your Workday Subdomain. Click Next.
- Enter your Client ID and Client Secret from previous steps. Click Next.
- Enter your Refresh Token URL and Refresh Token. Click Next.
- You are all set. Once connected, you should see Workday appear under the list of "Active Integrations"