Connecting Workday

Last updated: October 8, 2024

Background

This article walks through the steps for connecting Workday to Lumos and helps you resolve common setup issues.

Required plan & roles

There's no minimum plan required to connect the Workday integration.

The specific permissions required by the Workday integration user account are outlined in further detail in the setup steps below.

Workday Steps

The section below walks through the steps you need to take in Workday to connect it to Lumos.

Stage 1: Create an Integration System User.

It's highly-recommended that you connect Workday to Lumos with an Integration System User. To create the user, follow the steps below:

Visit the Create Integration System User page in Workday (find it via the search bar)
Click the Create Integration System User button.
Enter a User Name (such as "Lumos-ISU") and create a strong password for the account, then click Ok.

Stage 2: Add the Integration System User to a Security Group.

Once you've created the ISU, you need to add it to a Security Group by following the steps below.

Visit the Create Security Group page in Workday (find it via the search bar)
Click the Create Security Group button.
In the Type of Tenanted Security Group dropdown, select “Integration System Security Group” and enter a name, such as "Lumos Security Group".
On the Edit Integration System Security Group (Unconstrained) page, enter the name of the ISU you created in Stage 1 above (e.g. “Lumos-ISU”), then click Ok.

Stage 3: Set Policy Permissions

Click into the Security Group you created in Stage 2 and select "Domain Security Policy Permissions".
Select the permissions in the table below.
Search for Activate Pending Security Policy Changes in the search bar and approve the changes you just proposed.

Permission Name

Person Data: Name

Person Data: Work Contact Information

Worker Data: Workers

Worker Data: All Positions

Worker Data: Current Staffing Information

Worker Data: Public Worker Reports

Worker Data: Employment Data

Worker Data: Organization Information

View: Supervisory Organization

Worker Data: Business Title on Worker Profile

Worker Data: General staffing information

Worker Data: Active and terminated workers

Person Data: Work Email

Workday Accounts

Workday Accounts (Functional area: System)

User-Based Security Group Administration

Security Configuration

Self-Service: Current Staffing Information

Stage 4: Create an API Client for the integration

Next, you'll create a Workday API Client to use in Lumos.

Visit the View API Clients page in Workday (find it via the search bar).
Click the Register API Client for Integration button and fill out the form that appears with the info from the table below.
Securely store the generated Client ID, Client Secret, Workday REST API Endpoint, Token Endpoint, and Authorization Endpoint.
Next, select Action > API Client > Manage Refresh Tokens for Integrations.
For the Workday Account, select the ISU user that you created in stage 1.
Generate a new Refresh Token and securely store the value.

Field	Value
Client Name	Lumos Integration
Grant type	Authorization Code Grant
Access token	Bearer
Redirection URI	https://app.lumosidentity.com/integrations/workday_oauth2_callback
Disabled	(Make sure the box is unchecked) ❌
Non-Expiring Refresh Tokens	(Make sure the box is checked) ✅
Scope (Functional Areas)	Make sure to select: Staffing System Contact Information Personal Data Organization and Roles
Include Workday Owned Scope	(Make sure the box is checked) ✅

Stage 5: Workday Public SOAP API Access

At this stage, you'll be determining where Lumos can make calls to your tenant over the internet.

Visit the Public Web Services page (find it via the search bar).
Open the Public Web Services Report.
Hover over Human Resources and click on the three dots menu.
Click Web Services > View WSDL.
Within the WSDL, there should be a URL with a format like https://{domain}/ccx/service/{tenant}/hcm
. Securely store the domain and tenant value for later.

Lumos Steps

1. Click on the Workday card in your Lumos integrations (Reconnect or add new).

2. In the Connection section, enter the following values:

Workday tenant name: The tenant name from Stage 5 above.
Workday domain name: The domain name from Stage 5 above.
Client ID: The client ID from Stage 4 above.
Client Secret: The client secret from Stage 4 above.
Refresh Token: The refresh token from Stage 4 above.

3. Click Connect Workday to connect the integration.

FAQ

What fields do you need from Workday's API?

We are ingesting the following fields from the Worker_Data payload in the Get_Workers operation.

Field Name	Path
`First_Name`	`Worker_Data -> Personal_Information_Data -> Person_Name_Data -> Preferred_Name_Data -> First_Name`
`Last_Name`	`Worker_Data -> Personal_Information_Data -> Person_Name_Data -> Preferred_Name_Data -> Last_Name`
`Email_Address`	`Worker_Data -> Personal_Information_Data -> Contact_Information_Data -> Email_Address_Information_Data -> Email_Address`
`Position_Title`	`Worker_Data -> Employment_Data -> Worker_Job_Data -> Position_Data -> Position_Title`
`Manager_as_of_last_detected_manager_change_Reference`	`Worker_Data -> Employment_Data -> Worker_Job_Data -> Position_Data -> Manager_as_of_last_detected_manager_change_Reference`
`Position_Organization_Data`	`Worker_Data -> Employment_Data -> Worker_Job_Data -> Position_Organizations_Data -> Position_Organization_Data`
`Active`	`Worker_Data -> Employment_Data -> Worker_Status_Data -> Active`
`Hire_Date`	`Worker_Data -> Employment_Data -> Worker_Status_Data -> Hire_Date`
`Original_Hire_Date`	`Worker_Data -> Employment_Data -> Worker_Status_Data -> Original_Hire_Date`
`Termination_Date`	`Worker_Data -> Employment_Data -> Worker_Status_Data -> Termination_Date`
`Termination_Last_Day_of_Work`	`Worker_Data -> Employment_Data -> Worker_Status_Data -> Termination_Last_Day_of_Work`
`User_Name`	`Worker_Data -> System_User_for_Worker_Data -> User_Name`