# Workday Connection
To set up your Workday integration, first, connect your Workday instance to Workato.
# How to connect to Workday on Workato
The Workday connector uses the Workday Web Services (opens new window), RaaS, and REST API (opens new window). Workday recommends using an Integration System User (ISU) for integration using third party services like Workato.
Both the Workday Web Services and RaaS requires basic authentication. REST API requires an additional OAuth client setup.
Workday REST API is used to work with custom objects in your Workday instance. If this is required by your use case, indicate that you are using custom objects. See instruction on how to register a Workday API client here.
# Connect to Workday on Workato
Workday connection fields
| Connection field | Description |
|---|---|
| Connection name | Give this Workday connection a unique name that identifies which Workday tenant it is connected to. |
| Login name | This should be the login name for the ISU. |
| Password | This should be the login password for the ISU. |
| Tenant ID | Tenant ID is found in the URL when you are logged into Workday. For example, if the URL of your Workday tenant is https://impl.workday.com/sample_company/d/home.html (opens new window), tenant ID is sample_company |
| WSDL URL | This URL is used to generate schema and forms the base URI for every API requests. Find out how to obtain this URL from this Workday article (opens new window). The default is https://wd2-impl-services1.workday.com/ccx/service/ (opens new window) |
| Use custom objects? | Choose No if your use cases do not involve custom objects. Choose Yes if it does. Additional client information will be required. |
| Client ID | Client ID of the API Client you created to connect to Workato. Only required if using custom objects. |
| Client secret | Client secret of the API Client you created to connect to Workato. Only required if using custom objects. |
| Authorization endpoint | Authorization endpoint of the API Client you created to connect to Workato. Only required if using custom objects. |
| Token endpoint | Token endpoint of the API Client you created to connect to Workato. Only required if using custom objects. |
# Register Integration System User
We do not recommend using a user account of a worker to run integrations. There are a few reasons for this.
Firstly, all operations performed by the integration will be logged under this worker instead of one dedicated for integration and workflow processes.
Furthermore, if this worker security profile changes, or if the worker is terminated, integrations that rely on this worker's user account will no longer work.
The recommended approach to access web services is through an Integration System User (ISU) account. For security reasons, each ISU should be restricted to a single integration system (like Workato).
The ISU should have all the permissions needed to perform the required actions for your integration scenario. When building recipes, you may encounter a 403 error, it means that the ISU does not have sufficient permission for the action.
Error message when ISU does not have enough permission
# Create an ISU
| Step | Description |
|---|---|
| Create Security Group | Access the Create Security Group task and create an Integration System Security Group.  Add Security Group |
| Grant Domain access to Security Group | To grant the security group access to the domains required by your integration, follow these steps for each domain:
Next, access the Activate Pending Security Policy Changes task and activate these changes.  Edit Permissions for Security Policy |
| Create ISU account | Access the Create Integration System User task and configure a Workday user account for the integration.  Create Integration System User Keep the Session Timeout Minutes default value of 0 to prevent session expiration. An expired session can cause the integration to time out before it successfully completes. Select the Do Not Allow UI Sessions checkbox if you wish to prevent the integration system user from signing in to Workday through the UI. To avoid integration errors caused by expired passwords, Workday recommends that you prevent Workday user passwords from expiring. Access the Maintain Password Rules task and add the integration system user to the System Users exempt from password expiration field. |
| Assign Security Group to ISU | As a related action on the Workday user, select Security Profile > Assign Integration System Security Groups. At the Integration System Security Group to Assign prompt, select the security group that you created. Access the View Integration System report and access the Connector or Studio integration. Select Workday Account > Edit as a related action on the integration system. On the Edit Account for Integration System task, select the ISU account that you created. |
| Optional | In the Global Preferences area, select a preferred locale and display language for the integration system user. These settings control what language Workday uses for the integration data. An outbound integration sends data in the preferred language and an inbound integration saves data in the preferred language. If you leave these fields blank, Workday uses the default locale and display language for integration data. |
Find out more about setting up an ISU here (opens new window).
# Register API Client
This step is required only if you wish to work with custom objects in Workday. The Workday connector uses the Workday REST API, which uses an OAuth 2.0 for authentication. You need to register an API Client to allow connection to the REST API.
Registering a new client
Navigate to "Register API Client" in your Workday instance.
- Select Authorization Grant
- Use
https://www.workato.com/oauth/callbackas the Redirection URL - Add the necessary scope you wish to grant access for
API client details
Remember to save the Client ID, Client Secret, Authorization Endpoint and Token Endpoint. They will be required for the Workday integration connector setup.