In order to connect to Workday you will need to create an Integration System User with the correct permissions and provide the login information to Finch.

Step by step guide

  1. Create an Integration System User in Workday

    1. Log in to your Workday portal
    2. In the search bar at the top of the page, search for “Create Integration System User”
    3. Select the “Create Integration System User” task
    4. Enter a username and password of your choosing for the new Integration System User. Save this information as it will be required throughout the connection process.
      Make sure the password does not contain any of the following characters: “&”, “<”, “>” Workday-Finch-Connect-1.png
    5. Ensure that “Require New Password at Next Sign In” is not checked
    6. Set “Session Timeout Minutes” to 0
    7. Ensure that “Do Not Allow UI Sessions” is checked
    8. Click “OK” to create the Integration System User

  2. Configure a Security Group

    1. In the search bar at the top of the page, search for “Create Security Group”
    2. Select the “Create Security Group” task
    3. On the “Create Security Group” page, from the “Type of Tenanted Security Group” dropdown, select “Integration System Security Group (Unconstrained)”
    4. Enter a name for the security group in the “Name” field
    5. Click “OK” to create the security group
    6. On the “Edit Integration System Security Group (Unconstrained)” page enter the name of the Integration System User you created in the “Integration System Users” field Workday-Finch-Connect-2.png
    7. Click “OK” to assign the Integration System User to the security group

  3. Configure the Domain Security Policy Permissions

    1. In the search bar at the top of the page, search for “Maintain Permissions for Security Group”
    2. Select the “Maintain Permissions for Security Group” task
    3. Make sure the “Operation” is “Maintain”, and the “Source Security Group” is the security group you created
    4. Configure the Domain Security Policy Permissions based on the requirements of the Workday integration you are connection and the information below

    Required Domain Security Policies
    The following Domain Security Policies are the minimum set that are required in order to connect via Finch:

    View/Modify AccessDomain Security PolicyNotes
    Get OnlySet Up: Company GeneralRequired for authentication
    Get OnlyWorker Data: Public Worker ReportsRequired to fetch basic employee data that is typically made publicly accessible by other employees
    Get OnlyWorker Data: Current Staffing InformationRequired to fetch basic employee job role data

    Optional Domain Security Policies
    The following Domain Security Policies enable Finch to retrieve additional data, if required:

    View/Modify AccessDomain Security PolicyNotes
    Get OnlyWorker Data: Compensation by OrganizationEnables fetching employee compensation info on the /employment endpoint
    Get OnlyPerson Data: ID InformationEnables fetching employee social security numbers (SSN) on the /individual endpoint
    Get OnlyPerson Data: Date of BirthEnables fetching employee date of birth (DOB) on the /individual endpoint
    Get OnlyPerson Data: GenderEnables fetching employee gender on the /individual endpoint
    Get OnlyPerson Data: EthnicityEnables fetching employee ethnicity on the /individual endpoint

  4. Activate Security Policy Changes

    1. In the search bar at the top of the page, search for “Activate Pending Security Policy Changes”
    2. Select the “Activate Pending Security Policy Changes” task
    3. View the summary of changes waiting to be approved and check the “Confirm” checkbox Workday-Finch-Connect-3.png

  5. Configure Authentication Policy

    1. In the search bar at the top of the page, search for “Manage Authentication Policies”
    2. Select the “Manage Authentication Policies” report
    3. Verify that the Security Group is assigned to a policy that has an “Allowed Authentication Type” of “User Name Password” or “Any”.
      If this is not the case you must edit the relevant Authentication Policy to add a rule using the steps below:
      • Edit the Authentication Policy for the environment you want Finch to retrieve data from
      • Add a new Authentication Rule for the policy
      • Set the “Authentication Rule Name” to a unique value to identify the rule
      • Set the “Security Group” to the Security Group you created
      • Set the “Authentication Conditions” to “Any” and the “Allowed Authentication Types” to “Specific > User Name Password” Workday-Finch-Connect-4.png Workday-Finch-Connect-5.png Workday-Finch-Connect-6.png

  6. Activate Authentication Policy Changes

    1. In the search bar at the top of the page, search for “Activate Pending Authentication Policy Changes”
    2. Select the “Activate Pending Authentication Policy Changes” task
    3. View the summary of changes waiting to be approved and check the “Confirm” checkbox Workday-Finch-Connect-7.png

  7. Obtain the Web Services Endpoint URL

    1. In the search bar at the top of the page, search for “Public Web Services”
    2. Select the “Public Web Services” report
    3. Find the “Human Resources (Public)” item in the “Web Service” column and hover over it so you can click the “…” menu that appears
    4. In the “…” menu click “Web Service > View WSDL”
    5. A new page will open containing the technical specifications for the Workday Human Resources Web Service
    6. Scroll all the way to the bottom of the page and locate the line containing soapbind:address location=
      • You can also search within the page using Ctrl+F or Cmd+F for the text soapbind:address location=
    7. Copy the URL up until /service The resulting URL should look something like https://wd5-services1.myworkday.com/ccx Workday-Finch-Connect-8.png
    8. Save this URL to provide to Finch

  8. Connect Using Finch Connect

    1. Paste the username and password for the Integration System User into the “Username” and “Password” fields
    2. Paste your Workday tenant ID into the “Tenant ID” field. You can find this value in the URL of your web browser when on the Workday home page:
      • If the URL looks like https://impl.workday.com/somecompany then your tenant ID is somecompany
      • If the URL looks like https://somecompany.workday.com then your tenant ID is somecompany
    3. Paste the Web Services Endpoint URL you copied earlier into the “API Base URL” field
    4. Click “Connect”

  9. Select a Company to Connect

Finch Connect will ask you to select which company you’d like to connect. This is a list of companies retrieved from your Workday system that employees area assigned to.

The company you connect will be the only company Finch will retrieve data for. If you have other companies you also want to connect you will have to repeat the “Connect Using Finch Connect” section for each one.

Was this page helpful?

UKG Ready API