Skip to main content

Workday

  • Updated

This document outlines the steps required to establish a secure connection between Wisq and your Workday environment.

CONTENTS

  1. Supported Authentication Methods
  2. Create an Integration System User (ISU)
  3. Create an Integration System Security Group (ISSG)
  4. Assign Domain Security Permissions
  5. Choose and Configure Your Authentication Method
  6. Provide Credentials to Wisq
  7. Final Checklist

1. Supported Authentication Methods

Wisq supports two authentication methods for connecting to Workday:

🔐 Option A — Basic Authentication

  • Uses a dedicated Integration System User (ISU) username and password
  • Credentials are sent with each API request via the HTTP Basic Authentication header
  • Simpler to configure — no OAuth client registration required

✅ Option B — OAuth 2.0 (Refresh Token)

  • Uses enterprise-grade, token-based authentication that does not require user interaction after initial setup
  • Authenticated via a registered API Client with a Client ID, Client Secret, and Refresh Token
  • Wisq uses the Refresh Token to obtain short-lived access tokens automatically — no ongoing action required after setup

Both methods require a dedicated Integration System User (ISU) with appropriate domain permissions. Complete Sections 2–4 first, then follow the instructions for your chosen authentication method in Section 5.

2. Create an Integration System User (ISU)

An Integration System User (ISU) is a dedicated service account used for API integrations. We strongly recommend using a dedicated ISU rather than a personal admin account.

  1. Search for and open the Create Integration System User task in Workday.
  2. Enter a descriptive username (e.g., ISU_Wisq) and set a strong password. Record both.
  3. Set Session Timeout Minutes to 0 to prevent the session from expiring.
  4. Select the Do Not Allow UI Sessions checkbox to restrict this account to API use only.
  5. Search for and open the Maintain Password Rules task.
  6. (Optional but recommended) add the ISU to "System Users exempt from password expiration" to prevent credential disruption.

If your organization requires periodic credential rotation, please notify Wisq before rotating so the connection can be updated without downtime.

3. Create an Integration System Security Group (ISSG)

A dedicated security group keeps the ISU's API permissions isolated and auditable.

  1. Search for and open the Create Security Group task.
  2. Select Integration System Security Group (Unconstrained) as the type.
  3. Name the group ISSG_Wisq (or follow your organization's naming convention).
  4. Save the group.

Assign the ISU to the ISSG:

  1. Open the All Workday Accounts report and locate the ISU created in Section 2.
  2. From the ISU's action menu, select Assign Integration System Security Groups.
  3. Add ISSG_Wisq to the ISU.

4. Assign Domain Security Permissions

The ISSG must be granted the domain permissions needed for the integration to function.

  1. Navigate to the ISSG using the View Security Group report.
  2. From the action menu, select Maintain Domain Permissions for Security Group.
  3. Add the required domain permissions. Grant GET permissions to the following domains. If integration requires, PUT access should also be granted:
    • Integration
    • Worker Data
    • Worker Personal Data
    • Worker Contact Information
    • Worker Job Data
    • Worker Organization Data
    • Worker Employment Data
  4. Save your changes.
  5. Search for and run the Activate Pending Security Policy Changes task to apply the permissions.

We recommend least-privilege access aligned to the integration requirements. Contact your Workday security team if you need assistance identifying the correct domain policies.

5. Choose and Configure Your Authentication Method

Complete the section below that matches your chosen authentication method. If you are unsure which method to use, consult your Wisq Agent Strategist contact.

Option A — Basic Authentication

No additional Workday configuration is required beyond the ISU, security group, and permissions you set up in Sections 2–4.

Prepare the ISU Credentials

  1. Determine the login format. Workday Basic Authentication requires the username in the format: For example, if your ISU is ISU_Wisq and your tenant is acme_corp, the username is:

    ISU_Username@Tenant_Name
    ISU_Wisq@acme_corp
  2. Locate your Tenant Name. You can find this in the Workday URL you use to log in — it appears as the subdirectory after the domain (e.g., https://wd2.myworkday.com/acme_corp/). You can also confirm it via the View API Clients report.
  3. Record the ISU password you set during creation in Section 2.

⚠️ Important: If your organization uses a Workday implementation partner or sandbox environment, the tenant name may differ from your production tenant. Confirm you are using the correct tenant name for the target environment.

Confirm the Web Services Endpoint

Wisq connects via Workday's SOAP Web Services API. The endpoint URL follows this format:

https://<host>/ccx/service/<tenant>/<service_name>/<version>
ComponentDescriptionExample
HostYour Workday data center hostnameimpl-services1.wd12.myworkday.com
TenantYour Workday tenant nameacme_corp
Service NameThe Workday web service being accessedHuman_Resources
VersionThe web service API versionv45.1

Example full URL:

<https://impl-services1.wd12.myworkday.com/ccx/service/acme_corp/Human_Resources/v45.1>

To find your Web Services Endpoint:

  1. Search for and open the Public Web Services report in Workday.
  2. Locate the relevant web service (e.g., Human_Resources).
  3. Click the service to view its WSDL URL — the endpoint base is the portion before the ?wsdl parameter.

Your Wisq Agent Strategist contact will confirm which service name and version to use.

Credentials Summary — Basic Authentication

Wisq Connection FieldWhat to Provide
Connection NameA friendly identifier (e.g., "Acme Corp – Workday")
Web Services EndpointYour Workday SOAP Web Services URL (see above)
UsernameISU username in ISU_Username@Tenant_Name format
PasswordThe ISU password

Proceed to Section 6 to transmit these credentials securely to Wisq.

Option B — OAuth 2.0 (Refresh Token)

Step 1 — Enable OAuth 2.0 Clients (Tenant Setting)

Before creating an API Client, confirm that OAuth 2.0 is enabled on your Workday tenant.

  1. Search for and open the Edit Tenant Setup – Security task.
  2. Navigate to the OAuth 2.0 Settings section.
  3. Ensure the OAuth 2.0 Clients Enabled option is checked.
  4. Save if any changes were made.

Step 2 — Register an API Client for Integrations

⚠️ Important: Use the "Register API Client for Integrations" task — not the generic "Register API Client" task. These are distinct in Workday.

  1. Search for and open the Register API Client for Integrations task.
  2. Enter the following:
    • Client Name: Wisq (or similar)
    • Non-Expiring Refresh Tokens: Select this option
  3. Add the required Scope (Functional Areas). At minimum, include:
    • Integration
    • Human Resources
    • Staffing
    • Organizations and Roles
  4. Click OK to register the client.
  5. The Client ID and Client Secret are displayed immediately after registration. Copy and save both values now — the Client Secret cannot be retrieved again after you leave this screen.
  6. Navigate to the View API Clients report. Note the Token Endpoint and Workday REST API Endpoint displayed for the client you just registered.

Step 3 — Provision a Refresh Token for the ISU

  1. From the View API Clients report, select the API Clients for Integrations tab.
  2. Locate the Wisq API Client you just registered.
  3. From the related actions menu, select Manage Refresh Tokens for Integrations.
  4. Add the ISU Account you created in Section 2 to the API Client.
  5. Click Generate Refresh Token.
  6. Copy and save the Refresh Token now.

⚠️ Important: If Non-Expiring Refresh Tokens was enabled during registration, this token will not expire. If it was not enabled, the Refresh Token will have a limited lifespan and may need to be regenerated. Notify Wisq before regenerating so the connection can be updated without downtime.

Confirm API Endpoints

Both the Token Endpoint and REST API Endpoint are available from the View API Clients report.

  1. Search for and open the View API Clients report.
  2. Select the API Clients for Integrations tab.
  3. Locate the Wisq API Client you registered.
  4. Record the following URLs displayed on the client detail page:
EndpointExample Format
Token Endpointhttps://<host>/ccx/oauth2/<tenant>/token
Workday REST API Endpointhttps://<host>/ccx/api/v1/<tenant>

Provide these exact URLs to Wisq — do not modify the paths.

Credentials Summary — OAuth 2.0

Wisq Connection FieldWhat to Provide
Connection NameA friendly identifier (e.g., "Acme Corp – Workday")
Client IDGenerated when registering the API Client for Integrations
Client SecretGenerated when registering the API Client for Integrations
Refresh TokenProvisioned via Manage Refresh Tokens for Integrations
Token EndpointYour Workday OAuth 2.0 token URL
Web Services EndpointYour Workday SOAP Web Services URL

Proceed to Section 6 to transmit these credentials securely to Wisq.

6. Provide Credentials to Wisq

Because this integration involves privileged API access, credentials must be transmitted securely.

For Basic Authentication, you are transmitting a username and password. These are highly sensitive and must be transmitted using one of the secure methods below.

For OAuth 2.0, the values you are sending (Client ID, Client Secret, Refresh Token, Token Endpoint, REST API Endpoint) define the scope of API access to your Workday environment and should be treated as sensitive.

✅ Preferred Method: Encrypted Email

Examples:

  • Proton Mail
  • Microsoft Purview Message Encryption
  • Mimecast Secure Messaging

Send to your Wisq Agent Strategist contact.

Subject line:

[Company Name] – Workday Integration Credentials (Encrypted)

Acceptable Alternatives

  • Secure password managers (1Password, Bitwarden, etc.)
  • Secure file transfer portal
  • Enterprise encrypted messaging platform

❌ Please do not send credentials in plain text email, chat platforms, or ticket systems.

Final Checklist

Basic Authentication

  • [ ] Integration System User (ISU) created with non-expiring session and password (Section 2)
  • [ ] Integration System Security Group (ISSG) created and ISU assigned (Section 3)
  • [ ] Domain security permissions granted and activated (Section 4)
  • [ ] Username recorded in ISU_Username@Tenant_Name format (Section 5A)
  • [ ] ISU password recorded
  • [ ] Web Services Endpoint URL recorded (Section 5A)
  • [ ] Credentials transmitted securely to Wisq (Section 6)

OAuth 2.0 with Refresh Token

  • [ ] OAuth 2.0 Clients enabled in Workday tenant settings (Section 5B, Step 1)
  • [ ] Integration System User (ISU) created with non-expiring session and password (Section 2)
  • [ ] Integration System Security Group (ISSG) created and ISU assigned (Section 3)
  • [ ] Domain security permissions granted and activated (Section 4)
  • [ ] API Client for Integrations registered with Non-Expiring Refresh Tokens enabled (Section 5B, Step 2)
  • [ ] Client ID recorded
  • [ ] Client Secret recorded (only visible at time of creation)
  • [ ] Refresh Token generated and recorded (Section 5B, Step 3)
  • [ ] Token Endpoint URL recorded (Section 5B)
  • [ ] Credentials transmitted securely to Wisq (Section 6)

Need Assistance?

If your IT team would like support during configuration, Wisq's Agent Operations team is happy to join a working session.

Confidential — For Client IT Teams Only