Integrating Workday with SailPoint Identity Security Cloud: Lessons from the field

Workday is often your authoritative source of truth for workforce data. Integrating it with ISC enables you to:

• Trigger joiner, mover, and leaver workflows in near real-time
• Maintain consistent identity profiles across all connected systems
• Eliminate manual HR file uploads and batch syncs
• Improve onboarding speed and provisioning accuracy
• Write back updates (email, phone) to Workday for complete data integrity

“By moving from batch uploads to real-time provisioning with Workday–SailPoint ISC, one ProofID client reduced average onboarding time from 5 days to less than 4 hours — without increasing IT workload.”

Dave Randall, SVP Delivery, Americas

There are two main integration paths:

1. SaaS Connector (Cloud-Based)

• Quick to deploy
• Follows SailPoint schema rules
• Account ID locked to FILENUMBER

2. VA-Based Connector (Virtual Appliance)

• Greater flexibility for custom mapping
• Can change Account ID to something stable like Employee ID

By default, the SaaS connector forces FILENUMBER as the Account ID. If FILENUMBER changes (e.g., provisional → permanent), ISC will treat it as a new identity, creating duplicates and breaking historical links.

Why stable IDs matter
If your Account ID changes, ISC sees it as a new person. That means:

• Duplicate identities
• Orphaned accounts
• Reprovisioning from scratch
• Possible licensing bloat

Solution
Use a VA-Based connector to set Employee ID (or another stable attribute) as the Account ID.

If you’ve switched aggregation to Employee ID, ISC won’t write back updates (email, phone) unless you still have a connector using FILENUMBER.

Solution
Keep two connectors:

• Aggregation Connector → Employee ID as Account ID
• Writeback Connector → FILENUMBER as Account ID

Out of the box, ISC often throws errors like: Not Valid ID value for type=”Phone_Device_Type_ID”.

This is because Workday uses tenant-specific phone device IDs. The connector defaults may not match your Workday tenant.

Solution

• SaaS Connector: Change via UI (e.g., “Landline” → “Telephone”)
• VA-Based Connector: Edit Phone_Device_Type_ID in source config (VS Code)

ISC can aggregate pre-hire, active, terminated, and rescinded identities by default — even if you don’t need them.

Offsets let you control this:

• Termination Offset: Only include terminated users within the past X days e.g. Termination Offset = 30 days
• Rescinded Offset: Exclude hires rescinded before a set number of days e.g. Rescinded Offset = 14 days

This keeps ISC clean, reduces license usage, and avoids unnecessary processing.

Integrating Workday with SailPoint ISC is not just about connector setup. It’s about understanding Workday’s data behaviors, mapping them to ISC’s rules, and making adjustments to avoid common pitfalls.

• Don’t change FILENUMBER in the SaaS connector.
• Use VA-Based for custom Account IDs.
• Keep a FILENUMBER connector for writeback.
• Adjust phone device type IDs before phone number writebacks.
• Use offsets to save licenses and keep ISC clean.

ProofID has designed, deployed, and optimized countless SailPoint integrations. Whether you’re starting fresh or refining an existing setup, we can get you to your end goal faster.