WRITTEN BY:

ProofID

Share

TOPICS

Categories: Blog, IAM, Ping Identity

Integrating Workday with SailPoint Identity Security Cloud (ISC) is one of the most common — and most valuable — identity automation projects I work on. On paper, the connector makes it seem straightforward, but in reality, successful enterprise integration takes more than following the documentation.

In this post, I’ll share lessons learned from real-world projects — the quirks, gotchas, and optimizations that can save you hours of troubleshooting and ensure your integration is robust, scalable, and compliant.

Integrating Workday with SailPoint Identity Security Cloud (ISC) is one of the most common — and most valuable — identity automation projects I work on. On paper, the connector makes it seem straightforward, but in reality, successful enterprise integration takes more than following the documentation.

In this post, I’ll share lessons learned from real-world projects — the quirks, gotchas, and optimizations that can save you hours of troubleshooting and ensure your integration is robust, scalable, and compliant.

Why Workday Integration Matters

Workday is often your authoritative source of truth for workforce data. Integrating it with ISC enables you to:

  • Trigger joiner, mover, and leaver workflows in near real-time
  • Maintain consistent identity profiles across all connected systems
  • Eliminate manual HR file uploads and batch syncs
  • Improve onboarding speed and provisioning accuracy
  • Write back updates (email, phone) to Workday for complete data integrity

“By moving from batch uploads to real-time provisioning with Workday–SailPoint ISC, one ProofID client reduced average onboarding time from * days to less than * hours — without increasing IT workload.”

Dave Randal, SVP Delivery, Americas

Integration Architecture

There are two main integration paths:

1. SaaS Connector (Cloud-Based)

  • Quick to deploy
  • Follows SailPoint schema rules
  • Account ID locked to FILENUMBER

2. VA-Based Connector (Virtual Appliance)

  • Greater flexibility for custom mapping
  • Can change Account ID to something stable like Employee ID

Field Lessons

Key Finding 1

Account ID handling can make or break the integration

By default, the SaaS connector forces FILENUMBER as the Account ID. If FILENUMBER changes (e.g., provisional → permanent), ISC will treat it as a new identity, creating duplicates and breaking historical links.

Why stable IDs matter
If your Account ID changes, ISC sees it as a new person. That means:

  • Duplicate identities
  • Orphaned accounts
  • Reprovisioning from scratch
  • Possible licensing bloat

Solution
Use a VA-Based connector to set Employee ID (or another stable attribute) as the Account ID.

Key Finding 2

Writeback Still Needs FILENUMBER

If you’ve switched aggregation to Employee ID, ISC won’t write back updates (email, phone) unless you still have a connector using FILENUMBER.

Solution
Keep two connectors:

  • Aggregation Connector → Employee ID as Account ID
  • Writeback Connector → FILENUMBER as Account ID

Key Finding 3

Phone Number Writeback Isn’t Plug-and-Play

Out of the box, ISC often throws errors like: Not Valid ID value for type=”Phone_Device_Type_ID”.

This is because Workday uses tenant-specific phone device IDs. The connector defaults may not match your Workday tenant.

Solution

  • SaaS Connector: Change via UI (e.g., “Landline” → “Telephone”)
  • VA-Based Connector: Edit Phone_Device_Type_ID in source config (VS Code)

Tip:
Keep a reference table of your tenant’s phone device type IDs handy for all future provisioning changes.

Key Finding 4

Use Offsets to Filter Out Unwanted Users

ISC can aggregate pre-hire, active, terminated, and rescinded identities by default — even if you don’t need them.

Offsets let you control this:

  • Termination Offset: Only include terminated users within the past X days e.g. Termination Offset = 30 days
  • Rescinded Offset: Exclude hires rescinded before a set number of days e.g. Rescinded Offset = 14 days

This keeps ISC clean, reduces license usage, and avoids unnecessary processing.

Key Takeaways

Integrating Workday with SailPoint ISC is not just about connector setup. It’s about understanding Workday’s data behaviors, mapping them to ISC’s rules, and making adjustments to avoid common pitfalls.

  • Don’t change FILENUMBER in the SaaS connector.
  • Use VA-Based for custom Account IDs.
  • Keep a FILENUMBER connector for writeback.
  • Adjust phone device type IDs before phone number writebacks.
  • Use offsets to save licenses and keep ISC clean.

ProofID has designed, deployed, and optimized countless SailPoint integrations. Whether you’re starting fresh or refining an existing setup, we can get you to your end goal faster.

Need help with your
Workday–SailPoint ISC project?

Be the first to hear about news, product updates, and innovation from proofid