Integrating Workday with SailPoint Identity Security Cloud (ISC) is one of the most common — and most valuable — identity automation projects I work on. On paper, the connector makes it seem straightforward, but in reality, successful enterprise integration takes more than following the documentation.
In this post, I’ll share lessons learned from real-world projects — the quirks, gotchas, and optimizations that can save you hours of troubleshooting and ensure your integration is robust, scalable, and compliant.
Integrating Workday with SailPoint Identity Security Cloud (ISC) is one of the most common — and most valuable — identity automation projects I work on. On paper, the connector makes it seem straightforward, but in reality, successful enterprise integration takes more than following the documentation.
In this post, I’ll share lessons learned from real-world projects — the quirks, gotchas, and optimizations that can save you hours of troubleshooting and ensure your integration is robust, scalable, and compliant.
Why Workday Integration Matters
Workday is often your authoritative source of truth for workforce data. Integrating it with ISC enables you to:
- Trigger joiner, mover, and leaver workflows in near real-time
- Maintain consistent identity profiles across all connected systems
- Eliminate manual HR file uploads and batch syncs
- Improve onboarding speed and provisioning accuracy
- Write back updates (email, phone) to Workday for complete data integrity
“By moving from batch uploads to real-time provisioning with Workday–SailPoint ISC, one ProofID client reduced average onboarding time from * days to less than * hours — without increasing IT workload.”
Dave Randal, SVP Delivery, Americas
Integration Architecture
There are two main integration paths:
1. SaaS Connector (Cloud-Based)
- Quick to deploy
- Follows SailPoint schema rules
- Account ID locked to FILENUMBER
2. VA-Based Connector (Virtual Appliance)
- Greater flexibility for custom mapping
- Can change Account ID to something stable like Employee ID
Field Lessons
Key Finding 1
Account ID handling can make or break the integration
By default, the SaaS connector forces FILENUMBER as the Account ID. If FILENUMBER changes (e.g., provisional → permanent), ISC will treat it as a new identity, creating duplicates and breaking historical links.
Why stable IDs matter
If your Account ID changes, ISC sees it as a new person. That means:
- Duplicate identities
- Orphaned accounts
- Reprovisioning from scratch
- Possible licensing bloat
Solution
Use a VA-Based connector to set Employee ID (or another stable attribute) as the Account ID.
Key Finding 2
Writeback Still Needs FILENUMBER
If you’ve switched aggregation to Employee ID, ISC won’t write back updates (email, phone) unless you still have a connector using FILENUMBER.
Solution
Keep two connectors:
- Aggregation Connector → Employee ID as Account ID
- Writeback Connector → FILENUMBER as Account ID
Key Finding 3
Phone Number Writeback Isn’t Plug-and-Play
Out of the box, ISC often throws errors like: Not Valid ID value for type=”Phone_Device_Type_ID”.
This is because Workday uses tenant-specific phone device IDs. The connector defaults may not match your Workday tenant.
Solution
- SaaS Connector: Change via UI (e.g., “Landline” → “Telephone”)
- VA-Based Connector: Edit Phone_Device_Type_ID in source config (VS Code)
Tip:
Keep a reference table of your tenant’s phone device type IDs handy for all future provisioning changes.
Key Finding 4
Use Offsets to Filter Out Unwanted Users
ISC can aggregate pre-hire, active, terminated, and rescinded identities by default — even if you don’t need them.
Offsets let you control this:
- Termination Offset: Only include terminated users within the past X days e.g. Termination Offset = 30 days
- Rescinded Offset: Exclude hires rescinded before a set number of days e.g. Rescinded Offset = 14 days
This keeps ISC clean, reduces license usage, and avoids unnecessary processing.
Key Takeaways
Integrating Workday with SailPoint ISC is not just about connector setup. It’s about understanding Workday’s data behaviors, mapping them to ISC’s rules, and making adjustments to avoid common pitfalls.
- Don’t change FILENUMBER in the SaaS connector.
- Use VA-Based for custom Account IDs.
- Keep a FILENUMBER connector for writeback.
- Adjust phone device type IDs before phone number writebacks.
- Use offsets to save licenses and keep ISC clean.
ProofID has designed, deployed, and optimized countless SailPoint integrations. Whether you’re starting fresh or refining an existing setup, we can get you to your end goal faster.
Be the first to hear about news, product updates, and innovation from proofid
