Friday 30 October 2015

Workday integration with IDM systems

<<This article has outdated information, as some of the IGA vendors like SailPoint and Okta now provide out-of-the-box connectors for Workday>>
Identity Management (IDM) systems commonly use an Authoritative or Trusted Source as the source of user information that flows down into the system. In other words, creation, modification and deletion of user identities originate in the Authoritative Source. A corporate directory (LDAP store) is a good example, but in most cases an HR management system is used as the Trusted Source of user information. Many HR management systems are in use in organizations today to support their HR processes. Some common examples are Oracle EBS, SAP HCM, Workday, and PeopleSoft.

It wouldn’t be wrong if I called IDM’s integration with the Authoritative Source the “Backbone of the IDM implementation”, as the most important information for an IDM system, User Identity, is reconciled from this source. A well-implemented integration with the source of user identities adds great value and quality throughout the value chain of an Identity Management implementation.

Most IDM systems today include a rich set of pre-defined (built-in) connectors to integrate with common directories, databases, operating systems and enterprise applications, including HR management systems. When a pre-defined connector is available, IDM systems recommend it as the preferred method of integrating with the target system. This is because pre-defined connectors are designed specifically for that application and offer the quickest integration method. These built-in connectors use the integration technologies recommended by the target system and are pre-configured and pre-tested with target system-specific attributes.

We can always custom build an IDM integration with a Trusted Source using one of the available integration options: a flat file, a database staging table, direct pull-based access to the source data (DB, LDAP etc.), an abstract pull from the source data (using an API, web service etc.) or an event-driven push from the Authoritative Source to the IDM system. But a pre-built connector should always be prioritized to avoid the complexities (trust me there are a lot :) ) of connecting two different technologies, especially where the Trusted Source is an HR system.
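The flat-file option above can be sketched as a reconciliation pass that turns an HR export into create, modify and delete events for the IDM system. This is an added example, not code from any IDM product or from Workday; the column names, the sample data and the `max_delete_ratio` guard against a truncated feed are assumptions made for illustration.

```python
import csv
import io

# Constructed sample HR export (flat file); column names are hypothetical.
HR_EXPORT = """employee_id,name,department
1001,Asha Rao,Finance
1002,Ben Cole,IT
1004,Dana Fox,Sales
"""
# Constructed snapshot of the identities the IDM system currently holds.
IDM_STATE = {
    "1001": {"name": "Asha Rao", "department": "Finance"},
    "1002": {"name": "Ben Cole", "department": "HR"},
    "1003": {"name": "Cy Lam", "department": "IT"},
}
REQUIRED = ("employee_id", "name", "department")

def parse_feed(text):
    """Parse the flat file into {employee_id: attributes}; reject malformed feeds."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"feed is missing columns: {missing}")
    feed = {}
    for row in reader:
        emp_id = (row["employee_id"] or "").strip()
        if not emp_id or emp_id in feed:
            raise ValueError(f"blank or duplicate employee_id near line {reader.line_num}")
        feed[emp_id] = {k: (row[k] or "").strip() for k in REQUIRED[1:]}
    return feed

def reconcile(feed, idm_state, max_delete_ratio=0.5):
    """Return (action, employee_id, detail) events that align IDM with the feed."""
    deletes = sorted(set(idm_state) - set(feed))
    # Assumed safeguard: a truncated or empty export must not deprovision everyone.
    if idm_state and len(deletes) / len(idm_state) > max_delete_ratio:
        raise RuntimeError(f"feed would delete {len(deletes)} of {len(idm_state)} identities")
    events = []
    for emp_id in sorted(feed):
        if emp_id not in idm_state:
            events.append(("CREATE", emp_id, feed[emp_id]))
            continue
        changed = {k: v for k, v in feed[emp_id].items() if idm_state[emp_id].get(k) != v}
        if changed:
            events.append(("MODIFY", emp_id, changed))
    return events + [("DELETE", emp_id, {}) for emp_id in deletes]

if __name__ == "__main__":
    for event in reconcile(parse_feed(HR_EXPORT), IDM_STATE):
        print(event)
```

Because the Trusted Source drives deletions, the feed itself is validated before any event is produced: duplicate or blank identifiers and an export that would remove most identities both stop the run instead of flowing downstream.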

Almost all famous IDM systems provide a list of pre-defined connectors for known business applications, including HR systems (Oracle EBS, PeopleSoft, SAP HR, JD Edwards etc.) and technology applications (Microsoft AD, Unix, databases, RSA ClearTrust etc.). Unfortunately, Workday HRMS is not in the list of pre-defined connectors of any known IDM vendor, which compels IDM experts to implement a custom integration with the Workday system whenever required.

Following is a list of known IDM systems that have also been nominated as Leaders in the Gartner Magic Quadrant for Identity Governance and Administration 2015.

  • SailPoint IdentityIQ
  • RSA Via LifeCycle
  • Oracle Identity Manager
  • IBM Security Identity Manager
  • Courion Identity Manager
  • NetIQ Identity Manager

All (or at least most) of the above IDM systems have been providing pre-defined connectors for common authoritative sources, for example:

  • Oracle E-Business Suite
  • PeopleSoft
  • SAP HR
  • MS Active Directory
  • Siebel
  • Salesforce
  • Azure Active Directory

The same is true for the following other well-known IDM systems, which have also been providing pre-defined connectors for famous HR systems except Workday.
  • CA Identity Manager
  • SAP IDM
  • NetIQ Identity Manager
  • Dell One Identity Manager
  • Hitachi ID Identity Manager
  • OpenIAM Identity Manager
  • Microsoft Identity Manager
  • ForgeRock OpenIDM

As pre-defined connectors of IDM systems are not built without the support of the target system and require a handshake between both parties, I hope Workday will soon be ready to support and provide public documents and external interfaces for such integrations.