Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Workday Integration in Saviynt using X509 Certificate based authentication

fullmoon_rout
New Contributor III
New Contributor III

Hi team,

 

We are integrating Workday with Saviynt using X509 based authentication.

We are using Workday_SOAP(workday) type of connector to update email_address back to workday. As this supports both OAuth2.0 and X509 cert based authentication, client is inclined to X509 as it is more secure.

We followed below documentation to configure it in Saviynt :

(https://docs.saviyntcloud.com/bundle/WD2-v2022x/page/Content/Importing-Users.htm)

 

We have imported the SSL certificate from Workday into Saviynt. And in the connection object, we have passed the Private Key and Public Certificate (which is shared with Workday team to register API client). However when we do a test connection, we get below error:

 

"2023-12-13T05:20:32.353+00:00","ecm","provisoning.SoapProvisioningService","http-nio-8080-exec-3-ltmnm","DEBUG","Calling SOAP Webservice:: https://removed.myworkday.com/ccx/service/****/Human_Resources/v39.0 "

"2023-12-13T05:20:32.353+00:00","ecm","provisoning.SoapProvisioningService","http-nio-8080-exec-3-ltmnm","DEBUG","SOAPACTION "

"2023-12-13T05:20:32.368+00:00","ecm","provisoning.SoapProvisioningService","http-nio-8080-exec-3-ltmnm","DEBUG","setting timeout to 900 seconds"

"2023-12-13T05:20:32.370+00:00","ecm","provisoning.SoapProvisioningService","http-nio-8080-exec-3-ltmnm","ERROR","Error while calling webservice https://removed.myworkday.com/ccx/service/****/Human_Resources/v39.0 : "

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm","","AxisFault"

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException"

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultSubcode: "

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultString: org.xml.sax.SAXParseException; Premature end of file."

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultActor: "

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultNode: "

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm",""," faultDetail: "

"2023-12-13T05:20:32.571+00:00","ecm","","null-ltmnm","","                {http://xml.apache.org/axis/}stackTrace:org.xml.sax.SAXParseException; Premature end of file."

Screenshot from connector:

fullmoon_rout_1-1702446271069.png

 

fullmoon_rout_0-1702446202965.png

 

Kindly let me know if any other configuration missing.

Regards,

Fullmoon

[This message has been edited by moderator to mask url]

9 REPLIES 9

fullmoon_rout
New Contributor III
New Contributor III

Hi team,

 

Any update would be appreciated.

 

Regards,

Fullmoon

rushikeshvartak
All-Star
All-Star

Refer https://forums.saviynt.com/t5/identity-governance/workday-connector-error-soap/m-p/46269#M27422


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

fullmoon_rout
New Contributor III
New Contributor III

Hi Rushikesh,

 

We are using X509 cert, which means we do not have password right? How can i use Connection JSON as you shared the link ? what to provide in the password field ? 

It is bit unclear, can you elaborate the solution ?

Also the link says at end the above steps did not help in resolution too.

Kindly suggest.

Regards,

Fullmoon

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @fullmoon_rout,

As this certificate is been generated via the openssl, this consist some special character which require to be eradicated, for removing the white first copy the notepad++ see the CRLF .
Also in the above screenshot you mentioned States "Begin Private RSA Key" , it should be only private key see the document , Below screenshot for reference,

sudeshjaiswal_0-1702548869956.png

For Ref : https://docs.saviyntcloud.com/bundle/WD2-v23x/page/Content/Preparing-for-Integration.htm 

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

fullmoon_rout
New Contributor III
New Contributor III

Hi Sudesh,

We tried regenerating the certificate, and also removing all white spaces. Still it gives same error. The same works fine in postman, so there is no issue in the key. Please suggest.

Regards,

Fullmoon

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @fullmoon_rout,

Please redo the steps and share the result.

Step 1: Please use the below command to generate the Key and Certificate,

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


Step 2 :

Multiple files will be generated, and you must choose the following:
- server.key (Should start with -----BEGIN PRIVATE KEY-----)
- server.crt  (Should start with -----BEGIN CERTIFICATE-----)
PFA Screenshot for reference 

sudeshjaiswal_0-1704776299759.png

Step 3 :
After downloading these files, use Notepad++ to remove the carriage return (CR) and line feed (LF) symbols from them. Refer to the document below for guidance on removing the CR and LF symbols.
https://superuser.com/questions/545461/replace-carriage-return-and-line-feed-in-notepad 

Step 4 : 
After completing the aforementioned steps, it is necessary to position the certificate file on the workday. For detailed instructions, please refer the document provided below.
https://docs.saviyntcloud.com/bundle/WD2-v23x/page/Content/Preparing-for-Integration.htm 

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

fullmoon_rout
New Contributor III
New Contributor III

Hi Sudesh,

As discussed over meeting today, the configurations are correct from Saviynt and Workday side. Also, we checked the success response from Postman. 
Request you to kindly share the ticket details, so that i can share the logs over the ticket to engineering team.

 

Regards,

Fullmoon

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @fullmoon_rout,

Can you create a new connection of connection type "Workday" not template and try with the creds we created today?

Thanks.
If you find the above response useful, Kindly Mark it as "Accept As Solution".

sudeshjaiswal
Saviynt Employee
Saviynt Employee

 

Hello @fullmoon_rout,

Here are the prerequisites you need to follow:

1. Create the ISU user with the proper permissions following the steps outlined in "Preparing Workday for Integration".

2. Download the SSL Certificate in the DER-encoded binary X.509(.CER) format from Workday.

3. Generate the certificate and private key for X509 authentication using the following commands:

```
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt (valid for 365 days)
```

4. Remove the Carriage Symbol from the Private Key and Certificate (LR/CF) Symbol using Notepad++.

5. Register the certificate in Workday (Search for the Create x509 Public Key task) and add the certificate created in Step 3. Tag the certificate with the ISU user. Refer to the document for detailed steps (7.b and 7.c).
Note: Configuring required permissions for this user to access the necessary web services is beyond the scope of this document.

6. Create a new connection in Saviynt with the following details in Connection Params.

a. Connection type: Workday_SOAP(Workday).
b. Add the SSL certificate generated from Workday in SSL Certificate.
c. Provide the BASE_URL, e.g., https://wd-test.workday.com
d. API_VERSION, e.g., v34.0
e. TENANT_NAME, e.g., Saviynt-pt1
f. USE_OAUTH: FALSE
g. USE_X509AUTH_FOR_SOAP: TRUE
h. X509_KEY: Place the Private Key generated in Step 3
i. X509_CERT: Place the Certificate generated in Step 3
j. USERNAME: Username created in Step 1
k. CUSTOM_CONFIG: {"httpVersion": "1.1"}

Save and test the connection. It should be successfull.

Thanks.
Sudesh

If you find the above response useful, Kindly Mark it as "Accept As Solution".