This guide walks you through setting up the necessary credentials in Workday to authenticate Sentinel using OAuth 2.0. It includes creating an integration system user, registering an API client, generating secrets, and entering the information into Sentinel.
Step 1: Enable OAuth 2.0 in Workday
Activating OAuth 2.0 support in your Workday tenant is a prerequisite for registering API clients and issuing tokens. Without this, OAuth-based integrations cannot be configured.
Log in to your Workday tenant with administrative access.
In the search bar, type Edit Tenant Setup - Security.
Scroll to the OAuth 2.0 Settings section.
Check OAuth 2.0 Clients Enabled.
Click OK to save changes.
Step 2: Create an Integration System User (ISU)
An ISU acts as a dedicated system identity for integrations, allowing for secure and controlled access to Workday data. It ensures that integration activities are performed under a specific user context.
Search for Create Integration System User.
Enter a username (e.g., SentinelISU) and strong password.
Uncheck Require New Password at Next Sign In.
Set Session Timeout Minutes to 0.
Click OK.
Step 3: Assign Security Group and Permissions
Assigning the ISU to an appropriate security group with the necessary domain permissions ensures that the integration has access only to the required data and operations within Workday.
Search for Create Security Group.
Select Integration System Security Group (Unconstrained).
Name it (e.g., SentinelISUGroup) and click OK.
Add the ISU to this group.
Search for Maintain Permissions for Security Group.
Set Operation to Maintain.
Set Source Security Group to the group you just created (e.g., SentinelISUGroup).
Click OK.
Add two domain security rules:
GET only for Integration Events
GET only for Integration Process
Click OK.
Search and complete Activate Pending Security Policy Changes.
Step 4: Register an API Client for Integration
Registering an API client provides the credentials necessary for OAuth 2.0 authentication. This step is crucial for establishing a secure connection between Sentinel and Workday.
Search for Register API Client for Integrations.
Enter a Client Name (e.g., SentinelClient).
Set Grant Type to Refresh Token.
Set Token Expiration to Never.
(Optional) Configure IP ranges if needed.
Set the Scope to Integration.
Click OK.
Record the generated Client ID (you will generate the Client Secret in Step 5).
Step 5: Generate a Client Secret and Refresh Token
A client secret and refresh token together allow Sentinel to securely request access tokens to retrieve Workday data. The client secret authenticates the app, and the refresh token allows continuous access without user intervention.
Search for View API Clients.
Click the section for API Clients for Integration, then locate and select your SentinelClient.
Hover over the client name, click the ellipsis (...) to open related actions, then navigate to:
API Client > Generate New Client Secret, check the confirmation box, and click OK.
Record the generated Client ID (you will generate the Client Secret in Step 5), then click Done.
Hover over the client name again, click the ellipsis (...) to open related actions, then navigate to:
API Client > Manage Refresh Tokens for Integrations.
In the Workday Account prompt, search for and select the ISU you created earlier (e.g., SentinelISU)
Click OK.
On the next screen, check Generate new refresh token and click OK.
Record and securely store both the Refresh Token.
Step 6: Configure Sentinel with Workday OAuth Credentials
Inputting the obtained credentials into Sentinel finalizes the setup, allowing it to authenticate with Workday and perform the necessary API calls.
In Sentinel UI, go to the Integration Settings or Credentials section.
Enter the following:
Tenant Name (e.g., acme_company)
Data Center (e.g., wd3, us2, etc.)
Client ID
Client Secret
Refresh Token
Click Save to store credentials.