Workday SOAP API : How to authenticate

Question

I'm a newbie to workday soap api and I'm trying to figure out how to send a soap request to authenticate using SOAPUI. Any suggestions, would be greatly appreciated.

SOAP works with WDSL, you should be able to see how to create your message using the definition there, consider import it using SOAPUI, that create the stubs automatically. — Koitoer, Nov 25 '14 at 16:49
Check my answer here: http://stackoverflow.com/questions/31684340/workday-soap-api-user-name-password. That's the envelope that you can use in SoapUI and others. — Yavor, Apr 04 '16 at 19:17
Anyone knows if Workday supports authentication using REST API? — RodrikTheReader, Jan 30 '20 at 09:53

score 24 · Accepted Answer · edited Sep 06 '16 at 06:04

24

Workday APIs use WS-Security for authentication.

Remember that the workday host is multi-tenant. So, you'll use the WSDL endpoint to connect to the correct server, and the user name field will contain both your user name and the tenant on that server.

User name format for SOAP Auth to Workday: [user-name]@[tenant-name]

Example: youUserName@tenant6

Your workday account will need to be in the Integration Developer's group, as well.

You may need to adjust security and permissions beyond that to permit access to certain functional groups and domains which relate to the web service.

If you're using SoapUI, do the following:

Import the WSDL into a project.
In "Integration binding", go to settings.
On the "Service endpoints" tab, set the username as I've described above.
Set the password to your password in the tenant.
The WSS-Type should be set to PasswordText.

Now, you can make a request.

edited Sep 06 '16 at 06:04

Bilesh Ganguly

3,792
3
36
58

answered Dec 26 '14 at 17:58

dbh

1,607
13
18

I get no Settings option in Integration Bindings in SOAP UI 5.2.0. I can set it on each Request as Username, password, and then setting WSS-PasswordType to PasswordText. I was hoping there was a way to set it for all the objects in the imported WSDL. – geoffc Nov 07 '17 at 18:08
Looks like I got this right, but I am missing how to setup security for my user on Workday to allow my account to make SOAP calls. – Aaron C Jun 06 '18 at 20:16
While the premise in this answer remains correct, in more recent versions of SoapUI, the WS-Security configuration has moved. See https://www.soapui.org/docs/soapui-projects/ws-security/ for more details on this. – esqew Sep 08 '20 at 16:34
I’m no longer involved in workday, but @esqew ‘s update is welcome. TY! Happy that people find this question and answer helpful – dbh Sep 08 '20 at 16:47
Is it possible to access to API as a regular user of Workday (mere mortal of one of the tenants)? I mean I have access thru web (obviously) but does it mean I can have access to the same functions via API? – 0andriy Oct 03 '20 at 10:43
1

@0andriy you will need some privileges granted to access certain domains / API areas, as your regular user account, before you can probably access any workday api. – dbh Oct 05 '20 at 13:33

cdonner · Answer 2 · 2014-11-26T14:44:37.397

Not sure what exactly you are referring to. You authenticate implicitly - there is no separate request. The Workday API documentation is published here. You should read it. When you import the WSDL, for example in a .Net solution, it will give you access to various API classes.

For example, to connect to the Compensation API from an SSIS script task I use the following:

// Instantiate and configure compensation client
CompensationPortClient compClient =  // I use custom binding - gives me more control
      new CompensationPortClient(CompensationObjectFactory.getWorkdayBinding(), 
      new EndpointAddress(endpointURL));

compClient.ClientCredentials.UserName.UserName = userName;
compClient.ClientCredentials.UserName.Password = password;

(I created the CompensationObjectFactory to instantiate all the client-side API objects because the process is somewhat formulaic.) Then you can make API calls with the client object, for example, query a one-time award:

Request_OneTime_Payment_RequestType request = 
    CompensationObjectFactory.getOneTimePaymentRequest(
        CompensationObjectFactory.getBusinessProcessParameters(),
        CompensationObjectFactory.getOneTimePaymentData(
                  planId, currency, amount, effDt, emplID, positionID));

Request_OneTime_Payment_ResponseType response = 
          compClient.Request_OneTime_Payment(request);

score 6 · Answer 3 · answered Oct 02 '18 at 21:48

I finally figured this out after debugging a working SOAP UI example by installing wireshark and forcing my request over HTTP!

The previously posted header example did not work for me because it was missing some info. I noticed further that my captured header worked several hours later and I developed a theory that Workday was ignoring everything but username and password. So I tested the following and it worked:

<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="bogus">
      <wsse:Username>user@tenant</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[PASSWORD HERE]</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bogus</wsse:Nonce>
      <wsu:Created>2000-10-02T21:12:28.365Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>

Best of luck if you are reading this. SOAP is a complete nightmare!

score 2 · Answer 4 · edited Oct 03 '18 at 02:09

To add to the responses already here, you may need to also add in your credentials in the SOAP header, like so:

<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:UsernameToken wsu:Id="bogus">
      <wsse:Username>[user]@[tenant]</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[PASSWORD HERE]</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bogus</wsse:Nonce>
      <wsu:Created>2000-10-02T21:12:28.365Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>

score 0 · Answer 5 · answered Apr 28 '22 at 17:25

0

Modifying "Request Properties" worked for me. The username is [user-name]@[tenant-name] as mentioned in @dbh's answer

Screenshot:

answered Apr 28 '22 at 17:25

armandino

17,625
17
69
81

Workday SOAP API : How to authenticate

5 Answers5

Linked