This part is optional but strongly recommended: before you start the configuration, make sure that SSO authentication is configured between Entra ID and Workday.

Verify SSO authentication between Entra ID and Workday

Before configuring watsonx Orchestrate, verify the SSO authentication between Entra ID and Workday. Use curl or Postman to run the commands.
1. Set your environment variables

Run the following commands in the terminal.
BASH
export CLIENTID=<entra_app_client_id>
export CLIENTSEC=<entra_app_client_secret>
export WD_TENANT=<entra_directory_tenant_id>
export SCOPE=http://www.workday.com/user_impersonation
export WD_CLIENTID=<workday_api_client_id>
export UNAME=<username_of_user>
# PWD is reserved by the shell for the current working directory, so the password uses UPASS.
export UPASS=<password_of_user>
Replace <entra_app_client_id>, <entra_app_client_secret>, <entra_directory_tenant_id>, <workday_api_client_id>, <username_of_user> and <password_of_user> with the appropriate information.
2. Add permissions to access the Workday API

Before you can exchange tokens and access Workday APIs by using Entra ID, you need to configure the permissions for your app in Microsoft Entra.
a. Open Microsoft Entra admin center and navigate to App registrations.
b. Select your application used for token exchange.
c. Go to API permissions and select Add a permission.
d. Choose the Workday API.
e. Select Delegated permissions and add the required scopes.
For detailed steps, see Configure an application to access a web API in the Microsoft documentation.
3. Get a login token from Entra ID

Use the following command to get a login token. The password grant type is used to simulate a user logging in to Entra ID.
BASH
curl -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/$WD_TENANT/oauth2/v2.0/token \
  -d "grant_type=password&client_id=$CLIENTID&client_secret=$CLIENTSEC&scope=api://$CLIENTID/default&username=$UNAME&password=$UPASS"
4. Exchange the login token for a SAML assertion

Use the following command to get a SAML assertion from Entra ID. The JWT bearer grant type is used to exchange the access token for a SAML assertion. Replace $TOKEN with the token you received in Step 3.
BASH
curl -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/$WD_TENANT/oauth2/v2.0/token \
  -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=$CLIENTID&client_secret=$CLIENTSEC&assertion=$TOKEN&scope=$SCOPE&requested_token_use=on_behalf_of&requested_token_type=urn:ietf:params:oauth:token-type:saml2"
5. Exchange the SAML assertion for a Workday access token

Run the following command to get a Workday access token. Replace $SAML_ASSERT with the SAML assertion that you received in Step 4.
BASH
# Double quotes let the shell expand $WD_CLIENTID and $SAML_ASSERT; single quotes would send them literally.
curl -X POST https://<workday_domain>/ccx/oauth2/<workday_tenant>/token \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&client_id=$WD_CLIENTID&assertion=$SAML_ASSERT"
Replace the placeholders with your app’s details.
Parameter          Description
<workday_domain>   The domain of your Workday instance. This is where API requests are sent.
<workday_tenant>   Your Workday tenant identifier.
$SAML_ASSERT       The SAML assertion token received from Entra ID. Used to request a Workday access token.
6. Trigger the Workday API

Use the access token that you received in Step 5 to call the Workday API.
BASH
curl --location 'https://<workday_domain>/ccx/api/common/v1/<workday_tenant>/workers' \
  --header 'Authorization: Bearer <workday_access_token>'
7. Result

If the token is valid and the API is correctly configured:
  • Workday returns a JSON response containing a list of workers for the specified tenant.
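
When Step 4 or Step 5 rejects a token, decoding what Entra ID returned can show why. The following Python helper is an added example, not part of the original procedure: it decodes the Step 3 JWT and the Step 4 SAML assertion so you can compare audience, subject and expiry with your Workday configuration. It assumes the assertion is returned base64url-encoded and that an acceptable aud is the client ID or api://<client_id>; the function names are hypothetical and the sample tokens are constructed.

```python
import base64, json, time
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def b64url_decode(text):
    """Decode base64url, restoring the padding that tokens omit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token):
    """Return the JWT payload. Inspection only: the signature is NOT verified."""
    return json.loads(b64url_decode(token.split(".")[1]))

def check_login_token(token, client_id, now=None):
    """List problems with the Step 3 token (assumes aud is the client ID or its api:// URI)."""
    claims, problems = jwt_claims(token), []
    now = time.time() if now is None else now
    if claims.get("aud") not in (client_id, f"api://{client_id}"):
        problems.append(f"aud is {claims.get('aud')!r}, not the calling app")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def saml_summary(assertion_b64):
    """Decode the Step 4 assertion (assumed base64url) and return the fields to compare."""
    root = ET.fromstring(b64url_decode(assertion_b64))  # parse only your own tenant's output
    find = lambda path: root.findtext(path, namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": find("saml:Issuer"),
        "name_id": find("saml:Subject/saml:NameID"),
        "audience": find("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
    }

# Constructed samples, not real tokens: an unsigned JWT and a minimal assertion.
SAMPLE_JWT = ".".join(b64url_encode(json.dumps(part).encode()) for part in (
    {"alg": "none"}, {"aud": "api://11111111-aaaa", "exp": 2000000000})) + ".sig"
SAMPLE_SAML = b64url_encode(
    b'<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<Issuer>https://sts.windows.net/constructed-tenant/</Issuer>"
    b'<Subject><NameID>jdoe</NameID></Subject><Conditions NotOnOrAfter="2033-05-18T03:33:20Z">'
    b"<AudienceRestriction><Audience>http://www.workday.com</Audience></AudienceRestriction>"
    b"</Conditions></Assertion>")

if __name__ == "__main__":
    print(check_login_token(SAMPLE_JWT, "11111111-aaaa"), saml_summary(SAMPLE_SAML))
```

Neither function verifies a signature, so use the output for troubleshooting only, never to make an authentication decision.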