5 E A S Y S T E P S T O W O R K D AY- D R I V E NIDENTIT Y LIFECYCLE MANAGEMENTMinimizing Information Access RiskFor many growing companies that have made cloud a strategic businessinitiative, Workday is quickly becoming the Human Capital Management(HCM) solution of choice. In many organizations, HR is instrumental inthe employee on-boarding process and are usually the first departmentinvolved when employees enter or exit the company.The HR department’s role in the hiring process allows them to maintainthe most accurate and up-to-date record of employee status, but areoften required to delegate authority to the IT department to implementthe manual process of provisioning and deprovisioning employeeaccess within the network. Unfortunately, the delay between HRrequesting change and IT implementing those changes can open awindow of vulnerability that disgruntled employees can easily takeadvantage of - potentially causing the company irrevocable damageand loss.HR Regains Ownership of TheEmployee Identity LifecycleTo solve these issues and minimize risk, organizations are beginning toplace the ownership of employee status changes back into the handsof the business owners - the Human Resources department - helpingto relieve the overall burden on IT. This fundamental shift in ownershiphelps organizations to streamline the hiring process and minimize anywindow of potential exposure when employees leave the company.To do this effectively, Workday must therefore become the primarysource for user identity within the enterprise to enable seamless accessto cloud and other internal network resources - without impacting theintegrity of other existing identity repositories.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

Streamline User ProvisioningWorkflows with WorkdayOrganizations looking to leverage Workday as the primary systemof record for user identity and application access control can speeddeployment with preconfigured integration into OneLogin’s enterpriseidentity management system. OneLogin allows enterprises to streamlinetheir user provisioning workflows between Workday, Active Directory(AD) and other cloud applications to simplify user identity and employeelifecycle management processes, provision new applications faster, andstrengthen security by removing the need for multiple application useraccounts and passwords.How Do I Get Started?The 5 Steps to HR-driven Identity Lifecycle Management150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

H O W D O I G E T S TA R T E D ?S T EP 1 :P ROV ISI O N ACT I V E DI REC TORYWIT H WO R K DAY I DENT I T YOnce a OneLogin account has been created, the administrator caneasily add Workday as the authoritative source of identity for Oneloginand in turn, all other cloud applications used within the organization.For enterprise environments using both Workday and Active Directory,Workday can replace Active Directory as the primary identity repositoryor feed user data into Active Directory. Accounts can be quicklypropagated and provisioned within Active Directory based on the usersand groups already existing in Workday.To do this, OneLogin’s Active Directory Connector is deployed as aMicrosoft Windows service behind the firewall. The Active DirectoryConnector maintains a secure, outbound, persistent SSL connection toOneLogin and is used to synchronise changes between Workday andActive Directory. As user additions and changes are made in Workday,Onelogin ensures that records maintained in Workday are synchronizedautomatically with Active Directory.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

S T EP 2:CO N F IG U R E SAML F OR WORKDAYFrom the Onelogin console, administrators can quickly configurethe SAML Identity Providers and download an X.509 Public Key,which is then used by Workday to verify the authenticity of SAMLresponses. OneLogin uses SAML to authenticate users into Workdayand other application resources without requiring additional passwordauthentication from the user.In many organizations, roles have become the primary method used toassign access rights and permissions to defined groups of employees.Roles are the key component of OneLogin and are used to grant usersaccess to an application. Roles are typically linked to specific groups inthe corporate directory and members of that group are then grantedaccess to the applications in OneLogin.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

S T EP 3 :CO N F IG U R E DESKTOP SSO F ORWO RK DAY, CLOUD AND ENT ERPRI SEA PP L IC AT IO N SOneLogin’s out-of-the-box Workday Connector allows administratorsto quickly implement single sign-on functionality within their enterpriseenvironment. Using digital signatures to establish trust between theidentity provider and the application, SAML simplifies the centralizationof access control by effectively eliminating the need for multiplepasswords. This helps to improve the overall security posture of theenterprise and improve employee productivity.OneLogin uses Integrated Windows Authentication (IWA) toautomatically sign in users to Workday once they have authenticated totheir Windows domain. This integration gives end-users a seamless SSOexperience from their desktop for any cloud application as well as theircommonly accessed enterprise applications.With OneLogin, users also have “On The Go” Mobile Access to Workdaywith more supported mobile platforms and services than anyone elsein the industry. OneLogin Mobile enables employees to easily signinto Workday while on the go and gain access to the full Workdayapplication. This provides a seamless user experience across desktops,laptops and mobile devices and equates to lower IT helpdesk requests.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

S TEP 4 :FU L LY P ROV ISI ON USERS W I T HWO R K DAY-D R I V EN I DENT I T YMA N AG EMEN TWith SAML successfully enabled and single sign-on configured,OneLogin can recognize Workday as a single authoritative source ofidentity. Updates within Workday will be transparently synchronized withOneLogin. OneLogin then automatically updates LDAP, Active Directoryand other cloud-based application identities without IT interventiontypically required with manual synchronization processes.HR personnel can easily create a new employee record in Workday withminimal information such as name, email, title, contact information anda provisioning group identifier. OneLogin then uses the information tomap each user to an existing organizational unit within Active Directory,allowing HR personnel to fully provision users from Workday - withoutthe need to access Active Directory directly. This maintains the integrityof both HR and IT system administrative boundaries and avoids anypotential conflicts of interest.Creating or updating a user may also invoke the provisioning to othercloud applications, such as Box, Google Apps, Salesforce and Yammer.OneLogin maps each Active Directory group membership to theWorkday role that defines the access policy from a list of availableapplications. In turn, the real-time synchronization also provides HRwith an effective user “kill switch” that automatically deactivates accessto user accounts and business critical applications directly from withinWorkday.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

STEP 5:C R EAT E CU STO M I DENT I T Y F I EL DS TOS UPP O RT EX T ENDED AT TRI B UT ESWorkday and Active Directory are two solutions that give enterprises theability to leverage a broad set of extensible identity attributes to furtherdefine a user’s identity. OneLogin is able to recognize these attributesvia custom fields, making it possible to support all the identity attributespreviously defined in Workday when synchronized to Active Directory.OneLogin can also import any identity attributes from Workday throughWorkday Reports by mapping the custom attribute fields that generated inWorkday to field values within OneLogin. Once the user fields have beenmapped, Workday can successfully export users automatically with theirdefined attributes over to OneLogin.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

CO N C LU SIO NToday, any change in employee status requires involvement by the ITdepartment. Onelogin’s seamless integration with Workday allows theHR Department to contribute to the management of the employeelifecycle and simplify the process of employee on- and off-boarding.OneLogin can eliminate the delay in communicating employee statuschange between HR and the IT department, effectively closing anywindows of vulnerability.By taking these 5 steps to Workday-driven identity lifecyclemanagement, your organization can utilize Workday as the primarysystem of record for user identity and application access control.OneLogin’s integration with Workday allows enterprises to minimizerisk and close these windows of vulnerability by streamlining userprovisioning workflows between Workday, Active Directory (AD)and other cloud applications. The value in this integration goes waybeyond simplifying the employee lifecycle process. It also enables ITto deliver new applications faster, strengthens security by removingthe need for maintaining multiple accounts and passwords per user,and relieves the burden on IT resources by providing basic identity andaccess management capability to HR Driven Identity Management usingWorkday.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

AB O UT ONELOGI NOneLogin is the innovator in enterprise identity management andprovides the industry’s fastest, easiest and most secure solution formanaging internal and external users across all devices and applications.The only Challenger in Gartner’s IDaaS MQ, considered a “Major Player”in IAM by IDC, and Ranked #1 in Network World Magazine’s review ofSSO tools, OneLogin’s cloud identity management platform providessecure single sign-on, multi-factor authentication, integration withcommon directory infrastructures such as Active Directory and LDAP,user provisioning and more. OneLogin is SAML-enabled and preintegrated with thousands of applications commonly used by today’senterprises, including Microsoft Office 365, Asure Software, BMCRemedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMCSyncplicity, EchoSign, Google Apps, Innotas, LotusLive, NetSuite, OracleCRM On-Demand, Parature,, SuccessFactors, WebEx,Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. isbacked by CRV and The Social Capital Partnership.150 Spear Street, Suite 1400San Francisco, CA 94105 877 979 0411 onelogin

secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAML-enabled and pre-integrated with thousands of applications commonly used by today’s enterpr