Web Service Authentication – Debugging Web Service SignOn Failures

Purpose

This article provides detailed, step-by-step instructions for Workday administrators to identify and resolve ISU (Integration System User) web service SignOn failures related to Auditoria integrations.


Prerequisites

  • Access Level: Workday administrator
  • Permissions:
    • Access to “Signons and Attempted Signons” report
    • Ability to update and activate authentication policies
    • Auditoria integration and security group knowledge
  • Accounts: Know the ISU (for example, ISU_AUDITORIA) associated with your Auditoria setup

Procedure

Step 1: Access the Signons and Attempted Signons Report

  1. In the Workday search field at the top, type Signons and Attempted Signons.
  2. Select Signons and Attempted Signons (Report) from the dropdown. See Figure 1.

Figure 1: Searching and opening the Signons and Attempted Signons report


Step 2: Set the Date Range and Workday Account(s)

  1. In the criteria dialog, set:
    • From Moment: Start date and time for your investigation window.
    • To Moment: End date and time for the investigation window.
  2. Under filter options, select Select Workday Accounts and specify the ISU account (for example, ISU_AUDITORIA). 

    Tip: ISUs typically have naming conventions such as ISU_*

    Figure 2: Specifying date range and Workday account

  3. Click OK to apply the selection and load results.

Tip: For broader troubleshooting, you may use Select All to review all user accounts or apply regular expressions for group selection.    


Step 3: Filter by Authentication Channel

  1. In the report’s results, locate the Authentication Channel column.
  2. Click the filter icon (funnel icon) in the Authentication Channel header.
  3. Select Web Services from the filter dropdown, so that only web services-based authentications display.
  4. Click Filter to show only sessions authenticated using web services (typically OAuth 2.0). See Figure 3.

Figure 3: Filtering Authentication Channel to Web Services.


Step 4: Review SignOn Results for Errors

  1. Scan the filtered results for sign-on attempts with:
    • Failed status
    • Error messages or failure-related details in the results grid
    • User and session details matching the ISU (e.g., ISU_AUDITORIA) and Auditoria integration
  2. Click on failed entries (magnifying glass or detail icon) to view:

    • Error codes/messages (such as authorization errors, invalid credentials, insufficient permissions)
    • Timestamps and IP addresses, in case of suspected access issues

    Note: Common error examples include:

    • Invalid credentials (“Invalid Username or Password”)
    • Expired/Inactive User (“Account Disabled or Expired”)
    • Insufficient Permissions (“Security Group Not Assigned”)
    • Authentication Policy Block (“Policy Restricts Web Services Access”)

Step 5: Remediate Detected Issues

Based on observed errors, perform the following remediation:

Invalid Account Credentials

  • Reset the ISU password or refresh the OAuth 2.0 credentials as applicable.
  • Confirm Auditoria is using the correct client and secret values (for API integrations).

Account Disabled or Expired

  • Reactivate the ISU account.
  • Ensure password policies or account expiry rules have not caused lockout.

Security Group Issues

  • Ensure the ISU is correctly assigned to the Auditoria-specific security group.
  • Verify the security group grants the required permissions for web services.

Policy Restrictions

  • Review and, if necessary, update the authentication policies to allow web services for the ISU and Auditoria use.
  • Specifically, confirm the policy grants access for API/OAuth 2.0 sign-ons.

Step 6: Activate Authentication Policy Changes

  1. After making adjustments to permissions, user assignment, or authentication policy, ensure that all changes are activated or published in Workday.
  2. Some changes may require approval or additional policy publishing steps.
  3. Confirm that policy changes are live before retesting sign-ons.

    Important: Unpublished policy changes will not take effect and may leave integrations nonfunctional.


Tips and Best Practices

  • Document every change: Record what changes were made, by whom, and why.
  • Adopt least-privilege: Only assign the minimum necessary permissions to the ISU.
  • Audit regularly: Periodically review sign-on attempts to detect recurring issues or potential unauthorized access.

Note: If unsure about an error message, consult Workday’s authentication documentation or contact Auditoria technical support (support@auditoria.ai).

Important: Never disclose sensitive credentials or configuration data in support tickets.