Purpose
This article provides detailed, step-by-step instructions for Workday administrators to identify and resolve ISU (Integration System User) web service SignOn failures related to Auditoria integrations.
Prerequisites
- Access Level: Workday administrator
-
Permissions:
- Access to “Signons and Attempted Signons” report
- Ability to update and activate authentication policies
- Auditoria integration and security group knowledge
-
Accounts: Know the ISU (for example,
ISU_AUDITORIA) associated with your Auditoria setup
Procedure
Step 1: Access the Signons and Attempted Signons Report
- In the Workday search field at the top, type
Signons and Attempted Signons. - Select Signons and Attempted Signons (Report) from the dropdown. See Figure 1.
Figure 1: Searching and opening the Signons and Attempted Signons report
Step 2: Set the Date Range and Workday Account(s)
- In the criteria dialog, set:
- From Moment: Start date and time for your investigation window.
- To Moment: End date and time for the investigation window.
-
Under filter options, select Select Workday Accounts and specify the ISU account (for example,
ISU_AUDITORIA).Tip: ISUs typically have naming conventions such as
ISU_*.Figure 2: Specifying date range and Workday account
- Click OK to apply the selection and load results.
Tip: For broader troubleshooting, you may use Select All to review all user accounts or apply regular expressions for group selection.
Step 3: Filter by Authentication Channel
- In the report’s results, locate the Authentication Channel column.
- Click the filter icon (funnel icon) in the Authentication Channel header.
- Select Web Services from the filter dropdown, so that only web services-based authentications display.
- Click Filter to show only sessions authenticated using web services (typically OAuth 2.0). See Figure 3.
Figure 3: Filtering Authentication Channel to Web Services.
Step 4: Review SignOn Results for Errors
- Scan the filtered results for sign-on attempts with:
- Failed status
- Error messages or failure-related details in the results grid
- User and session details matching the ISU (e.g.,
ISU_AUDITORIA) and Auditoria integration
-
Click on failed entries (magnifying glass or detail icon) to view:
- Error codes/messages (such as authorization errors, invalid credentials, insufficient permissions)
- Timestamps and IP addresses, in case of suspected access issues
Note: Common error examples include:
- Invalid credentials (“Invalid Username or Password”)
- Expired/Inactive User (“Account Disabled or Expired”)
- Insufficient Permissions (“Security Group Not Assigned”)
- Authentication Policy Block (“Policy Restricts Web Services Access”)
Step 5: Remediate Detected Issues
Based on observed errors, perform the following remediation:
Invalid Account Credentials
- Reset the ISU password or refresh the OAuth 2.0 credentials as applicable.
- Confirm Auditoria is using the correct client and secret values (for API integrations).
Account Disabled or Expired
- Reactivate the ISU account.
- Ensure password policies or account expiry rules have not caused lockout.
Security Group Issues
- Ensure the ISU is correctly assigned to the Auditoria-specific security group.
- Verify the security group grants the required permissions for web services.
Policy Restrictions
- Review and, if necessary, update the authentication policies to allow web services for the ISU and Auditoria use.
- Specifically, confirm the policy grants access for API/OAuth 2.0 sign-ons.
Step 6: Activate Authentication Policy Changes
- After making adjustments to permissions, user assignment, or authentication policy, ensure that all changes are activated or published in Workday.
- Some changes may require approval or additional policy publishing steps.
-
Confirm that policy changes are live before retesting sign-ons.
Important: Unpublished policy changes will not take effect and may leave integrations nonfunctional.
Tips and Best Practices
- Document every change: Record what changes were made, by whom, and why.
- Adopt least-privilege: Only assign the minimum necessary permissions to the ISU.
- Audit regularly: Periodically review sign-on attempts to detect recurring issues or potential unauthorized access.
Note: If unsure about an error message, consult Workday’s authentication documentation or contact Auditoria technical support (support@auditoria.ai).
Important: Never disclose sensitive credentials or configuration data in support tickets.