06 December 2018

Top 5 identity challenges for HCM SaaS integration – and how to overcome them

Written by Matt Owen

The key identity and access management challenges you need to address to ensure successful HCM SaaS deployment.

So, your organisation’s on-premises Human Capital Management (HCM) solution is due an upgrade and your HR department have made the decision to move their HCM system into the cloud, using something like Workday, SuccessFactors, ADP or BambooHR. There is no disputing the many benefits of cloud-based SaaS HCM solutions, such as employee self-service, faster onboarding/offboarding of new users, better employee engagement, and reduced costs and administration time.

HCM systems are one of the most widely-adopted technologies in business, but despite their popularity, implementation and adoption challenges remain. As with any new system deployment, however easy the vendor may make it sound, there are some important challenges you should consider to ensure successful integration with existing IAM systems and to maintain critical security and access governance procedures.

5 IAM challenges that could prevent a successful HCM SaaS deployment

Here is our list of the top 5 HCM SaaS deployment challenges you need to address to avoid identity synchronisation headaches and access governance pitfalls:

Challenge 1: Migrating employee data to your new HCM SaaS solution

HR, rightly so, should be the department that knows first about joiners, movers and leavers (JML), so it makes sense to update and maintain all this information in the Cloud HCM system. You want the HCM SaaS solution to be the new authoritative source, the ‘single source of truth’ for employee identity, but can you get the data in easily? Have you considered how to deal with the migration?

You may well encounter data quality issues upon migration of data and records into your new HR solution. Common issues include (but are not limited to) incomplete or incorrect staff records, a mismatch between IT accounts and HR accounts, or your Active Directory holding far more accounts than HR has employees, ‘dormant’ accounts left behind by a lack of directory maintenance.

You may also need assistance in securely and reliably writing back information from your current authoritative source (Active Directory or other) to the new HCM SaaS solution. A common example of this is writing back telephone numbers and email addresses (we do this a lot).

Challenge 2: How do you get the information OUT to support your IAM and JML processes?

Now that your cloud HR tool is the authoritative source, the IT department will want to get timely and detailed data out quickly and easily, to feed the hungry IAM system and provision access for JML processes.

The first hurdle to overcome with HCM SaaS solutions is that programmatic interfaces to these new cloud systems are often not designed for bulk data transfer, and are more likely to support only the “tell me which employee you are interested in and I’ll give you that information” model (an API based solely around single-employee queries). SaaS applications can sometimes be a little too simplistic in terms of reporting functionality, often because they are designed with a more commercially orientated front-end and UI, as opposed to their more detailed (and sometimes a little less snazzy) IAM counterparts.

As a starting point, it’s well worth taking a look at the Microsoft tutorials for automatic user provisioning with Workday.

We recognise that no two organisations are the same, however, so it’s also possible that your organisation may need to configure a more bespoke interface, from which you can extract full or delta employee information to fit your own processes.

Timing is everything

When can HR make JML information available to IT for provisioning of accounts? Can IT provision accounts before the user’s start date (that would be nice!)?

With regard to joiners, any delay in synchronisation (even just overnight) will mean disruption and a less than optimal day-one experience for a new starter as they struggle to log in to key systems. Processes need to be fully automated to avoid manual procedures and human error, and to remove admin tasks from both the HR and IT departments wherever possible.

With regard to movers and leavers, the goal is to enable proper maintenance processes, ensuring data governance and control over user access and security.

If you can’t get the information out easily and on time, this will create big synchronisation headaches for IT and HR.
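Challenges 1 and 2 both come down to comparing what HR says with what the directory holds. The following is an added example, not code from ThirdSpace or from this article, that turns a full HR extract plus a directory export into a JML delta and at the same time flags the data-quality problems described above (HR/IT attribute mismatches, dormant accounts, and directory accounts with no HR identity behind them). The record layouts, field names, sample data and the 90-day dormancy threshold are all assumptions.

```python
from collections import namedtuple
from datetime import date

# Assumed record layouts; end_date None = still employed, last_logon None = never logged on.
HrRecord = namedtuple("HrRecord", "employee_id email department end_date")
DirAccount = namedtuple("DirAccount", "employee_id email department enabled last_logon")

def reconcile(hr, directory, today, dormant_days=90):
    """Return the JML delta plus the data-quality findings, keyed by employee id."""
    hr_by_id = {r.employee_id: r for r in hr}
    dir_by_id = {a.employee_id: a for a in directory}
    out = {k: [] for k in ("joiners", "movers", "leavers", "dormant", "orphans")}
    for eid, rec in hr_by_id.items():
        employed = rec.end_date is None or rec.end_date >= today
        acct = dir_by_id.get(eid)
        if acct is None:
            if employed:                      # no account yet: provision (future starters too)
                out["joiners"].append(eid)
        elif not employed:
            if acct.enabled:                  # leaver whose account is still live
                out["leavers"].append(eid)
        else:
            if (acct.email, acct.department) != (rec.email, rec.department):
                out["movers"].append(eid)     # attribute drift: the HR record wins
            if acct.enabled and (acct.last_logon is None
                                 or (today - acct.last_logon).days > dormant_days):
                out["dormant"].append(eid)    # no recent logon: review or disable
    out["orphans"] = [eid for eid in dir_by_id if eid not in hr_by_id]  # IT account, no HR identity
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample data with a fixed "today" so the result is reproducible.
TODAY = date(2018, 12, 6)
SAMPLE_HR = [
    HrRecord("E001", "alice@example.org", "Finance", None),
    HrRecord("E002", "bob@example.org", "IT", None),                    # starts next week
    HrRecord("E003", "carol@example.org", "Sales", None),               # moved teams
    HrRecord("E004", "dave@example.org", "Finance", date(2018, 11, 30)),  # left last week
    HrRecord("E005", "erin@example.org", "Legal", None),                # never logs on
]
SAMPLE_DIR = [
    DirAccount("E001", "alice@example.org", "Finance", True, date(2018, 12, 5)),
    DirAccount("E003", "carol@example.org", "Marketing", True, date(2018, 12, 4)),
    DirAccount("E004", "dave@example.org", "Finance", True, date(2018, 11, 29)),
    DirAccount("E005", "erin@example.org", "Legal", True, None),
    DirAccount("E999", "old-svc@example.org", "IT", True, date(2017, 1, 1)),
]
```

Run nightly against the full extract, the "joiners", "movers" and "leavers" lists are the delta feed for the IAM system, while "dormant" and "orphans" are the directory hygiene backlog to clear before the HCM system is declared the single source of truth.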


Challenge 3: Can your new Cloud HCM solution deal with more complex access requirements?

Most of the new SaaS HCM systems provide all the core functionality for role-based security, but many are not comprehensive enough to deal with more advanced access requirements, such as time-limited access permissions, protecting privileged access accounts or monitoring privilege escalations. You may well need to integrate your HCM solution with tools such as PIM/PAM to effectively grant ‘just in time’ administrator access.

Challenge 4: How do you deliver a productive and secure integration?

HR and employee ‘self-service’, for maximum productivity, is a great idea! You want to provide it. Employees want it. We want to help you to achieve it!

Self-service is a huge driver and benefit of HCM SaaS solutions, but how can you integrate and secure it properly in a manner that complements your existing IAM strategy?

A typical first reaction from an HR solution provider is “we have our own secure access model that makes this really easy for you”. Let me translate for you: “we have our own user accounts database”. We don’t think you want that.

We would strongly recommend that you aim to integrate your HR solution with Azure AD rather than opting for the HCM supplied ‘self-service’ access accounts database, as otherwise you are dealing with yet another ID store (another account to manage and protect).

For Workday integrations with Azure AD you should start by reviewing the Microsoft tutorial “Azure Active Directory integration with Workday”. Or, if you’re looking at an alternative HCM SaaS solution, like SuccessFactors, then take a look at the further integration guidance here.

Once you have integrated your SaaS HCM solution with your existing Azure AD, you will be able to control access, enable easy self-service with single sign-on (SSO) and manage/synchronise your accounts from just one central location. Once the HCM solution is integrated with Azure AD, we would also recommend implementing MFA for extra security.

Before selecting your HCM solution, you should check the Azure Active Directory Application Gallery to see if your chosen cloud HR solution already supports Azure SSO.

If not, all is not lost, because Microsoft also supports SSO to applications which are not (yet) in the application gallery. Your options would be SAML, password-based SSO, or federated (or linked) access (ADFS etc.).

Lastly, have you also thought about how to get users into your SaaS HCM solution if not all your users are ‘connected’? (For example, non-computer-facing staff, contractors and freelancers.) In this instance, it may be necessary to integrate your SaaS HR tool with both a cloud directory like Azure AD and an on-premises Active Directory… this is where it can get a little more complicated.

Challenge 5: Secure distribution of new employee credentials

So now you have your authoritative source for employees sorted, and you can provision users to your on-premises and cloud-based applications, all configured for secure SSO (naturally), but, upon launch, how do you securely distribute a user’s first set of credentials to them?

Print them out? Email them? Leave a sticky note on their desk? Or tell their line manager what they are?

This is where a clever little tool called Access Centre Activation can come in very handy, allowing simple and secure management of initial password setting, flexible methods of authentication and a reduced chance of users setting weak or insecure passwords.


Whether you are contemplating implementing or have already implemented a SaaS HR solution and would like help configuring it as an authoritative source for your IAM solution, or if you need help providing secure SSO to your HR (or any other) cloud-based solution, we can help.


About Matt Owen

Matt joined ThirdSpace as an Architect in 2020, with a particular focus on identity solutions. With nearly 30 years of industry experience, working for clients as diverse as banks, broadcasters, insurance providers and government departments, there are very few challenges that he has not seen before.

