ThirdSpace ThirdSpace
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Solutions
  • People
Load more

A clean bill of health: Workday SaaS HR solution deployed at international healthcare group


Our client (who wishes to remain anonymous), a global healthcare giant, needed help integrating the Workday cloud SaaS app with their Active Directory, Azure AD and Microsoft Identity Manager (MIM) systems.

They had limitations with their global joiner-leaver-mover (JML) processes, including integration and adoption of internal technologies and services, which had developed as the business had grown.

They wanted to introduce the Workday HCM solution as the new authoritative source – the ‘single source of truth’ for identities – to help streamline JML processes and maintain secure access governance. This needed to cater for both ‘wired’ and ‘unwired’ users and integrate seamlessly with another of their important HR and IAM SaaS applications, ServiceNow.


  • Bulk migration of multiple sets of user data into Workday.
  • Integration of Workday with various IAM platforms.
  • Secure joiner processes for provisioning new user identities.
  • Bespoke IAM auditing and reporting capabilities.
  • Ongoing managed support to support in-house IT.

The problem

The IT team at our client’s HQ were tasked by the Board to deliver on a very important project:

“To deliver a single source of truth for HR and IAM and to make available a number of common services to employees globally through digitising their experience.”

Our client is a globally federated organisation with a common brand and common goals, but they had limitations on the global integration and adoption of internal technologies and services, which had developed as the business grew. These included:

  • Multiple HR systems
  • Multiple active directories (AD)
  • The mixture of processes and tools being used
  • A large number of employees in a ‘Care Services’ population that were not actively using IT within their day-to-day job roles

As a large organisation with multiple HR systems, active directories and other tools in place, they had an identity problem across the business that was inhibiting their ability to collaborate, work efficiently and ensure secure access to systems and information.

Our client also had a unique challenge of different user requirements for access to IT systems and applications between what they referred to as ‘wired’ or ‘unwired’ users. A ‘wired user’ needed identities synced with Azure AD for single sign-on access to business applications and systems. Whereas an ‘unwired user’ (such as a janitor or cleaner) did not have access or require access to IT, and therefore just needed identities synced to a standard on-premises Active Directory.

They wanted to introduce the Workday HCM solution as the new authoritative source – the “single source of truth” – to help streamline JML processes and maintain secure access governance.

The project had a number of important deployment and integration objectives, including:

  • Enabling all of the client’s companies to use federated identity to interface with the Workday cloud HR tool.
  • Fully integrate Workday with existing IAM systems including ServiceNow, NetIQ (in the UK) and IBM ID manager (in Spain), Active Directory and Azure Active Directory.
  • Design a process to manage the JML life cycle of a large number of wired and unwired users.
  • Integrate a solution to enable user single sign-on and user ‘self-service’ through Workday for both wired and unwired users.

Solve identity and access headaches caused by HCM SaaS solutions

Watch our webinar on-demand now and discover how to:

  • Overcome common SaaS app integration complications
  • Ensure effective data governance and compliance
Watch now

The solution

Multiple options were considered for a global system provider, including IBM, OKTA, Microsoft and Amazon Web Services. After internal considerations of cost, in-house knowledge and integration with current services and infrastructure, our client decided to move forward with the project using Microsoft technologies.

They then needed to decide on a vendor. The client had a strong existing relationship with ThirdSpace, as the business deployed their original Microsoft Forefront Identity Manager (FIM) solution within the UK. The in-house expertise and knowledge from the ThirdSpace consultants had been proven from previous engagements and the relationship was good.

ThirdSpace started the project off by helping plan the deployment and integration of Workday into the organisation. This started off with a number of exercises to migrate data out of the many global company directories into Workday and establish it as the authoritative source for all identities. This project also included some specific development work to write back company email addresses and other bespoke pieces of information.

Once Workday was set-up as the authoritative source, we then got onto helping with the integration and synchronisation of identities. This ensured that new user data would flow seamlessly into ServiceNow, as well as their many global Active Directory tenancies and Azure Active Directory.

Diagram showing Workday as the authoritative source, with data flowing into global Active Directory tenancies and Azure AD.

Once Workday was integrated successfully into ServiceNow, MIM, Active Directory and Azure AD, we then built and deployed the processes for all their JML user case requirements. Our client had a unique challenge requiring three specific user provisioning (and resulting access) journeys.

  • Journey 1: They needed a “pre-day 1” identity set up for new staff, so they could undertake and pass training and credential check requirements ahead of their start date. For example, standard health and safety training or advanced health care related training. In this user case, an Azure AD account was needed, but not a full employee account.
  • Journey 2: A joiner process for ‘unwired’ users (for example, janitors, cleaners, temporary staff), so that they would have full Workday accounts created and then have identities provisioned into local on-premises active directories.
  • Journey 3: Our client wanted to streamline and digitise the JML process for the bulk of its staff by synchronising Workday identities with Azure AD to enable secure single sign-on to company tools and applications while providing user Workday ‘self-service’ functionality.

As part of the Workday integration project, the ThirdSpace team also provided some additional auditing and reporting tools from their partner (SoftwareIDM) to augment the Workday SaaS reporting functionality.

Need to overcome challenges common to SaaS app integration? Watch our webinar on-demand and find out how you can solve identity and access headaches caused by HCM SaaS solutions.

Learn more about...


Identity and Access Management


Top 5 identity challenges for HCM SaaS integration – and how to overcome them

The client

Our client’s purpose is to help people live longer, healthier, happier lives.

As a leading international healthcare group, they run care homes, health centres, dental centres and hospitals, offering personal and company health insurance as well as providing workplace health services around the globe.

They provide healthcare to over 14.5 million people through clinics and hospitals and have 15.5 million health insurance customers. They employ over 78,000 people, principally in the UK, but also Australia, Spain, Poland, Chile, New Zealand, Hong Kong, the USA, Brazil, the Middle East and Ireland.


Free Identity and Access Governance Roundtable

Join us in London for an in-depth and tailored discussion on the key areas of access governance and compliance in hybrid IT environments.

  • Understand how to use attribute-based access controls inside Microsoft Identity Manager (MIM).
  • Learn how to audit and detect access governance violations, so your business stays compliant.
Learn more

Identity and Access Management Envisioning Workshop

Automate the management of users, control corporate access and achieve business security. Book your free half-day Identity and Access Management Envisioning Workshop today.

Apply for a free workshop
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, Security and Compliance.


Welcome to ThirdSpace, the new home (and new name) for Oxford Computer Group UK.

Oxford Computer Group UK officially rebranded as ThirdSpace in the UK on 16 October. This rebrand reflects our broadening identity and security solutions, as working practices extend from the office and home into working flexibly and collaboratively from anywhere – Your "ThirdSpace".

Continue to ThirdSpace
ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.