Adaptive REST API Calls for Platform Customers with User Sync Enabled

How to Make Adaptive REST API Calls for Platform Customers with User Sync Enabled

If you’re a platform customer (HCM + FINS + Adaptive) or using Workday HCM or Financials alongside Adaptive and want to create custom scripts leveraging Adaptive’s REST API (XML), you’ve likely encountered a key requirement: providing Adaptive user credentials (username and password). For standalone customers or those not using user sync, this typically involves creating an integration user in Adaptive. Easy peasy. 

But what if you’re using user sync? How do you supply credentials for API calls in the XML input?

In this article, I’ll guide you through the steps to generate the necessary credentials when user sync is enabled. I’ll also share helpful links to official documentation to ensure a smooth integration process.


1. Overview

The process allows Workday-synchronized users to make API calls to Adaptive Planning using Workday credentials. The key steps involve:

  • Generating an OAuth token using Workday's API.
  • Using this token (instead of a username and password) in Adaptive API requests.

This is essential for organizations where user synchronization is enabled between Workday and Adaptive Planning, as standalone Adaptive credentials cannot be created.


2. Key Concepts

  • Integration System User (ISU): A special type of user set up specifically for integrations. For API access, this ISU must:
    • Be created in Workday.
    • Be mapped to an Adaptive Planning user account.
    • Have the necessary permissions.
  • Certificates: Used to ensure secure authentication between Workday and Adaptive APIs.
  • Tokens:
    • Workday Access Token: Generated using the JWT and used to retrieve the Adaptive-specific API token.
    • AdaptiveAPIAccessToken: A token that allows interaction with Adaptive APIs.


3. Prerequisites

Before proceeding:

  1. Workday Security Domain and Groups: Ensure ISUs are added to the correct security domain for API access: Set up: Adaptive Planning API Access.
  2. Workday Setup:
    • Enable Single Sign-On (SSO) and Public API options for Adaptive Planning (within the User Sign-on tab, in the Adpative Planning tab)
    • Create and map the ISU to an Adaptive Planning user account.
  3. Adaptive Setup:
    • Verify the ISU (starting with PublicAPIISU_) appears in the Adaptive Planning users list and has the required permissions.

4. Step-by-Step Process

Step 1: Get a Certificate and Extract Public Key

  • Generate or acquire an X.509 certificate in Workday.
    • Extract the public key to upload to Workday.
    • Retain the private key for signing the JWT (used in the script).

Step 2: Register an API Client in Workday

  • Register a new API client in Workday with these details:
    • Grant Type: JWT Bearer Grant.
    • Scope (Functional Area): Adaptive Planning.
    • X.509 Certificate: Upload the public key from Step 1.
  • After registration, note the following details for later:
    • Workday REST API Endpoint.
    • Token Endpoint.
    • Authorization Endpoint.
  • More info on how to register an API client on Workday's documentation - click here. --> you need a community account to access this documentation

Step 3: Generate Tokens with CURL examples

  • Generate a JWT Workday Access token:
    • In your script, use your private key to generate a signed JWT with the required claims (iss, sub, aud, and exp). Examples are provided on Workday's documentation here (open documentation)
  • Retrieve Workday Access Token:
    • Make a POST request to the Token Endpoint with the JWT.
    • Example of an endpoint: https://{host or gateway}/ccx/oauth2/{tenant}/token
    • curl --request POST 'https://{host}/ccx/oauth2/{tenant}/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode 'assertion={{jwt_assertion}}'
  • Retrieve AdaptiveAPIAccessToken:
    • Use the Workday Access Token to fetch the Adaptive-specific token from the appropriate Workday endpoint.
    • Example: 
https://{host or gateway}/ccx/api/planning/v1/{tenant}/adaptiveAPIAccessToken
    • curl --request GET 'https://{host or gateway}/ccx/api/planning/v1/{tenant}/adaptiveAPIAccessToken' \
      --header 'Authorization: Bearer {{the prior access_token value}}' \
      --data-raw ''

Step 4: Adaptive Planning API

  • Use the AdaptiveAPIAccessToken in the credentials element of your Adaptive API request XML.
  • Example from Workday's doc: 
  • curl -H "Content-Type: text/xml" -d '<?xml version='1.0' encoding='UTF-8'?><call method="exportLevels" callerName="a string that identifies your client application"><credentials token="ID eyJhbDci0iJSUzUxMiIsUmtpZCI6IdvcmtkYXlfa2V5In0.eyJpc3KiOiJXb3JrZGFZIiwiYXV0aF90aW1lIjoxNTczMTY3NjU2LBjzeXnfynnJd.bztQzBmHeTj1amnHA96TdrJK0MXMghUFF1KyjxqIq63Eche7SEcoZBVGX4wJgna106pmCqgrrVWMf13Hg_sb_szabal2XN1KEEk1qh8z1IDlbt6qJIL_xyW3J2nNSs5ima3vJUYU5sRQXwXst0GuFWXpy464GyB4oKcscrg28X3dnPO_ytdohMKHsWkqyHQKXFQwoQUj0lpOZX8C9oBHDYA58IXxGkqKLJVNPvDND6rGY5fTHQ-yxpe1nz-WqB0boiq9a-dv8b3EBzbelxj2fCPdMbng6kzygDcA2at_7BNQiyzfIovS5AG"/><include versionID="3" inaccessibleValues="false"/><sheet id="3" /></call>' -X POST https://api.adaptiveplanning.com/api/v23
  • The XML in a more readable way is basically:
<call method="exportLevels" callerName="ClientApp">
    <credentials token="Your_Adaptive_API_Access_Token"/>
    <include versionID="123" inaccessibleValues="false"/>
    <sheet id="99" /> 
</call>


Go to the official documentation for more details and view script examples.
Their online doc provides 2 examples, one in Java and one in C#.
  • Java: Sample code provided to generate a JWT token, call Workday API, and use the tokens for Adaptive requests.
  • C#: Similar functionality to the Java script, leveraging libraries for JWT generation and signing.

How it Works - summary

  1. JWT Authentication:
    • Ensures secure and temporary access to Workday APIs.
  2. Token Exchange:
    • Workday Access Token authenticates against Workday.
    • AdaptiveAPIAccessToken allows interaction with Adaptive Planning APIs.
  3. XML API Requests:
    • Once the Adaptive token is acquired, it's included in API calls to access or modify data in Adaptive Planning.

Example in Python


import jwt 
import time

# Inputs
private_key_file = "path/to/private_key.pem"  # Path to your private key file
client_id = "your-client-id"                 # The client ID from Workday API client registration
isu = "your-isu"                             # The Integration System User (ISU)
audience = "wd"                              # The audience, typically "wd"
expiration_time = 300                        # Token validity in seconds

# Generate JWT
def generate_jwt(client_id, isu, audience, private_key_file, expiration_time):
    # Read private key
    with open(private_key_file, "r") as key_file:
        private_key = key_file.read()
    
    # Define JWT claims
    payload = {
        "iss": client_id,                    # Issuer
        "sub": isu,                          # Subject
        "aud": audience,                     # Audience
        "exp": int(time.time()) + expiration_time  # Expiration time (current time + 300 seconds)
    }
    
    # Generate JWT token
    token = jwt.encode(payload, private_key, algorithm="RS256")
    return token

# Generate the token
try:
    jwt_token = generate_jwt(client_id, isu, audience, private_key_file, expiration_time)
    print("Generated JWT Token:")
    print(jwt_token)
except Exception as e:
    print("Error generating JWT:", str(e))

Explanation
  1. Private Key:
    • The private_key.pem file contains the private key you use to sign the JWT.
    • This key corresponds to the public key uploaded to Workday during the API client registration.
  2. Payload (Claims):
    • iss: Client ID provided by Workday.
    • sub: The ISU you created for API access.
    • aud: "wd" is the standard audience for Workday.
    • exp: Expiry time in seconds from the current Unix timestamp.
  3. Signing:
    • The jwt.encode() method signs the token using your private key and the RS256 algorithm.
  4. Output:
    • The output is a JWT that you can use in Workday API requests.
Sample Output
Here’s an example of what the token might look like:
eyJhbGciOiJSUzI1NiIsInR5cyJpc3MiOiJ5b3VyLWNsaWVudC1pZCIsInN1YiI6InlvdXItaXN1IiwiYXVkIjoid2QiLCJleHAiOjE2ODk3MTIwMDB9.NjM2YzAx...



























Location:
San Francisco, CA, USA

























Popular posts from this blog









Introduction to Adaptive's API





















To integrate data in Workday Adaptive Planning, customers typically use the integration module to connect with ERPs, SFTPs, AWS S3, Snowflake, SalesForce, Excel, and Google Sheets, etc.  You can also use third party platforms such as Tray.ai , Boomi , Matilion etc. which leverage Adaptive's APIs in a user friendly setup.  And lastly, you can write your very own scripts (C#, Python, Powershell...) to make these API calls.  Most  common Adaptive's API use cases Import Data from ERPs Actual summaries Actual transactions Assets, amortization, depreciation Transactional details by Supplier Payroll details and taxes Import Sales data from CRMs or datalakes Pipeline, churn, opportunities and customer list Billings and bookings ARR and MRR Import Headcount data from an HRIS Current headcount Terminated Hired, not started Wages and compensation plans Benefits Other Demographics Import Other data: Exchange Rates Weather Import Meta data: currencies, attributes, dimensions such...








Read more










What is OAuth 2.0 and how to set it up in Adaptive?




















Image







Uh Oh... OAuth? Was ist das? Adaptive can connect with other applications's via REST APIs using the OAuth 2.0 authentication.  I will explain what OAUTH is so you will no longer ask: "What is this?" (Was ist das?) and feel like someone is talking a foreign language to you!   What is OAUTH 2 really? How does it work and what do you need to do in Adaptive? Let me give you 2 sets of explanations: a real life illustration to demistify OAuth 2.0 and a more technical summary. And lastly high level steps on the setup in Adaptive. If you have no idea what OAUTH is, continue reading, otherwise jump to the 2nd section.  In this example: imagine you need to connect to Microsoft Sharepoint and you want to bring CSV files  into Adaptive. 1) Illustrational explanation for total newbs: OAuth Access vs Hotel Access! OAuth 2.0 can sound overwhelming at first, but it's essentially a way for applications to securely talk to each other and access data. Let me break it down into sim...








Read more