Workday HCM: HR Synchronization and Identity Management in Multi-Domain Environments

In the world of corporate acquisitions, technological integration is often the most complex challenge to face. When an industrial group in the paper production sector approached us, the problem was not so much related to their business as to the technological stratification resulting from years of growth through acquisitions. With an IT infrastructure comprising more than fifteen different domains, they needed to fully centralize and automate digital identity management processes.

The Problem: Integrate Workday HCM into Complex Infrastructure

Our client, an important industrial group with multiple companies acquired over time, was managing an infrastructure whose complexity was becoming unsustainable. The peculiarity of the situation lay in the presence of about fifteen Active Directory domains distributed across separate forests, the legacy of the various corporate acquisitions.

The critical issues emerged in three main areas. The first concerned the need to centralize HR processes of user onboarding, management, and offboarding on Workday HCM. Despite the adoption of this central platform, processes remained fragmented.

The second critical area was manual and error-prone IT operations. User creation, license management, permission assignment: everything was done manually on each domain, with frequent deviations from the standard flow.

The third challenge was the management of cross-forest managers. Situations where a user of one group company had a manager from another company in the group - technically two domains in two completely separate AD forests - made manual management extremely complicated and prone to errors.

Workday HCM: The Bridge Between HR and IT in the Cloud Era

Workday Human Capital Management represents one of the most advanced HCM platforms on the market, but its real power emerges when it is deeply integrated with the company's IT infrastructure. In our context, Workday is not just a system for HR, but it becomes the single source of truth for the entire management of digital identities.

Workday's SOAP APIs, while complex, provide full access to all organizational data. Every employee, with their role, department, manager and hierarchical structure, is represented in Workday with a wealth of details that goes far beyond the simple organization chart. The platform natively manages complex scenarios such as interim managers, matrix reports, and massive reorganizations, always maintaining the consistency of the data.

Integrating with Workday in multi-domain environments presents unique challenges. It's not just a matter of reading data and writing it elsewhere: it's necessary to interpret Workday's unified organizational view and translate it into a fragmented Active Directory infrastructure, where each domain can have different schemas, different naming conventions, and different security policies. Complexity increases exponentially when it comes to managing cross-forest relationships, where a Workday manager may be in a completely different AD forest from their subordinate.

In our case, we took advantage of Workday's ability to expose not only static data but also change events. This allowed us to implement an efficient incremental synchronization that processes only changes, drastically reducing the load on the system and allowing near-real-time updates of the entire identity infrastructure.

The solution implemented with Workday HCM and Active Directory

We developed a smart sync job that operates as an orchestrator between Workday and the Microsoft ecosystem, automatically managing all the complexities of the multi-domain environment.

The service queries Workday every 60 minutes to identify any changes that have occurred in the organization. Synchronization is unidirectional from Workday to Entra ID and the various on-premises Active Directories, establishing Workday as the authoritative source for all HR data.

For the management of cross-forest managers, we have implemented a sophisticated mechanism that maintains hierarchical relationships even when a direct reference between different forests is not technically possible.
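One way such a mechanism could work, as an added C# example that is not the project's code: the AD `manager` attribute holds a distinguished name and cannot reference an object in another forest, so this sketch assumes the manager's HR employee ID is written to an extension attribute instead. The type names, the sample directory data and that attribute convention are all assumptions.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Constructed sample data: two forests, one cross-forest reporting line,
// and one manager who is not present in any directory yet.
var workers = new[]
{
    new Worker("1001", "paper.example", null),
    new Worker("1002", "paper.example", "1001"),  // manager in the same forest
    new Worker("2001", "pulp.example",  "1001"),  // manager in another forest
    new Worker("2002", "pulp.example",  "9999"),  // manager not provisioned yet
};
var directory = new Dictionary<string, AdAccount>
{
    ["1001"] = new("paper.example", "CN=Ada Rossi,OU=Staff,DC=paper,DC=example"),
    ["1002"] = new("paper.example", "CN=Luca Bianchi,OU=Staff,DC=paper,DC=example"),
    ["2001"] = new("pulp.example",  "CN=Eva Neri,OU=Staff,DC=pulp,DC=example"),
    ["2002"] = new("pulp.example",  "CN=Ugo Verdi,OU=Staff,DC=pulp,DC=example"),
};

foreach (var w in workers)
    Console.WriteLine($"{w.EmployeeId}: {ManagerPlanner.Plan(w, directory)}");

record Worker(string EmployeeId, string Forest, string? ManagerEmployeeId);
record AdAccount(string Forest, string DistinguishedName);
// ManagerDn goes to 'manager'; CrossForestManagerId goes to the assumed extension
// attribute; Deferred means "write nothing now, re-evaluate on the next run".
record ManagerWrite(string? ManagerDn, string? CrossForestManagerId, bool Deferred);

static class ManagerPlanner
{
    public static ManagerWrite Plan(Worker w, IReadOnlyDictionary<string, AdAccount> dir)
    {
        if (w.ManagerEmployeeId is null)
            return new(null, null, false);                   // no manager: clear both
        if (!dir.TryGetValue(w.ManagerEmployeeId, out var mgr))
            return new(null, null, true);                    // unknown manager: defer
        if (mgr.Forest == w.Forest)
            return new(mgr.DistinguishedName, null, false);  // native link is possible
        // Different forest: leave 'manager' empty and keep the stable HR key instead,
        // so the hierarchy can still be resolved through the employee ID.
        return new(null, w.ManagerEmployeeId, false);
    }
}
```

Deferring instead of clearing when the manager is not yet provisioned avoids wiping a valid reporting line just because two accounts were created in the wrong order.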

The job automatically manages the entire user lifecycle: onboarding with account creation and appropriate permissions, updates to propagate role or manager changes, and offboarding with disabling according to company policies.

Technical Challenges Overcome in Workday HCM Integration

The development presented significant challenges that we had to overcome. The analysis of the existing IAM architecture was particularly complex, having to map all the Entra ID and Active Directory domains with their trust relationships.

Interfacing with Workday's notoriously complex SOAP APIs required in-depth work to properly manage pagination, transient errors, and performance with thousands of users.
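The pagination and transient-error handling described above, as an added C# example that is not the project's code: `WorkerPage`, `FetchAllAsync` and the fake page source are hypothetical stand-ins for the real SOAP client, and the sample data is constructed. The fetch either returns every page or throws, so an incomplete worker list never reaches the step that disables accounts.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

// Constructed stand-in for the SOAP call: three pages, page 2 fails twice before succeeding.
var failuresLeft = 2;
Task<WorkerPage> FakeGetPage(int page)
{
    if (page == 2 && failuresLeft-- > 0)
        throw new HttpRequestException("503 Service Unavailable (constructed)");
    return Task.FromResult(new WorkerPage(3, new[] { $"W{page}-a", $"W{page}-b" }));
}
var ids = await WorkdayPager.FetchAllAsync(FakeGetPage, 4, TimeSpan.FromMilliseconds(50));
Console.WriteLine($"Fetched {ids.Count} workers; safe to diff against the directories.");

// TotalPages is the page count reported by the service in each response.
record WorkerPage(int TotalPages, IReadOnlyList<string> WorkerIds);
static class WorkdayPager
{
    // Returns the complete worker list or throws. A partial list must never reach
    // the sync step, where "missing from Workday" would be read as "offboard".
    public static async Task<List<string>> FetchAllAsync(
        Func<int, Task<WorkerPage>> getPage, int maxAttempts, TimeSpan baseDelay)
    {
        var all = new List<string>();
        var totalPages = 1;                      // corrected by the first response
        for (var page = 1; page <= totalPages; page++)
        {
            for (var attempt = 1; ; attempt++)
            {
                try
                {
                    var result = await getPage(page);
                    totalPages = result.TotalPages;
                    all.AddRange(result.WorkerIds);
                    break;
                }
                catch (Exception e) when (attempt < maxAttempts && (e is HttpRequestException or TimeoutException))
                {
                    // Exponential backoff with jitter. Non-transient errors and the
                    // last failed attempt propagate and abort the whole run.
                    var jitter = TimeSpan.FromMilliseconds(Random.Shared.Next(0, 100));
                    await Task.Delay(baseDelay * Math.Pow(2, attempt - 1) + jitter);
                }
            }
        }
        return all;
    }
}
```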

Making the job work while managing all the edge cases was another critical challenge. The system had to remain resilient while maintaining the possibility of manual interventions outside the system for exceptional situations.

Technology Stack

The solution was created with:

  • Workday SOAP API for integration with the HCM system
  • .NET Core 8 LTS to ensure long-term stability and support
  • Windows Service installed directly on the client machine for direct access to local ADs

The choice of a local Windows Service instead of a cloud job was dictated by the need to directly access on-premises Active Directories without exposing public endpoints.

Results achieved with Workday HCM: 6,000 automated users

The implementation has radically transformed the management of digital identities for our client.

The centralization of HR operations in Workday has led to an estimated saving of hundreds of hours per month in routine operations alone, eliminating manual coordination between HR and IT.

The system now centrally manages more than 15 Active Directory domains, coordinating the identities of about 6,000 users across the entire organization. Every new employee is automatically provisioned on as many systems as needed within an hour.

Automation has eliminated deviations from the standard process, improving both efficiency and security. The management of cross-forest managers, once complex, now works completely automatically.
