Credential Administrator

Table of Contents

When planning to build an application that leverages Workday Credentials, Cred Admin is the first place to come and start your interactions with the platform. In order to gain access to Cred Admin, you'll need to be provisioned an Organization, which is a manual step.

Once you've been provisioned an Organization, you'll receive a link to log into Cred Admin. Upon authenticating, you'll likely see a single user (yourself) in your Org.

Users screen with only one user

To enable more users to build issuance and verification apps, they will need to be added here. First, however, they will need to be users of the platform. The easiest way to get users onto the platform is to issue them a credential. This will send the user an invitation to join the platform. Once they install the mobile application & finish creating an account, they'll be available to add to the screen above.

This, of course, begs the question: How do you issue users a credential? The Issuers section below covers the process of creating an Issuer and Credential, which are necessary configuration steps before a credential can actually be created & offered to a user. Since credentials are communicated to your user by way of their email address, the simplest verifiable credential to issue them is an Email credential (since they'll have to have control of the email address to receive the offer).

Applications

No applications yet

Authentication with both the issuance & verification APIs is performed using credentials associated with a Cred Admin Application. If your intent is to use Workday Credentials' APIs to issue or verify credentials, the first step is to create a new Application. If you plan, solely, only issuing credentials from the Cred Admin UI, you may skip creating an application and leave the option blank when creating an issuer or verifier.

Create a new application

The Application Name can be whatever you choose. The Redirect URL can be left empty for now.

Upon clicking save, you will be prompted to save the Application's key pair to a file. THIS IS YOUR ONE AND ONLY CHANCE TO SAVE THE PRIVATE KEY. For security reasons Workday Credentials never saves this value and once it's in your possession, there is no way to retreive it again. If a key is lost, the public and private keys will need to be rotated using the utility shown.

Remember to save your keys when you create a new application

In addition to the public and private key, take note of the new application's Client ID. This, along with the private key, are they pieces you'll need in order to formulate a proper JWT token for API authentication.

Concept: Issuers

An issuer is an organization or entity that creates, manages, and issues verifiable credentials to users. To define and issue credentials, you must have created at least 1 issuer on the Workday Credentials platform. Workday Credentials creates a pair of cryptographic keys for each issuer. Workday Credentials manages the private key and uses it to sign the values of any credentials that you issue. The public ledger uses the public key when creating a decentralized identifier (DID) document. A credential recipient can look up the public key of the issuer and verify the digital signature of the credential to verify its authenticity. This process is part of the foundation for establishing trust in verifiable credentials. Note that the Workday Credentials platform follows the W3C standards for Decentralized Identifiers (DIDs) v1.0.

Steps: Create Issuers

Prerequisites

You must have an instance of the Workday Credentials platform.

Context

You can use the Workday Credentials platform UI to create the issuers of verifiable credentials.

Steps

  1. Access the Admin Settings > Issuers page and click Create.
  2. Enter the information requested on the New Issuer form.
    • Note that you have the option to select one or multiple applications. An application is not needed if you do not invoke the Create Credential Offer API with this issuer. However, if you invoke the Create Credential Offer API, one of the selected applications must be used to authenticate the associated issuer.
  3. Click Submit.

Result

The Admin Settings > Issuers page lists the new issuer that you can then edit or delete.

Concept: Credential Templates

When you create a credential template, you’re declaring that you want to issue a specific type of credential at some point in the future. A cryptographic key pair and public DID document represent each credential template on the Workday Credentials platform. Each credential template binds an issuer to a specific type of data, otherwise known as a schema. Each schema contains its own set of fields, so you must ensure that you select the correct schema for each credential template. Note that the Workday Credentials platform follows the W3C standards for Verifiable Credentials Data Model 1.0

Steps: Create a Credential Template

Prerequisites

You must have at least 1 issuer on the Workday Credentials platform.

Context

You can use the Workday Credentials platform UI to create credential templates and issue verifiable credentials.

Steps

  1. Access the Credentials page and click Create.
  2. Enter the name of your credential template and the associated issuer.
  3. Select a schema for the template.
  4. Click Next to review the template details, and then click Submit.

Result

The Workday Credentials platform adds your credential template to the list of templates on the Credentials page.

Concept: Badges as Verifiable Credentials

When you create a new credential template, you can designate that template as a badge template. The difference between a credential template and a badge credential template is that the badge credential template requires an image, description, and criteria as mandatory. To request a verifiable credential, a verifier sends a proof request to the user. The user then decides whether to share the credential with the verifier from their WayTo by Workday app. While badges are also verifiable credentials, users can share badges directly to a third-party site without a proof request. Note that badges issued from the Workday Credentials platform follow the IMS Global standards for Open Badges v2.0.

Steps: Create a badge credential template

Prerequisites

You must have at least 1 issuer on the Workday Credentials platform.

Context

You can use the Workday Credentials platform UI to create badge credential templates that help to build verifiable badge credentials. Issuers offer badges to users so that they can publicly share their employment history, education, certifications, skills, and other types of credentials.

Steps

  1. Access the Credentials page and click Create.
  2. Enter the name of your badge credential template and the associated issuer.
  3. Click the switch to create a badge credential template.
  4. Upload a PNG format image and add a description and criteria.
    • Note that if a credential holder publicly shares a badge, the image, description, and criteria are displayed.
  5. Select a schema for the template.
  6. Click Next to review the template details, and then click Submit.

Result

The Workday Credentials platform adds your badge credential template to the list of templates on the Credentials page.

Steps: Issue a Credential

Prerequisites

You must have at least 1 credential template or badge credential template on the Workday Credentials platform.

Context

When you create a credential template or a badge credential template, you can use that template to offer a credential or badge to an individual.

Steps

  1. Access the Credentials page and select a credential or badge template from the list.
  2. Click Issue and select Individual.
  3. Enter the credential or badge information on the Issue Credential form.
    • Note that the associated schema for each credential or badge template generates the fields on the form.
  4. Click Next to review the credential information, and then click Submit.

Result

The Workday Credentials platform emails the credential or badge offer to the individual. Each credential or badge template on the Credentials page has a Receipts tab where you can check the progress of your credential issuances.

Steps: Issue a credential to multiple users

Prerequisites

You must have at least 1 credential template or badge credential template on the Workday Credentials platform.

Context

You can issue a credential or a badge to multiple users at once with the Batch Issue feature on the Workday Credentials platform.

Steps

  1. Access the Credentials page and select a credential or badge template from the list.
  2. Click Issue and select Batch, which opens the Issue a Batch of Credentials window.
  3. Click Download to download the template to your computer.
  4. Enter the credential information in the CSV template and save your changes.
    • Note that you must submit all date attributes in the format YYYY-MM-DD. If you're using Excel, you must change the default formatting otherwise the data in the CSV file will be incorrect.
  5. Upload the updated CSV file by dragging and dropping the file or selecting it from your hard drive.
  6. Verify the correct file is ready for upload, then click Issue.

Result

The Workday Credentials platform attempts to issue the credential or badge offers to the list of individuals specified in the CSV template. You can monitor each batch status by opening the Batches tab on any credential template. When you click any COMPLETED status, you can download a copy of the original CSV that has a Receipt ID appended to the end of each record. When you click any FAILED status, you can download a copy of the original CSV that includes an error message appended for each failed record. Note that the CSV reports on the Batches tab are only available for 30 days after the creation of each associated batch.

Steps: Issue a credential with the Create Credential Offer API

Prerequisites

You must have at least 1 credential template or badge credential template on the Workday Credentials platform.

Context

To invoke the Create Credential Offer API, you can find the details you'll need and some samples in the Developer Details related actions menu in each credential template.

Steps

  1. Access the Credentials page and select a credential template.
  2. Click the related actions menu (the ellipsis icon) and select Developer Details.
    • The Developer Details prompt displays the DID for your credential template, the URL that you can use to invoke the API, and a sample of the invocation payload.

Result

When you submit a request to issue a credential, the API first validates the credential’s attributes. You can find the expected attribute format on the Create Credential Template modal or the Edit Credential Template modal. You can also refer to the Schemas page for more information.

Concept: Revoking a Credential

Any credential that was previously issued from the Workday Credentials platform can subsequently be revoked. For example, you may decide to revoke a credential if:

  • The credential was issued in error.
  • Newly acquired information renders the credential invalid.
  • You have any reason to revoke the credential.
    • Note that the details of a revocation are not shared with the holder.

Steps: Revoke a Credential

Prerequisites

You must have issued at least 1 credential from the Workday Credentials platform and you must be able to locate the associated issuance receipt.

Context

You can use the Credential Administrator UI to revoke any previously issued credentials.

Steps

  1. Access the Receipts page.
  2. Select either Email, Receipt ID, or Badge ID from the drop-down menu.
  3. Enter the email address, receipt ID, or badge ID in the search field and click Search.
  4. Locate the receipt for the credential that you want to revoke. You have 4 options to start the revocation process:
    1. Select the check box for the credential receipt, and click Revoke at the bottom of the page.
    2. Click the Receipt ID, which opens the Receipt Details prompt. Click Revoke.
    3. Click the related actions menu for the credential receipt (the ellipsis icon) and then click Revoke.
    4. Click the related actions menu for the credential receipt (the ellipsis icon) and then click View Details. Click Revoke.
  5. Review the information in the Revoke Credentials prompt, and then click Revoke.

Result

The Workday Credentials platform revokes the credential and the Credential Administrator UI updates the receipt status.

Verifiers

If you're looking to build applications that request verifiable credentials from users, you start by defining a Verifier in Cred Admin and associating that Verifier with one or more of your Applications (again, for authentication). The process of creating a verifier is similar, on the surface, to creating an Issuer, but without the need to issue, there is no need to generate cryptographic keys or declare anything on a public ledger.

The parameters for a Verifier are the same as those for an Issuer:

  • Verifier Name - Can be any value.
  • Application(s) - Select one or many. When invoking the Verification API, any of the selected applications' credentials may be used to authenticate.
  • Logo - A logo for your Verifier that will be used for larger displays, like within Cred Admin.
  • Icon - A smaller image for use in smaller displays, like when a user is fulfilling a proof request.

New verifier

Proof Requests

Prerequisites

You must have at least 1 verifier on the Workday Credentials platform.

Context

You can use the Workday Credentials platform UI to create proof requests to request credential information from individuals.

Steps

  1. Access the Proof Request page and click Create.
  2. Select an associated verifier, enter the name of your proof request, and optionally, enter a Callback URI.
  3. Click Next.
  4. Add 1 or more challenges by clicking Add Challenge.
  5. To add a challenge:
    1. Enter a challenge name.
    2. Select a schema for the information to request.
    3. Specify internal or external issuers you trust as the source of information.
    4. Specify which data is required and option to be shared by an individual.
    5. Optionally, you can specify conditions on required fields to display relevant credentials an individual can share.
    • Note: The platform supports both static and variable comparisons. For variable comparisons, you can specify a variable in this format: %variableName%. You will pass the variable when generating the proof request instance by calling /v1/proof-requests-instance (see https://credentials.workday.com/docs/verification).
  6. Click Next to review the proof request details, and then click Submit.

Result

The Workday Credentials platform adds your proof request to the list on the Proof Requests page.

Schemas

Schemas are at the heart of what defines a credential. A Schema defines the shape (the list of fields and their data types) of the data that will, eventually, be signed by an Issuer and offered to a user. Workday Credentials will validate a credential's data against it's Schema at several points in the lifetime of a credential, starting when the Credential offer is created.

Workday Credentials comes with a set of Schemas pre-defined. It also allows organizations to define their own custom Schemas to supplement the pre-defined set. Both sets of Schemas can be found in the Schemas section of Cred Admin.

Schemas home

To create a new Schema, simply click the New Schema button:

New Schema

On the next screen choose the Schema's category. The category is used to help organize Schemas and Credentials.

Schema category

Finally, define the attributes for your Schema.

Schema attributes

With your new Schema created, navigate to the Credentials page and use it to create a new Credential Template.

For more information on schemas, see the Schemas page.