Returning Associate Unable to login to Workday SSO with matching username and primary email: Troubleshooting
SOP: Re-Activating Workday Accounts for Rehired Associates
Organization: HHM Hotels
Subject: Clearing Account Expiration Dates for Returning Employees
Purpose: To ensure rehired associates who retain their previous @hhmhotels.com primary email address can successfully authenticate via Google SSO without receiving the "System Account expired" error.
1. Overview
When an associate is terminated in Workday, the system automatically populates the Account Expiration Date on their Workday Account based on their termination date. Upon rehire, while the Worker Profile becomes "Active," the underlying technical account remains "Expired" in the security settings. This must be manually cleared to restore access via Google SSO.
2. Prerequisites
Security Permissions: You must have Security Administrator or User Management functional area access.
Timing: This should be performed as soon as the Rehire Business Process is initiated or completed.
3. Step-by-Step Instructions
Step 1: Locate the Workday Account
In the Workday search bar, type
Edit Workday Account.Select the task Edit Workday Account.
In the Workday Account field, search for the associate by name or their
@hhmhotels.comemail address.Click OK.
Step 2: Clear the Expiration Date
Navigate to the Account History / Status section of the page.
Locate the field labeled Account Expiration Date.
Note: This field will likely show the associate's previous termination date.
Highlight the date and press Delete/Backspace to leave the field completely blank.
Ensure the Account Disabled checkbox is unchecked.
Step 3: Verify Username & Save
Confirm the Workday User Name matches the associate's primary Google email address exactly.
Click Submit.
Click Done.
4. Verification
System Check: View the associate's Security Profile. The "Account Locked, Disabled, or Expired" column in the sign-on audit should now reflect "No."
User Action: Ask the associate to attempt a login via the HHM Google SSO portal.
5. Troubleshooting
Troubleshooting Guide: Sign-On Errors via Workday Audit
This reference guide details how to use the Signons and Attempted Signons report to diagnose authentication failures for returning HHM associates.
1. Generating the Audit Report
To investigate a specific user's login failure, such as the "System Account expired" error, follow these steps in the Signons and Attempted Signons task:
From/To Moment: Set the date range to include the associate's recent failed attempts.
Select Workday Accounts: Choose this radio button to filter the report for a specific individual.
Account Selection: Enter the associate's name or HHM email (e.g.,
joseph.mojica@hhmhotels.com) in the selection box.Run Report: Click OK to generate the audit log.
e.g;
2. Key Audit Fields to Verify
Once the report loads, look for the following indicators in the results table:
| Field | What to Look For | Significance |
| Authentication Failure Message | "System Account expired" | Confirms that the Account Expiration Date on the Workday Account is in the past and must be cleared. |
| Failed Signon | "Yes" | Indicates the system actively blocked the attempt. |
| Account Locked, Disabled or Expired | "Yes" | Confirms the account is currently unusable due to security settings. |
| Authentication Type for Signon | "SAML" | Confirms the attempt was made via HHM's Google SSO. |
3. Immediate Action for "System Account expired"
If the audit report matches the data above, the issue is internal to Workday security, not the Google SSO credentials.
Search for the Edit Workday Account task.
Search for the affected user.
Delete the entry in the Account Expiration Date field (this date was likely set during their previous termination).
Ensure Account Disabled is unchecked.
Submit to restore access immediately.
Understanding the "Account Locked" vs. "Expired" Error
While both statuses result in a failed login, the Signons and Attempted Signons report helps you distinguish between a security lockout (too many bad passwords) and a profile configuration issue (the rehire "Expired" bug).
| Error Message | Audit Column: Account Locked... | Primary Cause | Solution |
| "System Account expired" | Yes | The Account Expiration Date was never cleared from their previous term. | Run Edit Workday Account and delete the expiration date. |
| "Invalid user name or password" | No | Usually a mismatch between the Google email and the Workday Username. | Verify the Workday User Name matches the Google primary email exactly. |
| "Account is locked" | Yes | Too many failed attempts (usually applies to local logins, rarely SSO). | Use the Manage Workday Account task to "Unlock" the account. |
Reference: Using the Signon Audit for Rehires
When troubleshooting a returning HHM associate, use the Select Workday Accounts filter to isolate their specific history.
Filter by Associate: Use the Select Workday Accounts field to search for the specific rehire.
Verify Failure Message: Look specifically for "System Account expired" in the Authentication Failure Message column.
Confirm SAML Channel: Ensure the Authentication Channel is "UI" and the Type is "SAML" to confirm they are hitting the Google SSO path correctly.
Identify "Account Locked, Disabled or Expired": If this column says Yes despite the worker being active, it confirms a manual update to the Workday Account is required.
Quick Resolution Steps
Step 1: Run Edit Workday Account for the associate.
Step 2: Locate the Account Expiration Date.
Step 3: Highlight and Delete the old date (leaving it blank).
Step 4: Ensure Account Disabled is not checked and Submit.
| Issue | Potential Cause | Resolution |
| Error Persists | Browser Cache | Have the user clear their browser cache or use an Incognito window. |
| SAML Failure | Google Sync | Ensure the user is active in the Google Admin Console and assigned to the Workday SAML app. |
| Login Timeout | Security Policy | Ensure the "Rehire" or "Pre-Hire" security groups are included in your SAML Authentication Policy. |
Related Articles
Workday - OCR Invoice Requirements
Workday OCR Invoice Requirements: ***All supplier invoices/credit memos must be submitted directly from the suppliers to invoices@hhmhotels.com, per the OCR requirements below ***If suppliers are sending invoices to the property via email, mail, etc. ...How to Access Workday
From your HHM Hotels email inbox, calendar, contact list or Google Drive you can access Google Apps in the top right of the screen. Click on the Apps icon and scroll down in the list to select Workday. Access will be verified through Google SSO:Workday - Incognito Google Chrome Tab Help Document
To load a new tab in Google Chrome in "Incognito" mode, follow the below steps: Navigate to the icon in the top right of the Chrome browser window and then click New Incognito Window (Ctrl+Shift+N)0 This will open a new tab. Open Gmail and login with ...Workday - Match Exception Help Document
Match exceptions are part of the 3-Way Match process noted in this P2P Process Summary Document. The match is calculated on the (1) Purchase Order, (2) Receipt and (3) Invoice per line item. If the receipt is missing and / or if there is a variance ...Workday - Find Suppliers Help Doc
Please see attached help doc....