Workday Real Time Sync (RTS) allows Okta to receive user creation, update, and termination events from Workday on a real-time basis. Improvements include the following features:
- Updates to Workday user information are immediately reflected in Okta and in downstream apps.
- Real-time termination improves security, as the feature instantly removes a terminated employee’s access to sensitive files and email.
- Real-time sync uses incremental updates to improve import performance. Existing scheduled imports can potentially contain thousands of users, taking 10 or more hours to complete.
It is highly recommended that RTS be used in combination with scheduled imports that are run on a 1-2 day interval. This is because some less frequent actions in Workday will not trigger RTS, so scheduled imports are required to reconcile these actions. Some Workday actions are supported by RTS and some are not.
Workday actions supported by real-time sync:
- Worker hire, update, terminate, and re-hire actions trigger an RTS update to Okta.
- Any updates to the standard Workday App User Base Profile attributes imported into Okta. With the exception of Manager Username, these actions trigger RTS.
- Most changes to custom attributes trigger RTS.
- Workday changes in Provisioning Group membership trigger updates to group membership in Okta.
Workday actions not supported by real-time sync:
- Rescind actions do not trigger RTS.
- The Manager Username attribute does not trigger RTS.
- The addition of new provisioning groups does not trigger RTS.
- Some changes to custom attributes may not trigger RTS.
- RTS does not add pre-start hires into Okta.
Okta performs a query to determine if any workers have been terminated in the last 24 hours, or will become terminated within the next 24 hours. Workers that fall into this category will have the following rules applied:
- If the termination reason of the worker matches one of the configured immediate termination reasons within Okta, the worker is deactivated. Note that the termination date is not consulted if the termination reason matches. Thus a worker with an immediate termination reason that will become terminated within the next 24 hours will become terminated immediately on import/real time sync within Okta.
- If the termination reasons are not matched, then the termination/last day worked date of the worker is compared to the current time. Okta relies on the timezone provided by Workday within the termination date when determining if the deactivation time has come to pass.
- NOTE: Workday processes terminations at midnight PST. Thus customers in more Easterly time zones will see a delay of several or more hours until the worker is considered terminated by Workday.
The chart below illustrates various outcomes based upon termination variables:
| Pre-hire interval set? | Immediate termination reason matches? | Use last day of work? | Outcome |
|---|---|---|---|
| N | N | N | Worker will become deactivated after their termination date has come to pass |
| N | N | Y | Worker will become deactivated after their last day of work has come to pass |
| N | Y | N | Worker will become deactivated 1 day prior to their termination date coming to pass |
| N | Y | Y | Worker will become deactivated 1 day prior to their termination date coming to pass |
| Y | N | N | Worker will become deactivated after their termination date has come to pass |
| Y | N | Y | Worker will become deactivated after their last day of work has come to pass |
| Y | Y | N | Worker will become deactivated after their termination date has come to pass |
| Y | Y | Y | Worker will become deactivated after their last day of work has come to pass |
Setting a Termination Reason
What are the Immediate Termination Reasons?
By default, Okta waits until the end of the day to take actions on a terminated Worker in Workday. Such actions might include un-assigning them from the Workday app and/or deactivating them. However, if the termination reasons for the Worker match those specified in Immediate Termination Reasons and the termination date is set to the current date, Okta will take action immediately after receiving the event from Workday.
To do so, do the following:
- Under the Provisioning tab for the Workday app, edit the text input box “Immediate Termination Reasons” with the required termination sub category, as stated in Workday.
- Multiple values can be added with each separated by a pipe (|). Regular expressions are accepted.
Example: Terminate_Employee_Involuntary* would mean that all terminated Workers with that prefix in any of their Termination_Subcategory_ID(s) would be immediately unassigned from the Workday app and deactivated in Okta.
Also keep in mind that:
- There can be no default value for this text box.
- Termination Reasons are selected in Workday under Reason and Secondary Reasons, as shown below.
- Termination_Subcategory_ID(s) that identify each termination reason can be found by searching for the following in Workday: ‘Integration IDs’ then selecting the Business Object: ‘Termination subcategory’.
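The termination rules listed earlier (24-hour window, immediate reason match, date comparison) and the pipe-separated Immediate Termination Reasons setting, modelled as an added example that is not Okta's code. It assumes the setting is evaluated as one regular expression anchored at the start of each Termination_Subcategory_ID; the function names, sample IDs, dates and the second pattern are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)  # look-back / look-ahead window of the termination query


def reason_matches(immediate_reasons, subcategory_ids):
    """True if any Termination_Subcategory_ID matches the pipe-separated setting.

    Assumption: the whole setting is one regex (the pipe acts as alternation),
    anchored at the start of each ID, giving the prefix behaviour of the example.
    """
    if not immediate_reasons.strip():
        return False  # the text box has no default, so empty matches nothing
    pattern = re.compile(immediate_reasons)
    return any(pattern.match(sid) for sid in subcategory_ids)


def evaluate(now, effective_dt, subcategory_ids, immediate_reasons):
    """Return (deactivate, rule) for one worker.

    effective_dt is the termination (or last-day-worked) date, timezone-aware,
    carrying the offset Workday supplied.
    """
    if abs(effective_dt - now) > WINDOW:
        return False, "outside 24h window"
    if reason_matches(immediate_reasons, subcategory_ids):
        return True, "immediate reason"  # the date is not consulted
    if now >= effective_dt:
        return True, "date passed"
    return False, "date pending"


# Constructed sample data: IDs, dates and the second pattern are illustrative.
PST = timezone(timedelta(hours=-8))
EST = timezone(timedelta(hours=-5))
REASONS = "Terminate_Employee_Involuntary*|Terminate_Contingent_Worker_Breach"
TERMINATION = datetime(2024, 3, 15, 0, 0, tzinfo=PST)  # midnight PST
NOW_EAST = datetime(2024, 3, 15, 2, 0, tzinfo=EST)     # 02:00 Eastern, same day

if __name__ == "__main__":
    for ids in (["Terminate_Employee_Voluntary_Resignation"],
                ["Terminate_Employee_Involuntary_Misconduct"]):
        print(ids[0], evaluate(NOW_EAST, TERMINATION, ids, REASONS))
```

At 02:00 Eastern the worker without an immediate reason still has access because midnight PST has not yet passed, which is the delay the NOTE above describes; the worker with a matching reason is deactivated on the same event.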
Setup consists of the following:
A. Creating an Integration System
B. Adding Integration Attributes to the Integration System
C. Adding Subscriptions to the Integration System
D. Associate the Integration User to the Integration System
E. Editing Business Process for adding the Integration System
A: Creating an Integration System
- Log in to Workday as an admin.
- Type Create Integration System into the text input search box on the top left corner of the screen.
- Enter the values as shown below:
- On the following screen, select Enable All Services and make sure that all check boxes under the Enabled column are selected.
- After you confirm the values, you are redirected to the Integration System page.
B: Adding Integration Attributes to the Integration System
- Click the related action button next to the Integration System (3-dotted button) as shown below and navigate to Integration system > Configure Integration Attributes.
- On the following screen, click on the (+) sign under Okta API Endpoint and Okta API Token to add a new entry and enter the following.
Okta API Endpoint
Use the bulleted elements in the following URL: https://<ENVIRONMENT>/api/v1/app/<Identity Provider ID>/activities.
- Environment: Example: acme.okta.com, mycompany.okta.com
- Identity Provider ID: From the View Setup Instructions link under the Sign On tab for the Workday app. See the screenshot below for the Number 7 value.
SAML Setup Page
Obtaining the Okta API Token
- From the Okta Dashboard page, navigate to Security > API.
- Use the Create Token button to create a token, then enter a relevant name for it.
- Copy the token and use it in the form detailed above.
C: Adding Subscriptions to the Integration System
- Click on related actions (3-dotted button) and navigate to Integration System > Edit Subscriptions, as shown below.
- Under Subscribe to specific Transaction Types, select items as per the types of events that are required. (Refer to Table 3 for specifications on the types of transactions.)
- Click the (–) sign below External Endpoints to remove the configuration for External Endpoint.
- Click Add Launch Integration and add the values shown in Table 1 below:
| Workers | Determine Value at Runtime | Transaction Targets |
| As of Entry Moment | Determine Value at Runtime | Transaction Entry Moment |
| Effective Date | Determine Value at Runtime | Transaction Effective Moment |
If you receive an error, try inputting Transaction Targets as Workers instead of Transaction Targets.
D: Associate the Integration User to the Integration System
This Integration System User should be created as instructed in the Workday Deployment Guide Version 4.1, which is also associated under Provisioning tab under the Workday app.
Navigate to edit the Workday account, as shown below.
On the next page, select the Integration System User under Workday Account and add it. This associates the Integration User to the System and completes the setup of the Integration System.
E: Editing Business Process for Adding the Integration System
We will use Hire for this example. Refer to Table 3 for the appropriate business process type.
Type in bp: hire in the Workday search box.
Select Hire for <local org>. Example: Hire for Acme Inc. Do not select the default business process.
Navigate to Edit Definition, as shown below.
We need to add a new step, which will be invoked after the hire process is complete. Find the order lettering which has the column set to complete, as shown below. (In this example it is set to a.)
Click on the plus sign (+) to add a new step. (Located on the top left corner of the table).
Set the Order value to b since we need the Business process to invoke real time sync after the completion step, which is set to a.
Select type as Integration and click the OK button to save. This returns us to the Business process landing page.
There will be a new Configure Integration System button. Click the button to start the configuration process.
Select the Integration system that was created as per step A in the next screen, and then click the OK button.
On the following screen, add the values shown in Table 2 below.
| Workers | Determine Value at Runtime | Worker |
| As of Entry Moment | Determine Value at Runtime | Date and Time Completed |
| Effective Date | Determine Value at Runtime | Effective Date |
This completes the steps for adding the Integration System event to the Business Process.
For the sync between Workday and Okta, refer to Table 3 below for the optimal combination of Business Process and Transaction Type.
| 1 | Business Process | Hire | New hire |
| 3 | Business Process | Job Change | Job, Supervisory org. Manager |
| 4 | Business Process | Title | Job Title Change |
| 5 | Transaction Type | Account Provisioning - Event Lite Type | Workday ID change |
| 6 | Transaction Type | Contact Change - Contact Information | Phone number, email change |
| 7 | Transaction Type | Edit Workday Account - Edit Workday Account | Username, Employee ID change |
| 8 | Transaction Type | Legal Name Change - Legal Name Change Event | Name change |
| 9 | Transaction Type | Person Address Change - Event Lite Type | Address change (Work Address) |
Maintain Termination Categories in Workday
There are 2 ways to edit and/or view the categories for termination:
- Search for maintain termination categories in the Search box and select termination for results.
- Termination IDs via the integration IDs report: search for integration ids and then select the appropriate values, as shown in the two images below.