Workday as a Master - converting Employee to contractor disables Okta account Skip to main content
https://support.okta.com/help/answers?id=906f0000000i0tuia0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Eric TiptonEric Tipton 

Workday as a Master - converting Employee to contractor disables Okta account

We are WDaaM and looking for a way to better deal with Contractor (contingent) to Employee conversions. Currently, when the worker type is changed in Workday, the user is deprovosioned from all apps in Okta and disabled. When we opened a case with Okta, we were provided with a document on how to deal with this issue but NOT how to prevent it from occuring. I understand why Okta treats the tranistion this way but having a user lose access is causing a lot of issues for us and I was wondering how others with WDaaM are adressing this. 

Thanks in advance for any input or suggestions.
Best Answer chosen by Eric Tipton
Eric TiptonEric Tipton
Despite what I have been told previosly (multiple times by multiple people), it appears that there actually IS a feature flag to deal with this issue. The flag is "profile_sync_user_reactivation" and from what I understand it will automatically re-enable the Okta account when the conversion is complete (when the person has been hired as an FTE in Workday). 

It's a darn shame that I had to go to Oktane to find out about it...since again, I am sure this is affecting a LOT of people. 

I have a case open to have it turned on in our Preview environment and will update this thread with my testing results. 

--Eric

All Answers

James FloresJames Flores (Okta, Inc.)
Hi Eric, 

Is the flow you were recomended this ?

1)Manually disconnect the user in Okta before conversion.
2) Then import the user after conversion which should auto link to the existing user.

If profile sync reactivation is enabled this will be nearly seamless, you'd only have to manaully disconnect the user or you could this via the Okta API. 

Have you reached out the Workday about this?  For those who don't know, the issues is caused when the user is converted, their unique identifier changes and this is the ID that Okta uses to connect to users in Workday. So when the ID changes, Okta sees them as an entirley new user. The same is true in Active Directory but no attribute changes in AD change the unique ID the only way this happens is when a user is deleted and recreated. The case is similar in O365, Salesforce etc. That is why this issue is unique to how Workday handles the conversion.
Eric TiptonEric Tipton
Thanks, that is helpful. When I opened an Okta support case to ask about this,  I was provided with an Okta document titled "Workday_ContingentTOFulltime_Flow.pdf". It was sent as an attachment and I don't see a way to upload here. Steps listed are: 
  1. Hire Contingent Worker in Workday
  2. Push/Match User to Okta/AD to become Workday Mastered
  3. Convert employee in WD from Contingent to Employee status
  4. Enable AD/Okta account associated with previously hired Contingent worker
  5. Match AD user with Okta user – make AD mastered user in Okta
  6. Run Okta Workday Import
  7. Match Workday user with existing AD mastered user in Okta
  8. User is now Full Time and Workday Mastered in Okta
That's not even a workaround, IMHO since the account still gets disabled.  Your solution is an improvement -- assuming we can get the advance notice of the covnersion.

I actually did just reach out to Workday and am posting the same question in their Community. FWIW, the response from Okta support when I asked whether their was a way to prevent the account from becoming disabled to begin with was "Correct, today that's the behavior when a Workday user is termed." Since I assume this is a common issue, it would behoove Okta to try to make sure their WDaaM customers are equipped to deal with the issue. Just my .02
NikiNiki (Okta, Inc.) 
Hi Eric,

thanks for the feedback on your experience and expectation. I will share your post with our Product team for consideration. If you have any other suggestions or feature requests, don't hesitate to post them in the Ideas section of this community.

Thank you,
Niki
Tim GuTim Gu (Okta, Inc.)
Hi Eric,

Thanks for your feedback and we're aware that the Contractor-to-Employee conversion flow is not a seamless transition today. We're investigating ways to make it better, although I do not have specifics to share at the moment. 

Thanks,
Tim
Eric TiptonEric Tipton
Thanks guys. The recommendation from James Flores above is actually a big improvement over the document Support sent us. I reached out to Workday and I gather they are in communication with Okta to improve the process as well. 
Eric TiptonEric Tipton
Ok, @James Flores - that suggestion did NOT work AT ALL. As soon as the account was disconencted from Workday, it was disabled in Okta and AD & deprovisioned from everything. We had to re-enable everything to get him back up and running only to have to go through this all over again when the conversion was made in Workday. 

Come on, Okta - there HAS to be a better way!
Eric TiptonEric Tipton
@Tim Gru - I understand that your are the PM and I understand this is "expected behavior". Can you address James Flores workaround suggestion? 
Eric TiptonEric Tipton
Based on the lastest from Okta Support and my own testing, James' suggestion will NOT work. Any other WDaaM users out there? How are you dealing with this issue? 
Eric TiptonEric Tipton
Despite what I have been told previosly (multiple times by multiple people), it appears that there actually IS a feature flag to deal with this issue. The flag is "profile_sync_user_reactivation" and from what I understand it will automatically re-enable the Okta account when the conversion is complete (when the person has been hired as an FTE in Workday). 

It's a darn shame that I had to go to Oktane to find out about it...since again, I am sure this is affecting a LOT of people. 

I have a case open to have it turned on in our Preview environment and will update this thread with my testing results. 

--Eric
This was selected as the best answer
Van HuynhVan Huynh

Hi Eric,

Our company just signed up with Workday and OKTA about the same time and currently have Workday profiled as a master as well.  We're experiencing EXACTLY what you noted.  I was wondering if anything has changed on this since you first brought it up?  You mentioned that there is a flag, but I'm assuming it's on OKTA's side?  If so, how did you apply that flag?

Thank you!

-Van

Eric TiptonEric Tipton

AFAIK - nothing has changed. The "profile_sync_user_reactivation"is a flag that only Okta support can turn on. It does not work for us since it requires that you have Okta set to auto reactivate deactivated accounts if Workday still shows the account as active. There are times that we need to override that -- so the fix does not work for us. Also, since a Contingent->Employee conversion in Workday always requires deactivating the old account & reactivating the new account, it seems to me like the deactivation would cause all of the assigned apps to get deprovisioned in Okta anyhow & that's what causes the majority of our problems (since some apps don't play nice with reactivating accounts). 

It's possible that there is a better solution but I am not aware of it. It might be worthwhile for you to reach out to Okta to find out. If you do, let me know what you find out.

--Eric