Best practices and FAQ

Best practices

Set up and configure all three types of imports

  • Full import: Run weekly to reconcile all users. It can be run more frequently depending on the number of users and preference.
  • Incremental import: Run as frequently as hourly. This depends on the number of updates that are made that Real-Time Sync (RTS) can't trigger, such as pre-hires. See Incremental imports.
  • Real-Time Sync (RTS): Configure for all user updates and terminations. See Workday Real-Time Sync.

Configure field overrides

If you are on the newest connector, configure field overrides instead of a custom report for the best performance. Otherwise, use a paginated custom report. See Workday custom attributes

Number of users

If you have over 50,000 users, contact Okta Support to enable batch imports for more robust performance.

Rename a group

  • If you have to rename a group in Workday, consider creating another group instead.
  • As described in Manage Workday Provisioning Groups, Workday Group name changes can result in unwanted behavior downstream in Okta. To work around this issue, create a different group with the desired name in Workday and assign all the users to it. Wait for an import or RTS job to create this group in Okta.
  • After the new group is brought into Okta, configure it the same as the group that you wanted to rename. Ensure that all user memberships, group rules, and application assignments are the same between the new group with the desired name and the old group. After you verify that the groups are identical, you can remove the original group from Workday. Update Okta by running a full import to remove the old group from Okta.
  • Since all users, rules, and application assignments have been duplicated to the new group, no one should lose access to any applications or assignments.

Configure import settings

When configuring your import settings, review App-level import safeguards and ensure that your safeguards are set to an acceptable percentage level for your organization’s purposes.

FAQ

SAML SOAP request:

POST xx/Human_Resources/v29.0 HTTP/1.1 Host: Workday host Content-Type: application/xml cache-control: no-cache Postman-Token: token <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> <S:Header> <wsse:Security xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> <wsse:UsernameToken> <wsse:Username>username</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken> </wsse:Security> </S:Header> <S:Body> <ns1:Get_Workers_Request xmlns:ns1="urn:com.workday/bsvc" ns1:version="v29.0"> <ns1:Request_Criteria> <ns1:Exclude_Inactive_Workers>true</ns1:Exclude_Inactive_Workers> </ns1:Request_Criteria> <ns1:Response_Filter> <ns1:As_Of_Effective_Date>2019-03-14T22:25:24.480Z</ns1:As_Of_Effective_Date> <ns1:As_Of_Entry_DateTime>2019-03-14T22:25:24.480Z</ns1:As_Of_Entry_DateTime> <ns1:Page>1</ns1:Page> <ns1:Count>100</ns1:Count> </ns1:Response_Filter> <ns1:Response_Group> <ns1:Include_Reference>true</ns1:Include_Reference> <ns1:Include_Personal_Information>true</ns1:Include_Personal_Information> <ns1:Include_Employment_Information>true</ns1:Include_Employment_Information> <ns1:Include_Organizations>true</ns1:Include_Organizations> <ns1:Exclude_Organization_Support_Role_Data>true</ns1:Exclude_Organization_Support_Role_Data> <ns1:Include_Employee_Contract_Data>true</ns1:Include_Employee_Contract_Data><ns1:Include_Management_Chain_Data>true</ns1:Include_Management_Chain_Data> </ns1:Response_Group> </ns1:Get_Workers_Request> </S:Body> </S:Envelope>

What versions of the Workday API are currently supported?

Okta supports versions 15, 29, and 37 of the Workday API.

Are constrained security groups supported?

Yes, constrained security groups are supported. These enable you to specify which Workday users to import to Okta.

Are custom attributes supported?

Yes, all imports pull custom attributes. If you aren't seeing a custom attribute, check the custom report in Workday with the JSON endpoint and validate that the data is there.

What is the performance load that can be supported in a Workday as a Source implementation? How many users can be imported in a full import or incremental import?

Currently, scale testing passed 250,000 and is moving towards 300,000.

Are there technical limitations to integrating Okta with Workday?

For incremental imports, Okta can’t determine changes on custom attributes if they don’t have a transaction log tied to them. If there are base attribute changes, Okta pulls in the custom attributes too.

Are there limitations when provisioning or deprovisioning users that use custom attributes?

No, the user works the same with or without the custom attributes.

Are there limitations with a real-time sync versus an import?

RTS requires a business process to be set up in Workday for each event you want to trigger.