Best Practices and FAQs
- Setup and configure all three types of imports:
- Full import: Run weekly to reconcile all users, can be run more frequently depending on number of users and preference
- Incremental import: Run as frequently as hourly depending on the number of updates made that cannot be triggered via RTS, such as pre-hires (see Incremental Imports)
- RTS: Configure for all user updates and terminations (see Workday Real Time Sync)
- If you are on the newest connector, configure field overrides instead of a custom report for the best performance. Otherwise, use a paginated custom report. See Workday Custom Attributes)
- If you have over 50k users, contact Okta Support to enable batch imports for more robust performance.
If/When the need arises to rename a group in Workday, we recommend that you instead create a new group.
As described in Manage Workday Provisioning Groups, currently Workday Group name changes can result in unwanted behavior downstream in Okta. To work around this issue the best course of action is to create a new group with the desired name in Workday, and assign all of the users to it. Wait for an import and/or RTS job to create the new group in Okta. Once the newly created group is brought into Okta, set it up exactly the same as the group you wished to rename. Once any and all user memberships, group rules, and/or application assignments are the same between the new group with the desired name and the old group, you can then remove the original group from Workday and update Okta via full import to remove the old group from Okta. Since all users, rules, and application assignments have been duplicated to the new group, no one should lose access to any applications or assignments.
When configuring your import settings, review About import safeguards (App level roadblock settings) and ensure it is configured to an acceptable percentage level for your organizations purposes.
POST xx/Human_Resources/v29.0 HTTP/1.1
Host: Workday host
<wsse:Security xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<ns1:Get_Workers_Request xmlns:ns1="urn:com.workday/bsvc" ns1:version="v29.0">
What versions of the Workday API are currently supported?
Okta supports v15 and v29 of the Workday API.
Are constrained groups supported?
Constrained groups are not supported at this time.
Are custom attributes supported?
Yes, we pull custom attributes in all of the imports. If you are not seeing a custom attribute, check the custom report in Workday with JSON endpoint and validate that the data is there.
What are the performance load that can be supported in a Workday as a Master implementation? How many users can be imported in a full import/incremental import?
Currently we passed 250k users in our scale testing. We continue to move forward towards 300k.
Are there technical limitations to integrating Okta with Workday?
We cannot determine changes on custom attributes for incremental imports if they do not have a transaction log tied to them, but if there are base attribute changes, we will pull in the custom attributes too.
Are there limitations when provisioning/de-provisioning users using custom attributes?
No, the user works the same with or without the custom attributes.
Are there limitations with a real time sync versus an import?
RTS requires a business process to be setup in Workday for each event you want to trigger.