Workday Real-Time Sync

Workday Real-Time Sync (RTS) allows Okta to receive user creation, update, and termination events from Workday on a real-time basis. User changes in Workday are reflected immediately in Okta and its downstream apps.

RTS is used to trigger an update from Workday to Okta in real-time. It should be used for changes where timeliness is critical such as immediate termination of a worker. A business process must be configured in Workday to send the trigger to Okta to start this process. Included in the RTS import are base attributes, non-future, and future effective dated custom attributes.

Okta strongly recommends that you use RTS with scheduled imports that are run on a 1–2 day interval. This is because some less-frequently used actions in Workday don't trigger RTS, so scheduled imports are required to reconcile these actions.

Prerequisites

Workday is set up as the Profile Source. For instructions, see Workday.

Features

Workday actions not supported by RTS:

  • Updates to the Second Email attribute don't trigger RTS.
  • Updates to the Manager Username attribute don't trigger RTS.

Some of the worker attributes, like the Manager Username, can't be populated in Okta as part of RTS. As a workaround, add the attribute to Workday field overrides.

The table displays what does and doesn't require an update in base attributes to trigger RTS:

Features

Requires base attribute update to trigger RTS (SAMPLE base attributes- firstName, lastName, email)

Create New user No
Update User Base Attribute No
Terminate User No
Update Users Custom Attribute Yes
Create New Group Yes
Update Group Name & Description Yes (Not recommended. See Manage Workday Provisioning Groups)
Update Any Group Settings Yes
Add New User To Group No
Update User Base Attribute in Group Yes
Remove User From Group Yes

These are all of the of base attributes:

Display Name

Variable Name

Type

User Name userName String
First Name firstName String
Last Name lastName String
Email email String
Second Email secondEmail String
Mobile Phone mobilePhone String
Employee ID employeeID String
Worker Type accountType String
Title businessTitle String
Manager ID managerId String
Manager Username managerUserName String
Street Address streetAddress String
City city String
State state String
Postal Code postalCode String
Country (ISO-3166) countryCode String
Supervisory Organization supervisoryOrd String
Business Unit businessUnit String
Work Phone workPhone

String

Location location String

RTS Deactivation

Configure RTS in Workday

Create an Integration System

  1. Sign in to Workday as an administrator.
  2. Type Create Integration System in the search box on the top-left corner of the page.
  3. Enter the following information:
    • System Name: Name desired for the integration system
    • Template: Select New using Template, then select Okta-Worker from the list.
    • Click OK.
  4. Select Enable All Services and make sure that all checkboxes under the Enabled column are selected.
  5. You may see the following error. You can ignore it because you finish the configuration in the next section.

  6. After confirming the values, the Integration System page opens.

Add Integration Attributes to the Integration System

  1. Click Actions next to the Integration System, and then go to Integration SystemConfigure Integration Attributes:
  2. Click the plus (+) sign for the Okta API Endpoint and OktaAPI Token to add an entry for each attribute.

OktaAPI Endpoint

In the URL: https://<ENVIRONMENT>/api/v1/app/<Identity Provider ID>/activities/, use these elements:

  • Environment: For example, acme.okta.com, mycompany.okta.com
  • Identity Provider ID: From the View Setup Instructions link under the Sign On tab for the Workday app. Use the value generated for Issuer in the setup Instructions.

To obtain the Okta API Token, follow these steps:

You must use an account with super admin privileges to generate tokens.

  1. Create an Okta service account.
  2. Make the service account an Application Administrator of the Workday application.
  3. Sign in to Okta as this user.
  4. From the Admin Dashboard page, go to SecurityAPI.
  5. Click Create Token and then enter a relevant name for it.
  6. Copy the token and use it in the form.

Add Subscriptions to the Integration System

  1. Click the ellipsis (three dots) next to the Integration System, then go to Integration SystemEdit Subscriptions.
  2. Under Subscribe to specific Transaction Types, select items according to the types of events that are required. (See Table 3 for specifications on the types of transactions.)

  3. Click the minus (–) sign below External Endpoints to remove the configuration for External Endpoint.

  4. Click Add Launch Integration, and then add the values shown in Table 1:

  5. You may see the following alert. You can ignore it as it will be fixed in the next section.

Table 1:

Field

Value Types

Value

Workers Determine Value at Runtime Transaction Targets
As of Entry Moment Determine Value at Runtime Transaction Entry Moment
Effective Data Determine Value at Runtime Transaction Entry Moment

If you receive an error, try inputting Transaction Targets as Workers instead of Transaction Targets.

Associate the Integration User to the Integration System

This Integration System User should be created as described in Create an Integration System User in Workday.

  1. Click the ellipsis (three dots) next to the Integration System, then edit the Workday account.

  2. Select the Integration System User under Workday Account and add it. This associates the Integration User to the System and completes the setup of the Integration System.

Edit Business Process for adding the Integration System

  1. We use Hire in this example. For the appropriate business process type, see Table 3 .
  2. Enter bp: hire in the Workday search field.
  3. Select Hire for tenant. For example: Hire for Acme Inc. Don't select the default business process.
  4. Go to Edit Definition.
  5. Add a new step, which will be invoked after the hire process is complete. Find the letter in the Order column matching the Yes in the Complete column. (In this example it's set to a).

  6. Click the plus sign (+) to add a step.

  7. Set the Order value to b. You need the Business Process to invoke real time sync after the completion step, which is set to a.

  8. Select the type as Integration, then click OK to save. You return to the Business Process landing page.

  9. You may see the following error. You can ignore it because it will be fixed in the next section.

  10. The Configure Integration System button appears. Click this to start the configuration process.

  11. Select the Integration System that was previously created, then click OK.

  12. Add the values as shown in Table 1:

Table 2

Field

Value Types

Value

Workers Determine Value at Runtime Worker
As of Entry Moment Determine Value at Runtime Date and Time Completed
Effective Date Determine Value at Runtime Effective Date

This completes the steps for adding the Integration System event to the Business Process. For the sync between Workday and Okta, see Table 3 for the optimal combination of Business Process and Transaction Type.

Table 3

No.

Type

Name

Event

1 Business Process Hire New hire
2 Business Process Termination Termination
3 Business Process Job Change Job, Supervisory org. Manager
4 Business Process Title Job Title Change
5 Transaction Type Account Provisioning - Event Lite Type Workday ID change
6 Transaction Type Contact Change - Contact Information Phone number, email change
7 Transaction Type Edit Workday Account - Edit Workday Account Username, Employee ID change
8 Transaction Type Legal Name Change - Legal Name Change Event Name change
9 Transaction Type Person Address Change - Event Lite Type Address change (Work Address)

Maintain termination categories in Workday

There are two ways to edit or view the categories for termination:

  • Search for maintain termination categories in the search box and select termination for results.
  • Termination IDs through the integration IDs report: search for integration IDs and then select the appropriate values.

Pre-hire interval set?

Immediate deactivation reason matches?

Use last day of work?

Outcome

No

No

No

Worker is deactivated after their termination date

No

No

Yes

Worker is deactivated after their last day of work

No

Yes

No

Worker is deactivated 1 day before their termination date

No

Yes

Yes

Worker is deactivated 1 day before their termination date

Yes

No

No

Worker is deactivated after their termination date

Yes

No

Yes

Worker is deactivated after their last day of work

Yes

Yes

No

Worker is deactivated after their termination date

Yes

Yes

Yes

Worker is deactivated after their last day of work