Workday integration

Integrating your Workday instance with Okta Identity Security Posture Management (ISPM) gives you continuous, unified visibility into the identities in your Workday instance and their associated risks. It helps you identify who has access to critical domains and verify least-privilege compliance. ISPM can also detect issues like weak MFA, stale accounts, unrotated passwords, and other vulnerabilities that impact your Workday environment.

Before you begin

Ensure that you're signed in to your Workday instance using an administrator account.

Start this task

Create an integration system user

  1. Using the search bar, search for Create integration system user.

  2. On the Create integration system user dialog box, complete the following steps:

    1. Enter the username.

    2. Set a password.

    3. In the Session Timeout Minutes field, enter 0.

    4. Select the Do not allow UI sessions checkbox.

    5. Note the username and password for later use.

    6. Click OK.

Create a security group

  1. Using the search bar, search for Create security group.

  2. On the Create security group dialog box, complete the following steps:

    1. From the Type of Tenanted Security Group dropdown menu, select Integration system security group (Unconstrained).

    2. Enter a name.

    3. Note the security group name. You'll need it later.

    4. Click OK.

  3. On the Edit integration system security group (Unconstrained) dialog box, complete the following steps:

    1. Check that the security group name that you entered earlier appears in the Name field.

    2. Optional. Add comments.

    3. In the Integration System Users field, add the username of the user that you created earlier.

    4. Click OK.

    5. Click Done.

Assign the security group to the user

  1. Using the search bar, search for Integration system user security configuration.

  2. On the Integration system user security configuration page, search for the user that you created earlier using filters.

    1. From the Filter condition dropdown menu, select is.

    2. In the Value field, enter the username of the user that you created earlier.

  3. In the Workday Account column, open the options menu associated with the user.

  4. From the options menu, select Security Profile and then select Assign Integration System Security Groups.

  5. On the Assign integration system security groups for integration system user dialog box, select the security group that you created earlier from the Integration System Security Group to Assign dropdown menu.

  6. Click OK and then click Done.

Configure the group with a list of domains

  1. Using the search bar, search for Maintain permission for security group.

  2. On the Maintain permission for security group dialog box, complete the following steps:

    1. Select Maintain as the Operation.

    2. Select the security group that you created earlier from the Source security group dropdown menu.

    3. Click OK.

  3. From the Maintain permission for security group page, go to the Domain security policy permissions tab.

  4. Click + and add the following permissions:

    • View Only

      • Reports: Organization

      • System Auditing

      • Worker Data: Public Worker Reports

      • Person Data: Public Work Email Address Integration

      • Manage: Supervisory Organization

      • Security Configuration

      • User-Based Security Group Administration

      • Security Administration

      • Workday Accounts

      • Integration Security

      • Workday Query Language

    • Get Only

      • Workday Accounts

      • Worker Data: Workers

      • Workday Account Monitoring

      • Worker Data: Public Worker Reports

      • Security Administration

      • Reports: Organization

      • Security Configuration

      • User-Based Security Group Administration

      • Integration Security

      • Workday Query Language

  5. Click OK and then click Done.

  6. Using the search bar, search for Maintain permission for security group.

  7. Check that the permissions that you added appear correctly. Click OK.
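
One way to carry out the check in the last step, shown as an added example (not Okta's or Workday's code): it compares a list of the group's permissions with the set listed above and reports anything missing or extra. The CSV layout with `access` and `domain` columns and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Permissions from the list above, keyed by access level.
EXPECTED = {
    "View Only": [
        "Reports: Organization", "System Auditing",
        "Worker Data: Public Worker Reports",
        "Person Data: Public Work Email Address Integration",
        "Manage: Supervisory Organization", "Security Configuration",
        "User-Based Security Group Administration", "Security Administration",
        "Workday Accounts", "Integration Security", "Workday Query Language",
    ],
    "Get Only": [
        "Workday Accounts", "Worker Data: Workers", "Workday Account Monitoring",
        "Worker Data: Public Worker Reports", "Security Administration",
        "Reports: Organization", "Security Configuration",
        "User-Based Security Group Administration", "Integration Security",
        "Workday Query Language",
    ],
}

def _key(access, domain):
    # Ignore case and stray whitespace so cosmetic differences don't count as drift.
    return (" ".join(access.split()).casefold(), " ".join(domain.split()).casefold())

def audit_permissions(csv_text):
    """Compare an exported permission list (assumed columns: access, domain)
    with EXPECTED. Returns (missing, unexpected) as sorted lists of tuples."""
    expected = {_key(a, d): (a, d) for a, ds in EXPECTED.items() for d in ds}
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        access, domain = row["access"].strip(), row["domain"].strip()
        seen[_key(access, domain)] = (access, domain)
    missing = sorted(v for k, v in expected.items() if k not in seen)
    unexpected = sorted(v for k, v in seen.items() if k not in expected)
    return missing, unexpected

def build_sample():
    # Constructed sample: the documented set minus System Auditing, plus one
    # write-capable grant that the procedure never asks for.
    rows = [(a, d) for a, ds in EXPECTED.items() for d in ds
            if (a, d) != ("View Only", "System Auditing")]
    rows.append(("Get and Put", "Worker Data: Workers"))
    return "access,domain\n" + "\n".join(f"{a},{d}" for a, d in rows) + "\n"

if __name__ == "__main__":
    missing, unexpected = audit_permissions(build_sample())
    for access, domain in missing:
        print(f"MISSING     {access}: {domain}")
    for access, domain in unexpected:
        print(f"UNEXPECTED  {access}: {domain}")
```

An empty `unexpected` list means the group holds nothing beyond the read-only access the procedure grants; an empty `missing` list means every listed permission is present.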

Activate pending security policy changes

  1. Using the search bar, search for Activate pending security policy changes.

  2. On the Activate pending policy changes page, add a description in the Comment field and click OK.

  3. Review the changes and select the Confirm checkbox.

  4. Click OK.

Register API client

  1. Using the search bar, search for Register API client for integrations.

  2. On the Register API client for integrations dialog box, enter a value in the Client Name field.

  3. Select the Non-Expiring Refresh Tokens checkbox.

  4. From the Scope (Functional area) dropdown menu, add all values. To select all values, press Ctrl+A and then press the spacebar.

  5. Select the Include Workday Owned Scope checkbox.

  6. Click OK.

  7. The Client ID and Client secret values appear on the confirmation dialog box. Store these values securely. You'll need them later.

  8. Click Done.

Generate a refresh token

  1. Using the search bar, search for View API clients.

  2. On the View API Clients page, go to the API Clients for Integrations tab.

  3. Search for the API client using filters.

    1. From the Filter condition dropdown menu, select is.

    2. In the Value field, enter the API client name that you copied earlier.

  4. In the API Clients column, open the options menu associated with the required API client.

  5. From the options menu, select API client and then select Manage refresh token for integration.

  6. On the Manage refresh token for integration dialog box, in the Workday account user field, select the username of the user that you created earlier.

  7. Click OK.

  8. On the Delete or regenerate refresh token page, select the Generate new refresh token checkbox and click OK.

  9. From the Successfully regenerated refresh token page, copy the Refresh token value and store it securely. You'll need it later.

  10. Note the Workday REST API endpoint and Authorization endpoint details from the View API Clients page as well. You'll need them later.

  11. Click Done.

Share the parameters with ISPM

  1. In the ISPM console, go to Settings > Sources gallery.

  2. Select Workday.

  3. Enter the following parameters:

    • Tenant name

    • Workday REST API endpoint

    • Authorization endpoint

    • Client ID

    • Client secret

    • Refresh token

  4. Click Submit.