Best practices and FAQ
Set up and configure all three types of imports
- Full import: Run weekly to reconcile all users. It can be run more frequently depending on the number of users and preference.
- Incremental import: Run as frequently as hourly depending on the number of updates made that cannot be triggered by RTS, such as pre-hires. See Incremental imports.
- RTS: Configure for all user updates and terminations. See Workday Real Time Sync.
Configure field overrides
If you are on the newest connector, configure field overrides instead of a custom report for the best performance. Otherwise, use a paginated custom report. See Workday custom attributes
Number of users
If you have over 50,000 users, contact Okta Support to enable batch imports for more robust performance.
Rename a group
- If you have to rename a group in Workday, consider creating a new group instead.
- As described in Manage Workday Provisioning Groups, Workday Group name changes can result in unwanted behavior downstream in Okta. To work around this issue, create a new group with the desired name in Workday and assign all the users to it. Wait for an import or RTS job to create the new group in Okta.
- After the newly created group is brought into Okta, set it up exactly the same as the group you wished to rename. When all user memberships, group rules, and application assignments are the same between the new group with the desired name and the old group, you can remove the original group from Workday. Update Okta by running a full import to remove the old group from Okta.
- Since all users, rules, and application assignments have been duplicated to the new group, no one should lose access to any applications or assignments.
Configure import settings
When configuring your import settings, review Import safeguards (App level roadblock settings) and ensure it is configured to an acceptable percentage level for your organization’s purposes.
SAML SOAP request:POST xx/Human_Resources/v29.0 HTTP/1.1 Host: Workday host Content-Type: application/xml cache-control: no-cache Postman-Token: token <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"> <S:Header> <wsse:Security xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1"> <wsse:UsernameToken> <wsse:Username>username</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken> </wsse:Security> </S:Header> <S:Body> <ns1:Get_Workers_Request xmlns:ns1="urn:com.workday/bsvc" ns1:version="v29.0"> <ns1:Request_Criteria> <ns1:Exclude_Inactive_Workers>true</ns1:Exclude_Inactive_Workers> </ns1:Request_Criteria> <ns1:Response_Filter> <ns1:As_Of_Effective_Date>2019-03-14T22:25:24.480Z</ns1:As_Of_Effective_Date> <ns1:As_Of_Entry_DateTime>2019-03-14T22:25:24.480Z</ns1:As_Of_Entry_DateTime> <ns1:Page>1</ns1:Page> <ns1:Count>100</ns1:Count> </ns1:Response_Filter> <ns1:Response_Group> <ns1:Include_Reference>true</ns1:Include_Reference> <ns1:Include_Personal_Information>true</ns1:Include_Personal_Information> <ns1:Include_Employment_Information>true</ns1:Include_Employment_Information> <ns1:Include_Organizations>true</ns1:Include_Organizations> <ns1:Exclude_Organization_Support_Role_Data>true</ns1:Exclude_Organization_Support_Role_Data> <ns1:Include_Employee_Contract_Data>true</ns1:Include_Employee_Contract_Data><ns1:Include_Management_Chain_Data>true</ns1:Include_Management_Chain_Data> </ns1:Response_Group> </ns1:Get_Workers_Request> </S:Body> </S:Envelope>
What versions of the Workday API are currently supported?
Okta supports version 15 and 29 of the Workday API.
Are constrained groups supported?
Constrained groups are not supported.
Are custom attributes supported?
Yes, all imports pull custom attributes. If you are not seeing a custom attribute, check the custom report in Workday with JSON endpoint and validate that the data is there.
What is the performance load that can be supported in a Workday as a Source implementation? How many users can be imported in a full import or incremental import?
Currently, scale testing passed 250 thousand, moving towards 300 thousand users.
Are there technical limitations to integrating Okta with Workday?
For incremental imports, Okta can’t determine changes on custom attributes if they don’t have a transaction log tied to them. If there are base attribute changes, Okta pulls in the custom attributes too.
Are there limitations when provisioning or deprovisioning users using custom attributes?
No, the user works the same with or without the custom attributes.
Are there limitations with a real time sync versus an import?
RTS requires a business process to be set up in Workday for each event you want to trigger.