Workday Real Time Sync

Workday Real Time Sync (RTS) allows Okta to receive user creation, update, and termination events from Workday on a real-time basis. User changes in Workday are reflected immediately in Okta and its downstream applications.

RTS is used to trigger an update from Workday to Okta in real time. It should be used for changes where timeliness is critical such as immediate termination of a worker. A business process must be configured in Workday to send the trigger to Okta to start this process. Included in the RTS import are base attributes, non-future, and future effective dated custom attributes.

It is highly recommended that RTS be used in combination with scheduled imports that are run on a 1-2 day interval. This is because some less frequent actions in Workday will not trigger RTS, so scheduled imports are required to reconcile these actions.

Prerequisites

Workday is set up as the Profile Source. For instructions, see Configuring Provisioning for Workday.

Features

Workday actions not supported by Real Time Sync:

  • Updates to the Second Email attribute do not trigger RTS.
  • Updates to the Manager Username attribute do not trigger RTS.
  • RTS does not add pre-start hires into Okta.

The table displays what does and does not require an update in base attributes to trigger RTS:

Features

Requires base attribute update to trigger RTS (SAMPLE base attributes- firstName, lastName, email)

Create New userNo
Update User Base AttributeNo
Terminate UserNo
Update Users Custom AttributeYes
Create New GroupYes
Update Group Name & DescriptionYes (Not recommended. See Manage Workday Provisioning Groups)
Update Any Group SettingsYes
Add New User To GroupNo
Update User Base Attribute in GroupYes
Remove User From GroupYes

 

List of Base Attributes

Display Name

Variable Name

Type

User Name userName String
First Name firstName String
Last Name lastName String
Email email String
Second Email secondEmail String
Mobile Phone mobilePhone String
Employee ID employeeID String
Worker Type accountType String
Title businessTitle String
Manager ID managerId String
Manager Username managerUserName String
Street Address streetAddress String
City city String
State state String
Postal Code postalCode String
Country (ISO-3166) countryCode String
Supervisory Organization supervisoryOrd String
Business Unit businessUnit String
Work Phone workPhone

String

Location location String

RTS Deactivation

  • RTS follows the same deactivation rules when querying the user in real time. Information about deactivation can be found here.
  • Users can be deactivated immediately upon sync if the immediate deactivation reasoning has been set up. See Workday.
  • Group name change is not recommended in conjunction with RTS. See Manage Workday Provisioning Groups.

Procedures

Workday configuration

Step 1: Create an Integration System

  1. Sign in to Workday as an administrator.
  2. Type Create Integration System in the search box on the top left corner of the screen.
  3. Enter the following information:
    • System Name: Name desired for the integration system
    • Template: Select New using Template, then select  Okta-Worker from the list.
    • Click OK:
  4. Select Enable All Services and make sure that all checkboxes under the Enabled column are selected:

  5. You may see the following error. You can ignore it because you finish the configuration in the next section.

  6. After confirming the values, the Integration System page opens.

Step 2: Add Integration Attributes to the Integration System

  1. Click Actions adjacent to the Integration System, then go to Integration System > Configure Integration Attributes:

  2. Click the plus (+) sign for the Okta API Endpoint and Okta API Token to add a new entry for each attribute.

Okta API Endpoint

In the URL: https://<ENVIRONMENT>/api/v1/app/<Identity Provider ID>/activities, use these elements:

  • Environment: Example: acme.okta.com, mycompany.okta.com
  • Identity Provider ID: From the View Setup Instructions link under the Sign On tab for the Workday app. Use the value generated for Issuer in the Setup Instructions.

SAML Setup Instructions:

To obtain the Okta API Token, follow these steps:

  1. Create an Okta service account.
  2. Make the service account an Application Administrator of the Workday application.
  3. Sign in to Okta as this user.
  4. From the Okta Dashboard page, go to Security > API.
  5. Click  Create Token, then enter a relevant name for it.
  6. Copy the token and use it in the form detailed above.

Step 3: Add Subscriptions to the Integration System

  1. Click the ellipsis (three dots) adjacent to the Integration System, then go to Integration System > Edit Subscriptions:

  2. Under Subscribe to specific Transaction Types, select items as per the types of events that are required. (Refer to Table 3 for specifications on the types of transactions).

  3. Click the minus (–) sign below External Endpoints to remove the configuration for External Endpoint.

  4. Click Add Launch Integration, then add the values shown in Table 1:

  5. You may see the following alert. You can ignore it as it will be fixed in the next section.

Table 1:

Field

Value Types

Value

WorkersDetermine Value at RuntimeTransaction Targets
As of Entry MomentDetermine Value at RuntimeTransaction Entry Moment
Effective DataDetermine Value at RuntimeTransaction Entry Moment

Note: If you receive an error, try inputting Transaction Targets as Workers instead of Transaction Targets.

Step 4: Associate the Integration User to the Integration System

This Integration System User should be created as described in Create an Integration System User in Workday.

  1. Click the ellipsis (three dots) adjacent to the Integration System, then edit the Workday account:

  2. Select the Integration System User under Workday Account and add it. This associates the Integration User to the System and completes the setup of the Integration System.

Step 5: Edit Business Process for adding the Integration System

  1. We use Hire in this example. For the appropriate business process type, see Table 3.
  2. Type in bp: hire in the Workday search box.
  3. Select Hire for <tenant>. For example: Hire for Acme Inc. Do not select the default business process.
  4. Go to Edit Definition:

  5. We need to add a new step, which will be invoked after the hire process is complete. Find the letter in the Order column matching the Yes in the Complete column. (In this example it's set to a).

  6. Click the plus sign (+) to add a new step.

  7. Set the Order value to b since we need the Business Process to invoke real time sync after the completion step, which is set to a.

  8. Select the type as Integration, then click OK to save. You return to the Business process landing page.

  9. You may see the following error. You can ignore it because it will be fixed in the next section.

  10. There is now a new Configure Integration System button. Click this to start the configuration process.

  11. Select the Integration system that was previously created, then click OK.

  12. Add the values as shown in Table 1:

Table 2

Field

Value Types

Value

WorkersDetermine Value at RuntimeWorker
As of Entry MomentDetermine Value at RuntimeDate and Time Completed
Effective DateDetermine Value at RuntimeEffective Date

This completes the steps for adding the Integration System event to the Business Process. For the sync between Workday and Okta, see  Table 3 for the optimal combination of Business Process and Transaction Type.

Table 3

No.

Type

Name

Event

1Business ProcessHireNew hire
2Business ProcessTerminationTermination
3Business ProcessJob ChangeJob, Supervisory org. Manager
4Business ProcessTitleJob Title Change
5Transaction TypeAccount Provisioning - Event Lite TypeWorkday ID change
6Transaction TypeContact Change - Contact InformationPhone number, email change
7Transaction TypeEdit Workday Account - Edit Workday AccountUsername, Employee ID change
8Transaction TypeLegal Name Change - Legal Name Change EventName change
9Transaction TypePerson Address Change - Event Lite TypeAddress change (Work Address)

Maintain Termination Categories in Workday

There are two ways to edit or view the categories for termination:

  • Search for maintain termination categories in the search box and select termination for results.
  • Termination IDs via the integration IDs report: search for integration IDs and then select the appropriate values, as shown in the two images.


Pre-hire interval set?

Immediate deactivation reason matches?

Use last day of work?

Outcome

No

No

No

Worker will become deactivated after their termination date has come to pass 

No

No

Yes

Worker will become deactivated after their last day of work has come to pass

No

Yes

No

Worker will become deactivated 1 day prior to their termination date coming to pass

No

Yes

Yes

Worker will become deactivated 1 day prior to their termination date coming to pass

Yes

No

No

Worker will become deactivated after their termination date has come to pass

Yes

No

Yes

Worker will become deactivated after their last day of work has come to pass

Yes

Yes

No

Worker will become deactivated after their termination date has come to pass

Yes

Yes

Yes

Worker will become deactivated after their last day of work has come to pass