Authorization
When you add a Workday card to a flow for the first time, Okta Workflows prompts you to configure the connection. This connection links to your Workday account and saves your account information, so you can reuse the connection for future Workday flows.
You can create multiple unique connections and manage them from the Connections page in the Okta Workflows Console.
Before you begin
You need the following elements to create a connection to a Workday account:
- Administrator authority on Okta Workflows.
  In addition to the initial authorization of the connector, reauthenticating this connection requires an account with super admin privileges.
- A Workday account that has permission to create an Integration System User, create and edit security groups, and edit security policies for business processes.
  Alternatively, access to a Workday account with security permissions to view worker data and change worker contact information.
Procedure
To establish a connection, you can use an existing Workday account or an Integration System User account.
Okta recommends using an Integration System User because it can be a company account that isn't tied to a particular individual.
Create an Integration System User in Workday
- In the Workday console, type Create Integration System User in the search box.
- From the search results, click Create Integration System User.
- Follow the directions to create a username and password and record those credentials for future use.
- Leave the Do Not Allow UI Sessions option cleared, because you need a UI session to perform the authentication.
Grant permissions to the Integration System User
To use the Workday connector, follow these procedures to grant the necessary permissions to the Integration System User.
Create a security group
- In the Workday console, type Create security group in the search box.
- From the search results, click Create Security Group.
- From the Type of Tenanted Security Group dropdown menu, select Integration System Security Group (Constrained) or Integration System Security Group (Unconstrained).
  You can specify which organizations to include in a constrained group. However, an unconstrained group includes all organizations.
- Enter a name for the group, and click OK. This group name is needed in future steps.
- Add your Integration System User to the list under Integration System Users.
- If you chose a constrained security group, add the orgs that you want to include. Then choose whether to apply access rights to only the current org, or to the current org and all its subordinate orgs.
- Click OK to finish creating the security group, and then click Done.
Add domain security permissions to the security group
- In the Workday console, type View security group in the search box.
- From the search results, click View Security Group.
- Select your security group from the listed results, and click OK.
- From the Actions menu, choose .
- Under Report/Task Permissions, grant the following domain security policy permissions to your security group:
  - Domain Security Policies permitting Modify access
    - Person Data: Work Contact Information
  - Domain Security Policies permitting View access
    - Worker Data: Current Staffing Information
    - Worker Data: Public Worker Reports
    - Reports: Organization
  You may need to add other domain security policy permissions to support viewing custom objects.
- Optional. To find the security domain of a custom object, complete the following steps:
  - In the Workday console, type View custom object in the search box.
  - From the search results, click View Custom Object.
  - Enter the name of your custom object.
  - Record the Security Domains value. This is the security domain required for this custom object.
  - Using the process in the previous step, grant this domain security policy to your security group.
- Click OK to finish updating the domain permissions for your security group, and then click Done.
Add permissions to change Workday information
To use the Workday action cards that change worker information through Okta Workflows, you need to grant the security group the necessary permissions.
- In the Workday console, type Edit business process security policy in the search box.
- From the search results, click Edit Business Process Security Policy.
- For the Business Process Type field, type Work Contact Change and click OK.
- Under Change Work Contact Information (REST Service), add your security group.
- In the Edit Business Process Security Policy dialog, add your security segment to the field for .
- Click OK to finish updating your business process security policies, and then click Done.
Manually add a security segment
If your security group isn't included in the search results of the previous step, you need to manually add it.
- Click .
- Choose a name for this new security segment.
- Under , add your security group.
- In the Access to Segments area, click .
- Add a name for the security group and for the Business Process Type field, type Work Contact Change.
- Click OK to create the security segment for this business process type.
- Workday should return you to the dialog for security segment creation. Click OK.
After you create the security segment, it should appear in the Change Work Contact Information (REST Service) list.
Activate the security policy changes
If you don't activate the security policy changes, then Workday doesn't grant the necessary permissions to the Integration System User account.
- In the Workday console, type Activate pending security policy changes in the search box.
- From the search results, click Activate Pending Security Policy Changes.
- Enter a comment that these changes are required for Okta Workflows, and then click OK.
- Verify and confirm the activation changes.
Create an API Client
The Workday connector in Okta connects to your Workday instance using an API client.
- In the Workday console, type Register API client in the search box.
- From the search results, click Register API Client.
- Enter a name for your client.
- For the Client Grant Type, select Authorization Code Grant.
- Optional. Select Enforce 60 Minute Access Token Expiry.
- For the Redirection URI:
  - If your Okta org is on an Okta Workflows preview cell: https://oauth.workflows.oktapreview.com/oauth/workday/cb
  - If your Okta org is on an Okta Workflows production cell: https://oauth.workflows.okta.com/oauth/workday/cb/
  - If your Okta org is on an Okta for Government High cell: https://oauth.workflows.okta-gov.com/oauth/workday/cb
- Select the Non-Expiring Refresh Tokens option to prevent refresh tokens from expiring. Otherwise, the connection for your Workday connector may break.
- Grant the following scopes:
  - Contact Information
  - Organizations and Roles
  - Staffing
  - Tenant Non-Configurable
  You may need to add other scopes to support viewing custom objects.
- Optional. This step identifies and grants any scopes required for custom objects.
  - In the Workday console, type View custom object in the search box.
  - From the search results, click View Custom Object.
  - Enter the name of your custom object.
  - Click the values associated with the Security Domains and record the Functional Areas values. These are the scopes required for this custom object.
  - Using the process in the previous step, grant the scopes for custom objects to your API client.
- Click OK to confirm the changes.
- After you create the API client, copy the Client Secret value. This value isn't retrievable in the future, so ensure that it's recorded in a secure location.
  Also record the Client ID value, the Workday REST API Endpoint value, and the Authorization Endpoint value. Click Done.
Create a connection in Okta Workflows
- Sign in to Workday using your Integration System User account. Leave this connection open in your browser.
  This active session is necessary to authorize the connection in Okta Workflows.
- In the Okta Workflows Console, go to Connections.
- Click New Connection to see a list of all available connectors.
- Select the Workday connector.
- In the New Connection window, enter a Connection Nickname. Use a unique name, in case you need to create multiple Workday accounts.
- Enter the Client ID and Client Secret of the API client that you created in Workday.
- Your Workday authorization endpoint URL has the format https://{authorization_subdomain}.workday.com/{tenant}/authorize.
  Enter your Workday {authorization_subdomain} endpoint into the Authorization Subdomain field.
  Enter the {tenant} value into the Tenant field.
- Your Workday REST API Endpoint URL has the format https://{subdomain}.workday.com/ccx/api/v1/{tenant}.
  Enter the {subdomain} value into the Token and Endpoint Subdomain field.
- Click Create. Workday launches an authentication window.
  If you aren't currently signed in to Workday, you may receive a Page Not Found error. To resolve this, sign in to Workday before you establish a new connection.
- In the Workday authentication window, click Allow to grant permissions to the Workday connector. Workday saves your connection information and returns you to your flow.
The new Workday connection appears in your Connections list.
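The two endpoint formats in the procedure above determine three of the New Connection fields. The following Python helper is an added example, not Okta or Workday code: it derives those fields from the recorded Authorization Endpoint and REST API Endpoint values, rejects hosts that are not under workday.com or whose tenants disagree, and compares a registered Redirection URI against the three values listed on this page. The function names and the sample tenant and subdomains are hypothetical.

```python
from urllib.parse import urlsplit

# Redirection URIs exactly as listed in the API client step, keyed by cell.
REDIRECT_URIS = {
    "preview": "https://oauth.workflows.oktapreview.com/oauth/workday/cb",
    "production": "https://oauth.workflows.okta.com/oauth/workday/cb/",
    "government-high": "https://oauth.workflows.okta-gov.com/oauth/workday/cb",
}

def _split_workday_url(url):
    """Return (subdomain, path segments) for https://{subdomain}.workday.com/..."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError(f"not an https URL: {url!r}")
    # Suffix match on the full host rejects look-alikes such as
    # impl.workday.com.example.net.
    if not host.endswith(".workday.com") or host == ".workday.com":
        raise ValueError(f"host is not under workday.com: {host!r}")
    return host[: -len(".workday.com")], [s for s in parts.path.split("/") if s]

def connection_fields(authorization_endpoint, rest_api_endpoint):
    """Derive the New Connection fields from the two recorded endpoint values."""
    auth_sub, auth_path = _split_workday_url(authorization_endpoint)
    api_sub, api_path = _split_workday_url(rest_api_endpoint)
    if len(auth_path) != 2 or auth_path[1] != "authorize":
        raise ValueError("authorization endpoint is not /{tenant}/authorize")
    if len(api_path) != 4 or api_path[:3] != ["ccx", "api", "v1"]:
        raise ValueError("REST API endpoint is not /ccx/api/v1/{tenant}")
    if auth_path[0] != api_path[3]:
        raise ValueError("tenant differs between the two endpoints")
    return {
        "Authorization Subdomain": auth_sub,
        "Tenant": auth_path[0],
        "Token and Endpoint Subdomain": api_sub,
    }

def redirect_uri_cell(registered_uri):
    """Return the cell whose listed URI equals registered_uri, else None."""
    return next((c for c, u in REDIRECT_URIS.items() if u == registered_uri), None)

if __name__ == "__main__":
    # Constructed sample values; substitute the ones recorded from your tenant.
    print(connection_fields(
        "https://impl.workday.com/example_tenant/authorize",
        "https://wd2-impl-services1.workday.com/ccx/api/v1/example_tenant",
    ))
```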
Maintenance periods
Workday frequently runs scheduled maintenance between 8 PM (Pacific Time) on Friday and 11 AM on Saturday. During these maintenance periods, the Workday API is unavailable and Workday cards return a 503 Service Unavailable error message.
No data loss occurs during these maintenance periods. After the maintenance period ends, your flows containing Workday cards will execute as expected.
After these maintenance periods, your Workday connections may also fail and return an OAuth Refresh Error message. If this connection issue occurs, reauthorize your Workday connections.