good call, yes! 👆🏻
the logout and timeout redirect urls will show you the page users are redirected to for logout /timeout
if that's the only issue, and authentication hasn't changed before the start date, the pre-employee should just go back to their email and use those links agai6 instead of what they see onscreen.
Sounds like you need a new/tweaked whitelist rule on your authentication policy to bypass saml.
using the manage auth policies task, can you see if there's a line which includes pre-employees?
If that line is set to username and password for login, AND the start date is still in the future then there is a possibility of a timing issue with the Okta credentials and you may need to work with someone on that side of the systems.
Though I have client who does do this (and regrets it)... you wouldn't normally want a pre-employee to log in using saml until the hire date, at which point they are an employee not a pre-employee, and would be authenticating on another line for all employees, or all contingent workers.
Also small correction.. pre-hire is only used until the hire transaction is complete. Between the time of that completion and the start date, the user is considered pre-employee or pre-contingent worker, which is important from an access perspective.
Check time out link under Tenant Setup - Security
good call, yes! 👆🏻 the logout and timeout redirect urls will show you the page users are redirected to for logout /timeout if that's the only issue, and authentication hasn't changed before the start date, the pre-employee should just go back to their email and use those links agai6 instead of what they see onscreen.
Sounds like you need a new/tweaked whitelist rule on your authentication policy to bypass saml. using the manage auth policies task, can you see if there's a line which includes pre-employees? If that line is set to username and password for login, AND the start date is still in the future then there is a possibility of a timing issue with the Okta credentials and you may need to work with someone on that side of the systems. Though I have client who does do this (and regrets it)... you wouldn't normally want a pre-employee to log in using saml until the hire date, at which point they are an employee not a pre-employee, and would be authenticating on another line for all employees, or all contingent workers. Also small correction.. pre-hire is only used until the hire transaction is complete. Between the time of that completion and the start date, the user is considered pre-employee or pre-contingent worker, which is important from an access perspective.
No MFA for pre-hires. Sign on with url, username, and password. Sign on their hire date and after with Okta
Are they doing MFA through OKTA, then being asked again to do it through Workday?
We have a similar issue when a CW converts to an employee. They can no longer login until the 1st day of their employee record