Available Workflows templates | Okta (2024)

Okta

Assign group memberships temporarily based on time

Grant membership to an Okta user group for a limited time. For example, a group that gives auditors access to applications, but revokes access after 30 days. Another example might be a temporary development project that developers need to access.

Okta

Audit Okta admin roles and last sign-in to the Admin Console

Periodically auditing admin access to your Okta org can help to ensure that users have the correct admin roles. Auditing also helps to identify users who may no longer need admin access based on activity. This template identifies all admin users (users assigned to the Admin Console) and writes their information to a table, including admin role assigned and last Admin Console access.

Auth0

Close abandoned accounts

Abandoned accounts are less likely to have strong passwords and multifactor authentication. This template illustrates how Okta Workflows can be used to enhance your application's overall security by removing these abandoned accounts. Use this template to automatically alert inactive users about account expiration and then remove any users from Auth0 if the accounts remain inactive.

Okta

Google Drive

Create a report on multiple Okta events

There are scenarios where you need to use multiple events for a singular purpose. Instead of creating and maintaining separate copies of each flow, you can use helper flows and tables to limit repetition in your flows. This template demonstrates a simple pattern for creating a daily report of user attributes from three Okta events: User Created, User Okta Profile Updated, and User Deactivated. The template then uploads a daily report to Google Drive through a scheduled flow that runs every midnight.

Okta

Detect and respond to MFA Fatigue attacks

Multifactor authentication (MFA) fatigue is a technique used by attackers to flood a user's authentication app with push notifications. If the user accepts a push notification, the attacker gains entry to an account or device. These templates provide a means to detect and respond to active attacks against your Okta org.

Okta

Detect suspicious MFA push notifications

This template uses an event hook that triggers the flow when Okta Verify sends a push notification.

This flow checks the geolocation (city, state, and country) of both the sign-in request (source) and the successful Okta Verify push (destination). If the city is different, the flow continues to gather information for a security team investigation.

You can easily modify this flow to notify other downstream applications based on business needs.

Okta

Encourage stronger MFA adoption

This template encourages Okta end users to enroll in a stronger factor for their account by monitoring the enrollment and use of SMS as a factor.

Okta

Enable a grace period for Identity Governance Access Certification

During an access certification, some organizations might allow for revoke decisions. Some campaigns implement a grace period where end users retain access to the resource for a period before their access is revoked. This template enables this configuration for a campaign, applying the revoke decision at a future date. The date is determined according to the number of days granted as a grace period.

Okta

Google Forms

Microsoft Forms

Postman

Form submission to Okta Workflows API endpoint

Various cloud platform services allow IT administrators and developers to configure forms that send a POST operation to a URL endpoint. Okta can use the data sent by the operation to the Workflows API Endpoint to onboard or offboard employees, add or remove users from Okta groups, or use any configured Workflows connector. This template demonstrates how to complete these tasks using Postman, Google Forms, or Microsoft Forms.

Okta

Generate unique usernames with user import inline hooks

IT administrators need a unique Okta username to add a new hire within an organization. This template uses inline hooks and Workflows to check whether the imported user already exists within the Okta Universal Directory. If the user exists, the template increments the username to make it unique. For example, jessiedoe1@example.com.

Okta

Hardening customer verification with email factor challenge

Hardening customer identity authentication is critical to improving security and avoiding fraud. It should be baked into the customer journey both online and offline, whether it's shopping online or picking up takeout food from your favorite restaurant. Hardening customer identity authentication creates two interesting challenges. First, validating the identity of the customer beyond traditional static password-based authentication to include a reliable time-based one-time password (TOTP). Second, continuing to provide a frictionless experience without compromising security.

Okta

Identify inactive Okta users

You can determine whether your Okta tenant has stale accounts that a manual deprovisioning process missed by using specific criteria to identify inactive users. This task can then allow expensive application licenses, for example, to become available to other users. This template searches for all users in an Okta tenant whose last sign-in date was before a certain date, and writes information about those users to a table in Workflows. The data in the table can be exported to a CSV file as a download, or as an attachment to an email for periodic reporting. An extra enhancement to this template can also be the suspension of inactive users.

Okta

Slack

Identify inactive third-party users

Identifying inactive users of SaaS applications managed within Okta is a great way to maintain a principle of least privilege. By searching for inactive users (based on previous sign-in data), you can perform any remediation actions required by your company policies. This information also shows what expensive application licenses aren't in use and can be canceled or reassigned.

This template searches for users of a given application who haven't signed in during a specified time window and adds those users to an Okta group.

Okta

Implement log streaming with Okta Workflows

This template focuses on implementing log streaming and Okta Workflows to capture specific event types from the Okta System Log. Log streaming enables the export of System Log events in near real-time to platforms like Amazon EventBridge or Splunk Cloud. You can use this functionality for monitoring suspicious activity, automating responses to specific events, or troubleshooting.

Okta

Initiate a flow with an API endpoint

Okta Workflows is a powerful tool to implement custom business logic. Instead of creating an object directly in Okta (for example, a user, application, or group) using REST APIs, you can send the object request along with its JSON payload to Workflows. Then you can implement custom business logic to check for existing objects in Okta or to reach out to a third party to verify data. Based on the results of the dynamic logic, Workflows decides on actions and provides flexible processing options.

Okta

Introduction to Custom API Actions

Sometimes a connector doesn't meet your needs because of a missing action. With the Custom API Action method, you can get around this limitation by making a generic HTTP request to any of the connectors that Workflows has available. This flow uses a custom Role attribute as part of an Okta user profile. If the user is created with a Support role attribute, the user is added to the HELP_DESK_ADMIN role in Okta.

Okta

Slack

Introduction to lists and helper flows

A great deal of data exists in list format, such as user or application objects. Okta Workflows allows you to process lists in a comprehensive manner using helper flows to operate on each member of the list. There are various ways to process a list. Performing a discrete action on each item without returning anything to the parent flow is common. You can also keep a cumulative output of each item iteration that can be returned to the parent flow. There are many other List operations. See Parent flows and other flow types.

Helper flows are simply subroutines that exist as a separate flow but can only be called from a main or parent flow. Helper flows are useful not only for processing lists, but also for reusing code, evaluating team contributions, and cleaning up code.

Auth0

Link new users to existing accounts based on email

This template illustrates how Okta Workflows can streamline customer identity management by automatically linking duplicate customer accounts in Auth0. This template checks the email address for every new user that signs in to your website against your existing user base. If a duplicate is found, the template automatically links the user's two Auth0 accounts.

Okta

Make API requests with the HTTP Request card

Many organizations that integrate with web services need to use a secured HTTPS endpoint to invoke a SaaS application or an on-premises API secured through an API gateway. This flow illustrates the use of the Okta Workflows HTTP Raw Request card for GET and POST operations with some sample content. It also illustrates how to process JSON using various Workflows cards.

Okta

Manage Okta group membership based on profile attributes

In many organizations, a set of Okta group memberships is determined by job codes or, more generally, by user profile attributes to implement role-based access control (RBAC). This flow illustrates group assignment based on user profile attributes.

Okta

Slack

Monitor unsuccessful phishing attempts

This template uses an event hook that triggers the flow when a phishing attempt is unsuccessful. The flow sends the IP address of the phishing site and the affected user to a Slack channel for further investigation.

Okta

New user registration

In Customer Identity and Access Management (CIAM) use cases, many business units, locales, and brands may require distinct user management operations. This template demonstrates how to implement custom processing of the registration context.

Okta

Slack

Notify a user when their profile is updated

A user profile may be updated for many reasons, including a scheduled change by HR, a change to personal information, or some other automated change. However, can you always be sure that the data in the user profile is accurate and updated legitimately by the user or an authorized admin? This flow allows you to send a message (for example, through email or Slack) to notify the user of a profile update. Then they can review and confirm those changes.

Okta

Gmail

Pre-enroll users in SMS multifactor authentication before activation

User activations typically allow users to choose and enroll in an MFA factor when they sign in for the first time. Improve your security posture by validating the user's identity during sign-in. Users can be enrolled in the SMS factor using the profile phone number from Active Directory or the HR system. This flow automates this process and verifies that the user is authorized to receive an activation notice and can access their company's resources.

Okta

Quarantine an Okta user by sending a webhook to Workflows

Acting on compromised accounts helps increase the security posture of any organization. External systems like Splunk constantly analyze data, searching for specific patterns that could indicate a compromised account. If an account is identified, organizations could quarantine the account and prevent further access to critical applications.

When this flow is exposed as a webhook, external systems can invoke it to help incident response efforts by adding the user to a quarantine group. This quarantine group is associated with individual application sign-on policies to deny access. At the end of the flow, Okta clears the user session, forcing the user to reauthenticate. The user is now limited to only the applications that aren't associated with the quarantine event.

This flow could be extended to notify the end user, managers, or administrators through emails, text messages, or collaboration tools such as Slack or Microsoft Teams.

Okta

MuleSoft

Reference an on-premises LDAP

This template is an example of referring to an LDAP repository to perform a generic search within Okta Workflows. It can be modified and applied to any sort of repository such as an SQL database. This example uses the MuleSoft Anypoint platform to host the API Endpoint consumed by Okta Workflows.

Okta

Remote sync

Many CIAM customers have multiple user stores that need to be maintained until legacy systems are decommissioned. When the identity information sourced in Okta changes, these attributes need to be synchronized downstream. This template provides an easy-to-implement, fully customizable method to update a remote system with CRUD (create, update, and delete) operations.

Okta

Slack

Report suspicious activity

This template provides an end user with the option to report unrecognized activity from an email notification about account activity. When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report.

Okta

Google Workspace

Office 365 Admin

Zoom

Reset user sessions in Okta, Google Workspace, Office 365, and Zoom

Revoking a user's IdP and application sessions in a timely manner is a crucial part of responding to security-related events. This template provides an example of how to revoke user sessions in Okta, Google Workspace, Office 365, and Zoom. The template uses a single flow that is triggered as a helper flow. This helper flow is useful with events such as:

  • An Okta user being suspended

  • An Okta user reporting suspicious activity

  • An Okta admin performing a password reset on a user

  • An Okta admin triggering a delegated flow

Okta

Suspend inactive users

In many organizations, users retain their access for longer than necessary. You may be working with a contractor who needs access to a single app or your offboarding policies aren't adequate for an ex-employee. For example, when a user hasn't logged in for months, you would like to suspend them until you're notified that they do actually need access. You want to implement such a policy as part of a strong security posture. This flow reads all active users in your environment, and if they haven't logged in within the past six months (180 days), suspends them.

Video: Suspend Inactive Users

Okta

Temporarily exempt users from MFA

Employees often lose and replace their mobile phones. In order to give a user temporary access to reset a secondary authenticator, a user can be scoped to a less strict authentication policy until they have a device that complies with high assurance sign-on policies. This template exempts an Okta user from MFA policies for a predefined period.

Video: Temporarily exempt users from MFA

Okta

Slack

Tracking and alerting for possible account takeover attempts in Okta

Account takeover is a significant target for fraud, achieved when bad actors manage to reset passwords or change access levels for privileged accounts. Dynamically monitoring and responding to these two vectors with automated flows greatly reduces the risk of these costly attacks. This template illustrates how Okta Workflows can automate responses to combat account takeover (ATO) attempts, and mitigate risk with self-service and helpdesk-based account recovery. The template watches for user password and MFA factor reset and activation events to determine if the user's account is under threat of an ATO.

Okta

Slack

Trigger automatic notifications when all MFA factors are reset

Various vectors can cause a reset of all MFA factors: a bad actor, human error, or an IT administrator helping a customer. Timely notifications that enable internal teams to identify next steps are critical for improving security and reducing risk. This template demonstrates how internal teams can be automatically notified when all MFA factors for a user are reset.

Okta

Validate and substitute special characters

When generating technical fields from a user's name, such as samAccountName or an email address, the data often contains invalid characters in the specified data field. For example, a space character inside an email address. This template identifies some of the most common special characters and provides substitutions. The validated or repaired name is then placed in a user profile attribute in Okta. This preserves the original name for display purposes, and allows you to use the updated name for technical purposes.

Okta

Validate email domains during registration

Okta inline hooks allow you to trigger custom processes at specific points within Okta process flows.

The flow in this template is called by an inline hook during the user self-registration process. It uses a Workflows table to enforce email domain validation. If the user's email domain isn't included in the Workflows table allowlist, the registration is denied with an informative error for the user.

Okta

Workflows tutorials

The Workflows tutorials template is a comprehensive guide designed to enhance your experience with Okta Workflows. This resource demonstrates the powerful automation capabilities of flows to both beginners and advanced users. Integrating this template into your Okta preview organization gives you access to sample users and a suite of flows showing the versatility and efficiency of Okta Workflows.

Author: Rueben Jacobs