The Dogfooding Chronicles: Make Workflows do the Work


If you’ve checked out Dogfooding Chronicles past, you’ll know we’re all about efficiency. We've explained how to use automation to manage app access through tools like Workday (as a source), and Okta features like Group Rules and Group Push. In this post, I’d like to focus on one of Okta’s newest products, one we’ve been dogfooding and that boosts efficiency more than ever: Okta Workflows!

How does Okta use Workflows?

So let’s start with the basics. Okta Workflows allows you to automate identity-specific tasks across apps without requiring any code.


Okta Workflows are event driven. Events are occurrences that trigger flows to run, and they can come from several sources:

  1. An event that occurs from within one of your applications. In order to leverage application events, you would need to configure an Okta Workflows Connector.
  2. Scheduled flows allow you to configure a flow to run at specific intervals. If you are familiar with cron jobs, this should be right up your alley.
  3. You can also configure your flow as an API endpoint. This can serve as an alternative to using an Okta Workflow Connector to handle your events if the app or application event is not available. This can be helpful if you would like to use webhook services in another application.
  4. Child flow events are used for flows that run when called by another flow.

Next, I’d like to share some unique flows built by our own Okta internal IT team. These are custom built flows that have helped us overcome an array of problems. Most importantly, they’ve helped reduce the number of IT tickets the team would be handling in the absence of these Workflows.

Offboarding Flows

With the transition to being mostly or entirely remote, many organizations are putting more emphasis on the onboarding process. They need to make sure new employees are brought into the company quickly and securely. Making that first impression is important in establishing credibility and confidence within your company. But in many ways, how a person is offboarded from a company is even more important. Revoking access, retrieving assets, and protecting existing data are all crucial activities. And in mentioning this, I invoke the words of Michael Corleone: “it’s not personal… it’s strictly business.” And that’s exactly how you should think about your offboarding process and securing key data.

Now if you’re familiar with our OIN, you’re probably aware of apps that have SCIM integration capabilities. Not familiar with SCIM? Read up on it here. SCIM integrations are great because they allow us to automate lifecycle management for Okta apps. However, even with all the automation Okta provides, our IT team still had additional, manual offboarding tasks. These tasks must be completed for terminated employees, meaning we need to place the user in a suspended state before completely deactivating their Okta account.

Of course, once a user is placed in a suspended state, they lose all access to Okta. However, until the session tokens an app has already issued are revoked, any existing, active sessions in that app can still be used. This is where Okta Workflows comes in. By way of example, let’s talk about terminating session tokens on two different platforms.

The availability of a session token via API, and the methods used to terminate those tokens, will vary from app to app. For example, Office 365’s Graph API provides a clear way to terminate a user’s sessions using the user’s ID or userPrincipalName, but Google Workplace does not. After doing some discovery and testing, we determined that you can terminate a Google Workplace session by suspending that user’s account.


The parent flow is triggered once an Okta user is suspended. We use the Okta Alternate ID, which is the user’s Okta username, and pass that into our child flows to terminate session tokens in Office 365 and Google Workplace.

Office 365 offboarding Flow


In this child flow, the event trigger mentioned previously passes the Okta Username in from the parent flow. The Compose card allows an admin to transform text from previous cards so it can be used in downstream Workflow cards. In this example, we are composing the Office 365 API endpoint using the Okta Username that has been passed to this flow from the parent flow. Once the URL has been composed, we use the Custom API Action card to revoke any active sessions that user has within Office 365.


In the first Workflow Compose card, we are constructing the API endpoint URL that we will use to disable the Office 365 user’s account.

The second Compose card is used to construct the HTTP Request Body to be used with the Custom API Action card. Once the Custom API Action card is run, the Office 365 account will no longer be active. Once the Flow completes, the Office 365 account will have no active sessions and the account will be disabled.

Google Workplace offboarding flow

The offboarding flow for Google Workplace looks similar to the Flows I showed you for Office 365.


In the first Compose card, we are constructing the API endpoint URL using the Okta username that was passed from the parent flow. 

In the second Compose card, we are constructing the HTTP Request Body to be used by the Custom API Action card to update the Google Workplace account.

Just like our Office 365 offboarding flow, once this Flow runs, the Google Workplace account will no longer have active sessions and their account will be placed into a suspended state.
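The requests the Office 365 and Google Workplace child flows compose, sketched outside Workflows as an added example (not Okta's flow or code from the original post). The post does not name the endpoints; the Microsoft Graph and Google Admin SDK Directory endpoints used here, the call order, and the sample username are assumptions.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"                   # assumed endpoint base
DIRECTORY = "https://admin.googleapis.com/admin/directory/v1"  # assumed endpoint base


def user_path_segment(okta_username):
    """Validate the username, then percent-encode it for use in a URL path.

    The Compose cards paste the username straight into a URL, so a value
    containing '/', '?' or '#' must not be able to change which endpoint
    the Custom API Action card ends up calling.
    """
    if not okta_username or "@" not in okta_username:
        raise ValueError(f"not a usable login name: {okta_username!r}")
    if any(ch.isspace() for ch in okta_username):
        raise ValueError("whitespace in username")
    return quote(okta_username, safe="@")


def offboarding_requests(okta_username):
    """Return the calls both child flows make, as (flow, method, url, body) dicts."""
    user = user_path_segment(okta_username)
    return [
        # Office 365: revoke the sessions that are already active ...
        {"flow": "office365", "method": "POST",
         "url": f"{GRAPH}/users/{user}/revokeSignInSessions", "body": None},
        # ... then disable the account so no new session can be started.
        {"flow": "office365", "method": "PATCH",
         "url": f"{GRAPH}/users/{user}",
         "body": json.dumps({"accountEnabled": False})},
        # Google: there is no session-revocation call, so suspending the
        # account is what ends the active sessions.
        {"flow": "google", "method": "PATCH",
         "url": f"{DIRECTORY}/users/{user}",
         "body": json.dumps({"suspended": True})},
    ]


if __name__ == "__main__":
    # Constructed sample username; nothing is sent over the network.
    for req in offboarding_requests("jane.doe@example.com"):
        print(req["flow"], req["method"], req["url"], req["body"])
```

Each dict maps onto one Custom API Action card: the URL is the first Compose card's output and the body is the second's.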

How will you use it?

Every company handles the offboarding of their employees differently, but one concept should ring true across the board: protect your corporate data by implementing a secure offboarding process. Okta Workflows provides a robust and flexible way to automate it. This translates to saving your company time and money, allowing your IT team to work on higher-value initiatives, and promoting the professional growth of the members of your IT team.

Let me be clear—the examples we’ve shown here demonstrate only a fraction of what Okta Workflows can do. Stay tuned for future issues of The Dogfooding Chronicles as we continue to take you through our journey of IT automation.

Already an Okta customer, but don’t have access to Okta Workflows yet? No problem—contact Okta Customer Support.