The Dogfooding Chronicles: Make Workflows do the Work


If you’ve checked out past Dogfooding Chronicles, you’ll know we’re all about efficiency. We've explained how to use automation to manage app access through tools like Workday (as a source) and Okta features like Group Rules and Group Push. In this post, I’d like to focus on one of Okta’s newest products that we’ve been dogfooding, one that boosts efficiency more than ever: Okta Workflows!

How does Okta use Workflows?

So let’s start with the basics. Okta Workflows allows you to automate identity-specific tasks across apps without requiring any code.

Okta Workflows are event driven. Events are occurrences that trigger flows to run, and they can come from a number of sources:

  1. An event that occurs from within one of your applications. In order to leverage application events, you would need to configure an Okta Workflows Connector.
  2. Scheduled flows allow you to configure a flow to run at specific intervals. If you are familiar with cron jobs, this should be right up your alley.
  3. You can also configure your flow as an API endpoint. This can serve as an alternative to using an Okta Workflows Connector to handle your events if the app or application event is not available. This can be helpful if you would like to use webhook services in another application.
  4. Child flow events are used for flows that run when called by another flow.

Next, I’d like to share some unique flows built by our own Okta internal IT team. These are custom built flows that have helped us overcome an array of problems. Most importantly, they’ve helped reduce the number of IT tickets the team would be handling in the absence of these Workflows.

Offboarding Flows

With the transition to being mostly or entirely remote, many organizations are putting more emphasis on the onboarding process. They need to make sure new employees are brought into the company quickly and securely. Making that first impression is important in establishing credibility and confidence within your company. But in many ways, how a person is offboarded from a company is even more important. Revoking access, retrieving assets, and protecting existing data are all crucial activities. And in mentioning this, I invoke the words of Michael Corleone: “it’s not personal…. it’s strictly business.” And that’s exactly how you should think about your offboarding process and securing key data.

Now if you’re familiar with our OIN, you’re probably aware of apps that have SCIM integration capabilities. Not familiar with SCIM? Read up on it here. SCIM integrations are great because they allow us to automate lifecycle management for Okta apps. However, even with all the automation Okta provides, our IT team still had additional, manual offboarding tasks. These tasks must be completed for terminated employees, meaning we need to place the user in a suspended state before completely deactivating their Okta account.

Of course, once a user is placed in a suspended state, they lose all access to Okta. However, until that session token is revoked, any existing, active sessions can still be used. This is where Okta Workflows comes in. By way of example, let’s talk about terminating session tokens on two different platforms.

The availability of a session token via API, and the methods used to terminate those tokens, will vary from app to app. For example, Office 365’s Graph API provides a clear way to terminate a user’s sessions using the user’s ID or userPrincipalName, but Google Workplace does not. After doing some discovery and testing, we determined that you can terminate a Google Workplace session by suspending that user’s account.


Above you’ll see the flow that is triggered once an Okta user is suspended. We use the Okta Alternate ID, which is the user’s Okta username, and pass that into our child flows to terminate session tokens in Office 365 and Google Workplace.

Office 365 offboarding Flow


As you can see here, the event trigger on the left, mentioned previously, passes the Okta Username into our child flow. The Compose card allows an admin to transform text from previous cards to be used in additional downstream Workflow cards. In this example, we are composing the Office 365 API endpoint using the Okta Username that has been passed to this flow from the parent flow. Once the URL has been composed, we use the Custom API Action card to revoke any active sessions that user has within Office 365.


In the first Workflow Compose card, we are constructing the API endpoint URL that we will use to disable the Office 365 user’s account.

The second Compose card is used to construct the HTTP Request Body to be used with the Custom API Action card. Once the Custom API Action card is run, the Office 365 account will no longer be active. Once the Flow completes, the Office 365 account will have no active sessions and the account will be disabled.

Google Workplace offboarding flow

The offboarding flow for Google Workplace looks similar to the Flows I showed you for Office 365.


In the first Compose card, we are constructing the API endpoint URL using the Okta username that was passed from the parent flow. 

In the second Compose card, we are constructing the HTTP Request Body to be used by the Custom API Action card to update the Google Workplace account.

Just like our Office 365 offboarding flow, once this Flow runs, the Google Workplace account will no longer have active sessions and their account will be placed into a suspended state.
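
The requests the two child flows assemble with their Compose and Custom API Action cards, written out as an added example (not Okta's flow and not code from the original post). It assumes the Okta username is also the Office 365 userPrincipalName and the Google primary email, and it uses the public Microsoft Graph and Google Directory endpoints, which the post does not list; it only builds the requests, since sending them requires admin-scoped OAuth tokens.

```python
import json
import re
from urllib.parse import quote

# Endpoints below are the public Microsoft Graph and Google Directory APIs;
# the post does not list the URLs its Compose cards build, so these are assumptions.
GRAPH = "https://graph.microsoft.com/v1.0"
GOOGLE = "https://admin.googleapis.com/admin/directory/v1"

# Conservative shape check: the Okta username is assumed to be an email-style login.
_USERNAME = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def path_segment(okta_username: str) -> str:
    """Validate the username, then percent-encode it as a single URL path segment."""
    if not _USERNAME.fullmatch(okta_username):
        raise ValueError(f"refusing to build a URL from {okta_username!r}")
    return quote(okta_username, safe="@")


def office365_requests(okta_username: str) -> list:
    """Child flow 1: revoke active sessions, then disable the account."""
    user = path_segment(okta_username)
    return [
        {"method": "POST", "url": f"{GRAPH}/users/{user}/revokeSignInSessions", "body": None},
        {"method": "PATCH", "url": f"{GRAPH}/users/{user}",
         "body": json.dumps({"accountEnabled": False})},
    ]


def google_requests(okta_username: str) -> list:
    """Child flow 2: suspending the account is what ends its sessions."""
    user = path_segment(okta_username)
    return [{"method": "PATCH", "url": f"{GOOGLE}/users/{user}",
             "body": json.dumps({"suspended": True})}]


def offboarding_plan(okta_username: str) -> dict:
    """Parent flow: on user suspension, pass the username to both child flows."""
    return {"office365": office365_requests(okta_username),
            "google": google_requests(okta_username)}


if __name__ == "__main__":
    # Constructed sample username, not a real account.
    for app, reqs in offboarding_plan("jane.doe@example.com").items():
        for r in reqs:
            print(app, r["method"], r["url"], r["body"])
```

Validating and encoding the username before it is spliced into the URL keeps a malformed value from changing which resource the admin-privileged call targets.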

How will you use it?

Every company handles the offboarding of their employees differently, but one concept should ring true across the board: protect your corporate data by implementing a secure offboarding process. Okta Workflows provides a robust and flexible way to automate it. This translates to saving your company time and money, allowing your IT team to work on higher-value initiatives, and promoting the professional growth of the members of your IT team.

Let me be clear—the examples we’ve shown here demonstrate only a fraction of what Okta Workflows can do. Stay tuned for future issues of The Dogfooding Chronicles as we continue to take you through our journey of IT automation.

Already an Okta customer, but don’t have access to Okta Workflows yet? No problem—contact Okta Customer Support.