Okta Workflows Tutorial: Notify When a User Is Suspended

Okta Workflows is a no-code platform for automating identity processes. 

Introduction

This step-by-step tutorial will show you how to build a no-code workflow that sends a notification when a user is suspended in Okta. 

You will learn the following: 

• How to build your first flow
• How to trigger a flow when a user is suspended
• How to send an email when a user is suspended
• How to test individual cards and the flow

The flow you will build looks like this: 

Send email notification when a user is suspended 

Before you begin

To complete this tutorial, you need to have access to Workflows. Check if you can access Workflows by going to Okta organization > Admin > Workflows > Workflows console. 

Workflows console

If you don’t have Workflows in your organization, please reach out to your Customer Support Manager to enable the Workflows Starter plan (I know, this sucks). Or, reach out to me, and I will help you 🙌. 

What is Okta Workflows? 

Okta Workflows is a no-code platform that allows you to build automations to help with identity processes. For example, you can build the following workflows without asking IT or developers for help: 

• Reset password, and end user sessions when suspicious activity is detected
• Give or remove user access to applications
• Send notifications (Slack, email, and others) when a user is activated or suspended (this tutorial)
• Create basic reports

This is a short list of what is possible. 

Creating a new flow

To start, you are going to create a new flow: 

1. In the Workflows console, click Flows
2. Click + New Flow to create a new flow
3. Click Unnamed (upper left corner)
4. For name, enter User Suspended Notification
5. It is also a good idea to enter a description This flow will send a notification when a user is suspended
6. Also check the Save all data that passes through the Flow? checkbox. You will be using this capability at the end of this tutorial
7. Click Save to save flow name and description

You created your first flow!

New flow

In the next section, you will learn how to invoke a flow when a user is suspended. 

Using the User Suspended event to trigger the flow

You want to run the flow when a user is suspended. Look at the image above, in the first box it says When this happens. The this — is when a user is suspended. 

To add a trigger event for this flow: 

1. Click Add event
2. Select Okta from the apps list
3. In the Okta events menu, look for and select User Suspended
4. If this is your first flow then you also need to create a connection to Okta. Click +New Connection
   • If you already have a connection, you can use it
5. Set the Connection Nickname field name to Okta
6. For the Domain field enter your domain name without the http://
7. Open the Admin Console in a new browser tab and go to Applications > Applications
8. Select Okta Workflows OAuth
9. Click on Sign On tab
10. Copy the Client ID, return to Workflows console and paste it into the Client ID field in the New Connection window
11.  Copy the Client secret and paste it into the Client Secret field in the New Connection window
12. Click Create to authenticate and add a connection

Your flow will look like this: 

Flow with the User Suspended event

Workflows will monitor for this event (user suspended), and when a user is suspended in an organization, this flow will be invoked. 

The output fields that you see in the User Suspended card, that’s the information that the card makes available (when the event is fired). You can use any of the fields in other flow steps. 

In the next section, you will create a message to be shared via email. 

Creating a message

To create a message, you are going to use the Compose card. 

In the previous section, you learned about how an event can invoke a flow. Other flow components are app actions and functions. 

• App action - a step that controls services such as Gmail, Slack, Jira, and others
• Function - a step to interact with, change, or control the data in a flow

To add the Compose card:

1. Click Add function
2. From the Most Popular category choose Compose
3. In the Compose card type the following:

   Hello,

   User with the following username was suspended: 
    

4. Drag and drop Okta User > Alternate ID from User Suspended card and place it after the suspended word

Connecting and passing data from card to card

5. Click Save to save the flow

Your flow will look like this: 

Connecting cards

Testing the Compose card

One neat feature in Workflows is the ability to test a card individually. 

Using the Compose card, click the play ▶️ button at the bottom of the card. You will need to enter sample data for the second field and then click Test to see the card output. 

Testing a card

It’s good practice to test each card individually as you build a flow. 

In the next section, you will add a card to send an email notification. 

Sending email notification

In this step, you will add the Gmail card to send an email. 

Using the Gmail card

Steps to add the Gmail card: 

1. Click Add app action
2. Find the Gmail app
3. Find and click on Send Email action
4. If this is your first time using the Gmail card, click + New Connection and follow the steps to authenticate your Gmail account. You need access to a Google Workspace account to use this card (not a personal Gmail). The card looks like this when added:
   
5. Next, you need to set fields on the Send Email card. For the Email field, enter your email (or any other email that you can check)
6. For the Subject field, enter User suspended
7. For the Body field, drag and drop the output field from Compose card to Body field in Send Email card
   • All other fields are optional
8. Click Save to save the flow

Connecting from Compose to Send Email card looks like this:

Send Email card

Testing the Send Email card

To test the Send Email card:

1. Click the play ▶️ button
2. The To and Body will be pre-filled with data from the card. Enter sample Body field and click Test
3. Check the email you entered in the To field

Testing the Send Email card

You can use another email provider if you don’t have access to Google Workspace. 

Using the Office 365 Mail card

This section is optional. If you don’t have access to Google Workspace Gmail you can use Office 365 Mail card. 

1. Click Add app action
2. Find and click on Office 365 Mail app
3. Find and click on Send Email action
4. If this is your first time using the Office 365 card, click + New Connection and follow the steps to authenticate your Office 365 account
5. Fill out card fields as shown in the screenshot below

Using the Office 365 Mail card

In the next section, you will learn how to test the entire flow. 

Testing the flow

You are ready to test the flow. 

1. Click Save to save any changes
2. The flow needs to be on to run. Slide the on/off slider to turn the flow on

To see a flow execution, go to Flow History tab. It is empty now, but this is where you will see the flow running once a user is suspended:

Flow History tab

Note: if you see Execution history is not enabled for this Flow message on Flow History tab, switch back to Flow tab, and click the flow name. Check Save all data that passes through the Flow? to enable flow history. 

To test the flow, you need a user in your organization whom you can suspend. 

1. In another browser tab, go to Okta organization > Admin > Directory > People
2. Click Add person to add a new person. You can also use an existing person. Fill out the required fields and click Save. Here is an example of the People page:
3. To suspend a user click their name
4. Choose More Actions > Suspend to suspend the selected user

Switch to Workflows browser tab, open the Flow History tab. You will see one flow execution: 

First flow execution

If you select another user to suspend, another flow execution will be added (you can see each execution on the right hand side)

Second flow execution

Looking closer at the Flow History tab, you see how data is passed from card to card. When you build more advanced flows, use the Flow History tab to monitor execution and see what data is passed between cards. 

Flow execution with data mappings

This is how the email looks:

User suspended email

One last thing. To see the flow at a high level, go to the Flow Chart tab: 

Flow chart

What you learned

In this tutorial, you built a no-code workflow invoked when a user is suspended and sends an email. You learned: 

• How to build your a flow
• How to trigger a flow based on event (user suspended)
• How to send an email when a user is suspended
• How to test an individual card and the flow

More resources to help you learn

• 🍫 Get help from Workflows specialists during weekly community office hours.
• 📺 Learn from short Workflows videos.
• 🙋🏻‍♀️ Join the #okta-workflows channel on MacAdmins Slack to learn and get help from the community.