A common question about Okta Workflows I hear is:
Can I do this with Okta Workflows?
Many developers and IT admins ask this question; they want to automate identity tasks — such as sending a Slack alert when a new hire joins or automatically deactivating users when they leave.
Okta Workflows is a no-code identity automation platform that lets you customize and automate Okta. For example, you can automate onboarding and offboarding, send security alerts for multiple failed logins, and automatically grant access to applications.
The first thing you must consider is how to kick off an Okta Workflows flow. Let’s start there.
These are the ways you can trigger an Okta Workflows automation:
- On event
- On schedule
- API endpoint
- Manually
Let’s now review each way to trigger a flow.
On event
You can trigger a flow when an event is fired within Okta. For instance, when a group is created in Okta, you can run a flow on the Group Created event.
The on event trigger method has three options:
- Use connector cards
- Use Webhook
- Search the Okta System Log
Let’s look at each trigger in detail.
Use connector events
Since Okta Workflows is a no-code platform, most Okta events have a dedicated event card.
For example, this is an event card to trigger a flow when a new Okta group is created:
And these are some other events which you can use to trigger a flow:
So, if Okta Workflows provides a dedicated card for an Okta event, you can trigger a flow using that event.
But you are not limited to Okta events. Using the Okta Workflows connector catalog, you can also trigger a flow using events fired in external applications.
For example, you can use these Slack events to trigger a flow:
How does Okta Workflows connect to these applications?
Okta Workflows has more than 80 pre-built connectors to various services, including Slack, ServiceNow, Google, and Okta. But before you can use any of them (even the one for Okta!), you must first create a connection.
A connection securely stores authentication details. It is an API key or OAuth token. This credential lets you invoke a service’s APIs. You can create multiple connections for a connector. You can create connections to a testing environment and a production environment.
So, back to events. When you use a connector’s event to trigger a flow, technically, Okta Workflows registers a Webhook behind the scenes. For most other connectors, Okta Workflows will use a polling method (periodically checking for new events).
Examining the Group Created event card, we see that the event originates from the Okta connector. It uses a connection named Okta.
The event card fields, such as Date and Time, Message, Event ID, and others, are data that the event makes available for use in the flow.
Use Webhook
You may find an event in Okta or another application for which the connector doesn’t have an event card. You can register a Webhook (also known as an event hook in Okta) for this event. A Webhook is a URL that you register with an application (such as Okta or an external system) so that the application calls it automatically when a specific event occurs.
This image shows registering an event hook for the Create Okta group event.
The Endpoint URL references the API endpoint of this flow:
Clicking the </> on the API Endpoint card will reveal the endpoint URL:
You can register a Webhook with another application and trigger a flow when an event is fired in that application. Here is an example triggering a flow when a Typeform form is submitted:
Search the Okta System Log
If the Okta connector doesn’t have an event card or the event is not event hook-eligible, another option is searching the Okta System Log for a particular event.
This image shows searching the System Log on a schedule for failed logins:
If searching the System Log finds the event, you can continue running the flow.
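The failed-login check described above, sketched outside Workflows as an added example (not from the original post): it filters events shaped like Okta System Log entries for failed `user.session.start` events and flags users who reach a threshold of failures within a time window. The sample events, the threshold, and the window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, user, result, event_type="user.session.start"):
    # Build a constructed event carrying only the System Log fields used below.
    return {"eventType": event_type, "published": ts,
            "actor": {"alternateId": user}, "outcome": {"result": result}}

# Constructed sample data (not real log entries).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:05.000Z", "alice@example.com", "FAILURE"),
    _ev("2024-05-01T09:00:00.000Z", "bob@example.com", "FAILURE"),
    _ev("2024-05-01T09:01:10.000Z", "alice@example.com", "FAILURE"),
    _ev("2024-05-01T09:02:00.000Z", "carol@example.com", "SUCCESS"),
    _ev("2024-05-01T09:03:40.000Z", "alice@example.com", "FAILURE"),
    _ev("2024-05-01T09:10:00.000Z", "bob@example.com", "FAILURE"),
    _ev("2024-05-01T09:20:00.000Z", "bob@example.com", "FAILURE"),
    _ev("2024-05-01T09:21:00.000Z", "carol@example.com", "FAILURE",
        "group.user_membership.add"),  # a failure, but not a login event
]

def parse_ts(value):
    # System Log timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_login_bursts(events, threshold=3, window_minutes=5):
    """Map each flagged user to the time their failures reached the threshold."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        user = ev.get("actor", {}).get("alternateId")
        if user:
            failures[user].append(parse_ts(ev["published"]))
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()  # events are not guaranteed to arrive in order
        # Sliding window: compare each failure with the one threshold-1 earlier.
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                flagged[user] = stamps[i]
                break
    return flagged
```

The users returned here are the ones for whom the flow would continue, for example to the alerting cards.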
API endpoint
You can trigger a flow via an API endpoint. This is similar to using a Webhook. When the flow’s first card is the API Endpoint card, the flow has an endpoint URL. Calling this API endpoint URL will trigger the flow. You can invoke the API endpoint from any external system.
API endpoint settings:
Here is a summary of the difference between the Webhook and API endpoint options:
- Webhook (On Event): The other app calls an Okta Workflows API endpoint when something happens (an event).
- API Endpoint (On Demand): Workflows is waiting for someone to explicitly call it to start the flow.
Manually
Another option is to run a flow manually by clicking the Run button.
Here is a summary of the options for running a flow:
| Trigger Method | When to Use | Card |
|---|---|---|
| On event | When something happens in Okta or an external app (e.g., a group is created) | Connector Event Card or Webhook (Event Hook) |
| On schedule | For recurring tasks (e.g., every morning) | On Schedule Card |
| API endpoint | When an external system needs to explicitly start the flow. | API Endpoint Card |
| Manually | For testing or one-off executions | Run button |
Once a flow is successfully initiated using one of these methods, it executes the automation logic that you build using Action and Function cards.
Build flow logic
There are two types of cards available:
- Action cards
- Function cards
Action cards
Okta Workflows has over 80 connectors to various applications and services.
Every connector has actions. Behind the scenes, actions are API calls to the underlying application. As you build your identity automation, actions allow you to call other applications. For example, when a new group is created in Okta, you also want to send an email using the Office 365 connector and send a message to Slack using the Slack connector.
If you find an API for which there is no pre-built connector, you can use the API Connector function card to connect to any API of your choice.
Function cards
As you interact with Okta and other connectors, they will return data such as a user list or a group list. You use Function cards to edit or create new data. For example, when you send a message to Slack, you can use the Text-Compose card to create a message.
This flow demonstrates everything this article has covered:
1. The Okta-Group Created event in Okta triggers the flow. The event is from the Okta connector.
2. The Text-Compose card creates a message. Compose is a function card from the Text category.
3. The Office 365 Mail-Send Email action card sends an email with the message. The action is from the Office 365 Mail connector.
4. The Slack-Send Message to Channel action card sends a message to a Slack channel. The action is from the Slack connector.
So, can I do this with Okta Workflows?
Here is a quick summary of what this blog post covered:
| Term | What it is | Example | Why it’s important |
|---|---|---|---|
| Connector | A pre-built integration between Okta Workflows and another service or app | Slack, Okta, Office 365 Mail, Google Workspace | Lets you use ready-made Action and Event cards instead of building API calls manually |
| Connection | The authenticated link (using an API key or OAuth token) between Okta Workflows and your specific instance of a service | Your company’s Slack workspace, Okta tenant | Stores credentials securely so Workflows can call the app’s API |
| Event | Something that happens in a connected system that can start (trigger) a flow | New group created in Okta, new user activated in Okta | Defines when the flow begins - the trigger that kicks off your automation |
| Schedule | A built-in trigger that starts a flow on schedule | Every week at 9 AM, once a week on Friday | Kicks off a flow on schedule |
| Action card | Performs an action in a connector or a service. Behind the scenes, it makes an API call | Slack-Send Message, Office 365 Mail-Send Email, Okta-Add User to Group | Executes automation logic - sending messages, updating users, creating records |
| Function card | Manipulates or formats data | Text-Compose, List-Filter, Date-Format | Helps transform and format data |
First, determine how to trigger a flow. You have several options: on event, on schedule, and an API endpoint. Then, once you have initiated a flow, use actions (from connectors) to call other services, and functions to edit and create data.