Croix Rouge Française is using Okta Workflows to respond dynamically to its internal resourcing needs
With Okta Workflows, we can create a temporary account with access to key tools within 5 minutes or less. Previously, that could take anything from a couple of days to a couple of weeks, whereas now, as soon as an employee is redeployed, they are ready to collaborate.
Olivier Geremy, Infrastructure Architect, Croix Rouge Française
Situation: Rapidly redeploying employees to provide aid where it's needed
Croix Rouge Française's core mission of alleviating human suffering in all its forms hasn't changed, but the organisation is increasingly performing a broader and more complex range of services. As well as providing humanitarian support in emergency situations, along with first aid and other training, it increasingly provides social care and support for many people in precarious circumstances, from the elderly to the homeless.
To deliver these varied services, the organisation works with a core team of 21,000 salaried employees, helped by 61,000 volunteers. In 2018, Croix Rouge Française implemented Okta for 47,000 users, as part of an IT restructure that enabled different categories of users to work together in better ways, with simple and secure access to collaborative cloud applications. The implementation also enabled the organisation to centralise account management and to start automating its Identity Access Management (IAM) processes, including the creation of temporary accounts for redeployed employees.
"We need to be reactive, as our employees or contractors are often required to move around within the organisation, sometimes with only 24 hours' notice," explains Olivier Geremy, Infrastructure Architect at the French Red Cross.
Prior to the implementation of Okta, there was no standardized process for creating temporary accounts when a worker was redeployed to a different department or location. Account management was handled locally, with accounts created manually via Microsoft Active Directory, or using an internally-developed application.
"Previously, it was down to each regional IT manager within specific geographical regions to take care of account creation processes," explains Olivier. "Accounts were not always deleted promptly, and we occasionally discovered dormant accounts that had remained open for years." These dormant accounts could have posed security risks e.g. former volunteers, who had volunteer login information, could potentially access sensitive information.
Solution: Custom Okta Workflows to automate temporary account management
In order to enable rapid temporary access to essential IT tools for its redeployed workers, Croix Rouge Française now leverages Okta Workflows. Its key goals? To create temporary accounts in a standardised way, with greater centralised visibility over user account processes, and greater security by ensuring accounts are deleted once they're no longer required.
Temporary Account Request
Once a manager fills out an online form to request a temporary account, a Flow creates an Active Directory account, including a unique SAM account name. While processing the form, this Flow is invoked as an endpoint API, and parameters are passed to the flow from the form. The sAMAccountName is generated in a helper flow. Then AD provisioning is made via Okta2Okta provisioning, via another tenant that is allowed to write in AD. Based on this information, accounts are then generated for Okta and Google Workspace. Okta Workflows also uses the information from the online form to trigger relevant subsidiary Flows that automatically assign access to appropriate shared inboxes and shared calendars using Gmail, Google Calendar and Google Sheets connectors.
Once the account has been created, a Flow logs all the actions that have been taken in Google Sheets, and sends a notification email to both the manager who requested the creation of the account, and to the redeployed employee. The emails are customised by Okta Workflows with the relevant information, including the employee's name, their new email address and their login details.
"The whole process only takes a couple of minutes, so a manager can create a new account during an employee interview, then print out their new address, login details, and hand it to them at the end of the meeting," says Olivier. "That person is immediately ready to get to work."
Extending Temporary Accounts
The accounts have a validity of either 24 or 48 hours, after which they can be extended for a maximum period of five days. The user data is recorded in the table and this information is regularly read to prolongate or to disable and delete this user. These accounts are specifically meant to get delegation rights on generic team accounts that may have access to sensitive information, so it’s important that they are quickly closed after the user has stopped using the account.
Okta Workflows enable administrators to expose their Okta Workflows business logic as API endpoints. This enables quick and easy integration between Okta and any third-party app/front-end that would benefit from preconfigured business logic. Another benefit of this is that IT teams can quickly modify their business logic at Okta Workflows and, as long as the JSON payload stays the same, no changes would be required at the third-party application.
In this example, the front-end is a custom Google App that invokes the exposed flow as an endpoint. Once invoked, the flow will execute the preconfigured steps. For this particular case, the request will update the time-based access and extend its expiration date.
Deactivating Temporary Accounts
When it's time for the temporary account to be deleted, that's also handled by Okta Workflows, and a log is automatically generated in a Google Sheet. It is based on the creation date, which is recorded in the workflow table. The user once again automatically receives an email letting them know that their account has been closed.
Another feature of Okta Workflows is scheduling flows at predetermined intervals. This functionality gives the IT team the ability to preconfigure flows that will be automatically executed.
In this example, the IT team is using this functionality to automatically execute the business logic to remove the time-based access request when the expiration date is due. This triggers a set of Okta actions, removing the user account and automatically triggering downstream deprovisioning operations using Okta's LCM capabilities.
Results: Getting employees up and running in minutes, not days
According to Olivier, the biggest advantage of using Okta Workflows for this particular use case is how quickly it enables employees to become operational. "With Okta Workflows, we can create a temporary account with access to key tools within 5 minutes or less," says Olivier. "Previously, that could take anything from a couple of days to a couple of weeks, whereas now, as soon as an employee is redeployed, they are ready to collaborate."
Croix Rouge Française has a number of other use cases for Okta Workflows including to facilitate access to key applications, such as adding users to a particular work group according to their usage of Docusign, for example. It's now planning to expand its use of Okta Workflows as its cloud architecture grows.
"Okta Workflows is simple to implement, and simple to maintain," Olivier says. "Temporary account management was our first significant use case, and it has opened our eyes to what we can do in the future. We have plans to integrate another 70 applications in the coming year, so we will be developing more Flows to automate processes for those new applications."
As Okta Workflows is intuitive to use, Olivier need not worry about requiring specialist skills within the IT team to manage account access in the future. "The no-code aspect of Okta Workflows is a big bonus," he says. "It's visual, so it's easy to follow and understand a Flow even if it's been written by another member of the team. And if you want to adjust a Flow once it's been created, that's easy too."