Oktane19: Lifecycle Management 101
Wendy: This session is about lifecycle management and I got a couple of guest speakers up here with me. Safe Harbor Statement, read this, five, four, three, two, one, go!
Wendy: Hey I'm Wendy Busath. I am a sales engineer for Okta. I've been at Okta about a year and a half now. I'm a remote employee which means I work from my home and I live in beautiful Utah, see a few familiar faces from Utah out there, thanks for coming everybody.
Wendy: I'd like to introduce my customer guest speakers, go ahead and introduce yourselves.
Robert: I'm Robert Taylor, I'm the vice president of technology for Hendrick Automotive Group. We're based in Charlotte North Carolina where it's snowing in April, not entirely sure how that happens but really excited to be here.
Amy: I'm Amy Frost, I'm the director of IT engineering for Hendrick Automotive Group.
Wendy: Awesome, thanks guys. As I said we're talking about lifecycle management today. For those of you who are new to this, life cycle management is the process of maintaining the life cycle of a user account as it goes from onboarding through role changes and then of course through termination. That is across all sorts of different systems and applications like directories, etc.
Wendy: Today we'll be going through a use case that Hendrick Automotive Group has implemented within their company and I'll talk to you a little bit about the functionality around lifecycle management.
Wendy: Why is life cycle management a difficult thing to solve? I can talk about a few use cases, the first of which is a lot of companies started 10-15 years ago when Active Directory or other LDAP directories were kind of the basis for rudimentary identity management systems. But those types of directories were not ones that were built for today's environment where we are constantly picking up new applications in the cloud, where single sign-on is an absolute must because now instead of having four to five main applications, users have hundreds of different applications that they're interfacing with each day. Active Directory has really hung on. Most companies have Active Directory behind their systems and because it really was not built to interface with cloud applications there is kind of a difficulty of moving.
Wendy: Second thing that's really difficult about life cycles is that integrating HR with IT is often difficult. There's a lot of reasons for that, one of the main reasons is that HR people and IT people often have different goals, they often have different problems that they're trying to solve, and of course they've got different systems, different software that they're trying to integrate and there's often kind of a political battle between those two teams and I'm sure you guys probably experienced that when you started to roll out Okta.
Wendy: M&A, so mergers and acquisitions and divestitures, things like that really cause an upheaval among your identity management system as it exists today. So 3 main problems here could be if you acquired a new company, how do you handle the identities from your existing company and the new company? And often we will do things like migrate the acquired AD into our existing AD. That can be a very troublesome problem. The other thing that we could do would be to create a greenfield AD, to migrate both user populations up into the new AD that's greenfield. And there are a lot of trade offs between how we do this, so some companies will take the third option which is to establish a trust between those two ADs which can be a really messy process, no matter which one of the three that you have chosen to do.
Wendy: Another thing that causes lifecycle management to be difficult is handling distributed offices. Especially in the case in which you have had mergers and acquisitions. You've got offices around the United States, you might have offices around the world. You've got different IT people in those offices, you've got different HR processes in those different offices, you've got firewalls to traverse, you've got latency, you've got distance between the people who are trying to work together.
Wendy: You have connectivity issues, like I said you have to traverse the firewall, you've got latency, sometimes you're traveling thousands of miles between offices. You've got multiple sources of truth, so you have maybe end user portals that have a user store for your end users, you've got identity management systems, you've got an Active Directory or an LDAP directory storing users, you've got HR tools that might be the source of your users, so these multiple sources of truth, how do you rationalize all of those things, how do you bring them into a single pane of glass where you can manage those users, you can manage the onboarding, the off boarding, the role changes, et cetera. And then of course you've got varied business processes. You have HR wanting to run the business in a certain way, you've got IT wanting to run the business in a different way, you've got the business side saying "Hey we can't spend this much money on IT but we need you to solve the problems that we have with manual provisioning and things like that."
Wendy: So the solutions that we have are not really ideal. You can either hire a whole bunch of people to do these things like account creations and account moves and account deletions manually, sitting behind a keyboard right? But that takes a lot of full time employees and that's very costly. You can also do provisioning via the legacy IDM systems but the legacy IDM systems are extremely hard to set up, they require a lot of on-prem infrastructure. They're extremely difficult to upgrade and it's also really hard to get those integrations configured so that you're actually taking some ROI out of the purchase of those really monolithic old IDM products.
Wendy: A lot of companies over the years have taken a large effort to write down these complex workflows and they put a group of people in a room for a week or two or three and they come up with these extremely complex workflows to implement. Then they buy a large monolithic IDM platforms and try to get all of this and put it into that tool. And throughout my career, which has been a long time working at several different identity management companies, I've had customers that have taken up to two years just to get their workflow implemented within the IDM tool.
Wendy: If you quantify that pain and of course everybody brings that down to a dollar sign, if you look at it this way. So let's say you're paying an application admin about fifty dollars an hour and you have the average time per manual user management activity, so creating a user, deleting a user takes about fifteen minutes. That brings our cost for provisioning events to twelve dollars and fifty cents. And let's say you have eight hundred of those provisioning events. That means the total cost of provisioning per enterprise app per year can be ten thousand dollars. This is for a small company and for larger companies that have eleven thousand users, this is a lot larger number.
Wendy: Then if you look at it from the legacy IDM solutions standpoint, the costs even grow more. You've got professional services, that is almost absolutely necessary for you to bring in a team of people to implement those legacy solutions. That can cost fifty thousand dollars just on a one time. Then you have the integrations need to be updated so not only are your applications changing to new versions and you're acquiring new applications, but the identity management platform, that's changing as well, so you'd have to make sure that you keep on updating that and reintegrating for your new apps. The annualized cost of services there could be sixteen thousand dollars or more. And then you have to have that maintenance that's ongoing for each connector to the different applications that you're integrating with. The total cost there could be seventeen thousand and again it's going to be much larger cost if you've got a very complex system, if you have a lot of applications, if you have a lot more users.
Wendy: So when you boil down what does it have to take to have a successful life cycle management tool in place? It really comes down to this flow. You have to onboard the user somehow, so that's step one. That's sourcing the user from somewhere, and that somewhere could be an HR system, it could be a directory, could be a database, you could have end users entering their own information and doing a self service registration. You could have a manager inputting that information manually or you could have even a social login where new employees login with their Facebook account and that information is consumed into the system. Those are all things that Okta can support as a source for that identity onboarding.
Wendy: Secondly, you will need to assign resources. Assigning resources can be a birthright access process so every user will get these three applications for instance, an email or something like that. And then on top of that you can allow end users to do self service access requests, so you can publish a list of applications that your users can say "Yeah I'm going to need that one" and it'll go through an approval process to allow that person to have the app.
Wendy: Then you're going to have these processes repeating. So steps three, four and five, you might need to suspend the users. That could be due to a perceived security event, that could be because someone maybe goes on personal leave or maternity leave. Then you might need to renew that access once the security event is over or that person comes back from leave. Then role changes, if somebody changes from sales to marketing or is promoted from a lower level position to a vice president position. All of these three steps are going to happen more than once and possibly if that person is at the company for twenty or thirty years like a lot of the people at Hendrick Automotive Group are, when those people move from different roles, they're accumulating rights and access the entire time that they're at that company. Robert and Amy who have been there for seventeen years might have the keys to the kingdom at that point if their access isn't being revoked appropriately as they change roles within the company.
Wendy: So finally, step number six is that off boarding process. The off boarding process is probably the most important process here, because if you off board people and you don't appropriately limit their access and remove that access, then you've got a problem right? So you've heard many headlines in the newspapers these days talking about people who have been fired or have left the company but have still retained access to those important systems and that's why it is so important to make sure that that process is automated and it's not a human error type of thing where somebody could accidentally forget to remove access to a certain account.
Wendy: So walking through the employee lifecycle with Okta. So Okta supports what we call our advanced mastery which means that we can take a source of information, like Workday, like Namely, SAP, Bamboo HR, any of these HR tools where the user account really originates when somebody is hired, this is where their first name, last name, address, phone number is inputted. Rather than duplicating that manual data entry and having someone type that into Active Directory, Okta can automate the entire process. So as a user is inputted into those tools they will be basically sucked into Okta and from there, once they're in Okta, Okta will handle the provisioning of all of those applications and rights and even creating an Active Directory account in Active Directory for that user. Once that process is done, we can even write back to the original HR tool, so we could create the account in Active Directory and then an email address is then formed in Active Directory and we can write that information back, all the way to the master, so to Workday in this case.
Wendy: Then we have the user profile updates, it's really the same system. So when that change is made within the HR tool, it's automatically imported into Okta and automatically updates the permissions within the downstream applications that we're integrated with. And for user termination, which like I said is the most important one, of course, the same thing happens. The user is deactivated within the HR system, automatically in real time, deactivated within Okta and then also within the downstream systems. During the demonstration provided by Hendrick Automotive Group, we'll see how fast that can actually happen, so if you have a termination event where you're actually firing somebody, their access can be cut off automatically within a number of seconds.
Wendy: So nobody can attest to the fact that Okta just does what it says it's going to do better than a customer that has actually rolled out this functionality and Hendrick Automotive Group is one of those. They're one of our oldest customers for life cycle management and I've invited them here today to give a demonstration on how they do it at their company and we'll have a period of time at the end for questions so if there are any of you that are going through the same type of a rollout or thinking about it, these guys are a great resource to bounce ideas off.
Wendy: So I'll turn it over to Robert and Amy. Thank you.
Robert: Thanks Wendy.
Robert: First, thank you for letting us come and speak and show off what we've done over at Hendrick Automotive Group. To provide a little bit of background information for those of you who may not be aware of who we are, we are the largest privately held automotive retailer in the United States. We operate in fourteen different states in the continental United States and we have 52 members of the IT department that support over eleven thousand employees in the organization.
Robert: For scale, just so you can understand what we deal with on a daily basis, our company will sell roughly three hundred thousand vehicles this year and more importantly will service a little over three million vehicles that come through our shop, so it's an incredibly busy process and industry that we have to try and manage all from Charlotte.
Amy: Yup, and our journey with Okta really began about six years ago, almost as a surprise. We decided at that point to take our, I believe over one hundred, independent HR systems and consolidate them all into Workday. What we wanted to do is actually be able to make slides like this and answer the question of how many employees do we have without running a report a hundred times. Workday has been awesome for that.
Amy: But when Workday came in, the first demo they showed our company, a sales engineer comes in, he opens his laptop, he puts it on the screen, he starts to login and he logs into this tool called Okta. We see the screen immediately where all his apps are provisioned and waiting for him and we say "Whoa, let's stop talking about Workday and look at what this can do for us at the same time."
Amy: One of our concerns when we consolidated the payroll system is that we're adding a new place for all of our employees to clock in and out, how do we integrate their sign on so that they are familiar with the same way to login to their computer, that they login to Workday, that it's as easy and low barrier entry as possible. Okta was the answer to that, but on the IT side selfishly, it was the answer to getting us out of those manual processes you were talking about. We were firmly in the manual do it ourselves, have an employee churn through every single new account creation and provisioning of all of our accounts. It took a lot of time and more concerning for us was we didn't feel like we were always getting the right information fast enough, we weren't being accurate. So that was what, that's where we saw the vision of Okta and what we thought it could do for us. So we jumped all in on provisioning day one.
Amy: We started with the very easy apps, with Workday integration we had some box accounts, we started with that. We expanded it though. We also had some of our automotive specific vendors write integrations into Okta for us so that we can really offer our employees access to everything through Okta, even our internally developed apps, things that we host ourselves, these are all written in Ruby, things like that. Those all integrate into Okta as well and most of them for provisioning and de provisioning. It's really made our lives very easy. We churn through about a hundred and fifty provisioning, de provisioning events a week. It's quite a bit, it's not something we could keep up with the way we were doing it before.
Robert: Needless to say, our Workday rep was not thrilled when he came in to pitch his product and all we wanted to talk about was Okta for an hour.
Amy: We're like, yeah yeah yeah, we get why we're sold on common pay roll, that makes sense.
Robert: Help us figure this other problem out.
Robert: So what we're going to do today is take you through an entire hiring, provisioning and de provisioning process. So to set the stage a little bit here, for those of you who are familiar with Workday, you'll recognize obviously the homepage for Workday. Christina Darby is one of our Workday administrators in HR professionals at Hendrick and she's gonna go through and hire an employee. We have an approved job requisition at this point and we have a candidate that's in the pre hire state.
Robert: In this particular case, Christina is going to go through and start to hire Dave Matthews who's going to come and be a sales person at Hendrick. For transparency sake, we're going to take you through the entire Workday HR hiring process so you'll see all the steps and see that we're not making this up as we go along. I'll also mention all the videos we're about to show you, this is, we shot it one time so you'll see some random mouse movements, there's really no editing in any of it. We tried to be as honest and truthful in the process as we can here.
Robert: So Christina's gonna get started. She's gonna go through and find
Amy: So this is maybe a little slow, could we get a faster speed?
Movie Voice: Loaded for speed, go!
Movie Voice: What have I done? My brains are going into my feet!
Amy: Only HR could run that fast everyday.
Robert: What a relief, I was hoping Spaceballs would get an applause, so thank you for doing that for us. Nothing typically happens that fast, but when you go to Plaid it's amazing what you can do.
Amy: And again, all that work was done by HR. IT has not logged in to do anything unless they're the ones hiring somebody.
Robert: So now we have a hired worker in Workday and it's made a call out to Okta to begin the provisioning process for all those downstream apps. So here one of our help desk associates, Vicky Rich, she's going to login to Okta here and take care of another couple of housekeeping items.
Amy: And she's using Okta because we also have it in the greater Zendesk, it's our ticketing system we use for help desk but also facilities and other requests. The way we have this structured, we still have some QA we do on accounts, it's not totally necessary for everybody, it's something we've chosen to do, but we have Okta going ahead and creating a ticket in Zendesk for us every time an account is created. It also puts the user in AD automatically, they're in the right OU already. Vicky just opens up the account and I think she adds some legacy groups that we don't have structured enough to really automate where they go. But the ticket she has, that Okta has created, already has all the HR reps copied on the ticket, the hiring manager. Once she does her QA, closes that ticket, we're done in IT. We've distributed all the information, we've communicated to all the necessary people and that employee is ready to start work.
Robert: The neat thing about it is, when we were putting this video together we were talking with our IT operations team about the workflow and the processes and they made a pretty profound statement, they said in five years they have not created a single Active Directory account on their own, which I think is pretty amazing, considering where we were the day before we turned it on we were doing everything manually and now we really don't do anything in Active Directory anymore and it's more accurate and more timely than we were ever doing it in the past.
Robert: So now from an IT perspective, we're done. The ticket's been closed and the hiring manager's received the login information for Dave Matthews and he's ready to go. So now Dave is going to show up for work and he's gonna login at his orientation with his password that was automatically set up, he's going to create a new password and then another key piece here which has really been a boon for us is that he enrolls in password self service and password reset processes, so again it's eliminating a call to the help desk whenever they lock out their account, they can go in and manage it themselves.
Wendy: Were you also able to provision him prior to him arriving first day? Did you set a two week time interval?
Robert: Yeah we did. 14 days.
Robert: So here he's logged into Workplace because he was a member of the IT group, he's automatically put into the Information Technology workplace group and he can go in and see all the information that has already been posted in there and be brought up to speed on what's been happening in our department right from here.
Amy: You guys wouldn't notice it but this is our real information, we have an employee that's already on this screen when we made this video two weeks ago that just started for work today. He's already in the right organization, he's already provisioned and ready to go when he sits down for work the first day.
Robert: Now we'll jump over to Box. Again it's provisioned an account and because of his access in the IT department he already has access to the department listing and folders that are shared common across the department. And then the big one for us obviously Amy is Office365.
Amy: Yeah we require all of our, well HR requires all of our employees to have an email address so we are tasked with making sure that those get provisioned when somebody starts work and we also have the added complexity of assigning two different forms of licensing in Microsoft, we have a mix of E3s and E1s so we can keep our costs down. We've got all of that process built in as well to use the information on Job Profile that we pull out of Workday to decide who needs a real full version of Office and who just needs an email address to get down to their job.
Robert: For us and what you just saw on that demo is what we do every single day. The power of the connection between Workday and Okta, we have one source of truth about employees in our workplace and it's Workday. We have one tool that provisions access for all of those applications and that's Okta. It creates a seamless user experience and as we've gone down this journey for the last six years, our executive team and as new departments are coming up with new ideas and new applications, they're going and saying to their partners "does it integrate with Okta?" We have them conditioned now, that's one of the first questions, and then they say "if it doesn't then it needs to because we're not going to be able to deploy it unless it does" and so we've really seen a very widespread adoption with it.
Wendy: That's awesome, thank you guys.
Robert: Unfortunately, you can clap now if you want to, that's fine.
Amy: Termination is sad, we won't clap for termination.
Robert: We gotta clap for terminating an employee.
Robert: So unfortunately Dave is probably not cut out for sales.
Amy: Better at music.
Robert: Now Christina Darby, she's gonna log back in and go through the termination process.
Amy: She's our HR rep so she can fire people in Workday. Also the manager that's closest to the firing event has, terminating event, HR way of saying it, they have the right to do this as well.
Robert: We should probably make it more steps to terminate somebody so that
Amy: No no, it's super easy
Amy: And the type of termination we're putting in here, we have, obviously there's voluntary termination, somebody's resigning, you can put those in immediately and then Okta will take that and schedule it, so you can put it in the day they turn in their notice. Two weeks later, their account will be de provisioned right when you need it to be. In this case we have an involuntary termination and we have a workflow set up in Workday so that if it sees the flag for involuntary and it sees that the person is, we have a checkbox that says not eligible for rehire which usually means somebody walking out of the building, that will automatically trigger a real time sync event that will go in and immediately disable everything in Okta. The other ones just happen at midnight on the day that you plan to terminate the person.
Robert: That's right. So now Dave has been fired, he has been terminated in Workday, and as you can see from the log, Workday sent a real time sync request to Okta at 11:07:34 on March 26th to terminate Dave Matthews, sadly.
Robert: So now what we'll do is we'll log back into Okta and we'll see it here.
Amy: And this is where you could pull this to show an audit log or pull whatever you want to do to verify that the termination has happened the way you planned.
Robert: I'm just happy I typed my password correctly on the first try.
Amy: It is the hard part.
Robert: Now we'll go into their directory. Obviously everybody here should be familiar with this screen in Okta. We're going to look for Dave Matthews and we see that his account has already been deactivated because of that real time sync that came over from Workday.
Amy: This demo is pretty real time in the flow of how fast it comes in from Workday.
Robert: All of his apps have been de provisioned within there. You can go through and see some of the profile information that comes through on his account from Workday as well. There's obviously additional attributes that can come in from all the different sources of truth that you were talking about earlier Wendy.
Robert: Now the most important part here, when we look at the log file, and I think this is a really telling element. You look at the log file and you can see that he's been de provisioned from all of those business apps that he was originally set up for. He was de provisioned from Workplace, from Office 365, from Workday itself, Box and even our internal applications.
Amy: And just to overlay that log information with the termination process event that we had at Workday, it was eight seconds that it took from the time the real time sync fired to all of his account access has been removed. And again, that was with no interaction from IT, we never got a call, we have a courtesy summary report that HR sends us every week to give us an idea of how many terminations have happened, but we never interact with them anymore.
Robert: Well we still talk to them.
Amy: Depends. We just need tickets.
Robert: Right, but it's a pretty powerful statement. We never could have done this within 8 seconds doing it manually. And it gives us a tremendous amount of time back to go and focus on other things versus these sort of tasks of provisioning applications and de provisioning applications.
Amy: And the security too. We do probably have over 100 general managers, we have almost that many HR managers, they may not have all notified us as evenly as we would have liked
Robert: That never happens
Amy: To tell us that people are terminated.
Robert: Again, it was an incredible journey to go on, I was cringing a little bit thinking about everything that we were doing as you were going through the presentation earlier, because we were in that exact same spot, we had all those disconnected systems, we had all those challenges of trying to do things manually and provision things and de provision them. Now we focus on other things.
Robert: Great, thank you.
Wendy: So no better testimonial than that right? To summarize I wanted to go through a few of the functionalities that Okta offers, some that might be newer for existing customers.
Wendy: The real basis behind Okta is allowing you to connect to everything and how we do that is by a system of agents, so we have an Active Directory agent, we have an LDAP agent, we have SCIM agents, we have all of these standards-based things that will allow us to basically consume identities from all of these different sources. We can even pull identities through a regular CSV file.
Wendy: Once we have the identities within Okta, and that can be from multiple different sources right, so you could have four or five different Active Directory domains that you want to integrate into a single pane of glass. We pull all of those into Okta and from there we can use our catalog of out of the box integrations, so Okta has two hundred or more that support provisioning out of the box. We have six thousand that support single sign-on out of the box. When I say out of the box, that means there is 0 coding. There is almost no configuration, you literally check a few check boxes, click a couple next buttons and you are integrated with the application.
Wendy: We provide this really easy provisioning, you can see an example here on the left where all you have to do is select enable to turn on things like create a user within the integrated system, update the user when a profile attribute changes, delete or disable that user when they are disabled in the master source which could be Workday, which could be Active Directory, which could be an LDAP directory, which could be any application really that supports provisioning into Okta. Then you can also create a profile master as these guys did with Workday, where they are saying the information is being imported into Okta, you can't change it within Okta because it's mastered within this external profile master.
Wendy: Then on the right hand side you can see we also have granular options for what can you do with that user once it is pulled into Okta. So when a user is deactivated in the app, like Workday, what do you do in Okta? Do you do nothing, do you deactivate the user, do you suspend the user? We have really fine grained access controls on both sides, both pulling in and pushing out of Okta.
Wendy: As we mentioned we can do profile mastering. So in this list here is an example of profiles that are being pulled into Okta from these disparate sources. We've got an Active Directory, we've got an LDAP directory and we've got a Workday which is UltiPro, so an HR tool. And you can order those in the order of preference and not only can you do that, you can do attribute level mastery so you can say I'd like to pull users' first name and last name and phone number out of Workday or Active Directory but I would like to pull their email address out of a different source, maybe that's Active Directory or Office365 for instance.
Wendy: A newer technology that we are announcing this year at Oktane is import hooks. So import hooks allow you to take a stop in the process of pulling that user into Okta and reach out to other things to do more processing before you complete the process of putting that user into Okta's universal directory. That can help you do things like the following. You can enrich a user profile. So let's say you've got a database out there somewhere that is storing things about the user, maybe entitlement information or a user identification number or something like that. You can reach out to that database and enrich that user profile with the information from the database before you write it to Okta. You can also do things like resolve naming conflicts. So if you have two John Smiths, what do you do with them? At that point you can call out to an external process, perform the calculation and maybe give a John Smith two so you don't have those naming conflicts.
Wendy: Additionally you can clean up data. Let's say, in Workday, you are storing a user's phone number with parentheses and dashes but you have some downstream applications that do not like parentheses and dashes in the phone number. You can use this import hook to call out, do a script evaluation of that phone number, remove the parentheses and dashes and then put it into Okta.
Wendy: We also provide workflows to assign and change access. Since Okta is a rules-based access control product where we use groups for most of that logic, what you can do is you can create roles like the following, so you can say, maybe the user's title if it contains sales, I'm going to automatically put that person into a group called sales. And that will enable that sales group to be the provisioning policy to give the user access to sales types of applications, and to give sales people maybe additional layers of security around multifactor and things like that.
Wendy: We also have automated actions based upon conditions now. For instance, I've created a rule here that will disable users after thirty days of inactivity. So you can see on the left, there is going to be a check that is provided and it's going to check only the group contractors to see when they logged in last and if that specific user hasn't logged in for thirty days, you can see on the right we are going to change their Okta status to deactivated. That will keep the user within the Okta directory so you've not lost them, but it does actually turn off their access to any of the applications that they had access to before.
Wendy: We also offer the ability to do access requests, so we can publish a nice catalog of the applications that your company sanctions and then allow your users to peruse that catalog and if there's an application that they feel they need, they can add it to their own dashboard themselves or if you've turned on the request approval flow, it will force them to click the request button, there will be an automatic email that's sent to the approver for that application. Once the approver says "yes I do believe that user needs this" by clicking the approve button, then this workflow will automatically flow through where that user will be provisioned the application and they will be able to single sign in to that application.
Wendy: Then on the right you can see all of that is audited in our system logs, so as you guys were saying, if you have an auditor coming on site and you need to prove who has access to what, who decided to give them access to that application, all of that can be found by doing very granular searches within the system log and we also have canned reports that you can just say "what does Bill have access to" and it will print you out a list of all the different applications.
Wendy: So the takeaways from this session, I hope that all of you have learned that Okta is a lot more than single sign on. Okta was originally founded because our founders realized that as we're moving to the cloud there are a lot of barriers to getting from Active Directory or an LDAP directory into those applications in the cloud. It started out as single sign on and provisioning life cycle management in mind. And over the years we have gotten a lot more sophisticated with both our single sign on methods as well as our provisioning methods, and we have extremely strong partnerships with other companies like Workday, where we can have them writing software that integrates into Okta, so for the real time sync that was performed with you guys, that's actually code in the Workday software itself, it's calling out to Okta. Because Okta is best of breed, we have a lot of traction in getting best of breed software companies to integrate natively with our product and that is why Okta's integrations are really much stronger than those of our competition.
Wendy: So we provide these out of the box workflows which are extremely easy to configure and they just work because we have these best of breed companies that continue to keep our partnerships very alive, we're constantly being notified by them "hey we made a code change, you guys might need to make a code change on your side" so we are very very in touch with what's happening with all the applications that we integrate with. Of course, the greatest thing is, there's no need to code so all of it is just point, click, turn that feature on and you're ready to go.
Wendy: So we did leave a few minutes for questions, so there is somebody with a microphone running around back there, if you could wait and raise your hand, they'll run up to you. There's one up at the front here.
Question 1: Hi, thank you. Regarding Workday as a master, there are certain events in Workday that I have some familiarity with implementing for Okta and there are some events in Workday that we found on our side traditionally very hard to manage. Probably most notably, anything regarding the rescind function. In Workday you can rescind pretty much every single event that you do. You can rescind a new hire, a rehire, you can backdate a hire. How does, is there anything on Okta's roadmap for handling those problems as it can result in contractor conversions, those types of events where it can result in termination of access if somebody on the HR side of things isn't aware of what they input and how it's going to impact downstream IT systems.
Wendy: I think a lot of that probably goes down to training right, to making sure the Workday admins know what they're doing, but yes, we are evaluating constantly. Any type of change that happens on the Workday side, Okta is working very closely with Workday to keep those integrations up to date.
Wendy: As far as rescind goes, I'm sure that there are things in the works now. We are definitely working on improving the functionality for rescind within Workday, so that will be coming out down the line at some point.
Wendy: Do you guys have any issues with rescinding? I'm not sure how you guys might have handled
Amy: We have more issues I'd say with the contractor conversion, that's a big issue we encounter. I don't have the technical information on it but there was actually somebody, a rep mentioned to us, there was something coming that would help us with that, so that's definitely something we should follow up on.
Robert: It's definitely a challenge, there's no question. Going from a contingent worker to a full time employee, we have that challenge. We also, to Wendy's point, some of it is education, where we have people that are transferring from one dealership to another and somebody just goes in and they don't understand the transfer process so they terminate. They go "oh this person's going over here so I'm gonna terminate them" and it's like no please don't do that.
Wendy: I know out of the box, and this is fairly new to Okta, maybe within the last year, we do support converting from a part time or a contractor to a full time employee, so that might be something that you haven't rolled out yet within your deployment. But there's a lot of information on the documentation side about that, because it is a new feature.
Amy: Yeah it is pretty new because it's something we're excited about but haven't yet rolled out either.
Wendy: Any other, couple back there
Question 2: I wanted to see if you could elaborate a little bit into the challenges you have from contract conversion. We kinda are dealing with that, we don't have the module of Okta yet, ours is more of an internal process in Oracle. But I wanted to see what you have to say about that.
Wendy: So is the question whether we integrate with Oracle.
Question 2: No, no, your specific challenges into the contract conversion from an employee, a contractor to employee or even vice versa.
Amy: Yeah so I think what was happening when a contractor, the way our HR was putting it in in Workday when our contractors would convert, they would essentially, the contractor would essentially in Okta terminate and then get recreated and obviously if they're doing their job and have their email and everything you would like them to keep everything the same way. So there was a change in our HR process so that they're alerting us and it's not terminating anymore but that is the challenge we were dealing with that so I assume it's probably the same.
Robert: It was definitely on the business side, the business logic and the tool and what was triggering those pushes into Okta, it was almost as if it were triggering it as a termination and hire event instead of a profile change or something to that effect.
Amy: I think in our legacy HR system was before Workday was what they had to do.
Question 2: So that is exactly the same issue we're having is when somebody would get, instead of doing a conversion it would do a termination, the person would lose all their access then we would have to re provision their access so, similar thing.
Amy: The other issue I think in Workday specifically, your employee number changes when you revert from a contractor to an employee so that's another, mapping those together is also
Robert: I think it is also a link of the HR teams changing workflow processes without necessarily letting the downstream application people know that those processes were changing so it always sort of came as a surprise and that forced us to be more in line with our change control process.
Question 3: Regarding deprovisioning with Office365, can Okta reclaim the license from that user and also legal hold possibly?
Wendy: Yes, Okta can delete the license and put it back in the pool automatically.
Amy: And we have that set in ours where we leave the license assigned to the deactivated user for seven days in case we have that request that always comes for access to that employee's email a couple days later. Then we have an automation that's taking it out after seven days, so we know we're floating a few extra licenses for that.
Robert: The really exciting part though, from a licensing perspective is, in the past we would overbuy on specific licenses because we didn't know what the person was really going to do. Now through our integration we're able to say this person with this type of job profile gets an E1 license and this type of person with this type of profile gets an E3 license and so we're really able to right size our license management within Office365.
Wendy: There's great auditing through the Okta tool saying you have seventy three licenses but only forty two people have logged in this month so it does help you to keep track of those licenses and maybe not have to buy quite as many and get your money back.
Question 4: We use Greenhouse Onboarding and Greenhouse Recruiting as our onboarding and recruiting system that, sorry, does not integrate with Okta yet but, do you have anything on your roadmap to integrate those two systems with Okta as their source of truth?
Wendy: I didn't quite catch that.
Question 4: So instead of Workday we use both Greenhouse recruit and Onboarding to onboard, the onboard implies. Is there anything on your roadmap to create a workflow or a pipeline where these two systems can be integrated with Okta for automation, provisioning and de provisioning?
Question 4: So imagine Workday, replace Workday with GHU and GHR.
Wendy: That I'm not sure, let's, come up to me afterwards and I'll give you my card and I'll take an action item to look into that for you.
Wendy: There's a question up here, third row. This will have to be the last question, it looks like we're about out of time.
Question 5: Hey, let me pull this up real quick. Mine is kind of two fold but it's basically, understandable with apps that do provisioning, obviously they're gonna, things will be deactivated. Let me back up, if you're doing SSO only which some of our apps are, things will be deactivated but you still have an account in existence on the other end
Question 5: And then, the other half of that is like say for example, we use G-Suite so tokens that are on all the personal devices, et cetera, et cetera. What do you guys do as far as cleaning up those accounts after the fact, is that a manual process, is it something you audit? Maybe once a month
Wendy: As far as the long-lived tokens, so what we really, because we are kind of the front door and we do grant access to get into that to authenticate the first time, but a lot of applications like G-Suite or even Office365 or Microsoft products will create a no-opp token that's sitting there that's valid for a month or more. We encourage our customers to set the time to live on those tokens to be very short, like maybe a day and that way if somebody is terminated we'll at least get them within that one day. But if you turn on the automated provisioning and if you have applications that do support that with Okta, that does help in that because you can actually delete the account and we won't have that same problem.
Amy: We have some of the issues with applications that will not integrate with provisioning at all and what we've done for those, and some of those don't even do single sign on, but we still want to account for getting people out of those applications, so we, our kind of hack on that is to do the same kind of event we showed, the Zendesk ticket that gets created. We have, even though we don't take action at termination on the integrated systems, we have it create a ticket and it sends directly to the application support team that's responsible for that application. It puts in the employee number which correlates with the user ID in that system and they get an event, an alert to tell them to take the person out of that legacy application. It's manual but it's, at least consistent.
Wendy: Those reminders are actually bubbled up to the Okta dashboard so the Okta administrator will see this user has been deprovisioned from an application that doesn't support automatic deprovisioning but it will give you a notice in the dashboard so that you can assign those to make sure somebody follows up.
Robert: To add onto what Amy was saying, on our roadmap to explore is a triggering event on termination that will, in the case of mobile devices, call out to our MDM that will then either remove the apps or lock the phone depending on what the particular situation is.
Wendy: Well I think that's all the time that we have, could you guys please fill out your surveys, we really appreciate you coming today and we hope you enjoy the rest of Oktane.
Robert: Thank you.
Are you new to managing identity lifecycles? Do you rely on scripts, manual processes and tickets? In this session we cover the basics of lifecycle management and discuss pertinent features in the Okta Lifecycle Management product. Specifically, we address how to integrate authoritative sources and automate onboarding/offboarding. Hear how Hendrick Automotive benefits from automation and see a demo.