Available Workflows Templates

Assign group memberships temporarily based on time

Within Okta, grant membership to a user group, but only for a limited time. For example, a group that gives auditors access to applications, but revoked after 30 days. Another example may be a temporary development project to which you want to assign developers access.

Create Contractor Expiry Notifications

Many organizations utilize contractors in addition to full time employees. A contractor typically has a contract expiry date. This is the date when their current contract is due to expire. Certain people within the organization, such as the contractor's manager, need to be notified ahead of the expiry date so they can potentially renew the employee's contract.

Create a report with Google Sheets

Many organizations have custom, org-specific needs to report on particular lifecycle events, and share that data with others in the organization. Okta's System Log is powerful but limited to Okta admins, and also doesn't allow for scheduled reports. This Flow demonstrates building a custom report in an online spreadsheet (using a \"user suspended\" event, and then sharing that report with stakeholders when the event occurs.

Create a report on multiple Okta events

There are use cases where you need to utilize multiple events for a singular purpose. Instead of creating copies of each Flow that then need to be maintained separately, child Flows and tables can be leveraged to limit the repetition in your Flows. This template demonstrates a simple pattern for creating a daily report of user attributes from three Okta events: User Created, User Okta Profile Updated, and User Deactivated. It then uploads a daily report to Google Drive using a scheduled Flow that runs every midnight.

Send email notifications with Office 365

This Flow sends an email notification with Office 365 when a user is suspended in Okta. It allows administrators to easily track user suspensions. This is a generic notifications template. You can easily swap out both the event or the email provider (to Gmail) based on your notifications use case.

Generate unique emails

To onboard users in an organization, IT needs to generate unique email addresses for their end users in downstream applications like Office365 and G Suite. This Flow generates the unique email addresses for all the users that are onboarded into Okta.

Generate unique Okta usernames

To onboard users in an organization, IT often needs to generate a unique Okta username for each user in order to avoid conflicts. These usernames, such as SamAccountName and UPN, are then used in downstream applications like Active Directory.

Reassign files while deprovisioning with Google Drive

In many organizations that use Google Drive, there's a requirement to transfer the contents of a user's Google Drive to another user. That can be the case when you have users who need to be deactivated. Using this Flow, you can transfer the files from the user's Google Drive to the manager and delete the user.

Import users from Google Sheets

When there are disconnected user populations like contractors or certain offices that need to be imported into Okta, a CSV or flat file is the easiest way to create those users in Okta. This Flow guides you through how to bring in users from Google Sheets and how to use For Each loops. This Flow reads all users in a specified Google Sheet and creates them in Okta at a regular weekly cadence of Mondays at 6am PT.

Initiate a Flow with API endpoint

Okta Workflows is a powerful tool to implement custom business logic. Instead of creating an object directly in Okta (for example, a user, application, or group) with Okta REST APIs, you can send the object request along with its JSON payload to Workflows. Then you can implement custom business logic to check for existing objects in Okta or to reach out to a third party to verify data. Based on the results of the dynamic logic, Workflows can make decisions and provide flexible processing options.

Introduction to custom API actions

Sometimes a connector doesn’t meet your needs because of a missing action. With the Custom API Action method, you can get around this limitation by making a generic HTTP request to any of the connectors that Workflows has available. This Flow uses a custom Role attribute as part of Okta user profile. If the user is created with a Support role attribute, the user is added to the HELP_DESK_ADMIN role in Okta.

Introduction to lists and child Flows

Much of the data we are working with is presented as a list, such as a list of user objects or a list of applications objects. Workflows allows you to process lists in a comprehensive manner leveraging child Flows to operate on each member of the list. There are a number of ways to process a list. Performing a discrete action on each item without returning anything to the parent Flow is very common. You can also keep a cumulative output of each item iteration that can be returned to the parent Flow. There are many other List operations. See About scheduled and child Flows.

Child Flows are simply subroutines that exist as a separate Flow but can only be called from a main or parent Flow. Child Flows are very useful not only for the above mentioned List processing, but for code reusability, team contributions and code cleanup.

Make API requests with the HTTP Request card

In many organizations that integrate with web services, there is a requirement to be able to invoke a SaaS application (or on-premise API secured via an API gateway) secured HTTP(S) endpoint. This Flow illustrates the use of the Okta Workflows HTTP Raw Request card for GET and POST operations with sample Content-Type of json and x-www-form-urlencoded. It also illustrates how to process JSON using a variety of Workflows cards.

Manage Okta group membership based on profile attributes

In many organizations, a set of Okta group memberships are determined based on Job Codes or more generally, by user profile attributes to implement Role-based access control (RBAC). This Flow illustrates group assignment based on user profile attributes.

Onboard and offboard with Office 365 Admin

This Flow allows you to disable a user in Office 365 Admin and then after a specified delay remove their assigned Office 365 licenses. Another part of the Flow will reactivate the user in Office 365 Admin and reassign the previously removed Office 365 Admin licenses.

Create users in Salesforce

User Provisioning, or creating users in a third-party system, is one of the most foundational use cases for Okta’s Lifecycle Management product. In order to provide access to a system such as Salesforce, a newly created user needs to have an account in that system with the correct profile attributes and entitlements. This Flow helps you create a user in Salesforce and assign them a Profile based on their department.

Send Active Directory credentials to a manager

Many organizations use Microsoft Active Directory to manage user credentials, also known as AD DelAuth. While Okta’s Active Directory integration allows for user provisioning, organizations need a solution to communicate the account credentials to the user. When onboarding new hires, companies may need to set up these accounts ahead of time. However, the user may not have system or email access until the day of joining. In these scenarios, companies can email the account credentials to the user’s manager with a one-time password. This Flow demonstrates how to identify users who are added to Active Directory using Okta’s User Assigned to Application event, fetch their manager’s email address, and send an email notification.

Send SMS via Twilio

This Flow allows you to send SMS messages via Twilio.

ServiceNow approvals

In many organizations that use ServiceNow, a subset of access may require approvals. You may have users that are provisioned with birthright access when created, but a specific group access needs to be approved before being provisioned. This Flow helps you get approvals for such use cases using ServiceNow.

Suspend inactive users

In many organizations, access tends to proliferate for far longer than certain users require it. You may be working with a contractor who needs access to a single app. Or your offboarding policies are not adequate for an ex-employee. For example, when a user hasn’t logged in for months, you would like to suspend them until you’re notified that they do actually need access. You want to implement such a policy as part of a strong security posture. This Flow reads all active users in your environment, and if they haven’t logged in within the past six months (180 days), suspends them.

Notify a user when their profile is updated

A user profile may be updated for many reasons, including a scheduled change by HR, a change to personal information performed by the user themselves, or some type of automated change. But how can you always be sure that the data in the user profile is accurate and was updated legitimately by the user or an authorized admin? This Flow allows you to send a message (for example, through email or Slack) to notify the user that their profile was updated, and they can be prompted to review and confirm those changes.

Create Office 365 guest user accounts

More companies are using multiple Office 365 tenants. This is especially evident in M&A activities. As a result, users need access across multiple tenants. Many are solving the licensing aspect of this issue through a Microsoft Guest account. But automating the creation and management of these users is cumbersome. This Flow will get you started with creating guest accounts with no code nor special infrastructure to host code.

Manage AWS SSO entitlements

The AWS SSO connector allows entitlements (accounts and permission sets) to be added and removed for Okta and AWS users and groups. The connector works in conjunction with the AWS SSO SCIM provisioning app that’s available in the OIN catalog. The flows in this template are triggered when an Okta user is added to or removed from an Okta group. The Okta group holds the entitlements, and the user is updated accordingly in AWS. There are two examples of how to add and remove entitlements using child flows and a table.

Create an Onfido applicant

For identity verification, this flow creates an Onfido applicant using a User Created event card for the Okta connector and saves the applicant ID in the user’s Okta profile.

New User Registration

In customer identity and access management use cases, many business units, locales, and brands may require distinct user management operations. This template demonstrates how to implement custom processing of the registration context.