Available Workflows templates

Grant membership to an Okta user group for a limited time. For example, a group that gives auditors access to applications, but revokes access after 30 days. Another example might be a temporary development project that developers need to access.

Periodically auditing admin access to your Okta org can help to ensure that users have the correct admin roles. Auditing also helps to identify users who may no longer need admin access based on activity. This template identifies all admin users (users assigned to the Admin Console) and writes their information to a table, including admin role assigned and last Admin Console access.

Abandoned accounts are less likely to have strong passwords and multifactor authentication. This template illustrates how Okta Workflows can be used to enhance your application's overall security by removing these abandoned accounts. Use this template to automatically alert inactive users about account expiration and then remove any users from Auth0 if the accounts remain inactive.

There are scenarios where you need to use multiple events for a singular purpose. Instead of creating and maintaining separate copies of each flow, you can use helper flows and tables to limit repetition in your flows. This template demonstrates a simple pattern for creating a daily report of user attributes from three Okta events: User Created, User Okta Profile Updated, and User Deactivated. The template then uploads a daily report to Google Drive through a scheduled flow that runs every midnight.

Multifactor authentication (MFA) fatigue is a technique used by attackers to flood a user's authentication app with push notifications. If they accept a push notification, the attacker gains entry to an account or device. These templates provide a means to detect and respond to active attacks against your Okta org.

This template uses an event hook that triggers the flow when Okta Verify sends a push notification.

This flow checks the geolocation (city, state, and country) of both the sign-in request (source) and the successful Okta Verify push (destination). If the city is different, the flow continues to gather information for a security team investigation.

You can easily modify this flow to notify other downstream applications based on business needs.

This template encourages Okta end users to enroll a stronger factor with their account by monitoring the enrollment and use of SMS as a factor.

During an access certification, some organizations might allow for revoke decisions. Some campaigns implement a grace period where end users retain access to the resource for a period before their access is revoked. This template enables this configuration for a campaign, applying the revoke decision at a future date. The date is determined according to the number of days granted as a grace period.

Various cloud platform services allow IT administrators and developers to configure forms that send a POST operation to a URL endpoint. Okta can use the data sent by the operation to the Workflows API Endpoint to onboard or offboard employees, add or remove users from Okta groups, or use any configured Workflows connector. This template demonstrates how to complete these tasks using Postman, Google Forms, or Microsoft Forms.

IT administrators need to have a unique Okta username to add a new hire within an organization. This template uses inline hooks and Workflows to check to see if the imported user exists within the Okta Universal Directory. If the user exists, the template increments the username to make it unique. For example, jessiedoe1@example.com.

Hardening customer identity authentication is critical to improving security and avoiding fraud. It should be baked into the customer journey both online and offline, whether it's shopping online or picking up takeout food from your favorite restaurant. Hardening customer identity authentication creates two interesting challenges. First validating the identity of the customer beyond traditional static password-based authentication to include a reliable Time-based one-time password (TOTP). Second, continuing to provide a frictionless experience without compromising security.

You can determine whether your Okta tenant has stale accounts that a manual deprovisioning process missed by using specific criteria to identify inactive users. This task can then allow expensive application licenses, for example, to become available to other users. This template searches for all users in an Okta tenant whose last sign-in date was before a certain date, and writes information about those users to a table in Workflows. The data in the table can be exported to a CSV file as a download, or as an attachment to an email for periodic reporting. An extra enhancement to this template can also be the suspension of inactive users.

Identifying inactive users of SaaS applications managed within Okta is a great way to maintain a principle of least privilege. By searching for inactive users (based on previous sign-in data), you can perform any remediation actions required by your company policies. This information also shows what expensive application licenses aren't in use and can be canceled or reassigned.

This template searches for users of a given application who haven't signed in during a specified time window and adds those users to an Okta group.

This template focuses on implementing log streaming and Okta Workflows to capture specific event types from the Okta System Log. Log streaming enables the export of System Log events in near real-time to platforms like Amazon EventBridge or Splunk Cloud. You can use this functionality for monitoring suspicious activity, automating responses to specific events, or troubleshooting.

Okta Workflows is a powerful tool to implement custom business logic. Instead of creating an object directly in Okta (for example, a user, application, or group) using REST APIs, you can send the object request along with its JSON payload to Workflows. Then you can implement custom business logic to check for existing objects in Okta or to reach out to a third party to verify data. Based on the results of the dynamic logic, Workflows decides on actions and provides flexible processing options.

Sometimes a connector doesn't meet your needs because of a missing action. With the Custom API Action method, you can get around this limitation by making a generic HTTP request to any of the connectors that Workflows has available. This flow uses a custom Role attribute as part of an Okta user profile. If the user is created with a Support role attribute, the user is added to the HELP_DESK_ADMIN role in Okta.

A great deal of data exists in list format, such as user or application objects. Okta Workflows allows you to process lists in a comprehensive manner using helper flows to operate on each member of the list. There are various ways to process a list. Performing a discrete action on each item without returning anything to the parent flow is common. You can also keep a cumulative output of each item iteration that can be returned to the parent flow. There are many other List operations. See Parent flows and other flow types.

Helper flows are simply subroutines that exist as a separate flow but can only be called from a main or parent flow. Helper flows are useful not only for processing lists, but also for reusing code, evaluating team contributions, and cleaning up code.

This template illustrates how Okta Workflows can streamline customer identity management by automatically linking duplicate customer accounts in Auth0. This template checks the email address for every new user that signs in to your website against your existing user base. If a duplicate is found, the template automatically links the user's two Auth0 accounts.

Many organizations that integrate with web services need to use a secured HTTPS endpoint to invoke a SaaS application or an on-premises API secured through an API gateway. This flow illustrates the use of the Okta Workflows HTTP Raw Request card for GET and POST operations with some sample content. It also illustrates how to process JSON using various Workflows cards.

In many organizations, a set of Okta group memberships are determined based on job codes or more generally, by user profile attributes to implement role-based access control (RBAC). This flow illustrates group assignment based on user profile attributes.

This template uses an event hook that triggers the flow when a phishing attempt is unsuccessful. The flow sends the IP address of the phishing site and the affected user to a Slack channel for further investigation.

In Customer Identity and Access Management (CIAM) use cases, many business units, locales, and brands may require distinct user management operations. This template demonstrates how to implement custom processing of the registration context.

A user profile may be updated for many reasons, including a scheduled change by HR, a change to personal information, or some other automated change. However, can you always be sure that the data in the user profile is accurate and updated legitimately by the user or an authorized admin? This flow allows you to send a message (for example, through email or Slack) to notify the user of a profile update. Then they can review and confirm those changes.

User activations typically allow users to choose and enroll in an MFA factor when they sign in for the first time. Improve your security posture by validating the user's identity during sign-in. Users can be enrolled in the SMS factor using the profile phone number from Active Directory or the HR system. This flow automates this process and verifies that the user is authorized to receive an activation notice and can access their company's resources.

Acting on compromised accounts helps increase the security posture of any organization. External systems like Splunk constantly analyze data, searching for specific patterns that could indicate a compromised account. If an account is identified, organizations could quarantine the account and prevent further access to critical applications.

When exposed as a webhook, external systems can invoke this flow to help incident response efforts, by adding the user to a quarantine group. This quarantine group is associated with individual application sign-on policies to deny access. At the end of the flow, Okta clears the user session, forcing the user to reauthenticate. The user is now limited to only the applications that aren't associated with the quarantined event.

This flow could be extended to notify the end user, managers, or administrators through emails, text messages, or collaboration tools such as Slack or Microsoft Teams.

This template is an example of referring to an LDAP repository to perform a generic search within Okta Workflows. It can be modified and applied to any sort of repository such as an SQL database. This example uses the MuleSoft Anypoint platform to host the API Endpoint consumed by Okta Workflows.

Many CIAM customers have multiple user stores that need to be maintained until legacy systems are decommissioned. When the identity information sourced in Okta changes, these attributes need to be synchronized downstream. This template provides an easy-to-implement, fully customizable method to update a remote system with CRUD (create, update, and delete) operations.

This template provides an end user with the option to report unrecognized activity from an email notification about account activity. When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report.

Revoking a user's IdP and application sessions in a timely manner is a crucial part of responding to security-related events. This template provides an example of how to revoke user sessions in Okta, Google Workspace, Office 365, and Zoom. The template uses a single flow that is triggered as a helper flow. This helper flow is useful with events such as:

• An Okta user being suspended

• An Okta user reporting suspicious activity

• An Okta admin performing a password reset on a user

• An Okta admin triggering a delegated flow

In many organizations, users retain their access for longer than necessary. You may be working with a contractor who needs access to a single app or your offboarding policies aren't adequate for an ex-employee. For example, when a user hasn't logged in for months, you would like to suspend them until you're notified that they do actually need access. You want to implement such a policy as part of a strong security posture. This flow reads all active users in your environment, and if they haven't logged in within the past six months (180 days), suspends them.

Video: Suspend Inactive Users

Employees often lose and replace their mobile phones. In order to give a user temporary access to reset a secondary authenticator, a user can be scoped to a less strict authentication policy until they have a device that complies with high assurance sign-on policies. This template exempts an Okta user from MFA policies for a predefined period.

Video: Temporarily exempt users from MFA

Account takeover is a significant target for fraud, achieved when bad actors manage to reset passwords or change access levels for privileged accounts. Dynamically monitoring and responding to these two vectors with automated flows greatly reduces the risk of these costly attacks. This template illustrates how Okta Workflows can automate responses to combat account takeover (ATO) attempts, and mitigate risk with self-service and helpdesk-based account recovery. The template watches for user password and MFA factor reset and activation events to determine if the user's account is under threat of an ATO.

Various vectors can cause a reset of all MFA factors: a bad actor, human error, or an IT administrator helping a customer. Timely notifications that enable internal teams to identify next steps is critical for improving security and reducing risk. This template demonstrates how internal teams can be automatically notified when all MFA factors for a user are reset.

When generating technical fields from a user's name, such as samAccountName or an email address, the data often contains invalid characters in the specified data field. For example, a space character inside an email address. This template identifies some of the most common special characters and provides substitutions. The validated or repaired name is then placed in a user profile attribute in Okta. This preserves the original name for display purposes, and allows you to use the updated name for technical purposes.

Okta inline hooks allow you to trigger custom processes at specific points within Okta process flows.

The flow in this template is called by an inline hook during the user self-registration process. It uses a Workflows table to enforce email domain validation. If the user's email domain isn't included in the Workflows table allowlist, the registration is denied with an informative error for the user.

A welcome email is the first impression that an organization makes on a new customer or employee. Welcome emails can deliver a special promotion code, provide information to enhance the user experience, or send a friendly hello. This template demonstrates how a welcome email can be sent automatically to a new user.

This template demonstrates sending an email using Gmail with an attachment from Google Drive.

Many organizations that use Google Drive, require a mechanism to transfer the contents of a user's Google Drive to another user, for example when the original user leaves the company. This flow shows how you can transfer the files from the user's Google Drive to the manager and then delete the user.

Many organizations have custom, org-specific needs to report on particular lifecycle events, and share that data with others in the organization. The Okta System Log is powerful but is restricted to Okta admins, and also doesn't allow for scheduled reports. This flow demonstrates building a custom report in an online spreadsheet (using a \"user suspended\" event, and then sharing that report with stakeholders when the event occurs.

When you need to import disconnected user populations, like contractors or specific office locations, a CSV or flat file is the easiest way to create those users in Okta. This flow guides you through how to bring in users from Google Sheets and how to use For Each loops. The flow reads all users in from a specific Google Sheets file and creates them in Okta regularly on Mondays at 06:00 PT.

To onboard users in an organization, IT needs to generate unique email addresses for their end users in downstream applications like Office 365 and Google Workspace. This flow generates the unique email addresses for all the users onboarded into Okta.

Our current Google Workspace connector doesn't provide access to all endpoints within the Google Workspace API. The Custom API Action card is also restricted to the directory and licensing API Endpoints. You can use this template to create a raw HTTP request to obtain the scopes you need.

This template allows you to disable a user in Google Workspace and then after a specified delay remove their assigned Google Workspace licenses. Another part of the flow reactivates the user and reassigns the previously removed Google Workspace licenses.

This template shows you how to perform several tasks in Google Workspace when offboarding a target user.

• Mailbox delegation
• Mailbox forward emails
• Mailbox auto-reply
• Clear Okta user sessions
• Remove Google Workspace licenses
• Remove all user Google Workspace ASPs
• Remove all user devices in Google Workspace
• Remove all user access tokens in Google Workspace
• Deactivate Google Workspace directory user
• Create Google Drive transfer request
• Create Google Calendar transfer request

With Okta, you can execute PowerShell on-premises with a combination of Okta Workflows with Azure Automation. Azure Automation delivers a cloud-based automation service that supports automation across Azure, on-premises non-Azure, and hybrid environments.

This guide gives IT administrators what they need to incorporate PowerShell execution into the user's lifecycle from Okta.

You can use a Microsoft alert subscription to manage your security surface across API endpoints, email, collaboration spaces, cloud apps, and user identities.

This template demonstrates how Okta Workflows can automatically activate and deactivate an Okta user account based on a start or end date stored in the Okta user's profile. The template then sends out notifications using Microsoft Teams.

More companies are using multiple Office 365 tenants. This is especially evident in M&A activities. As a result, users need access across multiple tenants. Many are solving the licensing aspect of this issue through a Microsoft Guest account. But automating the creation and management of these users is cumbersome. This flow gets you started creating guest accounts without requiring any code or special infrastructure to host code.

To onboard users in an organization, IT needs to generate unique email addresses for their end users in downstream applications like Office 365 and Google Workspace. This flow generates the unique email addresses for all the users onboarded into Okta.

This flow allows you to disable a user in Office 365 Admin and then after a specified delay remove their assigned Office 365 licenses. Another part of the flow reactivates the user in Office 365 Admin and reassigns the previously removed Office 365 Admin licenses.

This template syncs your Okta group membership with your Office 365 Unified Group using custom profile attributes and Okta Workflows. If you don't have an Office 365 Unified Group, you can create one with the included flow and then use Okta groups to manage the group membership.

Many organizations use contractors in addition to full-time employees. A contractor typically has a date when their current contract is due to expire. This template shows how to proactively notify people within the organization before this date. For example, the contractor's manager, who can potentially renew the employee's contract.

Many organizations use Active Directory to manage user credentials, also known as Active Directory Delegated Authentication. While the Okta integration with Active Directory allows for user provisioning, organizations need a solution to communicate the account credentials to the user. When onboarding new hires, companies may need to set up these accounts ahead of time. However, the user may not have system or email access until the day of joining. In these scenarios, companies can email the account credentials to the user's manager with a one-time password. This flow demonstrates how to identify users who are added to Active Directory using the User Assigned to Application event. The flow then fetches their manager's email address and sends a notification.

Many organizations use Adobe Sign to control agreements that dictate which resources users can access. For example, nondisclosure agreements (NDAs), lease contracts, and terms of service (TOS) are common types of resources. This template uses Adobe Sign webhooks to capture when a user signs a document. Okta then takes this information to determine which systems a user can access and their security level.

This flow demonstrates how a user's profile can be enriched with associated values that have been retrieved from an external table. It uses a simple Amazon Web Service (AWS) DynamoDB table and the retrieval of data is handled by an AWS Lambda function. This flow uses the AWS Lambda Connector to call the respective Lambda function. This use case is based on a user-entered zip code to retrieve associated values like city, state, and time zone.

The AWS SSO connector allows entitlements (accounts and permission sets) to be added and removed for Okta and Amazon Web Service (AWS) users and groups. The connector works with the AWS SSO SCIM provisioning app that's available in the OIN catalog. The flows in this template are triggered when an Okta user is added to or removed from an Okta group. The Okta group holds the entitlements, and the user is updated accordingly in AWS. There are two examples of how to add and remove entitlements using helper flows and a table.

This template creates a Box account for a user, creates a folder, and sends a notification email to the user's manager. The flow also transfers a user's Box files and folders to a manager if the user is removed from a specific Okta group.

Many organizations use DocuSign to control agreements that dictate which resources users can access. For example, nondisclosure agreements (NDAs), lease contracts, and terms of service (TOS) are common types of resources. This template uses DocuSign webhooks to capture when a user signs a document. Okta then takes this information to populate an attribute used in managing group and application access.

This template allows a flow builder to back up their flows on an on-demand or automated basis to an external system like GitHub or Google Drive. To enable this, Okta created functions to export either a flow or folder and have enhanced our GitHub connector to allow a builder to make commits and open pull requests. There's also a set of templates that can be easily imported into your environment that walks you through exactly how to version both flows and folders.

Set up a fully customizable conditional access flow for your Okta users based on the compliance status of their Apple devices.

IT administrators managing a remote workforce can face a real challenge when a remote user is deactivated. IT needs to make sure that all company-related devices can't be used. This flow offers an automated way to remotely lock all Apple devices assigned to a given user in Jamf Pro when the user is deactivated in Okta.

Apple mobile devices can be used as shared devices in several scenarios such as meeting room control panels, customer-facing demonstration units, or automated cash machines. These devices need to restart from time to time to install pending updates and Jamf Pro doesn't offer a built-in method to schedule such actions over time.

Onboarding new employees is a complex process that requires information from internal teams and integration with different approval and account creation tools. In addition, businesses may require a new employee to complete an orientation or pass a certification before activating their user account. The complexity of tracking approvals and then activating each user account on a specific date adds overhead for IT admins. Automating this process reduces human error and enhances your security posture. This template provides an example for automating account creation and activation with Okta when triggered by an approved Jira service request.

Many of the actions supported within the Jira connector, such as creating or assigning issues to users, require an Atlassian ID. You can use this helper flow to find a user's Atlassian ID when necessary.

IT administrators want to make sure that all company-related devices can no longer be accessed when an employee is off-boarded. This template offers an automated way to remotely lock all Kandji devices assigned to a given user in Kandji when this user is suspended, deactivated, or reports suspicious activity in their account.

This template illustrates how Okta Workflows can be used with Marketo to re-engage your customers and drive more visits to your website. The template automatically maintains a list of customers who haven't signed in to Marketo recently. You can then use Marketo to set up a campaign to engage these customers.

This template illustrates how B2C companies can use Okta Workflows to sync customers with Marketo. Using this template ensures that every new user that signs in to your website has a profile in Marketo. This enables you to avoid manual and error-prone imports and immediately engage with new users through marketing campaigns to increase engagement and retention.

For identity verification, this flow creates an Onfido applicant using a User Created event card for the Okta connector and saves the applicant ID in the user's Okta profile.

Discover the potential of artificial intelligence with practical example prompts to help guide you through automating tasks, generating creative content, and more. This connector brings OpenAI's advanced capabilities directly into Okta Workflows to unlock new levels of efficiency and creativity in your business processes.

This template helps automate various frequently used tasks in Opsgenie in relation to on-call rotations and scheduling.

Okta enables users to report to their org administrators an activity that they don't recognize. Investigating such a suspicious activity report in a timely manner is critical for preventing fraud. This template provides an example for automatically creating an incident in PagerDuty when suspicious activity is reported.

This flow pushes user profile data from Okta into Pendo Adopt. Pendo recommends this approach for Okta customers, as Okta Workflows can automatically update a user's data in Pendo when information changes in Okta. See Using Okta Workflows for Metadata Sync.

This template demonstrates how to implement an XaaS model to import records from Personio. The flow requests records from Personio, stores the resulting list of records in a temporary Workflows table, and then creates import sessions and processes the bulk import requests.

This template illustrates how B2C companies can use Okta Workflows to automatically sync customers to their CRM solution. When you use this template, every new user that signs in to your website becomes a contact inside your Salesforce account.

User provisioning, or creating users in a third-party system, is a foundational use case for Okta lifecycle management. To access a system such as Salesforce, a newly created user needs to have an account in that system with the correct profile attributes and entitlements. This flow helps you create a user in Salesforce and assign them a profile based on their department.

This flow grants access to a GitHub repository if the user has passed the required Secure Code Warrior assessment. The flow is triggered when the user is assigned the GitHub application.

Security for end users is a major concern for all CIAM customers. Account takeover can be mitigated by notifying an end user when their password has changed, and alerting them if it was performed without their knowledge. Branding this notification across multiple application brands is important. Workflows can act on a password change event and send a customized notice to the end user. The trigger event that initiates the flows is a User Password Changed event in Okta. This occurs whether the user initiates a self-service password change or if an admin sets the password. A customized HTML email template substitutes user and event context dynamically.

This template illustrates how Okta Workflows can be used to guard against high-risk customer sign-ins. When a high-risk sign-in occurs, the template automatically creates a ServiceNow incident with relevant information, enabling your security team to respond quickly and mitigate any risk to your site.

In many organizations that use ServiceNow, a subset of access may require approvals. You may have users provisioned with birthright access when created, but a specific group access needs to be approved before being provisioned. This flow helps you get approvals for such use cases using ServiceNow.

This flow is designed for security operations teams to invalidate Slack sessions and notify admins when Slack detects anomalies associated with session hijacking.

The flow periodically checks the Slack Risk Audit API for anomalous events, then filters through the results for specific security interest events. The flow invalidates any Slack sessions associated with an anomalous event.

It's also configured to notify the organization's security operations team or Slack administrator of these events. They can investigate if the user was a victim of an account takeover.

This template demonstrates how to implement an XaaS model to import records from SmartHR. The flow requests records from SmartHR, stores the resulting list of records in a temporary Workflows table, and then creates import sessions and processes the bulk import requests.

Consistently maintaining user identity across downstream applications is critical for excellent user experience, compliance, and governance. Automatically provisioning downstream applications based on group membership provides a simple and effective solution. This template provides a blueprint to create, update, and delete Shopify customers based on group membership within Okta.

This flow demonstrates how you can send SMS messages through Twilio.