Configure remediation with Okta Workflows

Limited Early Access release

Use Okta Workflows with Identity Security Posture Management (ISPM) to run custom remediation actions from the ISPM console. Custom remediation actions can target Okta or other ISPM-connected sources that have an Okta Workflows connector. This integration helps streamline your remediation processes and helps you resolve ISPM-detected issues faster.

ISPM can access all delegated flows in the Okta environment, but you can only run the flows that you have access to. The delegated flow must belong to a resource set that's assigned to you.

Complete the following steps to configure Okta Workflows for ISPM:

  1. Build a delegated flow in Okta Workflows.

  2. Create a resource set and assign permissions.

Before you begin

Ensure that you have the following setup.

ISPM console

In the ISPM console, check the following setup:

  1. The Okta ISPM - SSO OIDC app is integrated with ISPM for the Okta org. If it isn't, complete the steps in Configure Single Sign-On for Okta. This allows ISPM to connect to Okta Workflows for the org.

  2. The same Okta org (that you used for SSO) is a connected source in ISPM. If it isn't, complete the steps in Okta integration.

  3. The status for Okta Workflows is Connected on the Outbound integrations page. If it isn't, ensure that steps 1 and 2 above were done correctly.

Okta Admin Console

  1. Sign in to the Okta Admin Console as a super admin. Only super admins can create resource sets and assign permissions.

  2. Optional. Identify existing resource sets that have View delegated flow and Run delegated flow permissions for the delegated flow that you want to use.

Okta Workflows

  1. Optional. Read Build a delegated flow.

  2. Optional. Obtain access to your Okta Workflows environment to view the flow's execution history and details.

Build a delegated flow in Okta Workflows

A delegated flow is a workflow that admins can run on demand without having direct access to Okta Workflows. If you're configuring Okta Workflows for ISPM for the first time, use pre-built Workflows templates or build a new delegated flow using the steps in this topic. If you've already built delegated flows using these steps, you can reuse the flows or build a new one.

Add a template

  1. Complete the steps in Add a template to your Workflows environment to use any of the following Okta Workflows templates:

    • Deactivate Salesforce User — ISPM Remediation Flow
    • Disable Entra ID Account — ISPM Remediation Flow
    • Entra ID - Add User to a Group — ISPM Remediation Flow
    • Identity Security Posture Management - Event Hook
    • Identity Security Posture Management - Delegated Flow
    • Okta - Add User to a Group — ISPM Remediation Flow
    • Okta - Reset User Password Upon Next Login — ISPM Remediation Flow
    • Suspend Google Workspace User — ISPM Remediation Flow
    • Suspend Okta Account — ISPM Remediation Flow
  2. Optional. Add actions to define your remediation logic.

  3. Turn on the flow.

  4. Save the flow.

  5. Click Run and follow prompts in the UI to test the flow in Okta Workflows.

Build a new delegated flow

  1. In Okta Workflows, click Create Flow.

  2. Select the Delegated Flow event card. This card defines the inputs ISPM will send.

  3. Use the ISPM JSON schema example to build your own card.

  4. Add actions to define your remediation logic. For example, you can define the remediation logic to disable an account, send email, update group membership, or take another action as a response to a flow input.

  5. Turn on the flow.

  6. Save the flow.

  7. Click Run and follow prompts in the UI to test the flow in Okta Workflows.

ISPM JSON schema example

This schema represents the fields ISPM sends to Okta Workflows. Use these values as inputs or conditions within your flow to automate remediation actions.

{
  "eventId": "f73a7741-6980-4d44-b0bf-13a2fa7ac556",
  "eventTimestamp": "2024-06-09T14:56:58Z",
  "eventSource": "Okta ISPM",
  "eventType": "issue.onDemand",
  "issueId": "Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
  "issueCategory": "Least Privilege",
  "issueSeverity": "High",
  "issueTitle": "Unused Admin Account",
  "issueFullDescription": "Admin Accounts not logged in interactively for 91 days.",
  "issueShortDescription": "Admin Accounts not logged in interactively for 91 days.",
  "issueDetectedAt": "2024-06-18",
  "issueSuggestedRemediation": "Assess the essentiality of listed accounts; disable or suspend as necessary.",
  "issueRiskAndImpact": "Unused, unmonitored accounts attract threat actors for gaining initial access or elevated permissions.",
  "issueLink": "https://{your-ISPM-url}/issues/Alert_V32uL3CHijlQYHq-uqTkqWOXSJ8~",
  "entityId": "Account_Q1SMRm3vfzomaZwevHIoL9kVhWU~",
  "entityIdInService": "00ktw0utvzPBXxny16x7",
  "entityType": "Account",
  "entityDisplayName": "john.smith@okta.com",
  "entitySourceProductName": "Okta",
  "entitySourceProductTenant": "example.okta.com",
  "additionalDataTypes": "Admin, Super admin",
  "additionalDataLastLogin": "03/28/2024"
}
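The Python below is an added illustration, not part of Okta's documentation or the Workflows product: it validates a payload shaped like the schema above and derives a remediation decision from it, the way a flow's conditions would. The field names come from the schema; the sample values, the `decide` function and its policy (automate only for non-super-admin Okta accounts on High-severity issues, otherwise route to review) are assumptions. Note that `additionalDataLastLogin` uses MM/DD/YYYY while `eventTimestamp` is ISO 8601, so the two must be parsed differently.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample payload shaped like the ISPM schema on this page;
# the identifiers, tenant and address are placeholders, not real data.
SAMPLE_EVENT = json.dumps({
    "eventId": "00000000-0000-4000-8000-000000000001",
    "eventTimestamp": "2024-06-09T14:56:58Z",
    "eventSource": "Okta ISPM",
    "eventType": "issue.onDemand",
    "issueSeverity": "High",
    "issueTitle": "Unused Admin Account",
    "entityIdInService": "00uEXAMPLEID",
    "entityType": "Account",
    "entityDisplayName": "example.user@example.com",
    "entitySourceProductName": "Okta",
    "entitySourceProductTenant": "example.okta.com",
    "additionalDataTypes": "Admin, Super admin",
    "additionalDataLastLogin": "03/28/2024",
})

REQUIRED = ("eventType", "issueSeverity", "entityType", "entityIdInService",
            "entitySourceProductName", "additionalDataLastLogin")

@dataclass
class Decision:
    action: str            # "suspend" (safe to automate) or "review" (hand to a human)
    target_id: str         # entityIdInService, the ID an Okta connector action needs
    days_since_login: int
    is_super_admin: bool

def decide(raw: str, now_iso: str) -> Decision:
    """Validate an ISPM on-demand payload and map it to a decision (assumed policy)."""
    event = json.loads(raw)
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    if event["eventType"] != "issue.onDemand":
        raise ValueError(f"unexpected eventType {event['eventType']!r}")
    # additionalDataLastLogin is MM/DD/YYYY, unlike the ISO-8601 eventTimestamp.
    last_login = datetime.strptime(event["additionalDataLastLogin"], "%m/%d/%Y").replace(tzinfo=timezone.utc)
    days = (datetime.fromisoformat(now_iso) - last_login).days
    types = {t.strip().lower() for t in event.get("additionalDataTypes", "").split(",")}
    is_super = "super admin" in types
    auto_ok = (event["entitySourceProductName"] == "Okta" and event["entityType"] == "Account"
               and event["issueSeverity"] == "High" and not is_super)  # super admins: manual review
    return Decision("suspend" if auto_ok else "review", event["entityIdInService"], days, is_super)
```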

Create a resource set and assign permissions

A resource set defines which delegated flows ISPM users can view and run. Only delegated flows that belong to a resource set assigned to users with the View delegated flow and Run delegated flow permissions are available in ISPM. Which flows a user can view and run in ISPM depends on the resource set and permissions assigned to that user.

Complete the following steps to create a resource set and assign the flow to it. If you have View delegated flow and Run delegated flow permissions, you can also assign the flow to an existing resource set.

  1. In the Okta Admin Console, go to Security > Administrators > Resources.

  2. Click Add Resource Set.

  3. Name the set. For example, ISPM_Remediation_Flows.

  4. Assign the delegated flows that you created for ISPM to this resource set.

  5. Assign the users who should be allowed to run this flow from ISPM.

  6. Assign View delegated flow and Run delegated flow permissions.

  7. Save the resource set.

Related topics

Test the Okta Workflows integration