Set up Okta Workflows for YubiKey shipment

Early Access release. See Enable self-service features.

This procedure explains how to connect your Yubico org with your Okta org using Okta Workflows. This workflow is triggered when you order a pre-enrolled YubiKey for a user. It enrolls and activates a YubiKey for the user, creates the shipment order in the Yubico org, and sends a PIN to the user.

If the shipment information is sourced from an HRIS (Human Resource Information System) app such as ServiceNow or Workday, you also need to connect this app in Okta Workflows.

Before you begin

This is the second part of the Require phishing-resistant authentication with pre-enrolled YubiKey journey, and its tasks are completed in the Okta Workflows Console. Complete Set up FIDO2 (WebAuthn) authenticator and phishing-resistant policies first, and then proceed with this step.

Create a connection from the Okta org

  1. Create a connection from your Okta org. See Authorize the Okta connector.
  2. Create a connection for Okta Devices. See Authorize the Okta Devices connector.

Create a connection from the Yubico org

  1. Generate an API token in your Yubico org. Go to your YubiEnterprise Console > Profile > Generate new API token.
  2. Make a copy of the token and store it in a secure location.
  3. In the Okta Workflows Console, go to Connections > New Connection.
  4. Select the Yubico connector.
  5. In the New Connection window, enter the Connection Nickname. This is the display name you want to appear in your list of connections.
  6. In API Secret, paste the API token from Yubico, and then click Create.

Set up the Okta Workflows template for pre-enrolled YubiKey

  1. Add the Pre-enrolled YubiKey template in your Workflows environment. See Available Workflows templates.
  2. Ensure that the template folder has the following flows:
    • Create shipment trigger - MFA initiated
    • Create shipment trigger - Group add
    • Process shipments (cron job)
    • Create shipment
    • Call Enrollment API
    • Map credential JWE
    • Map FactorID to Key ID
    • Process shipment
    • Iterate shipment item
    • Process product data
    • Call Activate API
    • Map credential response to enrollment ID

Activate Okta and Yubico connection in the flows

Connect each flow to your Okta or Yubico org. Perform the following steps for each flow:

  1. Open the flow and find the cards with an Okta or Yubico connection.
  2. Click Choose connection.
  3. Select your Okta org or Yubico org. Click Save. A green check mark appears next to Okta and Yubico, indicating the connection is successfully established.
  4. Repeat for all other cards and the flows in the template.
  5. Back in the folder, turn on each flow by toggling the On/Off switch. Okta recommends turning off the Create shipment trigger - Group add App Event flow. Only one App Event flow should be on at a time. The folder looks like this:

Update Create Shipment flow to integrate HRIS

This step is required only if the shipment information for your users is sourced from an external HRIS app, such as ServiceNow or Workday. If this information is sourced from Okta, skip this step.

The Okta Workflows template is set up to use Okta Universal Directory as the source for the shipment information. If this information is sourced from the HRIS, you need to update the Create shipment flow to import this information into the flow.

The flow looks like this after updating:

Create a connection from HRIS

Create a connection from the HRIS app. See Configure a connection. This connects the HRIS app to Okta Workflows.

Create a Read User card for HRIS

In the Create shipment flow, next to the Okta Read User card, add a Read User card for the HRIS app.

  1. Under the + icon, click the cloud icon.
  2. Search for the HRIS app. Click the app to open the list of available action cards.
  3. Click the Read User card to add to the flow. Some apps may have a different name for this card. For example, in Workday, it's called the Read Worker card.
  4. In the card, ensure that the app is connected. A green bullet appears in front of the app name, indicating that the connection is successfully established.
  5. Click Save. The Inputs and Outputs sections appear.
  6. In the Outputs section, select the following fields that are required for the shipment and sourced from the HRIS app:
    • Secondary email: Required for all Staged users and the Active users who have never signed into their account.
    • Primary phone
    • Street address
    • City
    • State
    • Zip code
    • Country code
    • Organization
  7. Click Save.

Update mapping for error handling

To update the mapping used by the error-handling cards, drag and drop each of these HRIS fields onto the equivalent Okta field in the flow.

Here's an example:

  1. Drag and drop the City field to replace the Okta City field. The Replace All dialog opens.
  2. Click Replace All. This replaces all instances of the Okta field in the flow with the HRIS field.
  3. Repeat these steps for all other fields.
  4. Click Save Flow.

Add an Update User card for Okta

Next to the last Error Handling card, add the Okta Update User card.

  1. Under the + icon, click the cloud icon.
  2. Search for the Okta app. Click the app to open the list of available action cards.
  3. Click the Update User card to add to the flow.
  4. In the card, ensure that the app is connected. A green bullet appears in front of the app name, indicating that the connection is successfully established.
  5. Click Save. The Inputs and Outputs sections appear.
  6. In the Inputs section, select the Secondary email field. Unselect all other fields in the section.
  7. In the Outputs section, select the ID and Secondary email fields. Unselect all other fields in the section.
  8. Click Save.
  9. Map the user's secondary email address sourced from the HRIS to their secondary email address in Okta. This updates the user's secondary email address in Okta.

The Create shipment flow is now set up to source information from the HRIS app.
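The following is an added example, not Okta's or Yubico's code and not part of this page's template. It reproduces, in plain Python, what the updated Create shipment flow does with the data: each shipment field is taken from the HRIS record (the effect of Replace All), the Secondary email rule from step 6 is enforced before a shipment would be created, and the Update User card's body is limited to secondEmail. It assumes the Okta user dict follows the Okta Users API shape (`id`, `status`, `lastLogin`, `profile.*`); the HRIS key names, the set of address fields treated as mandatory, and the function names are this example's own assumptions.

```python
# Added example, not Okta's or Yubico's code: checks the shipment data that the
# Create shipment flow ends up with once HRIS fields have replaced the Okta
# fields, so that the error-handling cards stop an incomplete shipment.
# Assumptions: the Okta user dict follows the Okta Users API shape (`id`,
# `status`, `lastLogin`, `profile.*`); the HRIS keys are constructed names for
# this example; function names are hypothetical.
from dataclasses import dataclass, field

# Okta profile attribute for each shipment field the page lists, keyed by the
# constructed HRIS field name used in this example.
HRIS_TO_OKTA = {
    "secondary_email": "secondEmail",
    "primary_phone": "primaryPhone",
    "street_address": "streetAddress",
    "city": "city",
    "state": "state",
    "zip_code": "zipCode",
    "country_code": "countryCode",
    "organization": "organization",
}

# Address fields the shipment cannot be created without (an assumption for this
# example; the page lists the fields but not which ones Yubico rejects).
MANDATORY_ADDRESS = ("streetAddress", "city", "zipCode", "countryCode")


@dataclass
class ShipmentCheck:
    shipment: dict                      # address fields under Okta attribute names
    okta_update: dict                   # body for the Okta Update User card
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def secondary_email_required(okta_user: dict) -> bool:
    """Page rule: Secondary email is required for Staged users and for Active
    users who have never signed in; Okta reports lastLogin as null for them."""
    status = okta_user.get("status")
    if status == "STAGED":
        return True
    return status == "ACTIVE" and okta_user.get("lastLogin") is None


def build_shipment(okta_user: dict, hris_record: dict) -> ShipmentCheck:
    """Apply the Replace All mapping: every shipment field comes from the HRIS
    record, never from the Okta profile, then validate before the shipment card."""
    shipment = {okta_attr: hris_record.get(hris_key)
                for hris_key, okta_attr in HRIS_TO_OKTA.items()}

    errors = [f"missing {attr}" for attr in MANDATORY_ADDRESS if not shipment.get(attr)]
    if secondary_email_required(okta_user) and not shipment.get("secondEmail"):
        errors.append("missing secondEmail: required for Staged users and "
                      "Active users who have never signed in")

    # The Update User card takes only Secondary email as input (page step 6),
    # so the update body carries nothing but that attribute.
    okta_update = {}
    if shipment.get("secondEmail"):
        okta_update = {"id": okta_user.get("id"),
                       "profile": {"secondEmail": shipment["secondEmail"]}}
    return ShipmentCheck(shipment, okta_update, errors)


# Constructed sample records for running the check offline.
SAMPLE_OKTA_USER_STAGED = {
    "id": "00uEXAMPLE0000000001",
    "status": "STAGED",
    "lastLogin": None,
    "profile": {"login": "jane.doe@example.com", "secondEmail": None},
}
SAMPLE_HRIS_RECORD = {
    "secondary_email": "jane.doe@personal.example",
    "primary_phone": "+1-555-0100",
    "street_address": "100 Example Street",
    "city": "Springfield",
    "state": "IL",
    "zip_code": "62701",
    "country_code": "US",
    "organization": "Example Corp",
}

if __name__ == "__main__":
    result = build_shipment(SAMPLE_OKTA_USER_STAGED, SAMPLE_HRIS_RECORD)
    print("ok" if result.ok else "errors: " + "; ".join(result.errors))
    print(result.okta_update)
```

Running the module with the constructed records passes the check; dropping `secondary_email` from the HRIS record for a Staged user produces an error and an empty update body, which is the condition the error-handling cards in the flow are meant to catch before the shipment is created.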

Next step

Order pre-enrolled YubiKeys