Okta Workflows release notes (2024)

2024.03.2

Okta Devices connector now available

The Okta Devices is now available in Production orgs with the following cards:

  • Activate Device

  • Deactivate Device

  • Delete Device

  • Read Device

  • Search Device

  • Suspend Device

  • Unsuspend Device

See the Okta Devices connector.

KnowBe4 connector now available

The KnowBe4 connector is available in Okta Workflows with the following cards:

  • Custom API Action

  • List Group Members

  • List Groups

  • List Users

  • Read Group

  • Read User

See the KnowBe4 connector.

SecureFlag connector now available

The SecureFlag connector is available in Okta Workflows with the following card:

  • Remove User License

See the SecureFlag connector.

Authorization URL examples added to several connectors

The authorization connection dialog now includes an example URL for the following connectors:

  • Advanced Server Access
  • Duo Security Admin
  • Freshservice
  • Jira
  • Jira Service Management
  • Marketo
  • OneTrust
  • ServiceNow
  • Shopify
  • Zendesk

These example URLs demonstrate the expected format for connectors that enforce an https:// prefix or a domain suffix (for example: .com, .ca, .customdomain) for the connection URL.

Credential rotation for Zoom connector

OAuth 2.0 credentials have been rotated for the Zoom connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize.

Fixes in Okta Workflows

  • OKTA-225379

    Object subfields couldn't be dragged into a filter condition for the Search Rows card.

  • OKTA-597055

    When an admin created inputs in a For Each card that used dynamic flow inputs, the icon to delete an input field overlapped with the icon used to select a list item from the dropdown menu.

  • OKTA-625849

    If a Search Rows card containing draggable input fields for filter conditions was moved into or out of an If/Error card, it caused the flow to fail.

  • OKTA-705684

    For the Microsoft Teams connector, the flow identifier appeared as the State input on the helper flow when streaming records using the Search Teams and Search Chats cards.

  • OKTA-706352

    For the Okta Devices connector, the Search Devices card didn't stream data to helper flows when using the Stream Matching Records option.

2024.03.1

Credential rotation for Shopify connector

The backend credentials for the Shopify connector were rotated on March 12, 2024 at 12:00 PM PST.

This action has no immediate impact on existing connections. However, admins must reauthorize their existing Shopify connections before March 26, 2024 at 12:00 PM PST to ensure that flows continue working.

Credential rotation for Slack connector

OAuth 2.0 credentials have been rotated for the Slack connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-351074

    On the Flows tab of Connector Builder, admins could click Save when a required field was empty.

  • OKTA-643500

    Tables with filtered results didn't display correctly when the view filter was removed.

  • OKTA-667322

    The Connection usage dialog displayed an incorrect number of flows. This occurred if the connector was used in a flow contained in a subfolder.

  • OKTA-687930

    For tables containing a column with a long name, the options gear icon didn't appear.

2024.03.0

OAuth 2.0 security to invoke an API endpoint (Early Access)

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.

See Invoke a flow with an API endpoint.

Scope search added for OAuth connection configurations

This update adds a search field to the scopes configuration interface for OAuth connections. Users can filter the list of available scopes by entering the name of the scope.

See Configure a connection.

Low-latency mode restrictions for ineligible cards

Okta Workflows now prevents ineligible cards (like those with streaming actions) from entering low-latency mode instead of removing them after they hit a latency restriction or execution limit. This change improves overall flow performance.

See Criteria for low-latency flows.

New logo navigation behavior

Clicking the Workflows logo now returns you to the Flows view of the Workflows Console and shows the most recently selected folder.

New action card added to Miro Administration connector

The Miro Administration connector has added a card:

  • User Session Wipeout

See User Session Wipeout at miro.com.

Upcoming credential rotation for Shopify connector

A credential rotation for the Shopify connector is scheduled for March 12, 2024 at 12:00 PM PST. This action has no immediate impact on existing connections. However, users must reauthorize existing Shopify connections between March 12, 2024 at 12:00 PM PST and March 26, 2024 at 12:00 PM PST to ensure that flows continue to work.

Upcoming credential rotation for Slack connector

A rotation of the OAuth 2.0 credentials for the Slack connector is scheduled for March 10, 2024 on preview cells, and March 17, 2024 for production cells. No action is required for existing connections. However, if you do experience any issues with a connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-646470

    The editable output fields for extensible objects in a helper flow card used a green border instead of dark blue.

  • OKTA-649011

    Sometimes in Connector Builder, if a field was configured but hidden for an OAuth connector, the delivered output fields were empty rather than containing the hidden values.

  • OKTA-659894

    Using an HTTP Raw Request card to call a URL with a trailing slash returned an invalid input error, even though the URL was valid.

  • OKTA-690275

    For the connector, the Instance ARN dropdown menu failed to load for the List AWS Entitlements card. This occurred only if the Options section of the card was opened.

2024.02.2

Credential rotation

Credentials have been rotated for the following connectors:

  • Asana
  • Box
  • DocuSign
  • GitHub
  • Smartsheet

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Update to Jamf Pro Classic API connector authentication flow

The authorization flow for this connector has been updated from Basic Auth to use the OAuth 2.0 Resource Owner Password Credentials flow. This change is transparent for existing flows, but if you experience any issues with this connector, reauthorize your connection to Jamf Pro Classic API.

See Authorization.

Fixes in Okta Workflows

  • OKTA-690784

    The Search Users action card for GitHub only returned 100 results instead of the maximum limit of 1000 results.

2024.02.1

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Credential rotation

Credentials have been rotated for the following connectors:

  • Asana
  • Box
  • DocuSign
  • GitHub
  • Smartsheet

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Workflows templates

The following Okta Workflows template is now available:

See the Available Workflows templates.

Fixes in Okta Workflows

  • OKTA-564782

    If a helper flow contained an HTTP Close card, its parent flow resumed in low-latency mode. This occurred when the parent flow used a synchronous Call Flow card.

  • OKTA-690027

    When filtering using the Search Rows card within an If Error card, admins could only use the output fields from other cards inside the If Error card.

2024.02.0

App integration tile now available for Okta Workflows users

Users who are assigned to the Okta Workflows app now have a dedicated tile on the Okta End-User Dashboard to launch the Workflows Console. See Workflows Console.

OAuth Scopes Customization feature

Today, when Workflows users authenticate to a connector using the OAuth 2.0 protocol, they must grant permissions for all OAuth scopes associated with the connector, regardless of whether those scopes are necessary for a specific use case. Unfortunately, this approach often results in the creation of overly permissive connections.

The OAuth Scope Customization feature empowers users with finer control over OAuth token requests. Now users can selectively remove unnecessary scopes from the token request before initiating the token exchange process. When OAuth Scope Customization is enabled for a connector, users gain the flexibility to create connections tailored to their specific needs. They can limit flows to only essential actions required in a third-party application, minimizing the risk associated with overly permissive connections.

Also, select connectors can provide users the ability to add scopes that aren't initially associated with the connector. This feature becomes valuable when using a Custom API Action card. Users can easily make HTTP requests to a service even for actions that the connector doesn't direct support, greatly expanding the capabilities of Okta Workflows.

See Use OAuth 2.0 Authorization Code and Use OAuth 2.0 Client Credentials.

Client Credentials support added to API connector functions

The API Connector function cards now support authentication using OAuth 2.0 Client Credentials. See Authenticate with API Connector cards.

Duplicate card functionality

Currently, duplicating an existing action or function card in Okta Workflows involves manually adding and recreating the card. This process entails a significant amount of time and effort to configure the new card to match an existing card. There's also the potential for errors when replicating the details of an individual card, leading to wasted time and frustration.

This release introduces the Duplicate Card feature to simplify and accelerate the process of replicating cards within Okta Workflows. Users can now duplicate most function and action cards with a single click. This is invaluable when building use cases that involve complex object or list construction, or when modifying logic within branching functions.

See Duplicate a card.

IP session restrictions for Okta Workflows

Okta super admins can now enable IP session restrictions for Okta Workflows.

This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match for any request, the session is terminated and the Workflows admin must sign in again.

See Manage Early Access and Beta features for instructions on how to enable this feature for your org through the Okta Admin Console.

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Greenhouse connector now available

The Greenhouse connector is now available in Okta Workflows with the following cards:

  • Add User Email Address

  • List Candidates

  • List Users

  • Read Candidate

  • Read User

  • Update Candidate

  • Update User

See the Greenhouse connector.

Darwinbox connector now available

The Darwinbox connector is now available in Okta Workflows with the following cards:

  • Update Email ID

  • Update User Attributes

See the Darwinbox connector.

Adobe User Management connector updated

Adobe User Management is deprecating the Service Account (JWT) credential in favor of the new OAuth Server-to-Server credential. The Adobe User Management connector has been updated to change the default authorization flow from JWT to OAuth.

See the Authorization page for Adobe User Management.

Credential rotation

Credentials have been rotated for the following connectors:

  • Asana
  • Box
  • Dropbox for Business
  • DocuSign
  • GitHub
  • HubSpot CRM
  • Salesforce
  • Shopify
  • Slack
  • Slack Admin
  • SmartRecruiters
  • Smartsheet
  • Zendesk
  • Zoom

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-576957

    When admins opened the Deployment tab in Connector Builder, the loading indicator appeared in the Private deployment pane instead of indicating that the entire page was loading. Also, when a new version was added, the table briefly said that no versions were available.

2024.01.2

Fixes in Okta Workflows

  • OKTA-627817

    When an admin added or edited a row in a Workflow table, the new or updated row was automatically placed at the top of the table rather than where it was in the table originally.

  • OKTA-643523

    When a user attempted to manually test a flow, the flow builder view sometimes indicated that there was no new data and didn't redirect to the new execution in the Execution History view.

  • OKTA-682162

    When an admin created a connection for some Okta Workflows connectors, the process would hang if a connection field contained invalid characters.

2024.01.1

This release includes back-end fixes and improvements, but there are no external changes.

2024.01.0

Groups assignment changes for Okta Workflows application

To enhance the security of the Okta Workflows application, the following changes have been implemented in the Okta Admin Console:

  • On the Applications page:

    • In the Assign Users to App option, the Workflows app is no longer included in the list of available applications.

    • For the Workflows app itself, if you select the Assign to Groups option from the dropdown actions menu, the assignment dialog reports that this is an unsupported operation.

  • If the Self Service feature is enabled for your Okta org, your users can't add the Workflows application to their dashboard.

  • On the Assignments tab inside the Okta Workflows application, the Assign to Groups option is no longer available.

  • In the DirectoryGroups interface, if you try to Assign applications to a specific group, the Okta Workflows app isn't available through the Assign Applications to {group} dialog.

  • Assigning the Okta Workflows application to a group through the Okta public API is also no longer permitted.

Update to flow testing UI

The interface for testing flows inside the flow builder has been updated to provide clarity in message text and button naming.

Improvements to action card dialogs

The selection dialog for action cards now closes immediately when the user selects an action card.

Subfolder icon improvements

The import and export icons shown on the subfolder action menu have been updated to more appropriately reflect the action.

BambooHR connector now available

The BambooHR connector is now available in Okta Workflows with the following cards:

  • Read Employee
  • Update Employee
  • List Employees

See BambooHR connector.

Domain selection added to Jira Service Management connector

Previously, the Jira Service Management connector would fail if the service wasn't on the atlassian.net domain. This update adds a Domain dropdown to the connector authorization dialog so that users can select either atlassian.net or jira.com for the service location. No action is required for existing connections.

See Authorization.

Fixes in Okta Workflows

  • OKTA-591951

    A user could edit the name of an existing flow and replace it with a name that consisted of a null value.

  • OKTA-604699

    For the Microsoft Teams connector, when the Stream Matching Records option was chosen, the results on the List Members and List Channel Members cards didn't match the requested Record Limit.

  • OKTA-617595

    The information provided when importing a folder wasn't clear about the destination of the imported folder.

  • OKTA-660523

    For Google Workspace Admin flows that use the Create User card, sometimes Google hadn't finished the user creation process before it attempted to assign a license, so the assignment failed.

  • OKTA-668196

    For the Google Workspace connector, the function of the Deactivate User action card was to suspend a user, not deactivate one. The card has been renamed Suspend User to more accurately reflect the action. No change is required for existing flows that use this card.