Okta Workflows release notes (2024)

Execution Log Streaming now available in Early Access

Previously, customers could audit user-directed actions in Okta Workflows, but had little insight into the automated work executed by the individual flows.

With the Execution Log Streaming feature, customers can monitor execution history and performance across all of their flows. This is done by sending execution logs to a downstream security information and event management (SIEM) tool.

This feature allows you to configure alerts and dashboards to provide proactive identification and resolution of potential issues. The centralized monitoring capability also provides a holistic view across all Workflows operations for better insights and decision making.

See Execution Log Streaming.

The feature adds the following new System Log event types:

• workflows.user.execution_log_stream_connection.activate

• workflows.user.execution_log_stream_connection.deactivate

• workflows.user.execution_log_stream_connection.update

• workflows.user.flow.execution_log_stream.activate

• workflows.user.flow.execution_log_stream.deactivate

To turn on this EA feature for your org, go to SettingsFeatures in the Admin Console and enable the Workflows Execution Log Streaming option.

Execution History Inspector now available in Early Access

Okta Workflows customers frequently reach out to Okta Support for assistance when experiencing unexpected throttles, low latency mode evictions, or other performance changes.

The new Execution History Inspector feature provides various detailed usage metrics directly to you. This diagnostic view helps you to understand flow performance and provides you with the ability to diagnose issues and optimize your flows.

See History Inspector.

The feature adds the following new System Log event types:

• workflows.user.flow.execution_history.activate

• workflows.user.flow.execution_history.deactivate

• workflows.user.flow.execution_history.delete

To turn on this EA feature for your org, go to SettingsFeatures in the Admin Console and enable the Workflows Execution History Inspector option.

Changes to save and clear flow execution history

This release improves the ability to clear the execution history for a flow. You can now choose to clear either the saved input and output values for a flow, or clear all execution history, including the flow metadata.

This update includes revised documentation on how to save, view, and clear execution history for flows.

See Flow execution history.

Move folders functionality now available

Improved folder organization in Okta Workflows gives you the flexibility to drag and drop folders into other folders, or to move them up to become a top-level folder.

See Move a folder into another folder and Move a subfolder to a higher level.

When a folder move occurs, this triggers the new workflows.user.folder.move event type in the System Log.

See the Event Types API.

Universal identifiers for flow and folder references

The URL paths for flows (for example, /app/folders/{foldernumber}/flows/{flownumber}/) have been updated to use a Universally Unique Lexicographically Sortable Identifier (ULID) /app/flows/{ULID}/. For example, /app/flows/01HZKPGVPXYA6ZWMKKADVXYJ1H.

This change has also been made for folder identifiers, which now have the form /app/folders/{ULID}.

Users can continue to use any existing saved links for flows and folders, but are automatically redirected to the new external ID URL. Also, any System Log events for flows now use this ULID instead of the previous format.

Improvements to the Execution History interface

Previously, the time value that appeared for older executions included the seconds value, while newer execution times only included the hour and minute values. The older formats now show the hour and minute values.

The exact execution time is still available using the hover action on the execution time.

Event hook limit increased

The limit on active event hooks per org has been increased from 10 to 25.

See Create an event hook and Hooks in Workflows system limits.

Improvements to the Okta connector

The Okta connector has been updated with the following enhancements:

• The Sync User in External Application event card is now User Synced in External Application.

• The Custom API Action card now has a GET(Streaming) option for the Request Type. This option enables streaming data from a web server request.

• The Record Limit input field has been changed from 10,000,000 to 1,000,000 for the following action cards:

  • Get Users Groups

  • List Applications Assigned to Group

  • List Applications Assigned to User

  • List Group Members

  • List Groups Assigned to Application

  • List Users Assigned to Application

  • List Users With Filter

  • List Users With Search

  • Search Applications

  • Search Group Rules

  • Search System Logs

• The Application and Application Instance fields have been clarified for the following event cards:

  • User Assigned to Application

  • User Unassigned from Application

  • User Synced in External Application

  • User App Password Changed

• These four cards also have a new All App Instances option for the App Instances field. This option triggers the event if the user change happens in any application in your org.

New action card for AWS S3 Connector

The AWS S3 connector has added an Upload Object action card. This new card enables users to upload objects (files) to S3 buckets through the AWS S3 connector.

See AWS S3 connector.

Workflows templates

The following Okta Workflows template is now available:

• Send notifications for a breached password event

See Available Workflows templates.

OAuth scope customization enabled for the Okta, Okta Devices, and Okta Realms connectors

You can now specify custom scopes for OAuth connections to the Okta, Okta Devices, and Okta Realms connectors in Okta Workflows.

When you create or reauthorize a connection, you must go to the Permissions tab in the connection window. Select Use Default Scopes if you want to run any of the connector cards with the regularly assigned scopes. To use the customized scopes feature, specify the desired scopes in Customize scopes (advanced). Grant these scopes in the Okta Workflows OAuth app before you create or reauthorize the connection.

For Okta, see Authorization.

For Okta Devices, see Authorization.

For Okta Realms, see Authorization.

Rename the Test action on all cards

The Test this card action has been renamed to Run this card for all cards that support the functionality.

Okta Devices event cards now hidden from the Okta connector

The following event cards are no longer available from the Okta connector. New flows should use the identical event cards from the Okta Devices connector. For existing flows, you can keep using the Okta event cards or update your flows to use the equivalent Okta Devices event cards.

• Authenticator Activated

• Authenticator Deactivated

• Device Activated

• Device Added to User

• Device Deactivated

• Device Deleted

• Device Enrolled

• Device Suspended

• Device Unsuspended

• Phone Verification Call Sent

• Phone Verification SMS Sent

• User MFA Factor Activated

• User MFA Factor Deactivated

• User MFA Factor Reset All

• User MFA Factor Suspended

• User MFA Factor Unsuspended

• User MFA

Enhancements to the Zoom connector

This release provides updates to existing Zoom connector cards:

• The Get User card is now the Read User card.

• Several input and output fields have been added to the Create User, Read User, and Update User action cards.

  These are backward-compatible changes, so there's no need to replace existing cards. However, if you want to take advantage of the new input and output fields, you must use the new versions of these cards.

This release also includes a new action card for the Zoom connector:

• Read Group

See the Zoom connector.

Updates to the Cisco Identity Intelligence connector

This update removes the lastSignInLocation attribute of the End User State output, as it's no longer supported on the Get End User State action card.

This update also corrects the attribute type of the checkId output field on the Identity Intelligence Webhook event card.

Improvements to date formatting

Date formats have been modified to reflect localized user settings.

For users in the United States, there are minimal changes. The main changes are to provide consistent use of day periods and number of digits in dates, for example, 05/30/24 instead of 5/30/24 or 05/30/2024.

For users in other locales, date formats are now localized, for example, in Australia, the date is now DD/MM/YY.

Action cards added to the Google Workspace connector

The Google Workspace connector has four new action cards to support role assignments.

• Create Role Assignment
• Delete Role Assignment
• Search Role Assignments
• List Roles

See Google Workspace Admin connector.

Event cards added to the Okta Devices connector

The Okta Devices connector has been updated with 19 new event cards.

• Authenticator Activated
• Authenticator Deactivated
• Device Activated
• Device Added to User
• Device Deactivated
• Device Deleted
• Device Enrolled
• Device Removed From User
• Device Suspended
• Device Unsuspended
• MFA Preregistration Initiated
• Phone Verification Call Sent
• Phone Verification SMS Sent
• User MFA
• User MFA Factor Activated
• User MFA Factor Deactivated
• User MFA Factor Reset All
• User MFA Factor Suspended
• User MFA Factor Unsuspended

See Okta Devices connector.

To use these new event cards, go to the Connections tab in your Workflows Console and reauthorize the Okta Devices connection.

Improvements to Execution History interface

The card duration indicators for Execution History have been updated for clarity and accuracy.

Updates to address mis-typed date conversions

The True-False Expression function card now converts Date fields to a UNIX timestamp when a Date type output field is used as input for a Number type field. Previously, this conversion returned a value of 0. Update any flows containing a card where a Date output was sent to a Number input and the result was then modified to return a UNIX timestamp.

Custom API Action card now available for the Okta Devices connector

A Custom API Actions card has been added to the Okta Devices connector in Okta Workflows.

See the Custom API Action card.

Organization and repository option limits for the GitHub connector

The following GitHub connector action cards now include a manual selection field when you choose the Organization and Repository options:

• Create File Content

• Create Branch

• Create Issue

• Create Pull Request

• Read Issue

• Read Pull Request

• Search Branches

• Update File Content

• Update Issue

• Update Pull Request

These option fields are now limited to displaying the first 100 options. These changes prevent timeout issues when there are a large number of repositories to choose from.

See GitHub connector

Template page updated

The Modernize your Access Request Management with Okta and Slack template on the Okta templates interface has been replaced with the Create Users in Salesforce template.

Okta Realms connector now available

The Okta Realms connector is now available in Okta Workflows with the following cards:

• Create Realm

• Create Realm User

• List Realm Users

• Read Realm

• Search Realms

• Update Realm

• Update Realm for User

See Okta Realms connector.

New action card for Okta Devices connector

The Okta Devices connector has added a List Device Users card. See List Device Users.

Oracle HCM connector now available

The Oracle HCM connector is now available in Okta Workflows with the following cards:

• Read Worker

• Search Workers

• Update Worker

See the Oracle HCM connector.

Workflows templates

The following Okta Workflows template is now available:

• Automate lifecycle management with Darwinbox

Important updates for Asana connector

Asana is deprecating their external endpoints currently used by the cards:

• Add Users to Project

• Remove Users from Project

Any existing flows that use these cards will continue to work until Asana completes the API deprecation. However, these cards have been removed from the Asana connector. See Upcoming changes to project memberships for details on the change and the deprecation time frame.

If you currently use the cards marked for deprecation, you can update your flows to use the following new cards that replicate the functionality and use the new Asana endpoints:

• Create Membership

• Delete Membership

These cards provide more functionality by supporting both the Goal and Project memberships for Asana.

See Asana connector.

Cisco Identity Intelligence connector now available

The Cisco Identity Intelligence connector is now available in Okta Workflows with the following cards:

• Identity Intelligence Webhook

• Get End User State

• Get End Users By IP

See Cisco Identity Intelligence connector.

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user's session. When Identity Threat Protection discovers a risk, it can immediately end the user's sessions, prompt an MFA challenge, or invoke an Okta Workflow to restore your org's security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen.

See Identity Threat Protection with Okta AI.

New System Log event for Workflows execution history

There are two new System Log events for flow execution history. When a user activates or deactivates the Save all data that passes through the flow option, the System Log records the date, time, and name of the user.

Okta Devices connector now available

The Okta Devices is now available in Production orgs with the following cards:

• Activate Device

• Deactivate Device

• Delete Device

• Read Device

• Search Device

• Suspend Device

• Unsuspend Device

See the Okta Devices connector.

KnowBe4 connector now available

The KnowBe4 connector is available in Okta Workflows with the following cards:

• Custom API Action

• List Group Members

• List Groups

• List Users

• Read Group

• Read User

See the KnowBe4 connector.

SecureFlag connector now available

The SecureFlag connector is available in Okta Workflows with the following card:

• Remove User License

See the SecureFlag connector.

Authorization URL examples added to several connectors

The authorization connection dialog now includes an example URL for the following connectors:

• Advanced Server Access
• Duo Security Admin
• Freshservice
• Jira
• Jira Service Management
• Marketo
• OneTrust
• ServiceNow
• Shopify
• Zendesk

These example URLs demonstrate the expected format for connectors that enforce an https:// prefix or a domain suffix (for example: .com, .ca, .customdomain) for the connection URL.

Credential rotation for Zoom connector

OAuth 2.0 credentials have been rotated for the Zoom connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize.

Credential rotation for Shopify connector

The backend credentials for the Shopify connector were rotated on March 12, 2024 at 12:00 PM PST.

This action has no immediate impact on existing connections. However, admins must reauthorize their existing Shopify connections before March 26, 2024 at 12:00 PM PST to ensure that flows continue working.

Credential rotation for Slack connector

OAuth 2.0 credentials have been rotated for the Slack connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

OAuth 2.0 security to invoke an API endpoint (Early Access)

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.

See Invoke a flow with an API endpoint.

Scope search added for OAuth connection configurations

This update adds a search field to the scopes configuration interface for OAuth connections. Users can filter the list of available scopes by entering the name of the scope.

See Configure a connection.

Low-latency mode restrictions for ineligible cards

Okta Workflows now prevents ineligible cards (like those with streaming actions) from entering low-latency mode instead of removing them after they hit a latency restriction or execution limit. This change improves overall flow performance.

See Criteria for low-latency flows.

New logo navigation behavior

Clicking the Workflows logo now returns you to the Flows view of the Workflows Console and shows the most recently selected folder.

New action card added to Miro Administration connector

The Miro Administration connector has added a card:

• User Session Wipeout

See User Session Wipeout at miro.com.

Upcoming credential rotation for Shopify connector

A credential rotation for the Shopify connector is scheduled for March 12, 2024 at 12:00 PM PST. This action has no immediate impact on existing connections. However, users must reauthorize existing Shopify connections between March 12, 2024 at 12:00 PM PST and March 26, 2024 at 12:00 PM PST to ensure that flows continue to work.

Upcoming credential rotation for Slack connector

A rotation of the OAuth 2.0 credentials for the Slack connector is scheduled for March 10, 2024 on preview cells, and March 17, 2024 for production cells. No action is required for existing connections. However, if you do experience any issues with a connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

Update to Jamf Pro Classic API connector authentication flow

The authorization flow for this connector has been updated from Basic Auth to use the OAuth 2.0 Resource Owner Password Credentials flow. This change is transparent for existing flows, but if you experience any issues with this connector, reauthorize your connection to Jamf Pro Classic API.

See Authorization.

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Credential rotation

Credentials have been rotated for the following connectors:

• Asana
• Box
• DocuSign
• GitHub
• Smartsheet

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Workflows templates

The following Okta Workflows template is now available:

• Examples of OpenAI prompts

See the Available Workflows templates.

App integration tile now available for Okta Workflows users

Users who are assigned to the Okta Workflows app now have a dedicated tile on the Okta End-User Dashboard to launch the Workflows Console. See Workflows Console.

OAuth Scopes Customization feature

Today, when Workflows users authenticate to a connector using the OAuth 2.0 protocol, they must grant permissions for all OAuth scopes associated with the connector, regardless of whether those scopes are necessary for a specific use case. Unfortunately, this approach often results in the creation of overly permissive connections.

The OAuth Scope Customization feature empowers users with finer control over OAuth token requests. Now users can selectively remove unnecessary scopes from the token request before initiating the token exchange process. When OAuth Scope Customization is enabled for a connector, users gain the flexibility to create connections tailored to their specific needs. They can limit flows to only essential actions required in a third-party application, minimizing the risk associated with overly permissive connections.

Also, select connectors can provide users the ability to add scopes that aren't initially associated with the connector. This feature becomes valuable when using a Custom API Action card. Users can easily make HTTP requests to a service even for actions that the connector doesn't direct support, greatly expanding the capabilities of Okta Workflows.

See Use OAuth 2.0 Authorization Code and Use OAuth 2.0 Client Credentials.

Client Credentials support added to API connector functions

The API Connector function cards now support authentication using OAuth 2.0 Client Credentials. See Authenticate with API Connector cards.

Duplicate card functionality

Currently, duplicating an existing action or function card in Okta Workflows involves manually adding and recreating the card. This process entails a significant amount of time and effort to configure the new card to match an existing card. There's also the potential for errors when replicating the details of an individual card, leading to wasted time and frustration.

This release introduces the Duplicate Card feature to simplify and accelerate the process of replicating cards within Okta Workflows. Users can now duplicate most function and action cards with a single click. This is invaluable when building use cases that involve complex object or list construction, or when modifying logic within branching functions.

See Duplicate a card.

IP session restrictions for Okta Workflows

Okta super admins can now enable IP session restrictions for Okta Workflows.

This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match for any request, the session is terminated and the Workflows admin must sign in again.

See Manage Early Access and Beta features for instructions on how to enable this feature for your org through the Okta Admin Console.

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Greenhouse connector now available

The Greenhouse connector is now available in Okta Workflows with the following cards:

• Add User Email Address

• List Candidates

• List Users

• Read Candidate

• Read User

• Update Candidate

• Update User

See the Greenhouse connector.

Darwinbox connector now available

The Darwinbox connector is now available in Okta Workflows with the following cards:

• Update Email ID

• Update User Attributes

See the Darwinbox connector.

Adobe User Management connector updated

Adobe User Management is deprecating the Service Account (JWT) credential in favor of the new OAuth Server-to-Server credential. The Adobe User Management connector has been updated to change the default authorization flow from JWT to OAuth.

See the Authorization page for Adobe User Management.

Workflows templates

The following Okta Workflows templates are now available:

• Enable a grace period for Identity Governance Access Certification

• Get an Atlassian ID

• Identify inactive third-party users

• Implement log streaming with Okta Workflows

• Offboard Google Workspace users

• Workflows tutorials

See the Available Workflows templates.

Credential rotation

Credentials have been rotated for the following connectors:

• Asana
• Box
• Dropbox for Business
• DocuSign
• GitHub
• HubSpot CRM
• Salesforce
• Shopify
• Slack
• Slack Admin
• SmartRecruiters
• Smartsheet
• Zendesk
• Zoom

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Groups assignment changes for Okta Workflows application

To enhance the security of the Okta Workflows application, the following changes have been implemented in the Okta Admin Console:

• On the Applications page:

  • In the Assign Users to App option, the Workflows app is no longer included in the list of available applications.

  • For the Workflows app itself, if you select the Assign to Groups option from the dropdown actions menu, the assignment dialog reports that this is an unsupported operation.

• If the Self Service feature is enabled for your Okta org, your users can't add the Workflows application to their dashboard.

• On the Assignments tab inside the Okta Workflows application, the Assign to Groups option is no longer available.

• In the DirectoryGroups interface, if you try to Assign applications to a specific group, the Okta Workflows app isn't available through the Assign Applications to {group} dialog.

• Assigning the Okta Workflows application to a group through the Okta public API is also no longer permitted.

Update to flow testing UI

The interface for testing flows inside the flow builder has been updated to provide clarity in message text and button naming.

Improvements to action card dialogs

The selection dialog for action cards now closes immediately when the user selects an action card.

Subfolder icon improvements

The import and export icons shown on the subfolder action menu have been updated to more appropriately reflect the action.

BambooHR connector now available

The BambooHR connector is now available in Okta Workflows with the following cards:

• Read Employee
• Update Employee
• List Employees

See BambooHR connector.

Domain selection added to Jira Service Management connector

Previously, the Jira Service Management connector would fail if the service wasn't on the atlassian.net domain. This update adds a Domain dropdown to the connector authorization dialog so that users can select either atlassian.net or jira.com for the service location. No action is required for existing connections.

See Authorization.