Guidance for Okta connector
Read the following information for guidance and best practices when using an Okta connector in your flows.
Authentication
To authorize the connector:
- You must be assigned to the Okta Workflows OAuth app.
- You must have super admin credentials.
In addition to the initial authorization of the connector, reauthenticating this connection requires an account with super admin privileges.
You also need the following information for authorizing your Okta account:
- Domain: The domain of your Okta org. For example, if the URL of your Okta org is https://yourcompany.okta.com, then your domain is yourcompany.okta.com.
- Client ID and Client Secret: The client ID and client secret from your Okta Workflows OAuth app. To find these values, go to
Types of accounts
The account used to create the connection must have super admin credentials.
Often, it's a better practice to create a specific service account with super admin credentials for Okta Workflows and then use that account to authorize the connection. Otherwise the Okta user account used to set up the connection is associated with any actions performed by Okta Workflows.
New features and scopes
When a release of Okta Workflows adds features, or when a feature is enabled for your org, these updates can add scopes to the available scopes in the Okta Workflows OAuth app.
After a feature that provides new scopes is released or enabled, follow the steps in the Supported scopes section.
Supported scopes
To grant scopes to your Okta Workflows OAuth app, perform the following steps in the Workflows Console:
- Go to . A list of available scopes appears.
- Click Grant for each scope that you want to grant.
When adding scopes to an existing connection, you need to reauthorize your connection.
List of available scopes
Scopes designated with an asterisk (*) are automatically granted. You don't need to grant them through the Okta Workflows OAuth app.
- openid*
- profile*
- email*
- phone*
- address*
- groups*
- offline_access*
- okta.apps.manage
- okta.apps.read
- okta.clients.manage
- okta.clients.read
- okta.clients.register
- okta.deviceAssurance.manage
- okta.deviceAssurance.read
- okta.devices.manage
- okta.devices.read
- okta.eventHooks.manage
- okta.eventHooks.read
- okta.events.read
- okta.factors.manage
- okta.factors.read
- okta.governance.accessCertifications.manage
- okta.governance.accessCertifications.read
- okta.governance.accessRequests.manage
- okta.governance.accessRequests.read
- okta.governance.entitlements.manage
- okta.governance.entitlements.read
- okta.groups.manage
- okta.groups.read
- okta.identitySources.manage
- okta.identitySources.read
- okta.idps.manage
- okta.idps.read
- okta.inlineHooks.manage
- okta.inlineHooks.read
- okta.linkedObjects.manage
- okta.linkedObjects.read
- okta.logs.read
- okta.networkZones.manage
- okta.networkZones.read
- okta.policies.manage
- okta.policies.read
- okta.roles.manage
- okta.roles.read
- okta.schemas.manage
- okta.schemas.read
- okta.trustedOrigins.manage
- okta.trustedOrigins.read
- okta.users.manage
- okta.users.read
Limited Early Access release
- okta.workflows.invoke.manage
Best practices
The following information provides more configuration information for Okta cards.
Search System Log options
- In the Keyword field, the query parameter q is used to perform keyword matching against the attribute values for a Log Events object. All input keywords must be matched exactly (keyword matching is case-insensitive). See System Log.
- No values are returned when using a keyword match on an attribute with a null.
- The eq operator is used to concatenate each key and value pair, and combines different keys with an and operator. To use other operators, use the Custom Filter field to build your own expression. Those predefined fields and the Custom Filter field are concatenated using the and operator. See System Log.
Get users or groups
The following examples show configurations for obtaining both the first 200 groups and for streaming records.
First 200 records
This flow captures the first 200 groups that a user joined on a monthly basis.
Stream records
This flow updates one Custom Field value for all the groups that a specific user joined.