Available Workflows templates

Assign group memberships temporarily based on time

Grant membership to an Okta user group for a limited time. For example, a group that gives auditors access to applications, but revokes access after 30 days. Another example use case might be a temporary development project that developers need to access.

Audit Okta admin roles and last login to Admin Console

Periodically auditing admin access to your Okta org can help to ensure that users have the correct admin roles. Auditing also helps to identify users who may no longer need admin access based on activity. This template identifies all admin users (users assigned to the Admin Console) and writes their information to a table, including admin role assigned and last Admin Console access.

Automate account creation from Jira

Onboarding new employees is a complex process that requires information from internal teams and integration with different approval and account creation tools. In addition, businesses may require a new employee to complete an orientation or pass a certification before activating their user account. The complexity of tracking approvals and then activating each user account on a specific date adds overhead for IT admins. Automating this process reduces human error and enhances your security posture. This template provides an example for automating account creation and activation with Okta when triggered by an approved Jira service request.

Automatically sync Shopify customer identity

Consistently maintaining user identity across downstream applications is critical for excellent user experience, compliance, and governance. Automatically provisioning downstream applications based on group membership provides a simple and effective solution. This template provides a blueprint to create, update, and delete Shopify customers based on group membership within Okta.

Capture device security events from VMware Workspace ONE

This template listens to VMware Workspace ONE security events to capture either compromised or out of compliance devices. Okta uses this information to determine user access to systems and their security level.

Capture document signatures in Adobe Sign

Many organizations use Adobe Sign to control agreements that dictate which resources users can access. For example, non-disclosure agreements (NDAs), lease contracts, and terms of service (TOS). This template uses Adobe Sign webhooks to capture when a user signs a document. Okta then takes this information to determine which systems a user can access and their security level.

Capture document signatures in DocuSign

Many organizations use DocuSign to control agreements that dictate which resources users can access. For example, non-disclosure agreements (NDAs), lease contracts, and terms of service (TOS). This template uses DocuSign webhooks to capture when a user signs a document. Okta then takes this information to populate an attribute used in managing group and application access.

Capture phishing events from GoPhish

Create a report on multiple Okta events

There are scenarios where you need to utilize multiple events for a singular purpose. Instead of creating and maintaining separate copies of each flow, you can use helper flows and tables to limit repetition in your flows. This template demonstrates a simple pattern for creating a daily report of user attributes from three Okta events: User Created, User Okta Profile Updated, and User Deactivated. The template then uploads a daily report to Google Drive through a scheduled flow that runs every midnight.

Create a report with Google Sheets

Many organizations have custom, org-specific needs to report on particular lifecycle events, and share that data with others in the organization. The Okta system log is powerful but is restricted to Okta admins, and also doesn't allow for scheduled reports. This flow demonstrates building a custom report in an online spreadsheet (using a \"user suspended\" event, and then sharing that report with stakeholders when the event occurs.

Create an Onfido applicant

For identity verification, this flow creates an Onfido applicant using a User Created event card for the Okta connector and saves the applicant ID in the user’s Okta profile.

Create contractor expiry notifications

Many organizations utilize contractors in addition to full-time employees. A contractor typically has a date when their current contract is due to expire. This template shows how to proactively notify people within the organization before this date. For example, the contractor's manager, who can potentially renew the employee's contract.

Create Office 365 guest user accounts

More companies are using multiple Office 365 tenants. This is especially evident in M&A activities. As a result, users need access across multiple tenants. Many are solving the licensing aspect of this issue through a Microsoft Guest account. But automating the creation and management of these users is cumbersome. This flow gets you started creating guest accounts without requiring any code or special infrastructure to host code.

Create users in Salesforce

User provisioning, or creating users in a third-party system, is a foundational use case for Okta lifecycle management. To access a system such as Salesforce, a newly created user needs to have an account in that system with the correct profile attributes and entitlements. This flow helps you create a user in Salesforce and assign them a profile based on their department.

Customized conditional access with Jamf Pro and Okta

Set up a fully customizable conditional access flow for your Okta user based on the compliance status of their Apple devices.

Execute on-premises PowerShell with Okta Workflows

With Okta, you can execute PowerShell on-premises with a combination of Okta Workflows with Azure Automation. Azure Automation delivers a cloud-based automation service that supports automation across Azure, on-premises non-Azure, and hybrid environments.

This guide gives IT administrators what they need to incorporate PowerShell execution into the user’s lifecycle from Okta.

Form submission to Okta Workflows API Endpoint

Various cloud platform services allow IT administrators and developers to configure forms that send a POST operation to a URL endpoint. Okta can use the data sent by the operation to the Workflows API Endpoint to onboard or offboard employees, add or remove users from Okta groups, or use any configured Workflows connector. This template demonstrates how to complete these tasks using Postman, Google Forms, or Microsoft Forms.

Generate unique emails

To onboard users in an organization, IT needs to generate unique email addresses for their end users in downstream applications like Office 365 and G Suite. This flow generates the unique email addresses for all the users onboarded into Okta.

Generate unique Okta username

To onboard users in an organization, IT often needs to generate a unique Okta username for each user to avoid conflicts. The username, such as SamAccountName and UPN, are then used in downstream applications like Active Directory.

Generate unique username with user import inline hooks

IT administrators need to have a unique Okta username to add a new hire within an organization. This template uses inline hooks and Workflows to check to see if the imported user exists within the Okta Universal Directory. If the user exists, the template increments the username to make it unique. For example, jessiedoe1@example.com.

Grant provisioning approvals using ServiceNow

In many organizations that use ServiceNow, a subset of access may require approvals. You may have users provisioned with birthright access when created, but a specific group access needs to be approved before being provisioned. This flow helps you get approvals for such use cases using ServiceNow.

Hardening customer verification with email factor challenge

Hardening customer identity authentication is critical to improving security and avoiding fraud. It should be baked into the customer journey both online and offline - whether it's shopping online or picking up takeout food from your favorite restaurant. Hardening customer identity authentication creates two interesting challenges. First validating the identity of the customer beyond traditional static password-based authentication to include a reliable Time-based one-time password (TOTP). Second, continuing to provide a frictionless experience without compromising security.

Identify inactive Okta users

You can determine whether your Okta tenant has stale accounts that a manual deprovisioning process missed by using specific criteria to identify inactive users. This task can then allow expensive application licences, for example, to become available to other users. This template searches for all users in an Okta tenant whose last login date was before a certain date, and writes information about those users to a table in Workflows. The data in the table can be exported to a CSV file as a download, or as an attachment to an email for periodic reporting. An extra enhancement to this template can also be the suspension of inactive users.

Import users from Google Sheets

When you need to import disconnected user populations, like contractors or specific office locations, a CSV or flat file is the easiest way to create those users in Okta. This flow guides you through how to bring in users from Google Sheets and how to use For Each loops. This flow reads all users in from a specific Google Sheets file and creates them in Okta at a regular weekly cadence of Mondays at 06:00 PT.

Initiate a flow with API Endpoint

Okta Workflows is a powerful tool to implement custom business logic. Instead of creating an object directly in Okta (for example, a user, application, or group) using REST APIs, you can send the object request along with its JSON payload to Workflows. Then you can implement custom business logic to check for existing objects in Okta or to reach out to a third party to verify data. Based on the results of the dynamic logic, Workflows decides on actions and provides flexible processing options.

Introduction to Custom API Actions

Sometimes a connector doesn’t meet your needs because of a missing action. With the Custom API Action method, you can get around this limitation by making a generic HTTP request to any of the connectors that Workflows has available. This flow uses a custom Role attribute as part of an Okta user profile. If the user is created with a Support role attribute, the user is added to the HELP_DESK_ADMIN role in Okta.

Introduction to lists and helper flows

A great deal of data exists in list format, such as user or application objects. Workflows allows you to process lists in a comprehensive manner using helper flows to operate on each member of the list. There are various ways to process a list. Performing a discrete action on each item without returning anything to the parent flow is common. You can also keep a cumulative output of each item iteration that can be returned to the parent flow. There are many other List operations. See Parent flows and other flow types.

Helper flows are simply subroutines that exist as a separate flow but can only be called from a main or parent flow. Helper flows are useful not only for processing lists, but also for reusing code, evaluating team contributions, and cleaning up code.

Lock Apple devices upon user offboarding with Okta and Jamf Pro

IT administrators managing a remote workforce can face a real challenge when a remote user is deactivated. IT needs to make sure that all company-related devices can't be used. This flow offers an automated way to remotely lock all Apple devices assigned to a given user in Jamf Pro when the user is deactivated in Okta.

Make a raw HTTP request to G Suite

Our current Google Workspace connector doesn't provide access to all endpoints within the Google Workspace API. The Custom API Action card is also restricted to the directory and licensing API Endpoints. You can use this template to create a raw HTTP request to obtain the scopes you need.

Make API requests with the HTTP Request card

Many organizations that integrate with web services need to be able to invoke a SaaS application or an on-premises API - secured through an API gateway - by using a secured HTTPS endpoint. This flow illustrates the use of the Okta Workflows HTTP Raw Request card for GET and POST operations with some sample content. It also illustrates how to process JSON using various Workflows cards.

Manage access to GitHub based on Secure Code Warrior assessment status

Adds access to a GitHub repository if the user has passed the required Secure Code Warrior assessment. Triggered when the user is assigned the GitHub application.

Manage AWS SSO entitlements

The AWS SSO connector allows entitlements (accounts and permission sets) to be added and removed for Okta and Amazon Web Service (AWS) users and groups. The connector works with the AWS SSO SCIM provisioning app that’s available in the OIN catalog. The flows in this template are triggered when an Okta user is added to or removed from an Okta group. The Okta group holds the entitlements, and the user is updated accordingly in AWS. There are two examples of how to add and remove entitlements using helper flows and a table.

Manage G Suite user licences

This template allows you to disable a user in G Suite and then after a specified delay remove their assigned G Suite licences. Another part of the flow reactivates the user and reassigns the previously removed G Suite licences.

Manage Okta group membership based on profile attributes

In many organizations, a set of Okta group memberships are determined based on job codes or more generally, by user profile attributes to implement role-based access control (RBAC). This flow illustrates group assignment based on user profile attributes.

Manage on-call rotations and schedules with Opsgenie

This template helps automate various frequently used tasks in Opsgenie in relation to on-call rotations and scheduling.

Modernize your access request management with Okta and Slack

This template uses Slack as the collaboration tool and interface to deliver a modern end-user experience during the request lifecycle. It includes a custom Slack application that allows your Slack workspace to interact with your Okta tenant. To properly run and track requests, the solution uses helper flows, internal tables, the Okta connector, and the Slack connector.

New user registration

In customer identity and access management use cases, many business units, locales, and brands may require distinct user management operations. This template demonstrates how to implement custom processing of the registration context.

Notify a user when their profile is updated

A user profile may be updated for many reasons, including a scheduled change by HR, a change to personal information, or some other automated change. However, can you always be sure that the data in the user profile is accurate and updated legitimately by the user or an authorized admin? This flow allows you to send a message (for example, through email or Slack) to notify the user of a profile update. Then they can review and confirm those changes.

Onboard and offboard with Office 365 Admin

This flow allows you to disable a user in Office 365 Admin and then after a specified delay remove their assigned Office 365 licences. Another part of the flow reactivates the user in Office 365 Admin and reassigns the previously removed Office 365 Admin licences.

Password change notification using SendGrid

End-user security is a major concern for all CIAM customers. Account takeover can be mitigated by notifying an end user when their password has changed, and alerting them if it was performed without their knowledge. Branding this notification across multiple application brands is important. Workflows can act on a password change event and send a customized notice to the end user. The trigger event that initiates the flows is a User Password Changed event in Okta. This occurs whether the user initiates a self-service password change or if an admin sets the password. A customized HTML email template substitutes user and event context dynamically.

Password sync for ChromeOS devices

Google ChromeOS is a rapidly growing platform that has many advantages over legacy operating systems. With ChromeOS and Okta you can authenticate to your device using your Okta credentials and keep those credentials in sync with Okta Workflows.

Populate Okta profile attributes using AWS DynamoDB and Lambda

This flow demonstrates how a user's profile can be enriched with associated values that have been retrieved from an external table. It uses a simple Amazon Web Service (AWS) DynamoDB table and the retrieval of data handled by an AWS Lambda function. This flow utilizes the AWS Lambda Connector to call the respective Lambda function. This use case is based on a user-entered zip code to retrieve associated values like city, state, and time zone.

Pre-enroll users in SMS multifactor authentication before activation

User activations typically allow users to choose and enroll in an MFA factor when they sign in for the first time. Improve your security posture by validating the user's identity during sign-in. Users can be enrolled in the SMS factor using the profile phone number from Active Directory or the HR system. This flow automates this process and verifies that the user is authorized to receive an activation notice and can access their company's resources.

Quarantine an Okta user by sending a webhook to Workflows

Acting on compromised accounts helps increase the security posture of any organization. External systems like Splunk constantly analyze data, searching for specific patterns that could indicate a compromised account. If an account is identified, organizations could quarantine the account and prevent further access to critical applications.

When exposed as a webhook, external systems can invoke this flow to help incident response efforts, by adding the user to a quarantine group. This quarantine group is associated with individual application sign-on policies to deny access. At the end of the flow, Okta clears the user session, forcing the user to re-authenticate. The user is now limited to only the applications that aren't associated with the quarantined event.

This flow could be extended to notify the end user, managers, or administrators through emails, text messages, or collaboration tools such as Slack or Microsoft Teams.

Reassign files while deprovisioning with Box

This template creates a Box account for a user, creates a folder, and sends a notification email to the user's manager. The flow also transfers a user's Box files and folders to a manager if the user is removed from a specific Okta group.

Reassign files while deprovisioning with Google Drive

Many organizations that use Google Drive, require a mechanism to transfer the contents of a user's Google Drive to another user, for example when the original user leaves the company. This flow shows how you can transfer the files from the user's Google Drive to the manager and then delete the user.

Reference an on-premises LDAP MuleSoft

This template is an example of referring to an LDAP repository to perform a generic search within Okta Workflows. It can be modified and applied to any sort of repository such as an SQL database. This example uses the MuleSoft Anypoint platform to host the API Endpoint consumed by Okta Workflows.

Remote sync

Many CIAM customers have multiple user stores that need to be maintained until legacy systems are decommissioned. When the identity information sourced in Okta changes, these attributes need to be synchronized downstream. This template provides an easy-to-implement, fully customizable method to update a remote system with CRUD (create, update, and delete) operations.

Remotely Lock all Kandji devices based on security events

IT administrators want to make sure that all company-related devices can no longer be accessed when an employee is off-boarded. This template offers an automated way to remotely lock all Kandji devices assigned to a given user in Kandji when this user is suspended, deactivated, or reports suspicious activity in their account.

Report suspicious activity

This template provides an end user with the option to report unrecognized activity from an account activity email notification. When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report.

Reset user Sessions in Okta, Zoom, Google Workspace, and Office 365

Revoking a user's IdP and application sessions in a timely manner is a crucial part of responding to security-related events. This template provides an example of how to revoke user sessions in Okta, Zoom, Google Workspace, and Office 365. The template uses a single flow that is triggered as a helper flow. This helper flow is useful with events such as:

• an Okta user being suspended

• an Okta user reporting suspicious activity

• an Okta admin performing a password reset on a user

• an Okta admin triggering a delegated flow

Restart specific Apple mobile devices on a weekly basis

Apple mobile devices such as iPads can be used as shared devices in several scenarios such as meeting room control panels, customer-facing demonstration units, or automated cash machines. Those iPads need to restart from time to time to install pending updates and Jamf Pro doesn't offer a built-in method to schedule such actions over time.

Send a welcome email to a new user of an application

A welcome email is the first impression that an organization makes on a new customer or employee. Welcome emails can deliver a special promotion code, provide information to enhance the user experience, or send a friendly hello. This template demonstrates how a welcome email can be sent automatically to a new user.

Send Active Directory credentials to a manager

Many organizations use Active Directory to manage user credentials, also known as Active Directory Delegated Authentication. While the Okta integration with Active Directory allows for user provisioning, organizations need a solution to communicate the account credentials to the user. When onboarding new hires, companies may need to set up these accounts ahead of time. However, the user may not have system or email access until the day of joining. In these scenarios, companies can email the account credentials to the user’s manager with a one-time password. This flow demonstrates how to identify users who are added to Active Directory using the User Assigned to Application event, then fetch their manager’s email address and send a notification.

Send email notifications with Office 365

This flow sends an email notification with Office 365 when a user is suspended in Okta. It allows administrators to easily track user suspensions. This is a generic notifications template. You can easily swap out both the event or the email provider (to Gmail) based on your notifications use case.

Send email with attachment

This template demonstrates sending an email using Gmail with an attachment from Google Drive.

Send SMS through Twilio

This flow allows you to send SMS messages through Twilio.

Suspend inactive users

In many organizations, access tends to proliferate for far longer than certain users require it. You may be working with a contractor who needs access to a single app. Or your offboarding policies aren't adequate for an ex-employee. For example, when a user hasn’t logged in for months, you would like to suspend them until you’re notified that they do actually need access. You want to implement such a policy as part of a strong security posture. This flow reads all active users in your environment, and if they haven’t logged in within the past six months (180 days), suspends them.

Suspicious activity event alerts in PagerDuty

Okta enables users to report an activity that they don’t recognize as suspicious activity to their organization administrators. Investigating the suspicious activity reported in a timely manner is critical for preventing and deterring fraud. How can the reported suspicious activity automatically create an incident in PagerDuty for internal teams to investigate further? This template provides an example for automatically creating an incident in PagerDuty when suspicious activity is reported.

Temporarily exempt users from MFA

Employees often lose and replace their mobile phones. To give users temporary access to reset a secondary authenticator, users can be scoped to a less strict authentication policy until they have a device that complies with high assurance sign-on policies. This template exempts an Okta user from MFA policies for a predefined period.

Tracking and alerting for possible account takeover attempts in Okta

A main vector for fraud comes from account takeovers, achieved from resetting passwords or changing levels of access to privileged accounts. Dynamically monitoring and responding to these two vectors with automated flows greatly reduces the risk of these costly attacks. This template illustrates how Okta Workflows can automate responses to help combat account takeover (ATO) attempts and mitigate risk with self service and help desk-based account recovery. The template watches for user password and MFA factor reset and activation events to determine if the user's account is under threat of an ATO.

Trigger automatic notifications when all MFA factors are reset

Resetting all MFA factors may be triggered by a bad actor, human error, or an IT administrator helping a customer. Timely notifications that enable internal teams to identify next steps is critical for improving security and reducing risk. This template demonstrates how internal teams can be automatically notified when all MFA factors for a user are reset.

Validate and substitute special characters

When generating technical fields from a user’s name, such as samAccountName or an email address, the data often contains invalid characters in the specified data field (for example, a space in an email address). This template identifies some of the most common special characters and provides substitutions. The validated or repaired name is then placed in a user profile attribute in Okta. This preserves the original name for display purposes, and allows you to use the updated name for technical purposes.

Validate email domains during registration

Okta inline hooks allow you to trigger custom processes at specific points within Okta process flows.

The flow in this template is called by an inline hook during the user self-registration process. It uses a Workflows table to enforce email domain validation. If the user's email domain isn't included in the Workflows table allowlist, the registration is denied with an informative error for the user.