Available Workflows Templates
The following is a list of currently available templates. Setup documentation and supporting resources are stored in GitHub.
To access this templates list in your Workflows environment, you must have the Templates feature enabled.
To get started with one or more of these templates, see Add a template to your Workflows environment.
Template Title |
Template Description |
Connectors Included |
---|---|---|
Assign group memberships temporarily based on time |
Within Okta, grant membership to a user group, but only for a limited time. For example, a group that gives auditors access to applications, but revoked after 30 days. Another example may be a temporary development project to which you want to assign developers access. |
Okta |
Audit Okta admin roles and last login to Admin Console |
Periodically auditing admin access to your Okta org can help to ensure that users are assigned to the correct admin roles and to identify users who may no longer need admin access based on inactivity. This template identifies all admin users (users who are assigned to the Okta Admin Console application) and writes their information - including admin role assigned and last login to the Okta Admin Console - to a table. |
Okta |
Automate account creation from JIRA |
Onboarding new employees is a complex process that requires inputs from several internal teams and integration across different tools for approval and account creation. In addition, certain businesses may require new employees to complete an orientation or pass a certification before activating a user account. This complexity adds overhead for IT Admins - keeping track of approvals and then activating each user account on a specific date. How can this process get automated, reduce human error and enhance security posture? This template provides an example for automating account creation and activation in Okta triggered by an approved service request in Jira. |
Jira Okta |
Automatically sync Shopify customer identity |
Consistently maintaining user identity across downstream applications is critical for excellent user experience, compliance and governance. Automatically provisioning downstream applications based on group membership provides a simple and effective solution. This template provides a blueprint to create, update, and delete Shopify customers based on group membership in Okta. |
Okta Shopify |
Capture device security events from VMware Workspace ONE |
This template listens to VMware Workspace ONE security events to capture when a device is compromised or out of compliance. This information can be used by Okta to determine which systems a user can access and their security level. |
Okta |
Capture document signatures in Adobe Sign |
Many organizations use Adobe Sign to control agreements – such as Non-Disclosure Agreements (NDAs), Lease Contracts, and Terms of Service (TOS) – that dictate which resources users can access. This template leverages Adobe Sign webhooks to capture when a user signed a document. This information can be used by Okta to determine which systems a user can access and their security level. |
Okta |
Capture document signatures in DocuSign |
Many organizations use DocuSign to control agreements, such as Non-Disclosure Agreements (NDAs), Lease Contracts, and Terms of Service (TOS), that dictate which resources users can access. This template leverages DocuSign webhooks to capture when a user signs a document. This information can be used by Okta to populate an attribute which can in turn be used to manage group and application access. |
Okta |
Capture phishing events from GoPhish |
This template listens to phishing events captured by GoPhish when a user opens a email phishing link or submits information or credentials to a phishing page. This information can be used by Okta to change login procedures and reset user credentials upon security events. |
Okta |
Create a report on multiple Okta events |
There are use cases where you need to utilize multiple events for a singular purpose. Instead of creating copies of each flow that then need to be maintained separately, helper flows and tables can be leveraged to limit the repetition in your flows. This template demonstrates a simple pattern for creating a daily report of user attributes from three Okta events: User Created, User Okta Profile Updated, and User Deactivated. It then uploads a daily report to Google Drive using a scheduled flow that runs every midnight. |
Okta Google Drive |
Create a report with Google Sheets |
Many organizations have custom, org-specific needs to report on particular lifecycle events, and share that data with others in the organization. Okta's System Log is powerful but limited to Okta admins, and also doesn't allow for scheduled reports. This flow demonstrates building a custom report in an online spreadsheet (using a |
Gmail Google Sheets Okta |
Create an Onfido applicant |
For identity verification, this flow creates an Onfido applicant using a User Created event card for the Okta connector and saves the applicant ID in the user’s Okta profile. |
Office 365 Mail Okta |
Create contractor expiry notifications |
Many organizations utilize contractors in addition to full time employees. A contractor typically has a contract expiry date. This is the date when their current contract is due to expire. Certain people within the organization, such as the contractor's manager, need to be notified ahead of the expiry date so they can potentially renew the employee's contract. |
Office 365 Mail Okta |
Create Office 365 guest user accounts |
More companies are using multiple Office 365 tenants. This is especially evident in M&A activities. As a result, users need access across multiple tenants. Many are solving the licensing aspect of this issue through a Microsoft Guest account. But automating the creation and management of these users is cumbersome. This flow will get you started with creating guest accounts with no code nor special infrastructure to host code. |
Office 365 Admin Okta |
Create users in Salesforce |
User Provisioning, or creating users in a third-party system, is one of the most foundational use cases for Okta’s Lifecycle Management product. In order to provide access to a system such as Salesforce, a newly created user needs to have an account in that system with the correct profile attributes and entitlements. This flow helps you create a user in Salesforce and assign them a Profile based on their department. |
Okta Salesforce |
Customized conditional access with Jamf Pro and Okta |
Setup a fully customizable conditional access workflow for your Okta user based on their Apple devices compliancy. |
Jamf Pro Classic API Okta |
Execute on-premises PowerShell with Okta Workflows |
With Okta, you can execute PowerShell on-premises with a combination of Okta Workflows with Azure Automation. Azure Automation delivers a cloud-based automation service that supports automation across Microsoft Azure, on-premises non-Azure, and hybrid environments. This guide gives IT administrators what they need to incorporate PowerShell execution into the user’s lifecycle from the Okta Identity Cloud. |
None |
Form Submission to Workflows API Endpoint |
A number of cloud platform services allow IT administrators and developers to configure forms that can perform a POST operation to a URL endpoint. The data that is sent by the operation to the Okta Workflows API endpoint can be used to onboard or offboard employees, add or remove users from Okta groups, or take action using any configured Workflows connector. This template demonstrates how these tasks can be completed using Postman, Google Forms, and Microsoft Forms. |
Okta |
Generate unique emails |
To onboard users in an organization, IT needs to generate unique email addresses for their end users in downstream applications like Office365 and G Suite. This flow generates the unique email addresses for all the users that are onboarded into Okta. |
Google Workspace AdminOffice 365 Admin Okta |
Generate unique Okta usernames |
To onboard users in an organization, IT often needs to generate a unique Okta username for each user in order to avoid conflicts. These usernames, such as SamAccountName and UPN, are then used in downstream applications like Active Directory. |
Okta |
Grant provisioning approvals using ServiceNow |
In many organizations that use ServiceNow, a subset of access may require approvals. You may have users that are provisioned with birthright access when created, but a specific group access needs to be approved before being provisioned. This flow helps you get approvals for such use cases using ServiceNow. |
Okta ServiceNow |
Hardening customer verification with email factor challenge |
Hardening customer identity authentication is critical to improving security and avoiding fraud. It should be baked into the customer journey both online and offline - whether it is shopping online or picking up takeout food from your favorite restaurant. Hardening customer identity authentication creates two interesting challenges - validating the identity of the customer beyond traditional static password-based authentication to include a reliable time-based one-time password (TOTP), and continuing to provide a frictionless experience without compromising security. |
|
Identify inactive Okta users |
You can determine whether your Okta tenant has stale accounts that were otherwise missed by a manual deprovisioning process using specific criteria to identify inactive users. This task can then allow expensive application licenses, for example, to become available to other users. This template searches for all users in an Okta tenant whose last login date was before a certain date, and writes information about those users to a table in Workflows. The data in the table can be exported to a CSV file as a download, or as an attachment to an email for periodic reporting. An additional enhancement to this template can also be the suspension of inactive users. |
Okta |
Import users from Google Sheets |
When there are disconnected user populations like contractors or certain offices that need to be imported into Okta, a CSV or flat file is the easiest way to create those users in Okta. This flow guides you through how to bring in users from Google Sheets and how to use For Each loops. This flow reads all users in a specified Google Sheet and creates them in Okta at a regular weekly cadence of Mondays at 6am PT. |
Okta Google Sheets |
Initiate a flow with API endpoint |
Okta Workflows is a powerful tool to implement custom business logic. Instead of creating an object directly in Okta (for example, a user, application, or group) with Okta REST APIs, you can send the object request along with its JSON payload to Workflows. Then you can implement custom business logic to check for existing objects in Okta or to reach out to a third party to verify data. Based on the results of the dynamic logic, Workflows can make decisions and provide flexible processing options. |
Okta |
Introduction to custom API actions |
Sometimes a connector doesn’t meet your needs because of a missing action. With the Custom API Action method, you can get around this limitation by making a generic HTTP request to any of the connectors that Workflows has available. This flow uses a custom |
Okta |
Introduction to lists and helper flows |
Much of the data we are working with is presented as a list, such as a list of user objects or a list of applications objects. Workflows allows you to process lists in a comprehensive manner leveraging helper flows to operate on each member of the list. There are a number of ways to process a list. Performing a discrete action on each item without returning anything to the parent flow is very common. You can also keep a cumulative output of each item iteration that can be returned to the parent flow. There are many other List operations. See About parent flows. Helper flows are simply subroutines that exist as a separate flow but can only be called from a main or parent flow. Helper flows are very useful not only for the above mentioned List processing, but for code reusability, team contributions and code cleanup. |
Okta Slack |
Lock Apple devices upon user offboarding with Okta and Jamf Pro |
IT Administrators managing a remote workforce can face a real challenge when a user is offboarded while working from home and IT wants to make sure that all company related devices can no longer be accessed. This workflow offers an automated way to remotely lock all Apple devices assigned to a given user in Jamf Pro when this user is deactivated in Okta. |
Jamf Pro Classic API Okta |
Make a raw HTTP request to G Suite |
Our current Google Workspace connector does not provide access to all endpoints within the Google Workspace API. The Custom API Action card is also restricted to the Directory and Licensing APIs. You can use this template to create a raw HTTP request to obtain the scopes you need. |
Google Workspace Admin |
Make API requests with the HTTP Request card |
In many organizations that integrate with web services, there is a requirement to be able to invoke a SaaS application (or on-premise API secured via an API gateway) secured HTTP(S) endpoint. This flow illustrates the use of the Okta Workflows HTTP Raw Request card for GET and POST operations with sample Content-Type of json and x-www-form-urlencoded. It also illustrates how to process JSON using a variety of Workflows cards. |
None |
Manage AWS SSO entitlements |
The AWS SSO connector allows entitlements (accounts and permission sets) to be added and removed for Okta and AWS users and groups. The connector works in conjunction with the AWS SSO SCIM provisioning app that’s available in the OIN catalog. The flows in this template are triggered when an Okta user is added to or removed from an Okta group. The Okta group holds the entitlements, and the user is updated accordingly in AWS. There are two examples of how to add and remove entitlements using helper flows and a table. |
AWS SSO Okta |
Manage G Suite user Licenses |
This template allows you to disable a user in G Suite and then after a specified delay remove their assigned G Suite licenses. Another part of the flow will reactivate the user in G Suite and reassign the previously removed G Suite licenses. |
Gmail Google Workspace Admin Okta |
Manage Okta group membership based on profile attributes |
In many organizations, a set of Okta group memberships are determined based on Job Codes or more generally, by user profile attributes to implement Role-based access control (RBAC). This flow illustrates group assignment based on user profile attributes. |
Okta |
Modernize your access request management with Okta and Slack |
This template leverages Slack as the collaboration tool and interface to deliver a modern end-user experience during the request lifecycle. It includes a custom Slack application that allows your Slack workspace to interact with your Okta Identity Cloud tenant. To properly run and track requests, the solution uses helper flows, internal tables, the Okta connector, and the Slack connector. |
Okta Slack |
New User Registration |
In customer identity and access management use cases, many business units, locales, and brands may require distinct user management operations. This template demonstrates how to implement custom processing of the registration context. |
Okta |
Notify a user when their profile is updated |
A user profile may be updated for many reasons, including a scheduled change by HR, a change to personal information performed by the user themselves, or some type of automated change. But how can you always be sure that the data in the user profile is accurate and was updated legitimately by the user or an authorized admin? This flow allows you to send a message (for example, through email or Slack) to notify the user that their profile was updated, and they can be prompted to review and confirm those changes. |
Okta Slack |
Onboard and offboard with Office 365 Admin |
This flow allows you to disable a user in Office 365 Admin and then after a specified delay remove their assigned Office 365 licenses. Another part of the flow will reactivate the user in Office 365 Admin and reassign the previously removed Office 365 Admin licenses. |
Office 365 Admin Okta |
Password Change Notification Using SendGrid |
End user security is a major concern for all CIAM customers. Account takeover can be mitigated by notifying an end user when their password has changed, thereby alerting them in the event that it was performed without their knowledge. Branding this notification across multiple application brands is important. Workflows can act on a password change event and send a customized notice to the end user. The trigger event which initiates the flows is a User Password Changed event on the Okta Identity Platform. This occurs whether the user initiates a self service password change or a password is set by administrative action. A customized HTML email template is built which will substitute user and event context dynamically. |
Okta SendGrid |
Password sync for ChromeOS devices |
Google ChromeOS is a rapidly growing platform that has many advantages over legacy operating systems. With ChromeOS and Okta you can authenticate to your device using your Okta credentials and keep those credentials in sync with Okta Workflows. |
Google Workspace Admin Okta |
Populate Okta profile attributes using AWS DynamoDB and Lambda |
This workflow demonstrates how a user's profile can be enriched with associated values that have been retrieved from an external table. In this instance, we will be using a simple Amazon Web Service (AWS) DynamoDB table and the retrieval of data will be facilitated by an AWS Lambda function. This workflow utilizes the AWS Lambda Connector to call the respective Lambda function. This use case is based on a user entered Zip Code which will be used to retrieve associated values like City, State and TimeZone |
AWS Lambda Okta |
Pre-enroll users in SMS multi-factor authentication before activation |
User activations typically allow users to choose and enroll in an MFA factor when they sign in for the first time. To improve security by validating the user's identity during sign-in, users can be pre-enrolled in the SMS factor using the profile phone number that was pulled from Active Directory or the HR system. This flow will automate this process and verify that the user is authorized to receive an activation notice and can access their company's resources. |
Gmail Okta |
Quarantine an Okta User By Sending a Webhook to Workflows |
Taking action on compromised accounts helps increase the security posture of any organization. External systems like Splunk constantly analyze data, searching for specific patterns that could indicate a compromised account. If an account is identified, organizations could quarantine the account and prevent further access to critical applications. When exposed as a webhook, this flow can be invoked by external systems and help with incident response efforts by quickly adding the user to a quarantine group associated with individual Application Sign-on policies to deny access to the application. At the end of the flow, Okta will clear the user session, forcing the user to re-authenticate. The user is now be limited to access only the applications that are not associated with the quarantined event. This Worfklow could be extended to notify the end-user, managers, or administrators through emails or messages to collaboration tools, such as Slack or Microsoft Teams. |
Okta |
Reassign files while deprovisioning with Box |
This template creates a Box account for a user, creates a folder, and sends a notification email to the user's manager. The flow also transfers a user's Box files and folders to a manager if the user is removed from a specific Okta group. |
Box Office 365 Mail Okta |
Reassign files while deprovisioning with Google Drive |
In many organizations that use Google Drive, there's a requirement to transfer the contents of a user's Google Drive to another user. That can be the case when you have users who need to be deactivated. Using this flow, you can transfer the files from the user's Google Drive to the manager and delete the user. |
Google Drive |
Reference an on-premise LDAP Mulesoft |
This template is an example of referring to an LDAP repository to perform a generic search within Okta Workflows. It can be modified and applied to any sort of repository such as an SQL database. This example leverages the Mulesoft Anypoint platform to host the API endpoint consumed by Okta Workflows. |
None |
Remote Sync |
Many CIAM customers have multiple user stores that need to be maintained until legacy systems are decommissioned. When the identity information sourced in Okta changes, these attributes need to be synchronized downstream. This template provides an easy-to-implement, fully customizable method to update a remote system with CRUD (create, update and delete) operations. |
Okta |
Report suspicious activity |
This template provides an end user with the option to report unrecognized activity from an account activity email notification. When end users receive a security email notification, they can send a report by clicking Report Suspicious Activity. Once they review the activity, they can confirm and complete the report. |
Okta Slack |
Restart specific Apple mobile devices on a weekly basis |
Apple Mobile Devices such as iPads can be used as shared devices in several scenarios such as meeting room control panels, customer facing demo screens, and cash machines.Those iPads need to restart from time to time to install pending updates and Jamf Pro doesn't offer a native way to schedule such actions over time. |
Jamf Pro Classic API |
Send a welcome email to new user of an application |
A welcome email is the first impression that an organization makes on a new customer or employee. Welcome emails can deliver a special promotion code, provide information to enhance the user experience, or just send a friendly hello. This template demonstrates how a welcome email can be sent automatically to a new user. |
Gmail Okta |
Send Active Directory credentials to a manager |
Many organizations use Microsoft Active Directory to manage user credentials, also known as AD DelAuth. While Okta’s Active Directory integration allows for user provisioning, organizations need a solution to communicate the account credentials to the user. When onboarding new hires, companies may need to set up these accounts ahead of time. However, the user may not have system or email access until the day of joining. In these scenarios, companies can email the account credentials to the user’s manager with a one-time password. This flow demonstrates how to identify users who are added to Active Directory using Okta’s User Assigned to Application event, fetch their manager’s email address, and send an email notification. |
Office 365 Mail Okta |
Send email notifications with Office 365 |
This flow sends an email notification with Office 365 when a user is suspended in Okta. It allows administrators to easily track user suspensions. This is a generic notifications template. You can easily swap out both the event or the email provider (to Gmail) based on your notifications use case. |
Okta Office 365 Mail |
Send email with attachment |
This template demonstrates sending an email using Gmail with an attachment from Google Drive. |
Gmail Google Drive Okta |
Send SMS via Twilio |
This flow allows you to send SMS messages via Twilio. |
None |
Suspend inactive users |
In many organizations, access tends to proliferate for far longer than certain users require it. You may be working with a contractor who needs access to a single app. Or your offboarding policies are not adequate for an ex-employee. For example, when a user hasn’t logged in for months, you would like to suspend them until you’re notified that they do actually need access. You want to implement such a policy as part of a strong security posture. This flow reads all active users in your environment, and if they haven’t logged in within the past six months (180 days), suspends them. |
Okta |
Suspicious activity event alerts PagerDuty |
Okta enables users to report an activity that they don’t recognize as suspicious activity to their organization administrators. Investigating the suspicious activity reported in a timely manner is critical for preventing and deterring fraud. How can the reported suspicious activity automatically create an incident in PagerDuty for internal teams to investigate further? This template provides an example for automatically creating an incident in PagerDuty when suspicious activity is reported. |
Okta PagerDuty |
Temporarily exempt users from MFA |
Employees often lose and replace their mobile phones. In order to provide temporary access to reset a secondary authenticator, users can be scoped to a less strict authentication policy until they have a device that allows them to comply with high assurance sign-on policies. This template will exempt an Okta user from MFA policies for a predefined period of time. |
Okta |
Trigger automatic notifications when all MFA factors are reset |
Resetting all MFA factors can be triggered by a bad actor, human error, or an IT administrator helping a customer. Timely notifications to enable internal teams to identify next steps is critical for improving security and reducing risk. This template demonstrates how internal teams can be automatically notified when all MFA factors for a user are reset. |
Okta Slack |
Validate and substitute special characters |
When using a user’s name to generate technical fields such as samAccountName and email addresses, often the data will contain characters that are invalid in the specified data field (for example, a space in an email address). This template identifies some of the most common special characters and provides substitutions. The validated or repaired name is then placed in a user profile attribute in Okta to allow for preservation of the original name for display purposes, and utilization of the updated name for technical purposes. |
Okta |
Versioning for flows and folders with Github |
This template will allow a flow builder to back up their flows on an on-demand or automated basis to an external system like GitHub or Google Drive. In order to enable this, we’ve created new functions to export either a flow or folder and have enhanced our GitHub connector to allow a builder to make commits and open pull requests. We’ve also shipped a set of templates that can be easily imported into your environment that walks you through exactly how to version both flows and folders. |
GitHub Gmail Okta |