Okta Workflows release notes (2024)
2024.11.2
Addigy connector now available
The Addigy third-party connector is now available in Okta Workflows with the following cards:
- Get Identity User Attributes
- Get Device Facts
- Get Identity User Email
- Get Policy
- Get Device Information
- Custom API Action
- List Policies
- Lock Device
See Addigy connector.
Update to Slack connector for file uploads
Slack has deprecated the current process for uploading files used by the following cards:
As a result, the File Type output field for these cards may now return as empty.
Limit for the number of projects retrieved on Jira connector cards
When populating the dropdown list of projects for the following Jira connector cards, the number of retrieved projects is now limited to 50:
If there are more than 50 Jira projects available to the connector, you can enter a specific Project Key in the corresponding Option or Input fields.
Fixes in Okta Workflows
-
OKTA-796835
The Upload function card returned a Parse Error message when the returned Body wasn't a valid JSON string.
-
OKTA-804082
When running the Clear Table function against an existing table, the card returned an error message that the table was removed and requested a new table.
-
OKTA-816690
The Office hours schedule link on the Workflows home page returned a 404 Not Found error message.
-
OKTA-824073
Uploading a CSV file to an AWS S3 instance failed due to a temporary server misconfiguration.
-
OKTA-831148
The link to the Okta Help Center was broken.
-
OKTA-834143
Clicking a date and time entry field in a Workflows table caused the date to move back one full day, even if no change was made.
2024.11.1
Fixes in Okta Workflows
-
OKTA-222523
With the Show Mappings option enabled, the mapping lines appeared over the Execution History side panel.
-
OKTA-713920
Within the embedded help browser, when an admin clicked Copy on the code samples provided in the help topic, the browser returned a 404 error message.
-
OKTA-805870
When an admin added an app action to a flow, the selection dialog didn't include a Connected apps section. When the dialog updated to include the connected apps, a reload of the Okta apps and All apps sections occurred.
-
OKTA-825399
When the role-based access control feature was enabled for Okta Workflows, the Okta super admin and the Workflows Administrator roles didn't appear on the Role assignments tab of the Settings page.
-
OKTA-832993
Attempting to authorize a Tableau Cloud connector failed if there was a hyphen character in the Tableau Cloud URL domain name.
2024.11.0
Improved look and feel for Okta Workflows
This release introduces various graphical enhancements to Okta Workflows. These changes improve the appearance, readability, and usability of the Workflows Console.
NetSuite connector now available
The NetSuite connector is available in Okta Workflows with the following cards:
See NetSuite connector.
Tableau Cloud connector now available
The Tableau Cloud connector is available in Okta Workflows with the following cards:
Scopes documentation for the Okta Devices and Okta Realms connectors
Two new topics, Scopes for Okta Devices connector cards and Scopes for Okta Realms connector cards, cover the specific OAuth 2.0 scopes required for individual event and action cards of the Okta Devices and Okta Realms connectors.
Updates to the Yubico FIDO Pre-registration template
The Yubico template has been updated with the following enhancements:
-
A new helper flow called Error Flow - Update Shipment Status makes a POST call to the Okta enrollment API.
-
The Create Shipment Trigger - MFA Initiated and Create Shipment Trigger - Group flows now use a Try/Catch block around the call to the Create Shipment flow. If there's an error, this triggers the new error helper flow.
-
Within all the helper flows, the new error flow is called as part of error handling for a card.
-
Updated the Return Error If cards to include an authEnrollmentError object that the parent flow handles.
-
The Process Shipments helper flow includes a new flag in the lookup table to track errors. This is separate from the shipment table status. The new error flow is triggered if there's an error during the shipment process.
Fixes in Okta Workflows
-
OKTA-619484
When an admin added a new row to an Okta Workflows table with a default date column, the default date value was marked as invalid.
-
OKTA-630392
On the Workflows Console home page, the Search all templates field didn't return any search results.
-
OKTA-822629
In the Workflows Console, the Usage window displayed a truncated value for the number of Execution Log Streaming events.
2024.10.1
Fixes in Okta Workflows
-
OKTA-808579
The output of the Difference function card included values that were only different in the letter casing, rather than ignoring the case.
-
OKTA-744552
In Connector Builder, if the Client ID parameter in an OAuth 2.0 Authorization Code flow contained the = character, the authorization request failed.
-
OKTA-750169
If the field name of an item inside a dynamic group matched the dynamic group name, then the card didn't return the dynamic input or output fields.
-
OKTA-798324
After the user viewed a flow execution in the Execution History Inspector and then navigated away from that execution, the execution ID of the helper flow didn't match the execution ID of the parent.
-
OKTA-813958
The search field in the connector selection dialog didn't automatically clear the search keyword after the user selected a connector or closed the dialog. This meant that the user had to manually clear the search term before using the field to search for a specific action card.
2024.10.0
HubSpot CRM connector API update
New connections to HubSpot CRM take advantage of the advanced scope settings in the HubSpot CRM API. However, no action is required for existing connections. See Advanced auth and scope settings for public apps.
Interface improvements for Execution History Inspector
The Execution History Inspector pane is now animated when opening and closing.
Usage indicator now includes ELS events
A new row on the Usage page shows the number of Execution Log Streaming messages sent during the current calendar month.
Fixes in Okta Workflows
-
OKTA-715883
Calling a helper flow from the Map function card sometimes returned null instead of the data generated by the helper flow.
-
OKTA-744552
In Connector Builder, if the Client ID parameter in an OAuth 2.0 Authorization Code flow contained the = character, the authorization request failed.
-
OKTA-746992
The Okta Workflows Pendo guide contained an embedded Vidyard video, but the Content-Security-Policy browser settings prevented the video from playing.
-
OKTA-756368
When activities were performed on Workflows tables, other IP addresses appeared in the System Log.
-
OKTA-792431
If an admin returned to a deleted folder, it showed the error message action.payload.filter is not a function instead of a 404 - Not found error.
-
OKTA-815618
In the header field for the JWT Sign card, using the x5t key returned an error if the corresponding value contained padded Base 64 values.
2024.09.3
Deprecation of long-form syntax for JWT Sign card
For the JWT Sign function card, the use of long-form syntax (seconds or milliseconds) in the expiresIn and notBefore fields is deprecated. Replace any long syntax with their short forms (for example, s or ms).
See Sign.
Fixes in Okta Workflows
-
OKTA-804915
With the role-based access control (RBAC) feature enabled, users who had the Okta Workflows app unassigned and then reassigned received an error when they signed in to the Workflows app.
2024.09.2
Fixes in Okta Workflows
-
OKTA-790208
If an admin enabled the Execution Log Streaming feature for an org, but then disabled it for one or more individual flows, then an attempt to disable the feature at the org level returned an internal server error.
-
OKTA-803507
This update fixes several display issues for the new connector catalog interface.
2024.09.1
Workflows templates
The following Okta Workflows templates are now available:
-
Okta Identity Governance: Implement backup of OIG app entitlements with Okta Workflows
-
Okta Realms: Generate detailed realms and realm user reports
The following Okta Workflows templates have been updated:
-
Automate account creation from Jira
-
Temporarily exempt users from MFA
Fixes in Okta Workflows
-
OKTA-604373
When a scheduled flow invoked a webhook flow, the webhook flow was counted twice in the workflow execution.
-
OKTA-740976
If a connection was deleted in Okta Workflows, then importing a flow pack that used the deleted connection failed.
-
OKTA-756368
When activities were performed on Okta Workflows tables, extra IP addresses appeared in the System Log.
-
OKTA-798681
Flows that used the Add or Subtract Date & Time function cards returned an error if these cards were configured to result in impossible date values. For example, adding months to a date so that the resulting date was February 30.
2024.09.0
IP session restrictions for Okta Workflows is now a Generally Available feature in Production orgs
Okta super admins can now enable IP session restrictions for Okta Workflows.
This feature ensures that all Okta Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match any request, the session is terminated and the admin must sign in again.
If you want to disable the feature, contact Okta Support.
Role-based access control is now available as an Early Access feature in Production orgs
As Okta Workflows can make comprehensive changes both within Okta and out to other connected SaaS apps, access to Workflows was restricted to Okta super admins. While this regulation enhanced the security of Okta Workflows, it limited the number of users, restricted the ability to scale the use of Okta Workflows, and reduced its overall value to customers.
With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.
To support this feature, three new admin roles are available:
-
Workflows Administrator: For full-access administration within Okta Workflows only
-
Workflows Auditor: For compliance management with read-only access
-
Connection Manager: For securely handling accounts and credentials
RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.
To turn on this EA feature for your org, go to Admin Console and enable these options:
in the-
Workflows Access Control
-
Workflow Admin Role
-
Workflows Provisioning
See Access Control.
The addition of the RBAC feature includes four new event types to record related actions in Okta Workflows:
-
workflows.user.role.user.add
-
workflows.user.role.user.remove
-
workflows.user.role.group.add
-
workflows.user.role.group.remove
See the Event Types API.
Improvements to Workflows Connector Catalog
When selecting an event or an action card in Okta Workflows, the available connectors catalog has been updated with significant organizational and usability enhancements.
The interface can now display the following information for a connector:
-
A detailed description
-
Who made the connector
-
The release version and when it was last updated
-
Links to relevant user documentation and support contacts
Some fields may not be present for existing connectors.
To help you quickly find the connectors you need, they're organized into three searchable sections: Connected apps, Okta apps, and All apps.
In addition, when an admin adds an event card to a flow, the updated card selection dialog now provides a better usability experience.
Context field added for ULID support
The output section for helper flows has a new wf_id field. The field tracks the Universally Unique Lexicographically Sortable Identifier (ULID) of the parent flow. The existing id output field remains as a reference to the parent flow's id value.
Documentation improvement for Okta connector scopes
The OAuth 2.0 scopes for each event and action card in the Okta connector have been documented to indicate what specific scopes are required for individual cards.
Update to Jamf Pro Classic API connector
The Send Computer MDM command card for the Jamf Pro Classic API connector has a new Lock Message input field so admins can include a message when performing a device lock action.
Workflows throttling improvements
If Okta Workflows throttles a flow, the execution history now provides a dialog with more details. The dialog indicates if the throttling occurred due to problems at the flow, org, or execution level.
Also, if your org exceeds the allowed resource limits, Okta Workflows displays a banner to indicate that flow executions in your org have been either throttled or blocked.
System Log events added for flow and table changes
The workflows.user.flow.move and workflows.user.table.move events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.
Fixes in Okta Workflows
-
OKTA-581584
There was a typographical error in the Group Privilege Revoked event card description of the Okta connector.
-
OKTA-736026
In the Okta connector, the Excluded Users output field on the Read Group Rule card returned an array with an empty string rather than an empty array. This caused the list length to be 1 when it should have been 0.
-
OKTA-737784
When reauthorizing an existing connection, the default or custom scope selections weren't retained.
Now when reauthorizing existing connections, the scopes are either set to the default scopes or retain any custom scope settings.
-
OKTA-791345
The Region list used when authorizing an AWS Lambda connector was missing several AWS regions.
-
OKTA-794139
When an org upgraded from the Okta Workflows Free Trial version to Unlimited Workflows, the free trial limit prevented flows from executing.
-
OKTA-795297
For RBAC-enabled orgs, if you deleted an Okta user and then created a user with the same email or username, the new user couldn't perform any actions in Okta Workflows.
-
OKTA-798723
When an admin added an OAuth 2.0 authentication to a connector in Connector Builder, the Base URL, Authorize Path, Token Path, and Refresh Token Path fields wouldn't accept URLs where an authorization parameter was used as part of the subdomain address. For example, https://{{auth.authorization_subdomain}}.workday.com/{{auth.tenant}}/authorize.
2024.08.3
FedRAMP High support for Microsoft connectors
The following connectors now support the Federal Risk and Authorization Management Program (FedRAMP) High Baseline and can be used in Okta for Government High:
- Excel Online
- Azure Active Directory
- Microsoft Teams
- Office 365 Calendar
- Office 365 Mail
- OneDrive
Okta Workflows in Okta for Government High only supports connections using accounts from Office 365 GCC High tenants.
Fixes in Okta Workflows
-
OKTA-794118
Download File action cards sometimes returned an Invalid Authentication Token error message.
-
OKTA-754284
After you configure the Execution Log Streaming feature, if the feature was later turned off, streaming events were still sent to the downstream service.
2024.08.2
Fixes in Okta Workflows
-
OKTA-613668
In Connector Builder, dynamic groups didn't have a header in a card's Input or Output section when using a reserved group name.
-
OKTA-790175
With the Execution History Inspector feature enabled, the Execution History view didn't display a warning message if a flow was modified after it was run.
-
OKTA-790836
The AES Encryption function card contained unsupported OpenSSL encryption algorithms.
-
OKTA-790882
Attempting to cancel one helper flow from the Execution History view of another helper flow produced misleading results. The view showed that the other helper flow's cancellation was in progress, but the other helper flow wasn't canceled.
-
OKTA-793480
In the Yubico FIDO Pre-registration template, the Process shipment flow could be turned on even if there wasn't a valid connection in the Yubico connector.
-
OKTA-794205
Users who previously signed in to an org with the RBAC feature enabled, but weren't assigned an RBAC role, didn't appear in search results with the No role assigned filter selected.
2024.08.1
Credential rotation for Slack Admin connector
OAuth 2.0 credentials have been rotated for the Slack Admin connector.
If you experience any issues with this connector, go to the Connections tab in your Workflows Console and reauthorize.
Fixes in Okta Workflows
-
OKTA-726331
Canceling a nested helper flow failed unless the cancellation action was initiated from the top-level flow.
-
OKTA-742519
For the AWS S3 connector, the Read Object Tags card returned an invalid input type error instead of a list of tags set for the specified object.
-
OKTA-744174
For the AWS S3 connector, the Upload Object card didn't pass through the Object Lock Retain Until Date field when uploading an object.
-
OKTA-756178
If a flow's ULID value was passed as a dynamic input into the Export Flow function, the flow returned a 500 Internal Server error.
-
OKTA-791013
In Workflows tables with a True/False column, admins couldn't manually change a value from True to False.
-
OKTA-791122
The Execution History view and the Execution History Inspector sometimes showed inconsistent duration times.
-
OKTA-793480
In the Yubico FIDO Pre-registration template, the Process shipment flow could be turned on even if there wasn't a valid connection in the Yubico connector.
2024.08.0
OAuth 2.0 security to invoke API endpoints now available in EA
Okta Workflows users can securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature provides more security while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.
Improvements to clarify incorrect card input
When provided with invalid input, some cards return a Max command request/response attempts reached error message instead of returning an error that the input is invalid. This behavior has been corrected and the card doesn't attempt to retry the query with invalid input.
Improvements to Execution History Inspector view
When you view an in-progress flow execution, the Execution History Inspector now automatically scrolls to bring the most recently executed card into view.
Browser interface improvement for folders
The folder name is now included on your browser tab when you have a folder open in either the Folders view or in Connector Builder.
Fixes in Okta Workflows
-
OKTA-744830
After reverting a moved folder action in Okta Workflows, the System Log didn't correctly record the folder paths.
-
OKTA-749052
Sometimes a currently running flow was marked as complete in the flow's Execution History.
-
OKTA-754269
The Tables Search Row function card returned an internal server error when it contained a filter that used a string value instead of a strict boolean.
-
OKTA-791779
The Yubico template failed for orders that were made in countries without a state in the address.
2024.07.2
Okta Privileged Access connector now available
The Okta Privileged Access connector is now available in Okta Workflows with the following cards:
- Create Access Report
- Create Project
- Create Project Enrollment Token
- Create Resource Group
- Custom API Action
- Delete Project
- Delete Resource Group
- Delete Server
- Download Access Report
- Find Group By Name
- Find Groups
- Find Project By Name
- Find Resource Group By Name
- Find Servers
- Find Service User By Username
- Find Users
- List Access Reports
- List Enrolled Servers in Project
- List Project Enrollment Tokens
- List Resource Group Projects
- List Resource Groups
- List Service Accounts
- Retrieve Access Report
- Update Resource Group
Fixes in Okta Workflows
-
OKTA-619031
When a table column with a True/False field type had a default value of True, the properties dialog for the column incorrectly displayed the default value as False.
-
OKTA-653941
The text size on the Flow Activation button made it difficult to read.
-
OKTA-736923
The Multipart Upload function card didn't pass the HTTP content-type header for a file upload.
-
OKTA-747044
In the Execution Log Streaming EA feature, setting a custom body event sometimes caused the downstream system to return an invalid request error.
-
OKTA-748261
Redirect URL values entered for the OAuth 2.0 Auth Code flow in Connector Builder were incorrectly appended with a :443 port.
-
OKTA-750773
In the Workflows Console, the documentation links for the Execution Log Streaming and Execution History Inspector EA features pointed to incorrect destination URLs.
-
OKTA-752756
On the Flow Chart page, parts of the flow navigation were hidden or difficult to read if the browser window was small, if the flow was very large, or if the flow contained a card with nested or branched areas (like If/ElseIf).
2024.07.1
New action cards for ServiceNow connector
The ServiceNow connector has been updated to include five new action cards:
See the ServiceNow connector.
Yubico connector updated
The documentation link for the Yubico connector has been updated.
See the Yubico connector.
Workflows templates added
The following Okta Workflows templates are now available:
Fixes in Okta Workflows
-
OKTA-729321
The Create Cloud User card in the Azure Active Directory connector didn't have an Email input field for setting the user email address.
-
OKTA-746306
The Execution History panel included two options for Network Ingress and Network Egress, but these options aren't available for this EA feature.
-
OKTA-747316
The Execution History view of a deleted execution displayed an in progress status message instead of a message that the execution doesn't exist.
2024.07.0
Execution Log Streaming now available in Early Access
Previously, customers could audit user-directed actions in Okta Workflows, but had little insight into the automated work executed by the individual flows.
With the Execution Log Streaming feature, customers can monitor execution history and performance across all of their flows. This is done by sending execution logs to a downstream security information and event management (SIEM) tool.
This feature allows you to configure alerts and dashboards to provide proactive identification and resolution of potential issues. The centralized monitoring capability also provides a holistic view across all Workflows operations for better insights and decision making.
The feature adds the following new System Log event types:
-
workflows.user.execution_log_stream_connection.activate
-
workflows.user.execution_log_stream_connection.deactivate
-
workflows.user.execution_log_stream_connection.update
-
workflows.user.flow.execution_log_stream.activate
-
workflows.user.flow.execution_log_stream.deactivate
To turn on this EA feature for your org, go to Admin Console and enable the Workflows Execution Log Streaming option.
in theExecution History Inspector now available in Early Access
Okta Workflows customers frequently reach out to Okta Support for assistance when experiencing unexpected throttles, low latency mode evictions, or other performance changes.
The new Execution History Inspector feature provides various detailed usage metrics directly to you. This diagnostic view helps you to understand flow performance and provides you with the ability to diagnose issues and optimize your flows.
See History Inspector.
The feature adds the following new System Log event types:
-
workflows.user.flow.execution_history.activate
-
workflows.user.flow.execution_history.deactivate
-
workflows.user.flow.execution_history.delete
To turn on this EA feature for your org, go to Admin Console and enable the Workflows Execution History Inspector option.
in theChanges to save and clear flow execution history
This release improves the ability to clear the execution history for a flow. You can now choose to clear either the saved input and output values for a flow, or clear all execution history, including the flow metadata.
This update includes revised documentation on how to save, view, and clear execution history for flows.
Move folders functionality now available
Improved folder organization in Okta Workflows gives you the flexibility to drag and drop folders into other folders, or to move them up to become a top-level folder.
See Move a folder and Move a subfolder to a higher level.
When a folder move occurs, this triggers the new workflows.user.folder.move event type in the System Log.
See the Event Types API.
Universal identifiers for flow and folder references
The URL paths for flows (for example, /app/folders/{foldernumber}/flows/{flownumber}/) have been updated to use a Universally Unique Lexicographically Sortable Identifier (ULID) /app/flows/{ULID}/. For example, /app/flows/01HZKPGVPXYA6ZWMKKADVXYJ1H.
This change has also been made for folder identifiers, which now have the form /app/folders/{ULID}.
Users can continue to use any existing saved links for flows and folders, but are automatically redirected to the new external ID URL. Also, any System Log events for flows now use this ULID instead of the previous format.
Improvements to the Execution History interface
Previously, the time value that appeared for older executions included the seconds value, while newer execution times only included the hour and minute values. The older formats now show the hour and minute values.
The exact execution time is still available using the hover action on the execution time.
Event hook limit increased
The limit on active event hooks per org has been increased from 10 to 25.
See Create an event hook and Hooks in Workflows system limits.
Fixes in Okta Workflows
-
OKTA-738244
For some function cards, when an admin changed the data type from a boolean to a string, the input field retained the previous value (True or False), instead of clearing the field.
2024.06.2
Improvements to the Okta connector
The Okta connector has been updated with the following enhancements:
-
The Sync User in External Application event card is now User Synced in External Application.
-
The Custom API Action card now has a GET(Streaming) option for the Request Type. This option enables streaming data from a web server request.
-
The Record Limit input field has been changed from 10,000,000 to 1,000,000 for the following action cards:
-
The Application and Application Instance fields have been clarified for the following event cards:
-
These four cards also have a new All App Instances option for the App Instances field. This option triggers the event if the user change happens in any application in your org.
New action card for AWS S3 Connector
The AWS S3 connector has added an Upload Object action card. This new card enables users to upload objects (files) to S3 buckets through the AWS S3 connector.
See AWS S3 connector.
Workflows templates
The following Okta Workflows template is now available:
Fixes in Okta Workflows
-
OKTA-554482
When scrolling horizontally in the Execution History page, the expansion icon for any long output field moved to the center of the field, instead of remaining on the right side.
-
OKTA-734371
When executing multiple flows that used a single Google account for the Google Sheets connections and contained any of the Read Row, Read All Rows, Clear Row, or New Row action cards, admins occasionally received a ScriptError message. If you still encounter this error, reauthenticate your Google Sheets connection.
-
OKTA-737380
The SFTP Write File action card returned a value of FALSE to the Succeeded field, even if the action was completed successfully.
-
OKTA-739820
Attempting to change the name of a flow while the flow was already being saved returned a blank page.
-
OKTA-740846
In Connector Builder, the authentication settings couldn't be saved when the Authorize Path or Token Path only used partial paths built on the Base URL. Saving the connection returned a Failed to save auth schema error.
-
OKTA-743767
The Schedule Flow dialog window didn't contain the previously supported UTC and Zulu time zone options.
2024.06.1
OAuth scope customization enabled for the Okta, Okta Devices, and Okta Realms connectors
You can now specify custom scopes for OAuth connections to the Okta, Okta Devices, and Okta Realms connectors in Okta Workflows.
When you create or reauthorize a connection, you must go to the Permissions tab in the connection window. Select Use Default Scopes if you want to run any of the connector cards with the regularly assigned scopes. To use the customized scopes feature, specify the desired scopes in Customize scopes (advanced). Grant these scopes in the Okta Workflows OAuth app before you create or reauthorize the connection.
For Okta, see Authorization.
For Okta Devices, see Authorization.
For Okta Realms, see Authorization.
Rename the Test action on all cards
The Test this card action has been renamed to Run this card for all cards that support the functionality.
Fixes in Okta Workflows
-
OKTA-720351
The Compose card hid an output field name if a curly bracket { character came immediately before the field name. However, the card included the variable when executed.
2024.06.0
Okta Devices event cards now hidden from the Okta connector
The following event cards are no longer available from the Okta connector. New flows should use the identical event cards from the Okta Devices connector. For existing flows, you can keep using the Okta event cards or update your flows to use the equivalent Okta Devices event cards.
-
Authenticator Activated
-
Authenticator Deactivated
-
Device Activated
-
Device Added to User
-
Device Deactivated
-
Device Deleted
-
Device Enrolled
-
Device Suspended
-
Device Unsuspended
-
Phone Verification Call Sent
-
Phone Verification SMS Sent
-
User MFA Factor Activated
-
User MFA Factor Deactivated
-
User MFA Factor Reset All
-
User MFA Factor Suspended
-
User MFA Factor Unsuspended
-
User MFA
Enhancements to the Zoom connector
This release provides updates to existing Zoom connector cards:
-
The Get User card is now the Read User card.
-
Several input and output fields have been added to the Create User, Read User, and Update User action cards.
These are backward-compatible changes, so there's no need to replace existing cards. However, if you want to take advantage of the new input and output fields, you must use the new versions of these cards.
This release also includes a new action card for the Zoom connector:
See the Zoom connector.
Updates to the Cisco Identity Intelligence connector
This update removes the lastSignInLocation attribute of the End User State output, as it's no longer supported on the Get End User State action card.
This update also corrects the attribute type of the checkId output field on the Identity Intelligence Webhook event card.
Improvements to date formatting
Date formats have been modified to reflect localized user settings.
For users in the United States, there are minimal changes. The main changes are to provide consistent use of day periods and number of digits in dates, for example, 05/30/24 instead of 5/30/24 or 05/30/2024.
For users in other locales, date formats are now localized, for example, in Australia, the date is now DD/MM/YY.
Fixes in Okta Workflows
-
OKTA-728494
When searching for scopes in the Permissions tab, the required scopes were unexpectedly removed. Also, users couldn't deselect a scope from the filtered results while searching for that scope.
-
OKTA-735073
For the Scheduled Flow event card, if the end time was set to 12:00 AM, the card incorrectly reported this as an invalid time.
2024.05.2
Fixes in Okta Workflows
-
OKTA-728360
The Slash Command event card for the Slack connector returned an encryption failure error if the Signing Key field was empty.
2024.05.1
Action cards added to the Google Workspace connector
The Google Workspace connector has four new action cards to support role assignments.
- Create Role Assignment
- Delete Role Assignment
- Search Role Assignments
- List Roles
Event cards added to the Okta Devices connector
The Okta Devices connector has been updated with 19 new event cards.
- Authenticator Activated
- Authenticator Deactivated
- Device Activated
- Device Added to User
- Device Deactivated
- Device Deleted
- Device Enrolled
- Device Removed From User
- Device Suspended
- Device Unsuspended
- MFA Preregistration Initiated
- Phone Verification Call Sent
- Phone Verification SMS Sent
- User MFA
- User MFA Factor Activated
- User MFA Factor Deactivated
- User MFA Factor Reset All
- User MFA Factor Suspended
- User MFA Factor Unsuspended
To use these new event cards, go to the Connections tab in your Workflows Console and reauthorize the Okta Devices connection.
These Okta Devices event cards will replace the equivalent event cards of the Okta connector in a future release.
2024.05.0
Improvements to Execution History interface
The card duration indicators for Execution History have been updated for clarity and accuracy.
Updates to address mis-typed date conversions
The True-False Expression function card now converts Date fields to a UNIX timestamp when a Date type output field is used as input for a Number type field. Previously, this conversion returned a value of 0. Update any flows containing a card where a Date output was sent to a Number input and the result was then modified to return a UNIX timestamp.
Fixes in Okta Workflows
-
OKTA-712091
The Delete Import Session card for the Okta connector reported a failure when an XaaS job was stuck.
-
OKTA-719410
When admins created a connector in Connector Builder, the text they entered in the description field of the Create new connector dialog wasn't saved.
-
OKTA-722302
When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log.
-
OKTA-724710
Attempting to import a flow that contained an Export Folder card resulted in a TypeError message and the import action failed. Also, any successful import actions didn't show the name of the flow in the pop-up notification banner.
2024.04.3
Custom API Action card now available for the Okta Devices connector
A Custom API Actions card has been added to the Okta Devices connector in Okta Workflows.
See the Custom API Action card.
Organization and repository option limits for the GitHub connector
The following GitHub connector action cards now include a manual selection field when you choose the Organization and Repository options:
-
Create File Content
-
Create Branch
-
Create Issue
-
Create Pull Request
-
Read Issue
-
Read Pull Request
-
Search Branches
-
Update File Content
-
Update Issue
-
Update Pull Request
These option fields are now limited to displaying the first 100 options. These changes prevent timeout issues when there are a large number of repositories to choose from.
See GitHub connector
Template page updated
The Modernize your Access Request Management with Okta and Slack template on the Okta templates interface has been replaced with the Create Users in Salesforce template.
Fixes in Okta Workflows
-
OKTA-620819
When streaming action cards or helper flows were called from inside an If/Else or Try function card, the parent execution ID that was passed in the caller input for the helper flow didn't match.
-
OKTA-703886
If the authorized user belonged to a large number of repositories, some GitHub connector cards timed out and reported a "failed to load" error when a user opened the dropdown menu for the Repository option.
-
OKTA-716527
The True/False Expression function card didn't properly handle date or boolean comparison operations.
-
OKTA-722178
After dismissing the Execution History sidebar in the Execution History interface, it remained accessible using the horizontal scroll bar.
-
OKTA-722534
Sometimes Okta Workflows wouldn't create a connection for the Okta connector when the connection was configured using OAuth 2.0.
2024.04.2
Okta Realms connector now available
The Okta Realms connector is now available in Okta Workflows with the following cards:
-
Create Realm
-
Create Realm User
-
List Realm Users
-
Read Realm
-
Search Realms
-
Update Realm
-
Update Realm for User
New action card for Okta Devices connector
The Okta Devices connector has added a List Device Users card. See List Device Users.
Oracle HCM connector now available
The Oracle HCM connector is now available in Okta Workflows with the following cards:
-
Read Worker
-
Search Workers
-
Update Worker
See the Oracle HCM connector.
Workflows templates
The following Okta Workflows template is now available:
Fixes in Okta Workflows
-
OKTA-667322
The Connection usage dialog displayed an incorrect number of flows if the connector was used by a flow inside a subfolder.
2024.04.1
Important updates for Asana connector
Asana is deprecating their external endpoints currently used by the cards:
-
Add Users to Project
-
Remove Users from Project
Any existing flows that use these cards will continue to work until Asana completes the API deprecation. However, these cards have been removed from the Asana connector. See Upcoming changes to project memberships for details on the change and the deprecation time frame.
If you currently use the cards marked for deprecation, you can update your flows to use the following new cards that replicate the functionality and use the new Asana endpoints:
-
Create Membership
-
Delete Membership
These cards provide more functionality by supporting both the Goal and Project memberships for Asana.
See Asana connector.
Cisco Identity Intelligence connector now available
The Cisco Identity Intelligence connector is now available in Okta Workflows with the following cards:
-
Identity Intelligence Webhook
-
Get End User State
-
Get End Users By IP
Fixes in Okta Workflows
-
OKTA-704077
Admins received an authorization error when the OAuth token expired for a Client Credentials grant type connection made with an API connector.
-
OKTA-716447
The Hash and Sign function cards didn't return properly padded results when using the binary option in the digest output.
2024.04.0
Identity Threat Protection with Okta AI
Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user's session. When Identity Threat Protection discovers a risk, it can immediately end the user's sessions, prompt an MFA challenge, or invoke an Okta Workflow to restore your org's security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen.
New System Log event for Workflows execution history
There are two new System Log events for flow execution history. When a user activates or deactivates the Save all data that passes through the flow option, the System Log records the date, time, and name of the user.
Fixes in Okta Workflows
-
OKTA-688152
In some flows, the body format of the payload was incorrect when an API Connector card was used as the flow trigger or event.
-
OKTA-704998
Flow control Return cards displayed a Duplicate Card button.
-
OKTA-708420
Flows that used an HTTP connection to web resources failed for some users.
2024.03.2
Okta Devices connector now available
The Okta Devices is now available in Production orgs with the following cards:
-
Activate Device
-
Deactivate Device
-
Delete Device
-
Read Device
-
Search Device
-
Suspend Device
-
Unsuspend Device
See the Okta Devices connector.
KnowBe4 connector now available
The KnowBe4 connector is available in Okta Workflows with the following cards:
-
Custom API Action
-
List Group Members
-
List Groups
-
List Users
-
Read Group
-
Read User
See the KnowBe4 connector.
SecureFlag connector now available
The SecureFlag connector is available in Okta Workflows with the following card:
-
Remove User License
See the SecureFlag connector.
Authorization URL examples added to several connectors
The authorization connection dialog now includes an example URL for the following connectors:
- Advanced Server Access
- Duo Security Admin
- Freshservice
- Jira
- Jira Service Management
- Marketo
- OneTrust
- ServiceNow
- Shopify
- Zendesk
These example URLs demonstrate the expected format for connectors that enforce an https:// prefix or a domain suffix (for example: .com, .ca, .customdomain) for the connection URL.
Credential rotation for Zoom connector
OAuth 2.0 credentials have been rotated for the Zoom connector.
If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize.
Fixes in Okta Workflows
-
OKTA-225379
Object subfields couldn't be dragged into a filter condition for the Search Rows card.
-
OKTA-597055
When an admin created inputs in a For Each card that used dynamic flow inputs, the icon to delete an input field overlapped with the icon used to select a list item from the dropdown menu.
-
OKTA-625849
If a Search Rows card containing draggable input fields for filter conditions was moved into or out of an If/Error card, it caused the flow to fail.
-
OKTA-705684
For the Microsoft Teams connector, the flow identifier appeared as the State input on the helper flow when streaming records using the Search Teams and Search Chats cards.
-
OKTA-706352
For the Okta Devices connector, the Search Devices card didn't stream data to helper flows when using the Stream Matching Records option.
2024.03.1
Credential rotation for Shopify connector
The backend credentials for the Shopify connector were rotated on March 12, 2024 at 12:00 PM PST.
This action has no immediate impact on existing connections. However, admins must reauthorize their existing Shopify connections before March 26, 2024 at 12:00 PM PST to ensure that flows continue working.
Credential rotation for Slack connector
OAuth 2.0 credentials have been rotated for the Slack connector.
If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize the connection.
Fixes in Okta Workflows
-
OKTA-351074
On the Flows tab of Connector Builder, admins could click Save when a required field was empty.
-
OKTA-643500
Tables with filtered results didn't display correctly when the view filter was removed.
-
OKTA-667322
The Connection usage dialog displayed an incorrect number of flows. This occurred if the connector was used in a flow contained in a subfolder.
-
OKTA-687930
For tables containing a column with a long name, the options gear icon didn't appear.
2024.03.0
OAuth 2.0 security to invoke an API endpoint (Early Access)
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.
Scope search added for OAuth connection configurations
This update adds a search field to the scopes configuration interface for OAuth connections. Users can filter the list of available scopes by entering the name of the scope.
Low-latency mode restrictions for ineligible cards
Okta Workflows now prevents ineligible cards (like those with streaming actions) from entering low-latency mode instead of removing them after they hit a latency restriction or execution limit. This change improves overall flow performance.
New logo navigation behavior
Clicking the Workflows logo now returns you to the Flows view of the Workflows Console and shows the most recently selected folder.
New action card added to Miro Administration connector
The Miro Administration connector has added a card:
-
User Session Wipeout
See User Session Wipeout at miro.com.
Upcoming credential rotation for Shopify connector
A credential rotation for the Shopify connector is scheduled for March 12, 2024 at 12:00 PM PST. This action has no immediate impact on existing connections. However, users must reauthorize existing Shopify connections between March 12, 2024 at 12:00 PM PST and March 26, 2024 at 12:00 PM PST to ensure that flows continue to work.
Upcoming credential rotation for Slack connector
A rotation of the OAuth 2.0 credentials for the Slack connector is scheduled for March 10, 2024 on preview cells, and March 17, 2024 for production cells. No action is required for existing connections. However, if you do experience any issues with a connection, go to the Connections tab in your Workflows Console and reauthorize the connection.
Fixes in Okta Workflows
-
OKTA-646470
The editable output fields for extensible objects in a helper flow card used a green border instead of dark blue.
-
OKTA-649011
Sometimes in Connector Builder, if a field was configured but hidden for an OAuth connector, the delivered output fields were empty rather than containing the hidden values.
-
OKTA-659894
Using an HTTP Raw Request card to call a URL with a trailing slash returned an invalid input error, even though the URL was valid.
-
OKTA-690275
For the AWS Multi-Account Access connector, the Instance ARN dropdown menu failed to load for the List AWS Entitlements card. This occurred only if the Options section of the card was opened.
2024.02.2
Update to Jamf Pro Classic API connector authentication flow
The authorization flow for this connector has been updated from Basic Auth to use the OAuth 2.0 Resource Owner Password Credentials flow. This change is transparent for existing flows, but if you experience any issues with this connector, reauthorize your connection to Jamf Pro Classic API.
See Authorization.
Fixes in Okta Workflows
-
OKTA-690784
The Search Users action card for GitHub only returned 100 results instead of the maximum limit of 1000 results.
2024.02.1
Group assignment changes for Okta Workflows application
The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.
Credential rotation
Credentials have been rotated for the following connectors:
- Asana
- Box
- DocuSign
- GitHub
- Smartsheet
If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.
Workflows templates
The following Okta Workflows template is now available:
See the Available Workflows templates.
Fixes in Okta Workflows
-
OKTA-564782
If a helper flow contained an HTTP Close card, its parent flow resumed in low-latency mode. This occurred when the parent flow used a synchronous Call Flow card.
-
OKTA-690027
When filtering using the Search Rows card within an If Error card, admins could only use the output fields from other cards inside the If Error card.
2024.02.0
App integration tile now available for Okta Workflows users
Users who are assigned to the Okta Workflows app now have a dedicated tile on the Okta End-User Dashboard to launch the Workflows Console. See Workflows Console.
OAuth Scopes Customization feature
Today, when Workflows users authenticate to a connector using the OAuth 2.0 protocol, they must grant permissions for all OAuth scopes associated with the connector, regardless of whether those scopes are necessary for a specific use case. Unfortunately, this approach often results in the creation of overly permissive connections.
The OAuth Scope Customization feature empowers users with finer control over OAuth token requests. Now users can selectively remove unnecessary scopes from the token request before initiating the token exchange process. When OAuth Scope Customization is enabled for a connector, users gain the flexibility to create connections tailored to their specific needs. They can limit flows to only essential actions required in a third-party application, minimizing the risk associated with overly permissive connections.
Also, select connectors can provide users the ability to add scopes that aren't initially associated with the connector. This feature becomes valuable when using a Custom API Action card. Users can easily make HTTP requests to a service even for actions that the connector doesn't direct support, greatly expanding the capabilities of Okta Workflows.
See Use OAuth 2.0 Authorization Code and Use OAuth 2.0 Client Credentials.
Client Credentials support added to API connector functions
The API Connector function cards now support authentication using OAuth 2.0 Client Credentials. See Authenticate with API Connector cards.
Duplicate card functionality
Currently, duplicating an existing action or function card in Okta Workflows involves manually adding and recreating the card. This process entails a significant amount of time and effort to configure the new card to match an existing card. There's also the potential for errors when replicating the details of an individual card, leading to wasted time and frustration.
This release introduces the Duplicate Card feature to simplify and accelerate the process of replicating cards within Okta Workflows. Users can now duplicate most function and action cards with a single click. This is invaluable when building use cases that involve complex object or list construction, or when modifying logic within branching functions.
See Duplicate a card.
IP session restrictions for Okta Workflows
Okta super admins can now enable IP session restrictions for Okta Workflows.
This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match for any request, the session is terminated and the Workflows admin must sign in again.
See Manage Early Access and Beta features for instructions on how to enable this feature for your org through the Okta Admin Console.
Group assignment changes for Okta Workflows application
The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.
Greenhouse connector now available
The Greenhouse connector is now available in Okta Workflows with the following cards:
-
Add User Email Address
-
List Candidates
-
List Users
-
Read Candidate
-
Read User
-
Update Candidate
-
Update User
See the Greenhouse connector.
Darwinbox connector now available
The Darwinbox connector is now available in Okta Workflows with the following cards:
-
Update Email ID
-
Update User Attributes
See the Darwinbox connector.
Adobe User Management connector updated
Adobe User Management is deprecating the Service Account (JWT) credential in favor of the new OAuth Server-to-Server credential. The Adobe User Management connector has been updated to change the default authorization flow from JWT to OAuth.
See the Authorization page for Adobe User Management.
Workflows templates
The following Okta Workflows templates are now available:
See the Available Workflows templates.
Credential rotation
Credentials have been rotated for the following connectors:
- Asana
- Box
- Dropbox for Business
- DocuSign
- GitHub
- HubSpot CRM
- Salesforce
- Shopify
- Slack
- Slack Admin
- SmartRecruiters
- Smartsheet
- Zendesk
- Zoom
If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.
Fixes in Okta Workflows
-
OKTA-576957
When admins opened the Deployment tab in Connector Builder, the loading indicator appeared in the Private deployment pane instead of indicating that the entire page was loading. Also, when a new version was added, the table briefly said that no versions were available.
2024.01.2
Fixes in Okta Workflows
-
OKTA-627817
When an admin added or edited a row in a Workflow table, the new or updated row was automatically placed at the top of the table rather than where it was in the table originally.
-
OKTA-643523
When a user attempted to manually test a flow, the flow builder view sometimes indicated that there was no new data and didn't redirect to the new execution in the Execution History view.
-
OKTA-682162
When an admin created a connection for some Okta Workflows connectors, the process would hang if a connection field contained invalid characters.
2024.01.1
This release includes back-end fixes and improvements, but there are no external changes.
2024.01.0
Groups assignment changes for Okta Workflows application
To enhance the security of the Okta Workflows application, the following changes have been implemented in the Okta Admin Console:
-
On the Applications page:
-
In the Assign Users to App option, the Workflows app is no longer included in the list of available applications.
-
For the Workflows app itself, if you select the Assign to Groups option from the dropdown actions menu, the assignment dialog reports that this is an unsupported operation.
-
-
If the Self Service feature is enabled for your Okta org, your users can't add the Workflows application to their dashboard.
-
On the Assignments tab inside the Okta Workflows application, the Assign to Groups option is no longer available.
-
In the Assign applications to a specific group, the Okta Workflows app isn't available through the Assign Applications to {group} dialog.
interface, if you try to -
Assigning the Okta Workflows application to a group through the Okta public API is also no longer permitted.
Update to flow testing UI
The interface for testing flows inside the flow builder has been updated to provide clarity in message text and button naming.
Improvements to action card dialogs
The selection dialog for action cards now closes immediately when the user selects an action card.
Subfolder icon improvements
The import and export icons shown on the subfolder action menu have been updated to more appropriately reflect the action.
BambooHR connector now available
The BambooHR connector is now available in Okta Workflows with the following cards:
- Read Employee
- Update Employee
- List Employees
See BambooHR connector.
Domain selection added to Jira Service Management connector
Previously, the Jira Service Management connector would fail if the service wasn't on the atlassian.net domain. This update adds a Domain dropdown to the connector authorization dialog so that users can select either atlassian.net or jira.com for the service location. No action is required for existing connections.
See Authorization.
Fixes in Okta Workflows
-
OKTA-591951
A user could edit the name of an existing flow and replace it with a name that consisted of a null value.
-
OKTA-604699
For the Microsoft Teams connector, when the Stream Matching Records option was chosen, the results on the List Members and List Channel Members cards didn't match the requested Record Limit.
-
OKTA-617595
The information provided when importing a folder wasn't clear about the destination of the imported folder.
-
OKTA-660523
For Google Workspace Admin flows that use the Create User card, sometimes Google hadn't finished the user creation process before it attempted to assign a license, so the assignment failed.
-
OKTA-668196
For the Google Workspace connector, the function of the Deactivate User action card was to suspend a user, not deactivate one. The card has been renamed Suspend User to more accurately reflect the action. No change is required for existing flows that use this card.