Okta Workflows release notes (2024)

2024.09.3

Deprecation of long-form syntax for JWT Sign card

For the JWT Sign function card, the use of long-form syntax (seconds or milliseconds) in the expiresIn and notBefore fields is deprecated. Replace any long-form syntax with the corresponding short form (for example, s or ms).

See Sign.

Fixes in Okta Workflows

  • OKTA-804915

    With the role-based access control (RBAC) feature enabled, users who had the Okta Workflows app unassigned and then reassigned received an error when they signed in to the Workflows app.

2024.09.2

Fixes in Okta Workflows

  • OKTA-790208

    If an admin enabled the Execution Log Streaming feature for an org, but then disabled it for one or more individual flows, then an attempt to disable the feature at the org level returned an internal server error.

  • OKTA-803507

    This update fixes several display issues for the new connector catalog interface.

2024.09.1

Workflows templates

The following Okta Workflows templates are now available:

  • Okta Identity Governance: Implement backup of OIG app entitlements with Okta Workflows

  • Okta Realms: Generate detailed realms and realm user reports

The following Okta Workflows templates have been updated:

  • Automate account creation from Jira

  • Temporarily exempt users from MFA

See Available Workflows templates.

Fixes in Okta Workflows

  • OKTA-604373

    When a scheduled flow invoked a webhook flow, the webhook flow was counted twice in the workflow execution.

  • OKTA-740976

    If a connection was deleted in Okta Workflows, then importing a flow pack that used the deleted connection failed.

  • OKTA-756368

    When activities were performed on Okta Workflows tables, extra IP addresses appeared in the System Log.

  • OKTA-798681

    Flows that used the Add or Subtract Date & Time function cards returned an error if these cards were configured to result in impossible date values. For example, adding months to a date so that the resulting date was February 30.

2024.09.0

IP session restrictions for Okta Workflows is now a Generally Available feature in Production orgs

Okta super admins can now enable IP session restrictions for Okta Workflows.

This feature ensures that all Okta Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address of any request doesn't match, the session is terminated and the admin must sign in again.

If you want to disable the feature, contact Okta Support.

Role-based access control is now available as an Early Access feature in Production orgs

Because Okta Workflows can make comprehensive changes both within Okta and out to other connected SaaS apps, access to Workflows was restricted to Okta super admins. While this restriction enhanced the security of Okta Workflows, it limited the number of users, restricted the ability to scale the use of Okta Workflows, and reduced its overall value to customers.

With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.

To support this feature, three new admin roles are available:

  • Workflows Administrator: For full-access administration within Okta Workflows only

  • Workflows Auditor: For compliance management with read-only access

  • Connection Manager: For securely handling accounts and credentials

RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.

To turn on this EA feature for your org, go to Settings > Features in the Admin Console and enable these options:

  • Workflows Access Control

  • Workflow Admin Role

  • Workflows Provisioning

See Access Control.

The addition of the RBAC feature includes four new event types to record related actions in Okta Workflows:

  • workflows.user.role.user.add

  • workflows.user.role.user.remove

  • workflows.user.role.group.add

  • workflows.user.role.group.remove

See the Event Types API.

Improvements to Workflows Connector Catalog

When selecting an event or an action card in Okta Workflows, the available connectors catalog has been updated with significant organizational and usability enhancements.

The interface can now display the following information for a connector:

  • A detailed description

  • Who made the connector

  • The release version and when it was last updated

  • Links to relevant user documentation and support contacts

Some fields may not be present for existing connectors.

To help you quickly find the connectors you need, they're organized into three searchable sections: Connected apps, Okta apps, and All apps.

In addition, when an admin adds an event card to a flow, the updated card selection dialog now provides a better usability experience.

Context field added for ULID support

The output section for helper flows has a new wf_id field. The field tracks the Universally Unique Lexicographically Sortable Identifier (ULID) of the parent flow. The existing id output field remains as a reference to the parent flow's id value.

Documentation improvement for Okta connector scopes

The OAuth 2.0 scopes for each event and action card in the Okta connector have been documented to indicate what specific scopes are required for individual cards.

See Scopes for Okta connector cards.

Update to Jamf Pro Classic API connector

The Send Computer MDM command card for the Jamf Pro Classic API connector has a new Lock Message input field so admins can include a message when performing a device lock action.

See Send Computer MDM Command.

Workflows throttling improvements

If Okta Workflows throttles a flow, the execution history now provides a dialog with more details. The dialog indicates if the throttling occurred due to problems at the flow, org, or execution level.

Also, if your org exceeds the allowed resource limits, Okta Workflows displays a banner to indicate that flow executions in your org have been either throttled or blocked.

System Log events added for flow and table changes

The workflows.user.flow.move and workflows.user.table.move events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.

Fixes in Okta Workflows

  • OKTA-581584

    There was a typographical error in the Group Privilege Revoked event card description of the Okta connector.

  • OKTA-736026

    In the Okta connector, the Excluded Users output field on the Read Group Rule card returned an array with an empty string rather than an empty array. This caused the list length to be 1 when it should have been 0.

  • OKTA-737784

    When reauthorizing an existing connection, the default or custom scope selections weren't retained.

    Now when reauthorizing existing connections, the scopes are either set to the default scopes or retain any custom scope settings.

  • OKTA-791345

    The Region list used when authorizing an AWS Lambda connector was missing several AWS regions.

  • OKTA-794139

    When an org upgraded from the Okta Workflows Free Trial version to Unlimited Workflows, the free trial limit prevented flows from executing.

  • OKTA-795297

    For RBAC-enabled orgs, if you deleted an Okta user and then created a user with the same email or username, the new user couldn't perform any actions in Okta Workflows.

  • OKTA-798723

    When an admin added an OAuth 2.0 authentication to a connector in Connector Builder, the Base URL, Authorize Path, Token Path, and Refresh Token Path fields wouldn't accept URLs where an authorization parameter was used as part of the subdomain address. For example, https://{{auth.authorization_subdomain}}.workday.com/{{auth.tenant}}/authorize.

2024.08.3

FedRAMP High support for Microsoft connectors

The following connectors now support the Federal Risk and Authorization Management Program (FedRAMP) High Baseline and can be used in Okta for Government High:

  • Excel Online
  • Azure Active Directory
  • Microsoft Teams
  • Office 365 Calendar
  • Office 365 Mail
  • OneDrive

Okta Workflows in Okta for Government High only supports connections using accounts from Office 365 GCC High tenants.

Fixes in Okta Workflows

  • OKTA-794118

    Download File action cards sometimes returned an Invalid Authentication Token error message.

  • OKTA-754284

    After the Execution Log Streaming feature was configured, if the feature was later turned off, streaming events were still sent to the downstream service.

2024.08.2

Fixes in Okta Workflows

  • OKTA-613668

    In Connector Builder, dynamic groups didn't have a header in a card's Input or Output section when using a reserved group name.

  • OKTA-790175

    With the Execution History Inspector feature enabled, the Execution History view didn't display a warning message if a flow was modified after it was run.

  • OKTA-790836

    The AES Encryption function card contained unsupported OpenSSL encryption algorithms.

  • OKTA-790882

    Attempting to cancel one helper flow from the Execution History view of another helper flow produced misleading results. The view showed that the other helper flow's cancellation was in progress, but the other helper flow wasn't canceled.

  • OKTA-793480

    In the Yubico FIDO Pre-registration template, the Process shipment flow could be turned on even if there wasn't a valid connection in the Yubico connector.

  • OKTA-794205

    Users who previously signed in to an org with the RBAC feature enabled, but weren't assigned an RBAC role, didn't appear in search results with the No role assigned filter selected.

2024.08.1

Credential rotation for Slack Admin connector

OAuth 2.0 credentials have been rotated for the Slack Admin connector.

If you experience any issues with this connector, go to the Connections tab in your Workflows Console and reauthorize.

Fixes in Okta Workflows

  • OKTA-726331

    Canceling a nested helper flow failed unless the cancellation action was initiated from the top-level flow.

  • OKTA-742519

    For the AWS S3 connector, the Read Object Tags card returned an invalid input type error instead of a list of tags set for the specified object.

  • OKTA-744174

    For the AWS S3 connector, the Upload Object card didn't pass through the Object Lock Retain Until Date field when uploading an object.

  • OKTA-756178

    If a flow's ULID value was passed as a dynamic input into the Export Flow function, the flow returned a 500 Internal Server error.

  • OKTA-791013

    In Workflows tables with a True/False column, admins couldn't manually change a value from True to False.

  • OKTA-791122

    The Execution History view and the Execution History Inspector sometimes showed inconsistent duration times.

  • OKTA-793480

    In the Yubico FIDO Pre-registration template, the Process shipment flow could be turned on even if there wasn't a valid connection in the Yubico connector.

2024.08.0

OAuth 2.0 security to invoke API endpoints now available in EA

Okta Workflows users can securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature provides more security while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.

See Invoke a flow with an API endpoint.

Improvements to clarify incorrect card input

When provided with invalid input, some cards return a Max command request/response attempts reached error message instead of returning an error that the input is invalid. This behavior has been corrected and the card doesn't attempt to retry the query with invalid input.

Improvements to Execution History Inspector view

When you view an in-progress flow execution, the Execution History Inspector now automatically scrolls to bring the most recently executed card into view.

Browser interface improvement for folders

The folder name is now included on your browser tab when you have a folder open in either the Folders view or in Connector Builder.

Fixes in Okta Workflows

  • OKTA-744830

    After reverting a moved folder action in Okta Workflows, the System Log didn't correctly record the folder paths.

  • OKTA-749052

    Sometimes a currently running flow was marked as complete in the flow's Execution History.

  • OKTA-754269

    The Tables Search Row function card returned an internal server error when it contained a filter that used a string value instead of a strict boolean.

  • OKTA-791779

    The Yubico template failed for orders that were made in countries without a state in the address.

2024.07.2

Fixes in Okta Workflows

  • OKTA-619031

    When a table column with a True/False field type had a default value of True, the properties dialog for the column incorrectly displayed the default value as False.

  • OKTA-653941

    The text size on the Flow Activation button made it difficult to read.

  • OKTA-736923

    The Multipart Upload function card didn't pass the HTTP content-type header for a file upload.

  • OKTA-747044

    In the Execution Log Streaming EA feature, setting a custom body event sometimes caused the downstream system to return an invalid request error.

  • OKTA-748261

    Redirect URL values entered for the OAuth 2.0 Auth Code flow in Connector Builder were incorrectly appended with a :443 port.

  • OKTA-750773

    In the Workflows Console, the documentation links for the Execution Log Streaming and Execution History Inspector EA features pointed to incorrect destination URLs.

  • OKTA-752756

    On the Flow Chart page, parts of the flow navigation were hidden or difficult to read if the browser window was small, if the flow was very large, or if the flow contained a card with nested or branched areas (like If/ElseIf).

2024.07.1

New action cards for ServiceNow connector

The ServiceNow connector has been updated to include five new action cards:

See the ServiceNow connector.

Yubico connector updated

The documentation link for the Yubico connector has been updated.

See the Yubico connector.

Workflows templates added

The following Okta Workflows templates are now available:

See Available Workflows templates.

Fixes in Okta Workflows

  • OKTA-729321

    The Create Cloud User card in the Azure Active Directory connector didn't have an Email input field for setting the user email address.

  • OKTA-746306

    The Execution History panel included two options for Network Ingress and Network Egress, but these options aren't available for this EA feature.

  • OKTA-747316

    The Execution History view of a deleted execution displayed an in progress status message instead of a message that the execution doesn't exist.

2024.07.0

Execution Log Streaming now available in Early Access

Previously, customers could audit user-directed actions in Okta Workflows, but had little insight into the automated work executed by the individual flows.

With the Execution Log Streaming feature, customers can monitor execution history and performance across all of their flows. This is done by sending execution logs to a downstream security information and event management (SIEM) tool.

This feature allows you to configure alerts and dashboards to provide proactive identification and resolution of potential issues. The centralized monitoring capability also provides a holistic view across all Workflows operations for better insights and decision making.

See Execution Log Streaming.

The feature adds the following new System Log event types:

  • workflows.user.execution_log_stream_connection.activate

  • workflows.user.execution_log_stream_connection.deactivate

  • workflows.user.execution_log_stream_connection.update

  • workflows.user.flow.execution_log_stream.activate

  • workflows.user.flow.execution_log_stream.deactivate

To turn on this EA feature for your org, go to Settings > Features in the Admin Console and enable the Workflows Execution Log Streaming option.

Execution History Inspector now available in Early Access

Okta Workflows customers frequently reach out to Okta Support for assistance when experiencing unexpected throttles, low latency mode evictions, or other performance changes.

The new Execution History Inspector feature provides various detailed usage metrics directly to you. This diagnostic view helps you to understand flow performance and provides you with the ability to diagnose issues and optimize your flows.

See History Inspector.

The feature adds the following new System Log event types:

  • workflows.user.flow.execution_history.activate

  • workflows.user.flow.execution_history.deactivate

  • workflows.user.flow.execution_history.delete

To turn on this EA feature for your org, go to Settings > Features in the Admin Console and enable the Workflows Execution History Inspector option.
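The System Log event types named in these notes (the four RBAC role events from 2024.09.0 and the execution log streaming and execution history events in this release) lend themselves to a small triage rule set. The following is an added example, not Okta code: the sample events are constructed, their actor/target layout is an assumption modeled on the general System Log event shape, and the 24-hour correlation window is an arbitrary choice.

```python
import json
from datetime import datetime, timedelta, timezone

# Event types taken from these release notes.
ROLE_GRANT = {"workflows.user.role.user.add", "workflows.user.role.group.add"}
ROLE_REVOKE = {"workflows.user.role.user.remove", "workflows.user.role.group.remove"}
VISIBILITY_LOSS = {
    "workflows.user.execution_log_stream_connection.deactivate",
    "workflows.user.flow.execution_log_stream.deactivate",
    "workflows.user.flow.execution_history.deactivate",
    "workflows.user.flow.execution_history.delete",
}
RECENT_GRANT_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample export, one JSON event per line. The target layout for
# these event types is an assumption, not taken from Okta documentation.
SAMPLE_LOG = """\
{"published":"2024-09-10T09:00:00.000Z","eventType":"workflows.user.role.user.add","actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2024-09-10T09:30:00.000Z","eventType":"workflows.user.flow.execution_log_stream.deactivate","actor":{"alternateId":"bob@example.com"},"target":[{"type":"Flow","alternateId":"payroll-sync"}],"outcome":{"result":"SUCCESS"}}
{"published":"2024-09-10T10:00:00.000Z","eventType":"workflows.user.role.user.add","actor":{"alternateId":"carol@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"outcome":{"result":"SUCCESS"}}
this line is not JSON and must be skipped
{"published":"2024-09-11T08:00:00.000Z","eventType":"workflows.user.flow.execution_history.delete","actor":{"alternateId":"dave@example.com"},"target":[{"type":"Flow","alternateId":"offboarding"}],"outcome":{"result":"SUCCESS"}}
{"published":"2024-09-11T09:00:00.000Z","eventType":"workflows.user.flow.move","actor":{"alternateId":"dave@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2024-09-11T10:00:00.000Z","eventType":"workflows.user.role.group.remove","actor":{"alternateId":"alice@example.com"},"target":[{"type":"UserGroup","alternateId":"wf-auditors"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Parse JSON lines, skip blank or malformed lines, return time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.strptime(
                ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ"
            ).replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, not an object, or no usable timestamp
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def triage(events):
    """Return one finding per event that touches role membership or logging."""
    findings = []
    last_grant = {}  # target alternateId -> time of most recent role grant
    for ev in events:
        etype = ev.get("eventType", "")
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        targets = [t.get("alternateId") for t in (ev.get("target") or [])
                   if isinstance(t, dict)]
        rule = severity = None
        if etype in ROLE_GRANT:
            rule, severity = "role_grant", "medium"
            if actor in targets:
                # An admin adding a role to their own account.
                rule, severity = "self_role_grant", "high"
            if (ev.get("outcome") or {}).get("result") == "SUCCESS":
                for t in targets:
                    last_grant[t] = ev["_ts"]
        elif etype in ROLE_REVOKE:
            rule, severity = "role_revoke", "low"
        elif etype in VISIBILITY_LOSS:
            rule, severity = "visibility_reduced", "high"
            granted = last_grant.get(actor)
            if granted and ev["_ts"] - granted <= RECENT_GRANT_WINDOW:
                # Logging reduced by an account that only just gained a role.
                rule, severity = "visibility_reduced_by_new_admin", "critical"
        if rule:
            findings.append({
                "time": ev["published"], "rule": rule, "severity": severity,
                "actor": actor, "targets": targets, "eventType": etype,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding["time"], finding["severity"].upper(), finding["rule"],
              finding["actor"], "->", finding["targets"])
```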

Changes to save and clear flow execution history

This release improves the ability to clear the execution history for a flow. You can now choose to clear either the saved input and output values for a flow, or clear all execution history, including the flow metadata.

This update includes revised documentation on how to save, view, and clear execution history for flows.

See Flow execution history.

Move folders functionality now available

Improved folder organization in Okta Workflows gives you the flexibility to drag and drop folders into other folders, or to move them up to become a top-level folder.

See Move a folder into another folder and Move a subfolder to a higher level.

When a folder move occurs, this triggers the new workflows.user.folder.move event type in the System Log.

See the Event Types API.

Universal identifiers for flow and folder references

The URL paths for flows (for example, /app/folders/{foldernumber}/flows/{flownumber}/) have been updated to use a Universally Unique Lexicographically Sortable Identifier (ULID), in the form /app/flows/{ULID}/. For example, /app/flows/01HZKPGVPXYA6ZWMKKADVXYJ1H.

This change has also been made for folder identifiers, which now have the form /app/folders/{ULID}.

Users can continue to use any existing saved links for flows and folders, but are automatically redirected to the new external ID URL. Also, any System Log events for flows now use this ULID instead of the previous format.
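Because System Log events and URLs now carry ULIDs, tooling that parses flow references has to accept both path shapes, and the ULID itself embeds a millisecond timestamp that is useful when building a timeline. The following is an added example, not Okta code; it decodes ULIDs according to the public ULID layout (48-bit timestamp, 80-bit randomness, Crockford base32), and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # alphabet omits I, L, O, U
_VALUE = {ch: i for i, ch in enumerate(CROCKFORD)}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Path shapes quoted in the release note above.
_ULID_PATH = re.compile(r"^/app/(flows|folders)/([0-9A-Za-z]{26})/?$")
_LEGACY_FLOW = re.compile(r"^/app/folders/(\d+)/flows/(\d+)/?$")


def decode_ulid(text):
    """Return (timestamp_ms, randomness) or raise ValueError if not a ULID."""
    s = text.upper()
    if len(s) != 26 or any(ch not in _VALUE for ch in s):
        raise ValueError("not a 26-character Crockford base32 string")
    if s[0] > "7":
        # 26 characters hold 130 bits; a ULID is 128, so the first
        # character can only be 0-7.
        raise ValueError("timestamp exceeds 48 bits")
    ts = 0
    for ch in s[:10]:   # first 10 characters: 48-bit millisecond timestamp
        ts = ts * 32 + _VALUE[ch]
    rnd = 0
    for ch in s[10:]:   # remaining 16 characters: 80 bits of randomness
        rnd = rnd * 32 + _VALUE[ch]
    return ts, rnd


def ulid_time(text):
    """UTC time at which the identifier was minted."""
    ts, _ = decode_ulid(text)
    return _EPOCH + timedelta(milliseconds=ts)


def classify_path(path):
    """Classify a Workflows URL path as ULID-based, legacy, or unknown."""
    m = _ULID_PATH.match(path)
    if m:
        kind = "flow" if m.group(1) == "flows" else "folder"
        try:
            minted = ulid_time(m.group(2))
        except ValueError:
            # Right length, but contains I, L, O, U or overflows 48 bits.
            return {"kind": kind, "id_format": "invalid",
                    "id": m.group(2), "minted": None}
        return {"kind": kind, "id_format": "ulid",
                "id": m.group(2).upper(), "minted": minted}
    m = _LEGACY_FLOW.match(path)
    if m:
        return {"kind": "flow", "id_format": "legacy", "id": m.group(2),
                "folder": m.group(1), "minted": None}
    return {"kind": "unknown", "id_format": None, "id": None, "minted": None}


if __name__ == "__main__":
    for p in ("/app/flows/01HZKPGVPXYA6ZWMKKADVXYJ1H",
              "/app/folders/12/flows/345/",   # constructed legacy path
              "/app/flows/01HZKPGVPXYA6ZWMKKADVXYJ1U"):  # constructed, invalid
        print(p, "->", classify_path(p))
```

The decoded time is when the identifier was generated. These notes don't say whether ULIDs for flows that existed before this release were minted at migration time, so don't treat it as the flow's creation time without corroborating it.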

Improvements to the Execution History interface

Previously, the time value that appeared for older executions included the seconds value, while newer execution times only included the hour and minute values. The older formats now show the hour and minute values.

The exact execution time is still available using the hover action on the execution time.

Event hook limit increased

The limit on active event hooks per org has been increased from 10 to 25.

See Create an event hook and Hooks in Workflows system limits.

Fixes in Okta Workflows

  • OKTA-738244

    For some function cards, when an admin changed the data type from a boolean to a string, the input field retained the previous value (True or False), instead of clearing the field.

2024.06.2

Improvements to the Okta connector

The Okta connector has been updated with the following enhancements:

New action card for AWS S3 Connector

The AWS S3 connector has added an Upload Object action card. This new card enables users to upload objects (files) to S3 buckets through the AWS S3 connector.

See AWS S3 connector.

Workflows templates

The following Okta Workflows template is now available:

See Available Workflows templates.

Fixes in Okta Workflows

  • OKTA-554482

    When scrolling horizontally in the Execution History page, the expansion icon for any long output field moved to the center of the field, instead of remaining on the right side.

  • OKTA-734371

    When executing multiple flows that used a single Google account for the Google Sheets connections and contained any of the Read Row, Read All Rows, Clear Row, or New Row action cards, admins occasionally received a ScriptError message. If you still encounter this error, reauthenticate your Google Sheets connection.

  • OKTA-737380

    The SFTP Write File action card returned a value of FALSE to the Succeeded field, even if the action was completed successfully.

  • OKTA-739820

    Attempting to change the name of a flow while the flow was already being saved returned a blank page.

  • OKTA-740846

    In Connector Builder, the authentication settings couldn't be saved when the Authorize Path or Token Path only used partial paths built on the Base URL. Saving the connection returned a Failed to save auth schema error.

  • OKTA-743767

    The Schedule Flow dialog window didn't contain the previously supported UTC and Zulu time zone options.

2024.06.1

OAuth scope customization enabled for the Okta, Okta Devices, and Okta Realms connectors

You can now specify custom scopes for OAuth connections to the Okta, Okta Devices, and Okta Realms connectors in Okta Workflows.

When you create or reauthorize a connection, you must go to the Permissions tab in the connection window. Select Use Default Scopes if you want to run any of the connector cards with the regularly assigned scopes. To use the customized scopes feature, specify the desired scopes in Customize scopes (advanced). Grant these scopes in the Okta Workflows OAuth app before you create or reauthorize the connection.

For Okta, see Authorization.

For Okta Devices, see Authorization.

For Okta Realms, see Authorization.

Rename the Test action on all cards

The Test this card action has been renamed to Run this card for all cards that support the functionality.

Fixes in Okta Workflows

  • OKTA-720351

    The Compose card hid an output field name if a curly bracket { character came immediately before the field name. However, the card included the variable when executed.

2024.06.0

Okta Devices event cards now hidden from the Okta connector

The following event cards are no longer available from the Okta connector. New flows should use the identical event cards from the Okta Devices connector. For existing flows, you can keep using the Okta event cards or update your flows to use the equivalent Okta Devices event cards.

  • Authenticator Activated

  • Authenticator Deactivated

  • Device Activated

  • Device Added to User

  • Device Deactivated

  • Device Deleted

  • Device Enrolled

  • Device Suspended

  • Device Unsuspended

  • Phone Verification Call Sent

  • Phone Verification SMS Sent

  • User MFA Factor Activated

  • User MFA Factor Deactivated

  • User MFA Factor Reset All

  • User MFA Factor Suspended

  • User MFA Factor Unsuspended

  • User MFA

Enhancements to the Zoom connector

This release provides updates to existing Zoom connector cards:

  • The Get User card is now the Read User card.

  • Several input and output fields have been added to the Create User, Read User, and Update User action cards.

    These are backward-compatible changes, so there's no need to replace existing cards. However, if you want to take advantage of the new input and output fields, you must use the new versions of these cards.

This release also includes a new action card for the Zoom connector:

See the Zoom connector.

Updates to the Cisco Identity Intelligence connector

This update removes the lastSignInLocation attribute of the End User State output, as it's no longer supported on the Get End User State action card.

This update also corrects the attribute type of the checkId output field on the Identity Intelligence Webhook event card.

Improvements to date formatting

Date formats have been modified to reflect localized user settings.

For users in the United States, there are minimal changes. The main changes are to provide consistent use of day periods and number of digits in dates, for example, 05/30/24 instead of 5/30/24 or 05/30/2024.

For users in other locales, date formats are now localized, for example, in Australia, the date is now DD/MM/YY.

Fixes in Okta Workflows

  • OKTA-728494

    When searching for scopes in the Permissions tab, the required scopes were unexpectedly removed. Also, users couldn't deselect a scope from the filtered results while searching for that scope.

  • OKTA-735073

    For the Scheduled Flow event card, if the end time was set to 12:00 AM, the card incorrectly reported this as an invalid time.

2024.05.2

Fixes in Okta Workflows

  • OKTA-728360

    The Slash Command event card for the Slack connector returned an encryption failure error if the Signing Key field was empty.

2024.05.1

Action cards added to the Google Workspace connector

The Google Workspace connector has four new action cards to support role assignments.

  • Create Role Assignment
  • Delete Role Assignment
  • Search Role Assignments
  • List Roles

See Google Workspace Admin connector.

Event cards added to the Okta Devices connector

The Okta Devices connector has been updated with 19 new event cards.

  • Authenticator Activated
  • Authenticator Deactivated
  • Device Activated
  • Device Added to User
  • Device Deactivated
  • Device Deleted
  • Device Enrolled
  • Device Removed From User
  • Device Suspended
  • Device Unsuspended
  • MFA Preregistration Initiated
  • Phone Verification Call Sent
  • Phone Verification SMS Sent
  • User MFA
  • User MFA Factor Activated
  • User MFA Factor Deactivated
  • User MFA Factor Reset All
  • User MFA Factor Suspended
  • User MFA Factor Unsuspended

See Okta Devices connector.

To use these new event cards, go to the Connections tab in your Workflows Console and reauthorize the Okta Devices connection.

These Okta Devices event cards will replace the equivalent event cards of the Okta connector in a future release.

2024.05.0

Improvements to Execution History interface

The card duration indicators for Execution History have been updated for clarity and accuracy.

Updates to address mis-typed date conversions

The True-False Expression function card now converts Date fields to a UNIX timestamp when a Date type output field is used as input for a Number type field. Previously, this conversion returned a value of 0. Update any flows containing a card where a Date output was sent to a Number input and the result was then modified to return a UNIX timestamp.

Fixes in Okta Workflows

  • OKTA-712091

    The Delete Import Session card for the Okta connector reported a failure when an XaaS job was stuck.

  • OKTA-719410

    When admins created a connector in Connector Builder, the text they entered in the description field of the Create new connector dialog wasn't saved.

  • OKTA-722302

    When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log.

  • OKTA-724710

    Attempting to import a flow that contained an Export Folder card resulted in a TypeError message and the import action failed. Also, any successful import actions didn't show the name of the flow in the pop-up notification banner.

2024.04.3

Custom API Action card now available for the Okta Devices connector

A Custom API Actions card has been added to the Okta Devices connector in Okta Workflows.

See the Custom API Action card.

Organization and repository option limits for the GitHub connector

The following GitHub connector action cards now include a manual selection field when you choose the Organization and Repository options:

  • Create File Content

  • Create Branch

  • Create Issue

  • Create Pull Request

  • Read Issue

  • Read Pull Request

  • Search Branches

  • Update File Content

  • Update Issue

  • Update Pull Request

These option fields are now limited to displaying the first 100 options. These changes prevent timeout issues when there are a large number of repositories to choose from.

See GitHub connector.

Template page updated

The Modernize your Access Request Management with Okta and Slack template on the Okta templates interface has been replaced with the Create Users in Salesforce template.

Fixes in Okta Workflows

  • OKTA-620819

    When streaming action cards or helper flows were called from inside an If/Else or Try function card, the parent execution ID that was passed in the caller input for the helper flow didn't match.

  • OKTA-703886

    If the authorized user belonged to a large number of repositories, some GitHub connector cards timed out and reported a "failed to load" error when a user opened the dropdown menu for the Repository option.

  • OKTA-716527

    The True/False Expression function card didn't properly handle date or boolean comparison operations.

  • OKTA-722178

    After dismissing the Execution History sidebar in the Execution History interface, it remained accessible using the horizontal scroll bar.

  • OKTA-722534

    Sometimes Okta Workflows wouldn't create a connection for the Okta connector when the connection was configured using OAuth 2.0.

2024.04.2

Okta Realms connector now available

The Okta Realms connector is now available in Okta Workflows with the following cards:

  • Create Realm

  • Create Realm User

  • List Realm Users

  • Read Realm

  • Search Realms

  • Update Realm

  • Update Realm for User

See Okta Realms connector.

New action card for Okta Devices connector

The Okta Devices connector has added a List Device Users card. See List Device Users.

Oracle HCM connector now available

The Oracle HCM connector is now available in Okta Workflows with the following cards:

  • Read Worker

  • Search Workers

  • Update Worker

See the Oracle HCM connector.

Workflows templates

The following Okta Workflows template is now available:

Fixes in Okta Workflows

  • OKTA-667322

    The Connection usage dialog displayed an incorrect number of flows if the connector was used by a flow inside a subfolder.

2024.04.1

Important updates for Asana connector

Asana is deprecating their external endpoints currently used by the cards:

  • Add Users to Project

  • Remove Users from Project

Any existing flows that use these cards will continue to work until Asana completes the API deprecation. However, these cards have been removed from the Asana connector. See Upcoming changes to project memberships for details on the change and the deprecation time frame.

If you currently use the cards marked for deprecation, you can update your flows to use the following new cards that replicate the functionality and use the new Asana endpoints:

  • Create Membership

  • Delete Membership

These cards provide more functionality by supporting both the Goal and Project memberships for Asana.

See Asana connector.

Cisco Identity Intelligence connector now available

The Cisco Identity Intelligence connector is now available in Okta Workflows with the following cards:

  • Identity Intelligence Webhook

  • Get End User State

  • Get End Users By IP

See Cisco Identity Intelligence connector.

Fixes in Okta Workflows

  • OKTA-704077

    Admins received an authorization error when the OAuth token expired for a Client Credentials grant type connection made with an API connector.

  • OKTA-716447

    The Hash and Sign function cards didn't return properly padded results when using the binary option in the digest output.

2024.04.0

Identity Threat Protection with Okta AI

Identity Threat Protection with Okta AI is a powerful risk assessment and response solution that provides post-authentication security to your org. By continuously analyzing risk signals that are native to Okta, risk signals from integrated security partner vendors, and your policy conditions, it safeguards orgs against identity attacks that occur during and outside of a user's session. When Identity Threat Protection discovers a risk, it can immediately end the user's sessions, prompt an MFA challenge, or invoke an Okta Workflow to restore your org's security posture. Using intuitive dashboard widgets and reports, you can easily monitor security threats as they happen.

See Identity Threat Protection with Okta AI.

New System Log event for Workflows execution history

There are two new System Log events for flow execution history. When a user activates or deactivates the Save all data that passes through the flow option, the System Log records the date, time, and name of the user.

Fixes in Okta Workflows

  • OKTA-688152

    In some flows, the body format of the payload was incorrect when an API Connector card was used as the flow trigger or event.

  • OKTA-704998

    Flow control Return cards displayed a Duplicate Card button.

  • OKTA-708420

    Flows that used an HTTP connection to web resources failed for some users.

2024.03.2

Okta Devices connector now available

The Okta Devices connector is now available in Production orgs with the following cards:

  • Activate Device

  • Deactivate Device

  • Delete Device

  • Read Device

  • Search Device

  • Suspend Device

  • Unsuspend Device

See the Okta Devices connector.

KnowBe4 connector now available

The KnowBe4 connector is available in Okta Workflows with the following cards:

  • Custom API Action

  • List Group Members

  • List Groups

  • List Users

  • Read Group

  • Read User

See the KnowBe4 connector.

SecureFlag connector now available

The SecureFlag connector is available in Okta Workflows with the following card:

  • Remove User License

See the SecureFlag connector.

Authorization URL examples added to several connectors

The authorization connection dialog now includes an example URL for the following connectors:

  • Advanced Server Access
  • Duo Security Admin
  • Freshservice
  • Jira
  • Jira Service Management
  • Marketo
  • OneTrust
  • ServiceNow
  • Shopify
  • Zendesk

These example URLs demonstrate the expected format for connectors that enforce an https:// prefix or a domain suffix (for example: .com, .ca, .customdomain) for the connection URL.

Credential rotation for Zoom connector

OAuth 2.0 credentials have been rotated for the Zoom connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize.

Fixes in Okta Workflows

  • OKTA-225379

    Object subfields couldn't be dragged into a filter condition for the Search Rows card.

  • OKTA-597055

    When an admin created inputs in a For Each card that used dynamic flow inputs, the icon to delete an input field overlapped with the icon used to select a list item from the dropdown menu.

  • OKTA-625849

    If a Search Rows card containing draggable input fields for filter conditions was moved into or out of an If/Error card, it caused the flow to fail.

  • OKTA-705684

    For the Microsoft Teams connector, the flow identifier appeared as the State input on the helper flow when streaming records using the Search Teams and Search Chats cards.

  • OKTA-706352

    For the Okta Devices connector, the Search Devices card didn't stream data to helper flows when using the Stream Matching Records option.

2024.03.1

Credential rotation for Shopify connector

The backend credentials for the Shopify connector were rotated on March 12, 2024 at 12:00 PM PST.

This action has no immediate impact on existing connections. However, admins must reauthorize their existing Shopify connections before March 26, 2024 at 12:00 PM PST to ensure that flows continue working.

Credential rotation for Slack connector

OAuth 2.0 credentials have been rotated for the Slack connector.

If you experience any issues with this connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-351074

    On the Flows tab of Connector Builder, admins could click Save when a required field was empty.

  • OKTA-643500

    Tables with filtered results didn't display correctly when the view filter was removed.

  • OKTA-667322

    The Connection usage dialog displayed an incorrect number of flows. This occurred if the connector was used in a flow contained in a subfolder.

  • OKTA-687930

    For tables containing a column with a long name, the options gear icon didn't appear.

2024.03.0

OAuth 2.0 security to invoke an API endpoint (Early Access)

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.

See Invoke a flow with an API endpoint.

Scope search added for OAuth connection configurations

This update adds a search field to the scopes configuration interface for OAuth connections. Users can filter the list of available scopes by entering the name of the scope.

See Configure a connection.

Low-latency mode restrictions for ineligible cards

Okta Workflows now prevents ineligible cards (like those with streaming actions) from entering low-latency mode instead of removing them after they hit a latency restriction or execution limit. This change improves overall flow performance.

See Criteria for low-latency flows.

New logo navigation behavior

Clicking the Workflows logo now returns you to the Flows view of the Workflows Console and shows the most recently selected folder.

New action card added to Miro Administration connector

The Miro Administration connector has added a card:

  • User Session Wipeout

See User Session Wipeout at miro.com.

Upcoming credential rotation for Shopify connector

A credential rotation for the Shopify connector is scheduled for March 12, 2024 at 12:00 PM PST. This action has no immediate impact on existing connections. However, users must reauthorize existing Shopify connections between March 12, 2024 at 12:00 PM PST and March 26, 2024 at 12:00 PM PST to ensure that flows continue to work.

Upcoming credential rotation for Slack connector

A rotation of the OAuth 2.0 credentials for the Slack connector is scheduled for March 10, 2024 on preview cells, and March 17, 2024 for production cells. No action is required for existing connections. However, if you do experience any issues with a connection, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-646470

    The editable output fields for extensible objects in a helper flow card used a green border instead of dark blue.

  • OKTA-649011

    Sometimes in Connector Builder, if a field was configured but hidden for an OAuth connector, the delivered output fields were empty rather than containing the hidden values.

  • OKTA-659894

    Using an HTTP Raw Request card to call a URL with a trailing slash returned an invalid input error, even though the URL was valid.

  • OKTA-690275

    For the connector, the Instance ARN dropdown menu failed to load for the List AWS Entitlements card. This occurred only if the Options section of the card was opened.

2024.02.2

Update to Jamf Pro Classic API connector authentication flow

The authorization flow for this connector has been updated from Basic Auth to use the OAuth 2.0 Resource Owner Password Credentials flow. This change is transparent for existing flows, but if you experience any issues with this connector, reauthorize your connection to Jamf Pro Classic API.

See Authorization.

Fixes in Okta Workflows

  • OKTA-690784

    The Search Users action card for GitHub only returned 100 results instead of the maximum limit of 1000 results.

2024.02.1

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Credential rotation

Credentials have been rotated for the following connectors:

  • Asana
  • Box
  • DocuSign
  • GitHub
  • Smartsheet

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Workflows templates

The following Okta Workflows template is now available:

See the Available Workflows templates.

Fixes in Okta Workflows

  • OKTA-564782

    If a helper flow contained an HTTP Close card, its parent flow resumed in low-latency mode. This occurred when the parent flow used a synchronous Call Flow card.

  • OKTA-690027

    When filtering using the Search Rows card within an If Error card, admins could only use the output fields from other cards inside the If Error card.

2024.02.0

App integration tile now available for Okta Workflows users

Users who are assigned to the Okta Workflows app now have a dedicated tile on the Okta End-User Dashboard to launch the Workflows Console. See Workflows Console.

OAuth Scopes Customization feature

Today, when Workflows users authenticate to a connector using the OAuth 2.0 protocol, they must grant permissions for all OAuth scopes associated with the connector, regardless of whether those scopes are necessary for a specific use case. Unfortunately, this approach often results in the creation of overly permissive connections.

The OAuth Scope Customization feature empowers users with finer control over OAuth token requests. Now users can selectively remove unnecessary scopes from the token request before initiating the token exchange process. When OAuth Scope Customization is enabled for a connector, users gain the flexibility to create connections tailored to their specific needs. They can limit flows to only essential actions required in a third-party application, minimizing the risk associated with overly permissive connections.

Also, select connectors can provide users the ability to add scopes that aren't initially associated with the connector. This feature becomes valuable when using a Custom API Action card. Users can easily make HTTP requests to a service even for actions that the connector doesn't directly support, greatly expanding the capabilities of Okta Workflows.

See Use OAuth 2.0 Authorization Code and Use OAuth 2.0 Client Credentials.

Client Credentials support added to API connector functions

The API Connector function cards now support authentication using OAuth 2.0 Client Credentials. See Authenticate with API Connector cards.

Duplicate card functionality

Currently, duplicating an existing action or function card in Okta Workflows involves manually adding and recreating the card. This process entails a significant amount of time and effort to configure the new card to match an existing card. There's also the potential for errors when replicating the details of an individual card, leading to wasted time and frustration.

This release introduces the Duplicate Card feature to simplify and accelerate the process of replicating cards within Okta Workflows. Users can now duplicate most function and action cards with a single click. This is invaluable when building use cases that involve complex object or list construction, or when modifying logic within branching functions.

See Duplicate a card.

IP session restrictions for Okta Workflows

Okta super admins can now enable IP session restrictions for Okta Workflows.

This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address doesn't match for any request, the session is terminated and the Workflows admin must sign in again.

See Manage Early Access and Beta features for instructions on how to enable this feature for your org through the Okta Admin Console.
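The session rule described above, modeled as an added example (this is not Okta's implementation; SessionStore, the outcome strings, and the sample addresses are hypothetical). It assumes addresses are compared after normalization, so an IPv4-mapped IPv6 form of the bound address is not treated as a mismatch.

```python
import ipaddress
from dataclasses import dataclass


def normalize_ip(raw):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(raw.strip())
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have this
    return mapped if mapped is not None else ip


@dataclass
class Session:
    user: str
    bound_ip: object  # address logged when the session was created


class SessionStore:
    """Hypothetical model of an IP-bound session table."""

    def __init__(self):
        self.sessions = {}
        self.audit = []  # (session id, user, bound IP, offending source IP)

    def sign_in(self, sid, user, raw_ip):
        self.sessions[sid] = Session(user, normalize_ip(raw_ip))

    def check_request(self, sid, raw_ip):
        session = self.sessions.get(sid)
        if session is None:
            return "sign_in_required"
        try:
            request_ip = normalize_ip(raw_ip)
        except ValueError:
            request_ip = None  # an unparseable source address never matches
        if request_ip != session.bound_ip:
            # Any mismatch ends the session; later requests must sign in again.
            del self.sessions[sid]
            self.audit.append((sid, session.user, str(session.bound_ip), raw_ip))
            return "terminated"
        return "allowed"


# Constructed sample traffic (documentation address ranges only).
REQUESTS = [
    ("s1", "203.0.113.7"),             # same address as sign-in
    ("s1", "::ffff:203.0.113.7"),      # same client seen through a dual-stack hop
    ("s1", "198.51.100.23"),           # different address: session ends here
    ("s1", "203.0.113.7"),             # original address, but the session is gone
    ("s2", "2001:db8::10"),
    ("s2", "2001:DB8:0:0:0:0:0:10"),   # same IPv6 address, different spelling
]


def replay():
    store = SessionStore()
    store.sign_in("s1", "admin.a@example.com", "203.0.113.7")
    store.sign_in("s2", "admin.b@example.com", "2001:db8::10")
    outcomes = [store.check_request(sid, ip) for sid, ip in REQUESTS]
    return outcomes, store.audit


if __name__ == "__main__":
    print(replay())
```

Admins whose source address changes mid-session (for example, when a VPN reconnects) would see the "terminated" outcome and need to sign in again, which is worth planning for before enabling the restriction.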

Group assignment changes for Okta Workflows application

The group assignment options for the Okta Workflows app have been removed for all orgs. See the 2024.01.0 release notes.

Greenhouse connector now available

The Greenhouse connector is now available in Okta Workflows with the following cards:

  • Add User Email Address

  • List Candidates

  • List Users

  • Read Candidate

  • Read User

  • Update Candidate

  • Update User

See the Greenhouse connector.

Darwinbox connector now available

The Darwinbox connector is now available in Okta Workflows with the following cards:

  • Update Email ID

  • Update User Attributes

See the Darwinbox connector.

Adobe User Management connector updated

Adobe User Management is deprecating the Service Account (JWT) credential in favor of the new OAuth Server-to-Server credential. The Adobe User Management connector has been updated to change the default authorization flow from JWT to OAuth.

See the Authorization page for Adobe User Management.

Credential rotation

Credentials have been rotated for the following connectors:

  • Asana
  • Box
  • Dropbox for Business
  • DocuSign
  • GitHub
  • HubSpot CRM
  • Salesforce
  • Shopify
  • Slack
  • Slack Admin
  • SmartRecruiters
  • Smartsheet
  • Zendesk
  • Zoom

If you experience any issues with these connections, go to the Connections tab in your Workflows Console and reauthorize the connection.

Fixes in Okta Workflows

  • OKTA-576957

    When admins opened the Deployment tab in Connector Builder, the loading indicator appeared in the Private deployment pane instead of indicating that the entire page was loading. Also, when a new version was added, the table briefly said that no versions were available.

2024.01.2

Fixes in Okta Workflows

  • OKTA-627817

    When an admin added or edited a row in a Workflow table, the new or updated row was automatically placed at the top of the table rather than where it was in the table originally.

  • OKTA-643523

    When a user attempted to manually test a flow, the flow builder view sometimes indicated that there was no new data and didn't redirect to the new execution in the Execution History view.

  • OKTA-682162

    When an admin created a connection for some Okta Workflows connectors, the process would hang if a connection field contained invalid characters.

2024.01.1

This release includes back-end fixes and improvements, but there are no external changes.

2024.01.0

Groups assignment changes for Okta Workflows application

To enhance the security of the Okta Workflows application, the following changes have been implemented in the Okta Admin Console:

  • On the Applications page:

    • In the Assign Users to App option, the Workflows app is no longer included in the list of available applications.

    • For the Workflows app itself, if you select the Assign to Groups option from the dropdown actions menu, the assignment dialog reports that this is an unsupported operation.

  • If the Self Service feature is enabled for your Okta org, your users can't add the Workflows application to their dashboard.

  • On the Assignments tab inside the Okta Workflows application, the Assign to Groups option is no longer available.

  • In the Directory > Groups interface, if you try to Assign applications to a specific group, the Okta Workflows app isn't available through the Assign Applications to {group} dialog.

  • Assigning the Okta Workflows application to a group through the Okta public API is also no longer permitted.

Update to flow testing UI

The interface for testing flows inside the flow builder has been updated to provide clarity in message text and button naming.

Improvements to action card dialogs

The selection dialog for action cards now closes immediately when the user selects an action card.

Subfolder icon improvements

The import and export icons shown on the subfolder action menu have been updated to more appropriately reflect the action.

BambooHR connector now available

The BambooHR connector is now available in Okta Workflows with the following cards:

  • Read Employee
  • Update Employee
  • List Employees

See BambooHR connector.

Domain selection added to Jira Service Management connector

Previously, the Jira Service Management connector would fail if the service wasn't on the atlassian.net domain. This update adds a Domain dropdown to the connector authorization dialog so that users can select either atlassian.net or jira.com for the service location. No action is required for existing connections.

See Authorization.

Fixes in Okta Workflows

  • OKTA-591951

    A user could edit the name of an existing flow and replace it with a name that consisted of a null value.

  • OKTA-604699

    For the Microsoft Teams connector, when the Stream Matching Records option was chosen, the results on the List Members and List Channel Members cards didn't match the requested Record Limit.

  • OKTA-617595

    The information provided when importing a folder wasn't clear about the destination of the imported folder.

  • OKTA-660523

    For Google Workspace Admin flows that use the Create User card, sometimes Google hadn't finished the user creation process before it attempted to assign a license, so the assignment failed.

  • OKTA-668196

    For the Google Workspace connector, the function of the Deactivate User action card was to suspend a user, not deactivate one. The card has been renamed Suspend User to more accurately reflect the action. No change is required for existing flows that use this card.