Conquering User Provisioning with Okta Workflows



I just got back from Okta's SKO this week and one of the major technical focuses was on the new Okta Workflows engine which is currently in EAP (early adopters program). Workflows is a new component of the Okta Advanced Identity Lifecycle Management (ILM) offering that enables organizations to perform complex logic triggered by joiner, mover and leaver events such as the creation of a new user, an employee transferring a different department, a user being added to a group or being terminate in an HR system. There are many more events than this but this gives you a flavor. When these events are triggered, Okta workflow can perform any number of actions such as sending an email, assigning a personal folder in a file management solution like Box or SharePoint (among others), and assigning the user to a Slack channel. Okta workflows follows an event-based model:


"When this happens" -> "If this" -> "Do This" -> "Do That"
           [Event]               [Function]        [Action]        [Action]


 From Okta's Website:


The workflows interface is a very friendly drag and drop UI (I wish I could show it)  that allows Okta engineers and administrators to easily string together the workflow steps using out of the box connectors for many popular applications and cloud platforms as well as the ability to call other ReST-based services. Workflows can be triggered by scheduled events, internal Okta events or even events in other applications such as a new Jira issue or a new AWS Lambda event. Okta Workflows includes OOTB connectors for many popular cloud platforms such as Office 365, G Suite, Github and many others. At the time of this post there are 32 named connectors and I expect that there will be many more by GA.

In every identity management project there are tricky requirements that we receive from customers that go beyond the traditional use cases. For example, when an employee is disabled in Okta, the system should disable their accounts, terminate any existing Okta and Slack sessions, forward email to the user's manager, remove the user's Office 365 license and send an email to the help desk distribution list. Custom requirements such as these in most IGA solutions require custom development either in a workflow or rules engine or through external PowerShell scripts. The Okta Workflows engine provides a very powerful interface to implement and maintain these complex workflows without having to write a ton of code which is difficult to maintain.

What's not in the Workflows engine is any capability to pause for human activity, such as gathering an approval from a manager or application owner or generating a manual event such as a ServiceNow ticket that pauses the process until the ticket is closed. As mentioned above the Okta Workflows engine will be available to any organization that owns the Advanced Lifecycle Management component which is Okta's workforce identity management solution. This capability isn't being included (at least initially) in Okta's Customer IAM offering as well.

Comments

Post a Comment

Popular posts from this blog

Load Balancing Web Services with WebSEAL

I came across this bit of information from an old email from several years ago, and wanted to capture it here for future reference. In case you're thinking of using a WebSEAL server as a proxy for a web service based application (SOAP or REST), there are some details you need to be aware of in how you tune your servers for a successful implementation. The advantage to using a WebSEAL server for proxying web service traffic is that you can enforce authorization based on the client ip address (typically a client web application). This isn't as strong of security as performing authenitcation and authorization using WS-Security or SAML, but if these options aren't available, WebSEAL can increase the security by only allowing certain ip addresses to access the application using POPs (Protected Object Policies). What you have to be aware of is the fact that the client opening the connection to the WebSEAL server is typically another application. This creates a problem if th...
Read more

Leveraging Azure MFA with CyberArk

Image
Posting this here for future reference. We had a customer that wanted to leverage Azure MFA for authenticating users (IT Administrators) to CyberArk for accessing servers and checking out privileged credentials. CyberArk has two mechanisms to support this: 1) RADIUS authentication or 2) SAML authentication. We initially attempted to implement RADIUS authentication using Microsoft's Network Policy Server with the Azure MFA plug-in but threw up the white flag after many hours of debugging network packet captures. In the end we implemented this use case using Azure SSO to provide SAML-based single sign-on to CyberArk. RADIUS authentication is a bit more "legacy"but has been the de facto protocol for step-up authentication use cases for many years. I won't get into the history of RADIUS but it has been around for a very long time (almost as long as the internet) and is widely used for network authentication such as to an IPSEC-based VPNs and 802.11X based Wireless network...
Read more

Role-based Identity Management Best Practices

Image
This is a white paper that I put together a few years ago for a large financial organization that was struggling with how to approach RBAC or role-based identity management without having the new AI and machine learning capabilities with some of the new IGA solutions such as SailPoint IdentityAI. Introduction Role-Based Identity Management and Role-Based Access Control (RBAC) has long been the nirvana of Identity & Access Management programs since the concept of distributed systems was introduced. The idea of aligning access needs to the business functions that users fulfill and streamline provisioning of that access has proved to be a constant challenge in terms of both IT operational efficiency as well as Compliance, Risk and Security needs. This paper aims to address the challenges for effectively managing role-based access and identify best practices to help organizations achieve better IT efficiency, reduce risk and increase security for their users, data and applications. Rol...
Read more