Okta Administration: Up and Running


Product type: Book
Published in: Dec 2020
Publisher: Packt
ISBN-13: 9781800566644
Pages: 268
Edition: 1st Edition
Authors (2): Lovisa Stenbäcken Stjernlöf, HenkJan de Vries

Table of Contents (13 chapters)

  • Preface
  • Section 1: Getting Started with Okta
  • Chapter 1: IAM and Okta
  • Chapter 2: Working with Universal Directory
  • Chapter 3: Single Sign-On for a Great End User Experience
  • Chapter 4: Increasing Security with Adaptive Multi-Factor Authentication
  • Chapter 5: Automating Using Life Cycle Management
  • Chapter 6: Customizing Your Okta GUI
  • Section 2: Extending Okta
  • Chapter 7: API Management
  • Chapter 8: Managing Access with Advanced Server Access
  • Chapter 9: Leveraging Access Gateway for Your On-Premises Applications
  • Other Books You May Enjoy

Chapter 5: Automating Using Life Cycle Management

In this chapter, we will look at how we can use some of the knowledge we gained in previous chapters for a complete user life cycle. We will look at how we can use integrations for user provisioning, such as setting up a Human Resources Information System (HRIS) as a mastering service. We will also go deeper into editing a user's profile, for instance, with Expression Language. For the groups we learned about in Chapter 2, Working with Universal Directory, we'll now learn how to use automation to get them to work for us. Lastly, we will deep dive into the different kinds of hooks offered within Okta, as well as how we can utilize workflows.

These are some skills you will learn:

  • Automating user provisioning
  • Provisioning rich profiles
  • Setting up group rules
  • Setting up self-service options
  • Using workflow capabilities
  • Using Okta Workflows

Automating user provisioning

Previously, we've looked at several things that together become a complete user provisioning process. Groups, directory integrations, and so on, all come together for complete onboarding and offboarding. Let's look at how we can put it all together.

As mentioned in Chapter 3, Single Sign-On for a Great End User Experience, there are different kinds of integrations available in the Okta Integration Network (OIN), and many of the applications support System for Cross-domain Identity Management (SCIM). SCIM is an open standard for managing user identity information. It defines a schema and a REST API for Create, Read, Update, Delete (CRUD) operations. Put more simply, SCIM is a protocol for storing user information in a way that lets identity data be shared easily with multiple applications.

Let's look at it with an example. If an end user quits, and an administrator deactivates their account in Okta...
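In SCIM terms, deactivating a user is an update that sets the user's `active` attribute to false. The following is an added example, not code from the book or from Okta: a Python handler on the application side that applies a SCIM 2.0 PatchOp (RFC 7644) and rejects malformed requests without changing the account. The user store, identifier and request body are constructed for illustration, and only simple attribute paths with the `replace` operation are handled.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY = {"id", "schemas"}

def new_store():
    """Constructed sample data: one SCIM User held by the downstream application."""
    return {"2819c223": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "2819c223", "userName": "alice@example.com", "active": True}}

# Constructed PATCH body that deactivates a user (PatchOp, RFC 7644 section 3.5.2).
DEACTIVATE = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "replace", "value": {"active": False}}]})

def apply_patch(store, user_id, raw_body):
    """Apply a PatchOp to one user. Returns (http_status, resource or error)."""
    if user_id not in store:
        return 404, {"detail": "user not found"}
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return 400, {"scimType": "invalidSyntax"}
    schemas = body.get("schemas") if isinstance(body, dict) else None
    ops = body.get("Operations") if isinstance(body, dict) else None
    if not isinstance(schemas, list) or PATCH_SCHEMA not in schemas:
        return 400, {"scimType": "invalidSyntax"}
    if not isinstance(ops, list) or not ops:
        return 400, {"scimType": "invalidSyntax"}
    updated = dict(store[user_id])  # copy: a rejected request must change nothing
    for op in ops:
        if not isinstance(op, dict) or str(op.get("op", "")).lower() != "replace":
            return 400, {"scimType": "invalidValue"}  # only "replace" is handled here
        path, value = op.get("path"), op.get("value")
        if path is not None and not isinstance(path, str):
            return 400, {"scimType": "invalidPath"}
        # Without a path, the value is an object of attribute/new-value pairs.
        changes = value if path is None else {path: value}
        if not isinstance(changes, dict):
            return 400, {"scimType": "invalidValue"}
        for attr, new in changes.items():
            if attr in READ_ONLY:
                return 400, {"scimType": "mutability"}
            if attr == "active" and not isinstance(new, bool):
                return 400, {"scimType": "invalidValue"}  # "false" as text is ambiguous
            updated[attr] = new
    store[user_id] = updated
    return 200, updated
```

For offboarding, the property that matters is that a 200 response means the account really is inactive, and that any rejected request leaves the stored user exactly as it was.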

Provisioning rich profiles

Okta offers extensive capabilities for enriching user profiles during provisioning. One example of a feature that will help you is the Okta Expression Language. It is based on the Spring Expression Language (SpEL), with which you can transform and query objects at runtime. With Expression Language, you can make changes to attributes and reference them before storing them on the Okta user, or before sending them to an application for authentication or provisioning. There is a lot of information on this topic, and going through all of it is out of the scope of this book. What we will do is look at the most commonly used categories and examples of them. If you have any other needs within your organization, you can find more information here: https://developer.okta.com/docs/reference/okta-expression-language/. To be able to look into these topics, we need some basic knowledge. All users have an Okta profile, independent of how the user is mastered. In addition to that...

Setting up group rules

Group automation, or group rules, can be considered the best way to simplify administrators' work with Okta. Anything that requires setup and maintenance and is repetitive work can be automated with Okta's group rules.

Setting up group rules allows you to manage your workforce in bulk and allows you to manage the following:

  • The user directory
  • Application provisioning and single sign-on assignments
  • Security policy assignments
  • Directory and application group pushes

Because of the 360-degree view of a user in Okta, and its assigned groups, administrators can easily deliver quick setup, automation, remediation, and application management when using Okta groups. By allowing users to come in from different sources, and have their groups be added to Okta too, you can make sure the users are correctly assigned and managed by using Okta's group rules.

The strength lies in the simple options for the multitude of functions...

Setting up self-service options

Users have their personal dashboards to see and manage their applications. For applications integrated with SAML or OIDC, they are signed in automatically when they click on any of them. For SWA applications where admins have configured end users to enter their own credentials, users will be prompted to do so the first time they click on an icon. After they are logged in, Okta will ask whether the login was successful. If the answer is yes, the credentials will be stored. If not, the end user will be able to try again.

The end users can re-arrange their applications by simply clicking and dragging. To find applications quickly, you can arrange applications in different tabs or simply use the search bar at the top of the page.

With the Add Applications feature for end users, they are able to add private applications, or corporate-owned applications if this is enabled. Navigate to Applications | Self Service in the admin console. In the topmost...

Using workflow capabilities

The workflow capabilities within Okta span three areas: Inline Hooks, Event Hooks, and Automation. Each area offers different functionality and different options.

Inline Hooks

With Inline Hooks, you can call your own custom code with help from Okta's REST API. The outbound calls are triggered by events in your Okta process flows. Your custom code will be a web service with an internet-accessible endpoint. The service isn't hosted in Okta; it's hosted by you. Inline Hooks use synchronous calls, which means that the process that triggered the hook/outbound call is paused until it receives an answer from your service.

So how are these hooks added? Let's look at that.

Tip

Only super administrators can view and configure Inline Hooks.

Navigate to Workflow | Inline Hooks. Click Add Inline Hook and then select what kind you want to use:

  • SAML: Lets you modify assertions sent to SAML applications...

Using Okta Workflows

Okta Workflows is a GUI-driven, no-code automation tool that Okta released in 2019. Its large pool of functionality allows Okta to manage different aspects of the user life cycle more granularly. This differs considerably from the simpler automations we talked about in the previous section. Workflows allows you to incorporate dozens of applications, as well as your own functionality, as part of a workflow.

Important note

Workflows is part of the Advanced Life Cycle Management (ALCM) product from Okta and requires additional licensing. Not every Okta org will have these features.

Workflows can do a lot. Let's look at a few use cases:

  • The provisioning and deprovisioning of app accounts: Okta Workflows can automatically detect and act on newly added accounts. These newly joined employees with their Okta account will be assigned to the required applications, be granted the necessary entitlements, and even receive folder shares based...

Summary

In this chapter, we have pieced together things we've learned in previous chapters, and with that looked at how a complete user provisioning life cycle can work. We've looked at how using your HR system as a master brings extra power to your IT resources and reduces friction between HR and IT. We have gone through how you can work with mapping from different applications and directories, as well as an introduction to referencing and changing attributes with Expression Language. Further, we have looked at the capabilities within group automations, specifically for provisioning flows. Lastly, we have dived into how you can use different kinds of hooks to automate processes to and from Okta, as well as using Okta's new advanced features for Workflows. With this knowledge, you will be able to start your provisioning setup with ease. Secondly, you have gained knowledge about how to use Okta's automation to help your IT operations. Lastly, understanding the basics...
