🔁Okta Workflows Webhook Example

8/2023

Overview

Okta Workflows provide a flexible and extensible platform for orchestrating common operations within an Okta environment. Now with the new Oort Webhooks feature, you can combine the power of Oort identity analytics and Okta Workflow automation to accomplish numerous things.

This article provides a basic example of how to use Oort webhook destinations with Okta Workflows.

Assumptions

This article assumes the following:

General familiarity with the Okta Workflows platform
An Okta tenant capable of supporting the Workflows module (not a Developer tenant)
Additional downstream or adjacent platform integrations in Okta Workflows, such as Slack, Microsoft 365, ServiceNOW, etc.
Okta Super Admin role

High-Level Design

This example traces the following design:

Creation of an API Endpoint in Okta Workflow for ingesting Oort notification events
Parsing of the JSON event message, including event type, criticality, and list of users failing
Invoking a For Each function for each user listed in the notification, which invokes a Helper flow to evaluate specific logic and perform certain actions
Sending a Slack message with the output of the failed check notification

Import Pre-Configured Workflows

Oort has exported the Okta Workflows for this example, which can then be imported into your Workflow console for review and testing.

82KB

Oort Workflow demo_2023.09.14.folder

Configuration Steps

Create a new flow and provide a suitable name for it
Add a new event type of API Endpoint
Select Expose as Webhook and copy the Invoke URL and Client Token. These will be used in the Oort configuration.
Next add an API Connector - Close action.
Set the status code value to 200. Because the workflow is async and may take time, this will return a value to Oort and allow the action to close on the Oort side.
Next add a JSON Parse action, using the Body from the API endpoint as input. Structure the output fields as shown below. If using the Test Connectivity action in Oort to test the API endpoint and workflow, the specific event message sent will be:

{
  "version": "0",
  "id": "abf0607d-3856-b397-5138-0131ec1b63d7",
  "detail-type": "WebhookTest",
  "source": "11111111-2222-3333-4444-555555555555__66666666",
  "account": "000000000000",
  "time": "2023-08-08T13:27:22Z",
  "region": "us-east-2",
  "resources": [],
  "detail": {
    "id": "11111111-2222-3333-4444-555555555555",
    "checkId": "oort-test-check-id",
    "title": "OORT Failing Check Event Test",
    "description": [
      "description1",
      "description2"
    ],
    "recommendedActions": [
      "action1",
      "action2"
    ],
    "severity": "critical",
    "usersFailing": [
      "user1@example.com",
      "user2@example.com"
    ],
    "published": "2023-08-08T13:27:22.416Z"
  }

Add several List actions to convert the JSON strings to text, for later use in the workflow.

At this point, it's useful to Save this flow and create a 2nd flow of type Helper to execute specific actions for each failing user, referenced in the next step. See the Helper Flow section. This will act as a placeholder.
In this example, we want to invoke a Helper workflow named Demo - Dispatcher for each user listed in the check failure event message, so a For Each is added to do this. Note that the email address listed is specified as type ITEM.
Additional actions for the primary API flow are added at this point. This includes
1. Using Compose Test to create a message block with the Lists created in previous actions
2. Using the output of the Compose action to send a Slack message to a channel (requires a Slack app connector)

Helper Flow

The Demo - Dispatcher Helper flow reference above is constructed of the following:

The on-demand Helper flow that receives the input of the List - For Each action in the primary API flow
Okta Actions to
1. Read the Okta user ID based on the email provided
2. Revoke any existing sessions
3. Suspend the user

Oort Configuration

Using the API Endpoint Invoke URL and Client Token from above, create a Webhooksnotification target in your Oort tenant.

Note:

The auth method should be API Key
The API Key name will be x-api-client-token as described in Okta documentation
You can use the Test Connectivity function to trigger event messages to your webhook
When ready, make sure to enable the Webhook notification target in the specific Check or Checks you want to use it with. You can review this list in the Cisco Identity Insightssection.