Using Okta Workflows to Automate User Deprovisioning via Slack
Slack apps are a great way to integrate a variety of SaaS applications into its platform. Okta Workflows is no exception and works particularly well since it supports webhook triggers via its API Endpoint trigger card. We can setup flows using this to help automate the user lifecycle deprovisioning process to fill in the gaps that SCIM or other offboarding automations may not cover.
This guide will go over a basic setup on how this will work in your environment, but your specific use-case will have to be tailored by you and your team.
- Okta with Okta Workflows
- You will need super admin to create workflows
- Access to create Slack apps in your Slack environment
- I don’t believe you need a special SKU for Slack, but this setup was achieved on a Business+ plan
This is the flow chart for how the process is designed.
- Handle Command is the starter flow that handles a Slash Command from Slack.
- Approved Users Table is used to determine whether or not the calling user is privileged to use the tool.
- Kick Off Deprovisioning handles the offboarding tasks as well as button interactions from the user calling the command.
- Task Flow # are placeholders for actual tasks you’ll be using.
- When those tasks succeed or fail, the data is fed to Process Results which adds a flag to column in Offboarding Table, a database such as Workflows Tables, Google Sheets, Airtable, etc. It also pauses the flow if a task fails and creates payload information to loop back into Kick off Deprovisioning for button handling.
This is how the process would ideally look like from a user’s perspective
First, we will create the two main flows that we will be using to handle offboarding. Handle Command will handle the Slash Command, and Kick Off Deprovisioning will kick off the actual process as well as handle button actions during the process. If you want to be more organized you can split the button interactions into a third flow, but this guide will combine them into one.
- Go to workflows and create a new folder for offboarding. Create your first flow and label it “Handle Command”. This is one of two main flows you will need for the interaction.
- Create an event for the flow using the Slack “Slash Command” trigger
- You will need a connection setup for this beforehand. If you don’t have one, add it from the Connections menu on top
- “Save” the workflow. Make sure to save all data processed through the flow.
- On the event card hit the </> icon on the bottom shown below:
- Copy the webhook URL for use in the Slack setup later.
- Create a second flow for kicking off the flow and handling button interactions. Call this “Kick Off Deprovisioning” for now. In this flow use the “API Endpoint” event card
- For Security Level, use “Expose as Public Service”. Since we’ll be managing an approved users list in workflows this should be acceptable. Hit “close” and save the flow. Again, make sure to save all data processed in the flow.
- As with step 4, click on the </> icon at the bottom of the event card and copy the “invoke url” for user later during the Slack setup.
We will now create the Slack app responsible for user interaction for the tool.
- Start by creating a Slack app with an appropriate name, such as “Offboarding tool”. This app will primarily be used to handle event interactions between Slack and Okta Workflows and reporting in a selected Slack channel.
- Add collaborators if this is not a solo project.
- Go to the “Oauth & Permissions” section and add the bot token scopes for