Production release of Okta Workflows 2024.09.0 began deployment on September 17, 2024.
IP session restrictions for Okta Workflows is now a Generally Available feature in Production orgs
Okta super admins can now enable IP session restrictions for Okta Workflows.
This feature ensures that all Okta Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address of any request doesn’t match, the session is terminated and the admin must sign in again.
If you want to disable the feature, contact Okta Support.
Role-based access control is now available as an Early Access feature in Production orgs
Because Okta Workflows can make comprehensive changes both within Okta and in other connected SaaS apps, access to Workflows was restricted to Okta super admins. While this restriction enhanced the security of Okta Workflows, it limited the number of users, restricted the ability to scale the use of Okta Workflows, and reduced its overall value to customers.
With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.
To support this feature, three new admin roles are available:
- Workflows Administrator: For full-access administration within Okta Workflows only
- Workflows Auditor: For compliance management with read-only access
- Connection Manager: For securely handling accounts and credentials
RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.
To turn on this EA feature for your org, go to Settings > Features in the Admin Console and enable these options:
- Workflows Access Control
- Workflow Admin Role
- Workflows Provisioning
See Access Control.
The addition of the RBAC feature includes four new event types to record related actions in Okta Workflows:
- workflows.user.role.user.add
- workflows.user.role.user.remove
- workflows.user.role.group.add
- workflows.user.role.group.remove
See the Event Types API.
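For teams that monitor these events, the following added example (not Okta's code) replays the four RBAC event types from exported System Log records and reports which Workflows role grants are still in effect. The sample events are constructed, and the target layout (a User or UserGroup entry plus a role entry) and the names role_changes and standing_grants are assumptions made for illustration.

```python
# Event types named in the release notes, mapped to (principal kind, action).
ROLE_EVENTS = {
    "workflows.user.role.user.add": ("user", "add"),
    "workflows.user.role.user.remove": ("user", "remove"),
    "workflows.user.role.group.add": ("group", "add"),
    "workflows.user.role.group.remove": ("group", "remove"),
}
PRINCIPAL_TYPES = ("User", "UserGroup")  # assumed target types for the grantee

def _sample(ts, event_type, ptype, principal, role):
    # Constructed event; the target layout is an assumption for this example.
    return {"published": ts, "eventType": event_type, "actor": {"alternateId": "admin@example.com"},
            "target": [{"type": ptype, "alternateId": principal}, {"type": "Role", "displayName": role}]}

SAMPLE_EVENTS = [  # constructed, deliberately out of time order
    _sample("2024-09-18T09:00:00.000Z", "workflows.user.role.user.add", "User", "dev1@example.com", "Workflows Administrator"),
    _sample("2024-09-18T10:30:00.000Z", "workflows.user.role.user.add", "User", "ops2@example.com", "Connection Manager"),
    _sample("2024-09-18T09:05:00.000Z", "workflows.user.role.group.add", "UserGroup", "Audit Team", "Workflows Auditor"),
    _sample("2024-09-18T09:10:00.000Z", "user.session.start", "User", "dev1@example.com", ""),
    _sample("2024-09-18T10:00:00.000Z", "workflows.user.role.user.remove", "User", "dev1@example.com", "Workflows Administrator"),
]

def role_changes(events):
    """Normalize Workflows role grant/removal events, oldest first."""
    changes = []
    for ev in events:
        mapped = ROLE_EVENTS.get(ev.get("eventType"))
        if mapped is None:
            continue  # not one of the four RBAC event types
        targets = ev.get("target") or []
        who = next((t for t in targets if t.get("type") in PRINCIPAL_TYPES), {})
        role = next((t for t in targets if t.get("type") not in PRINCIPAL_TYPES), {})
        changes.append({"time": ev.get("published", ""), "scope": mapped[0], "action": mapped[1],
                        "principal": who.get("alternateId") or who.get("displayName", "?"),
                        "role": role.get("displayName", "?"),
                        "actor": (ev.get("actor") or {}).get("alternateId", "?")})
    return sorted(changes, key=lambda c: c["time"])

def standing_grants(changes):
    """Replay adds and removes in order; return grants still in effect."""
    held = {}
    for c in changes:
        key = (c["scope"], c["principal"], c["role"])
        if c["action"] == "add":
            held[key] = c
        else:
            held.pop(key, None)
    return held
```

Calling standing_grants(role_changes(events)) returns a dictionary keyed by (scope, principal, role), which can be compared against the list of people and groups approved to hold each Workflows role.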
Improvements to Workflows Connector Catalog
When selecting an event or an action card in Okta Workflows, the available connectors catalog has been updated with significant organizational and usability enhancements.
The interface can now display the following information for a connector:
- A detailed description
- Who made the connector
- The release version and when it was last updated
- Links to relevant user documentation and support contacts
Some fields may not be present for existing connectors.
To help you quickly find the connectors you need, they’re organized into three searchable sections: Connected apps, Okta apps, and All apps.
In addition, when an admin adds an event card to a flow, the updated card selection dialog now provides a better usability experience.
Context field added for ULID support
The output section for helper flows has a new wf_id field. The field tracks the Universally Unique Lexicographically Sortable Identifier (ULID) of the parent flow. The existing id output field remains as a reference to the parent flow’s id value.
Documentation improvement for Okta connector scopes
The OAuth 2.0 scopes for each event and action card in the Okta connector have been documented to indicate what specific scopes are required for individual cards.
See Scopes for Okta connector cards.
Update to Jamf Pro Classic API connector
The Send Computer MDM command card for the Jamf Pro Classic API connector has a new Lock Message input field so admins can include a message when performing a device lock action.
See Send Computer MDM Command.
Workflows throttling improvements
If Okta Workflows throttles a flow, the execution history now provides a dialog with more details. The dialog indicates if the throttling occurred due to problems at the flow, org, or execution level.
Also, if your org exceeds the allowed resource limits, Okta Workflows displays a banner to indicate that flow executions in your org have been either throttled or blocked.
System Log events added for flow and table changes
The workflows.user.flow.move and workflows.user.table.move events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.
Fixes in Okta Workflows
- There was a typographical error in the Group Privilege Revoked event card description of the Okta connector.
- In the Okta connector, the Excluded Users output field on the Read Group Rule card returned an array with an empty string rather than an empty array. This caused the list length to be 1 when it should have been 0.
- When reauthorizing an existing connection, the default or custom scope selections weren’t retained. Now when reauthorizing existing connections, the scopes are either set to the default scopes or retain any custom scope settings.
- The Region list used when authorizing an AWS Lambda connector was missing several AWS regions.
- When an org upgraded from the Okta Workflows Free Trial version to Unlimited Workflows, the free trial limit prevented flows from executing.
- For RBAC-enabled orgs, if you deleted an Okta user and then created a user with the same email or username, the new user couldn’t perform any actions in Okta Workflows.
- When an admin added an OAuth 2.0 authentication to a connector in Connector Builder, the Base URL, Authorize Path, Token Path, and Refresh Token Path fields wouldn’t accept URLs where an authorization parameter was used as part of the subdomain address. For example, https://{{auth.authorization_subdomain}}.workday.com/{{auth.tenant}}/authorize.