Sample workflow that is called by an API endpoint and populates the IP address into a pre-existing network zone (if needed)
addIpToBlocklistZone.flow (45.9 KB)
I can download the file but am unable to open the flow. How do I view the sample flow?
You will need to import the file into your workflows
I tried to import that into my WF console but it keeps on loading for a long time. Can you at least share the flow diagram so that I can get some idea?
Taking a screenshot is difficult since the flow has 22 cards (steps). Let's figure out why import is not working. What happens when you try to import? Can you try importing again?
Once I download the flow I try to import it in the workflow console... it keeps on loading again and never seems to be set. At the same time it doesn't throw me an error either. I am trying to create a delegated flow which allows the Help Desk admins to add IPs to the network zone.
Can you share a screenshot of how it looks? Can you build a sample flow, export it, and try to import it?
I wonder if there are errors in the browser console when you try to upload.
Good morning @maxkatz, this looks great! Thank you for creating this flow! I was curious if you could demo this flow, as I am hoping to use a delegated flow to enable our Help Desk to do the reverse of this, which is whitelist a ThreatInsight-blocked IP, but I am not sure how I would kick off this flow with a delegated flow. Any ideas would be greatly appreciated!
Andy
Hi @andy.dolinger, welcome to the forum!
Let me know if the How to Configure Delegated Workflows KB helps you run a delegated flow.
Thanks for the reply Max. I think we are going to run into some snags with permissions, as I don't see an Okta role that will allow granular permissions to update a Network Zone. Also, when testing the flow you shared I keep receiving a 403 error just querying the relative URL: /api/v1/zones. This is odd as my account is a super admin in Okta.
Hey Andy,
Try to make sure the Okta connection in Workflows you're using is authorized with that scope.
This article might be helpful; assuming that you've already granted the scope in the API Scopes tab of the Okta Workflows OAuth app in the Admin console, you might need to use the 'custom scopes' tab when you reauthorize or set up a new connection in Workflows.
Thanks so much for the suggestion Bryan. I granted the following scopes on the OAuth Workflows app: okta.networkZones.manage and okta.networkZones.read, and also configured the Okta Connection in Workflows to allow okta.networkZones.manage and okta.networkZones.read. I was able to read from Network Zones, however I was still unable to write to the Network Zone using Max's flow. Receiving this error: 'www-authenticate': 'Bearer authorization_uri="http://subdomain.com/oauth2/v1/authorize\', realm="http://subdomain.com", scope="okta.networkZones.manage", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/api/v1/zones/"",
Hi @andy.dolinger,
You set the scopes in the following two places, correct?
Also, the user authorizing the connection needs to have a Role with permissions (Super Admin or Org Admin): https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm#:~:text=sign-on%20policies.-,Org%20security,-Permission
Thanks for the update Max. I added both okta.networkZones.manage and okta.networkZones.read in the manual scope form and clicked Add, but I am not sure where they went. I then tried to update the network zone again in the workflow but still received the 403 error: 'www-authenticate': 'Bearer authorization_uri="http://lowerenvironment.com/oauth2/v1/authorize\', realm="http://lowerenvironment.com", scope="okta.networkZones.manage", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/api/v1/zones/"". I tried re-adding the scopes to the connection again but got the same error. I am still able to read, which is nice, but I'm not sure why I'm unable to write. Thanks for all your help!
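Two pieces of the logic discussed in this thread, as an added example rather than code from the shared .flow or from Okta: reading the required scope out of the 403 challenge quoted above, and the "populate the IP into the zone if needed" step from the original post, done as a pure function over the zone object so a PUT to /api/v1/zones/{id} is only issued when the gateway list actually changed. The header, zone id and host are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Constructed 403 challenge modelled on the one quoted in the thread (host is a placeholder).
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer authorization_uri="https://example.okta.com/oauth2/v1/authorize", '
    'realm="https://example.okta.com", scope="okta.networkZones.manage", '
    'error="insufficient_scope", '
    'error_description="The access token provided does not contain the required scopes.", '
    'resource="/api/v1/zones/"'
)

# Constructed IP zone in the shape GET /api/v1/zones returns (id is a placeholder).
SAMPLE_ZONE = {
    "id": "nzo_PLACEHOLDER",
    "type": "IP",
    "name": "Blocklist",
    "status": "ACTIVE",
    "gateways": [{"type": "CIDR", "value": "198.51.100.0/24"}],
    "proxies": None,
}


def parse_www_authenticate(header: str) -> Dict[str, str]:
    """Split a Bearer challenge into its key="value" parameters."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def missing_scope(header: str) -> str:
    """Scope the 403 says the token lacks, or '' if the failure is not a scope problem."""
    params = parse_www_authenticate(header)
    return params.get("scope", "") if params.get("error") == "insufficient_scope" else ""


def add_cidr_to_zone(zone: dict, ip: str) -> Tuple[dict, bool]:
    """Return (zone body to PUT, changed). A bare address becomes a /32 (or /128) CIDR;
    an address already covered by an existing CIDR gateway is left alone."""
    if zone.get("type") != "IP":
        raise ValueError("only IP zones carry a gateways list")
    new = ipaddress.ip_network(ip, strict=False)
    gateways = list(zone.get("gateways") or [])
    for gw in gateways:
        if gw.get("type") != "CIDR":  # RANGE entries are not compared here
            continue
        existing = ipaddress.ip_network(gw["value"], strict=False)
        if existing.version == new.version and new.subnet_of(existing):
            return zone, False
    gateways.append({"type": "CIDR", "value": str(new)})
    return {**zone, "gateways": gateways}, True
```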
I do not, hmm, maybe it's not saving the custom scopes.
I see the scopes at the top. Does it work now, or do you still get the same error? Can you share a screenshot of the scopes in the Okta Workflows OAuth app?
What you can also try, instead of reauthorizing an existing connection, is to create a new connection (don't forget to add the two scopes in Permissions).
Thanks for all the help Max. I have recreated the connection three times now and applied the custom scopes, but I still don't see a 'custom' scope in the list in the connector, even when building a new connection. Here's a screenshot of the OAuth Workflows app's scopes though: