Offboarding can be pretty difficult, and with all the apps in the cloud it just becomes a hard job to manage it all.
Luckily with tools like Okta and Bettercloud we can create all sorts of automated ways to offboard users and manage the end of their lifecycle in apps that have provisonable features.
One problem we have encountered, and what hasn't been solved, is a timed, or scheduled offboarding.
HR could sends out a scheduled offboarding message weeks in advance, and you as IT will have to set a calendar event just to remind yourself of this action.
With the following tips, i believe life can be better managed and less manual.
To consider, the following method requires an API token from Okta to do actions, information will be stored in tools that might not meet your security standards, please follow with caution.
Some preliminary steps:
- We need an API token with at least organizations rights from Okta, follow this how to create such a token
- We need a payed Zapier account to create a multistep zap (any other automation tool that supports the flow will suffice)
- A form tool that can be read by Zapier is preferred, we will be using GSuite forms and sheets
- A bettercloud account to manage offboarding steps and messaging
This method consists out of 4 independent sections; 1. submission, 2. scheduled timing, 3. triggering, 4 actions and messaging
Submission
The biggest issue is creating that piece of data to have other items in the flow trigger on. With the help of some simple data we can create this scheduled moment.
Google forms is a handy tool to simply create a form with some data. Because its integrated into Google sheets, we can directly dump form data into a sheet for later.
Because we need a few items to make sure the full workflow continues the minimal fields required are:
- A string field - UserID (Okta ID is preferred here)
- A date field - to set the a date on which everything targets starts from
- A time field - for when you want to target on a specifi moment, ie. 5pm/9am etc
- a dropdown field - to choose a time zone, this is particularly handy if you have an organization across the globe and need to take TZ into account for offboarding.
Make sure to setup your form in a way that suits your needs, especially in regards to sharing permission and submission rights.
The reason we are using the USERID in Okta is because, we need to have an ID to send along with the API. we can also do it with an email or other information, but that information stays in zapier and will be more readible than a string as the ID.
By clicking on the repsonse tab of the form, we can generate a sheet that will have the submission gathered. This will generate a a tab called Form responses 1 in the sheet.
This will be the place where we will connect to zapier.
Scheduled Timing
In zapier we are going to create a zap that will consist out of several steps.
Click on make a Zap! and search for google sheet as the trigger app. We want to trigger on a new row, so select the option New spreadsheet Row as the trigger.
Connect the correct account (preferably a service account to avoid disruptions in service) test, and continue.
Select the right spreadsheet and correct worksheet (Form responses 1) to connect Zapier to the sheet.
If you havent already created some dummy data, recommended is to do now, add some form submissions so Zapier can pull that in as data to test with.
Once you've selected the test data, we can add actions to the zap.
Click on the + add a step on the left side to add an actions and search for delay. Select Delay Until and click on Save + Continue.
In the required we set up the following sequence:
Date time TZ
these can be selected by the selector from your worksheet and should look something like this:
Set the second field How should we handle dates in the past to you own preference.
Click continue.
No click on Send Test to Delay by Zapier to test if the delay works.
If set up correctly the response will be set. The release_at response can show a different time, this is because Zapier translates the given timestamp to the account owners settings, see here for more details.
Once this is done, we can now set up the actual action to trigger the rest of the workflow.
In the zap click on + add a step and search for webhooks.
Once added, select the PUT option and continue
No we will be setting up the POST to Okta to add the user to a group for ofboarding triggering in Bettercloud.
-
URL field: add the base URL of your Okta, add the API string, add the group ID (the group on which Betterloud will trigger) and finally add the user ID from the worksheet
it will look like this:
https://<OKTA BASEURL>.okta.com/api/v1/groups/<GROUPID>/users/<USERID>
- Payload Type: set to Raw
- Data: leave blank
- Wrap Request In Array: set to No
- File: leave blank
- Unflatten: set to Yes
- Basic Auth: leave blank
-
Headers: add the following
-
Accept
application/json
Content-Type application/x-www-form-urlencoded
Authorization SSWS <OKTA_API_KEY>
-
click Continue
Click send test to Zapier
This should send your test user to the Okta group you defined.
Click Finish
Name your zap and turn it on, your sheduled method is up and running!
Triggering
Bettercloud and Okta work hand in hand to do alot of the heavy lifting when it comes to offboarding.
To make sure we do everything on the right moment, we want to trigger a workflow in Bettercloud. that will do a whole bunch of steps in the process. Thats why we move a user to a group without changing their status in Okta. We have Bettercloud do this at the moment we need to in the workflow.
Actions
Actions in Bettercoud can do alot, but based on it, we can make sure that offboarded users are managed in such a way that data is safe and management is done in a automated way.
creating a flow is personal and specific to your organization.