FlowRunner
Pricing
Theme

Connect AI agents to your Okta org. Agents manage users, groups, and group rules, assign applications and admin roles, run MFA and password help-desk flows, read the System Log, rotate credentials, and revoke sessions and OAuth grants.

1 trigger 276 actions available
On New System Log Event fires for a high-risk sign-in anomaly
Agent reads the actor, target user, client, and IP from the log event
Agent lists the user's admin roles, app assignments, and active OAuth grants
Agent confirms the event pattern matches a suspend-and-revoke policy
Suspend User, then Revoke All User Grants and Revoke All User Sessions in Okta
Slack message summarizes the containment action and affected access
Analyst confirms whether to escalate to full deactivation or reinstate the account

What This Integration Enables

Agents run the identity lifecycle as workflow steps rather than console clicks. On the provisioning side they create, activate, suspend, deactivate, and delete users, keep group membership current directly or through group rules that auto-assign by attribute, grant or revoke application access for a user or a whole group, and enroll or reset MFA factors for help-desk and security flows. On the governance side they read the System Log, audit and revoke a user's OAuth grants and refresh tokens, clear active sessions, and manage org security posture: sign-on and password policies with their rules, network zones, trusted origins, event and inline hooks, external identity providers, and custom OAuth authorization servers. Credential rotation is covered too: generate or clone SSO signing keys, manage CSRs, register OAuth client keys and secrets, and rotate authorization-server signing keys on a routine. The connector exposes the surface; the surrounding flow decides which changes an agent makes on its own and which ones wait for a person.

Without FlowRunner

Manual containment Suspending a compromised account means clicking through users, tokens, and sessions by hand under time pressure
Onboarding drift New hires get their groups, apps, and MFA set up inconsistently across help-desk tickets
Stale access OAuth grants and admin roles accumulate because nobody reviews them on a schedule

With FlowRunner

One-flow containment A single flow suspends the user, revokes grants and tokens, and clears sessions with an audit trail
Repeatable onboarding Create user, assign groups and apps, and enroll a factor run the same way every time
Scheduled recertification Access is listed and compared against expectation on a routine, with exceptions surfaced

Use Case Scenarios

Security-incident response from the System Log

The On New System Log Event trigger fires on a suspicious event, for example an impossible-travel sign-in. The agent reads the actor and target user, lists the user's admin roles and active OAuth grants for the record, then suspends the user, revokes all grants and refresh tokens, and clears every active session. It posts the containment summary to the security channel with [Slack](/integrations/slack). The account is contained in one flow instead of a scramble across several Okta screens while the session is still live.

Automated onboarding tied to a new-hire record

A new-hire record starts the flow. The agent creates the user, adds them to the right groups (or lets a group rule auto-assign them by department attribute), assigns their applications, and enrolls an MFA factor. The whole identity setup runs the same way for every hire, so the tenth new employee of the month gets the same access as the first, and the help desk stops reconstructing the checklist from memory.

Scheduled access recertification

On a recurring routine, the agent lists a user's admin roles, application assignments, and OAuth grants, compares them against an expected baseline, and flags anything unexpected. Access that should have been removed at a role change, or a lingering third-party grant, surfaces as an exception for review rather than sitting undiscovered until an audit finds it.

Human-in-Loop Highlight

Deprovisioning is the moment where an agent should stop and ask. When the System Log trigger surfaces a suspicious event, containment (suspend, revoke grants, clear sessions) is reversible and safe to run immediately. Full deactivation or deletion is not. So the agent takes the reversible containment steps on its own, then pauses before the irreversible one and asks the on-call analyst through Slack: "Suspended [user] and revoked their grants and sessions after [event type] from [IP]. Deactivate the account, or reinstate it if this was a legitimate sign-in?" The analyst answers in the channel and the flow resumes. The agent never deletes an identity on a guess, and it never leaves a compromised session open while it waits.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via Slack
Human decides
Agent resumes with decision

Agent Capabilities

24 actions

Users and Lifecycle

7
  • Create User Creates a user in the Okta org during onboarding.
  • Activate User Activates a staged user account.
  • Suspend User Suspends a user in response to a security event. Reversible, so agents can run it before a human confirms the next step.
  • Deactivate User Deactivates a user, blocking sign-in.
  • Unlock User Unlocks a locked-out user for the help desk.
  • Reset Password Resets a user's password. Pairs with recovery-question and forgot-password flows for self-service help desk.
  • Reset Factors Resets a user's enrolled MFA factors when a device is lost or a factor is compromised.

Groups and Group Rules

3
  • Add User to Group Adds a user to a group to apply its access.
  • Create Group Rule Creates a group rule that auto-assigns users by profile attribute, so membership stays current without manual edits.
  • Assign Group Owner Assigns an owner to a group for delegated administration.

Applications and Roles

3
  • Assign User to Application Grants a user access to an application.
  • Assign Group to Application Grants a whole group access to an application in one call.
  • Assign Role to User Assigns a standard admin role to a user for delegated administration.

MFA and Authenticators

2
  • Enroll Factor Enrolls an MFA factor for a user.
  • Create Authenticator Adds an MFA authenticator such as Duo or WebAuthn to the org.

System Log and Session Control

3
  • Get Logs Pulls System Log events for auditing, alerting, or reporting.
  • Revoke All User Grants Revokes all of a user's OAuth grants during incident containment.
  • Revoke All User Sessions Clears all of a user's active sign-in sessions during incident containment.

Policy and Posture

3
  • Create Network Zone Defines an IP or dynamic network zone for sign-on policy.
  • Create Trusted Origin Registers a CORS or redirect trusted origin for app security.
  • Update ThreatInsight Configuration Toggles ThreatInsight to enforce security posture from version-controlled definitions.

Identity Providers and Credential Rotation

3
  • Create Identity Provider Connects an external OIDC, SAML, or social identity provider.
  • Rotate Authorization Server Keys Rotates a custom authorization server's signing keys on a recurring routine.
  • Generate Application Key Generates an application SSO signing key for credential rotation. The connector exposes the full Okta management surface beyond these highlights, including inline and event hooks, profile schemas and mappings, behavior rules, user types, devices, linked objects, and application and identity-provider credential management.

Triggers

1 triggers

Event Triggers

1
  • On New System Log Event Polls the Okta System Log and fires when a new event is recorded. This is the real-time hook for security automation: a suspicious sign-in, an admin change, or a policy violation can start a containment flow the moment Okta logs it, rather than waiting for the next scheduled review.

Start building with Okta

$100 in credits. No card required. Connect in minutes.