Zoho ManageEngine Service Desk Plus Lifecycle Management with Okta Workflows

Setup Instructions

This document describes the configuration required to enable Okta Workflows to provision and deprovision users in ManageEngine ServiceDesk Plus as Requesters and Technicians.

Step 1 – Create Okta Groups

In your Okta tenant’s administration console, go to Directory > Groups and create the following groups:

  1. Requesters
  2. Technicians

These groups will be used to provision users to ManageEngine.

Step 2 – Create Profile Attributes

In your Okta tenant’s administration console, go to Directory > Profile Editor, open the default Okta profile, and add the following custom attributes:

  1. requester_id
  2. technician_id

These attributes will be used to store the respective IDs once the users are provisioned to ManageEngine.

Step 3 – Generate Authorization Code

Go to the Zoho API Console (https://api-console.zoho.com/), create a new Self Client with the scope SDPOnDemand.users.ALL, and set the time duration to 10 minutes.

The console will then generate an Authorization Code that will be valid for 10 minutes.

Also take note of the client id and client secret.

For more details, see the ManageEngine documentation here: https://www.manageengine.com/products/service-desk/sdpod-v3-api/getting-started/oauth-2.0.html#generate-access-token-and-refresh-token

Step 4 – Generate Refresh Token

Using an API client such as Postman, send a POST request to https://accounts.zoho.com/oauth/v2/token with the following x-www-form-urlencoded parameters:

  Name            Value
  code            The Authorization Code generated in Step 3
  grant_type      authorization_code
  client_id       The Client Id copied from Step 3
  client_secret   The Client Secret copied from Step 3
  redirect_uri    Any URL, e.g. https://www.zoho.com

If successful, the response will include an access_token and a refresh_token.
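
The Step 4 exchange can also be scripted instead of sent from Postman. The following is an added example, not part of the original guide or of any Okta or Zoho tooling: it builds the same form-encoded POST, rejects an error or incomplete reply, and writes the refresh token to an owner-only file rather than printing it. The function names, environment variable names and output file name are assumptions of this example.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://accounts.zoho.com/oauth/v2/token"  # endpoint from Step 4

def build_token_request(code, client_id, client_secret,
                        redirect_uri="https://www.zoho.com", endpoint=TOKEN_ENDPOINT):
    """Build (without sending) the Step 4 POST with its form-encoded parameters."""
    form = {
        "code": code,
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw):
    """Return (access_token, refresh_token); raise on an error or incomplete reply."""
    doc = json.loads(raw)
    if "error" in doc:  # assumption: failures arrive as an "error" field in the JSON
        raise ValueError("token endpoint returned error: %s" % doc["error"])
    missing = [k for k in ("access_token", "refresh_token") if not doc.get(k)]
    if missing:
        raise ValueError("response lacks " + ", ".join(missing))
    return doc["access_token"], doc["refresh_token"]

def save_secret(path, value):
    """Write a secret to a new owner-only (0600) file; refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value + "\n")

def main():
    # Hypothetical variable names: secrets come from the environment, not argv.
    req = build_token_request(os.environ["ZOHO_AUTH_CODE"],
                              os.environ["ZOHO_CLIENT_ID"],
                              os.environ["ZOHO_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        _access, refresh = parse_token_response(resp.read())
    save_secret("zoho_refresh_token.txt", refresh)  # hypothetical file name
    print("refresh token written to zoho_refresh_token.txt")

if __name__ == "__main__":
    main()
```

Delete the token file once the refresh token has been copied into the configuration table in Step 5.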

Step 5 – Configure Okta Workflows

Open the Workflows console, create a new folder, and import the workflows that you can download here. Then, under Tables, open the configuration table and add the following entries:

  Name            Value
  client_d        The Client Id copied from Step 3
  client_secret   The Client Secret copied from Step 3
  refresh_token   The refresh token generated in Step 4
  access_token    Leave blank (This is used to cache the access token)
  token_endpoint  https://accounts.zoho.com/oauth/v2/token or https://accounts.zoho.com.au/oauth/v2/token

Under Connectors, create an Okta Connector if one does not already exist. Also create an API Connector with an Auth Type of None.

Open each flow and ensure the respective Okta and API Connectors have been selected within the Okta and API cards.

Ensure each flow has been enabled.

Testing the Workflows

  1. Add a user to the Requesters group in Okta. The respective user will be created as a Requester in ServiceDesk.
  2. Remove the user from the Requesters group in Okta. The respective user will be removed as a Requester in ServiceDesk.
  3. Add a user to the Technicians group in Okta. The respective user will be created as a Technician in ServiceDesk.
  4. Remove the user from the Technicians group in Okta. The respective user will be removed as a Technician in ServiceDesk.

Appendix

Adding Additional Attributes

Additional values may need to be added to the ServiceDesk Requester or Technician profile. This is done by retrieving the additional attribute from the user’s Okta profile and adding it to the payload when creating a Requester or Technician. As an example, we will use “department”.

Step 1

Open the flow titled Create Requester or Create Technician and add an additional input parameter. Then map that parameter to the payload used to create the respective user.

Step 2

Open the flow titled User Added to Requester Group or User Added to Technician Group and update the card that reads the user’s Okta profile. Click on the cog icon in the bottom right corner and select Choose Fields. Then add the additional value by selecting the respective attribute and click Save.

Then map the additional value to the call to the helper flow.

Note that you will need to reselect the Helper Flow (Create Requester or Create Technician) before the additional input parameter appears.

Special Credits

Mark Smith (Okta Solution Engineer)