Okta enrolled factor verification tool for Helpdesk to reset password/factors using Okta workflows and Slack modal

Prerequisites:

  • Okta Workforce Identity Cloud tenant.
  • Okta Workflows console access.
  • Okta admin access to the Okta Admin Dashboard.
  • Slack workspace and admin access.

Problem statement:

Okta enables self-service password reset. This requires a high-assurance factor for verification. Sometimes users also need to reset factors, for which there is no self-service option.

When an end user calls the Helpdesk to reset their password or factors, the Helpdesk always requires the user to verify their enrolled Okta factors before resetting the password or factors. Today the admin console has no way to trigger a factor verification and validate that the user has verified their currently enrolled factors.

Solution:

In this example we will create a simple Helpdesk application inside Slack and make it interactive with Okta Workflows. The flows take the request from Slack, interact with the Okta admin APIs to issue the factor challenge and check the response, and return the JSON for the Slack modal. In this way you don’t need to grant console access or admin roles to any Helpdesk personnel; they can interact with the modal to complete this task.

In this example we only reset passwords after verifying the user’s enrolled factors in Okta. This can be further enhanced to perform additional factor resets as well, or it can be used purely as a tool to verify end users with their enrolled factors, with the reset tasks completed in the Okta admin console.

Setup:

This password reset verification use case is implemented with a total of 9 flows. The flows follow a naming convention that helps identify their purpose and also allows extensibility. Currently, this use case only covers a Helpdesk verifying a user using Okta factors; it can be extended to verify attributes as well.

The Request.01 flow is the “router” and orchestrates the exchange between Slack and Workflows.

The Util flows control the JWT token that tracks each request and are responsible for signing and verifying the signature of every request.

The getUser flow performs a search in Okta Universal Directory when the Helpdesk searches for a user.

The Request.interaction flows handle all the interactions during a Helpdesk request: the different modals displayed to the user, the notifications, etc.

Package Tables

The solution uses one table. The Variables table is used to store specific configuration information of the solution.
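The signing and verification done by the Util flows, together with the Slack Signing Secret kept in the Variables table, are what stop the public Acknowledgement webhook from accepting forged or replayed requests. The Python below is an added example, not code from the flopack, Okta or Slack: it implements Slack's documented v0 request signing check (HMAC-SHA256 over `v0:<timestamp>:<raw body>`, compared in constant time, with a five-minute freshness window) and a minimal version of the Request.01 router's callback_id dispatch. The sample signing secret, the `request_helpdesk` callback_id, the `build_sample_request` helper and the exact routing rules are assumptions; the header names and signing scheme are Slack's.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

SLACK_VERSION = "v0"
MAX_SKEW_SECONDS = 5 * 60  # reject requests whose timestamp is more than five minutes off (replay window)

# Constructed placeholder; the real value is the Signing Secret stored in the Variables table.
SAMPLE_SIGNING_SECRET = "0123456789abcdef0123456789abcdef"


def slack_signature(signing_secret, timestamp, raw_body):
    """Slack's v0 scheme: HMAC-SHA256 over 'v0:<timestamp>:<raw request body>', hex encoded."""
    base_string = f"{SLACK_VERSION}:{timestamp}:{raw_body}".encode("utf-8")
    digest = hmac.new(signing_secret.encode("utf-8"), base_string, hashlib.sha256).hexdigest()
    return f"{SLACK_VERSION}={digest}"


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Return True only for a fresh request whose signature matches.
    raw_body must be the exact body Slack sent; re-serialising a parsed payload breaks the HMAC."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    presented = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # replayed or badly skewed request
    expected = slack_signature(signing_secret, timestamp, raw_body)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def route_interaction(raw_body):
    """Mirror of the router's If/ElseIf: parse the form-encoded 'payload' field and pick a flow.
    Flow names are the ones in the flopack; routing on a 'request' callback_id prefix is an
    assumption because the write-up only shows the callback_id truncated."""
    form = parse_qs(raw_body)
    payload = json.loads(form["payload"][0])
    kind = payload.get("type")
    callback_id = payload.get("callback_id") or payload.get("view", {}).get("callback_id", "")
    if kind == "block_suggestion":
        return "getUser"  # user picker typing, served via message_menu_options_url
    if kind in ("shortcut", "block_actions", "view_submission") and callback_id.startswith("request"):
        return "Request.interaction.01.SlackBot.Form"
    return None


def handle_request(signing_secret, headers, raw_body, now=None):
    """Acknowledgement endpoint: authenticate first, route only afterwards."""
    if not verify_slack_request(signing_secret, headers, raw_body, now):
        return {"status": 401, "flow": None}
    return {"status": 200, "flow": route_interaction(raw_body)}


def build_sample_request(signing_secret, payload, timestamp):
    """Construct a signed request the way Slack would; used here only to exercise the check."""
    raw_body = urlencode({"payload": json.dumps(payload)})
    headers = {
        "X-Slack-Request-Timestamp": str(timestamp),
        "X-Slack-Signature": slack_signature(signing_secret, str(timestamp), raw_body),
    }
    return headers, raw_body


if __name__ == "__main__":
    hdrs, body = build_sample_request(
        SAMPLE_SIGNING_SECRET, {"type": "shortcut", "callback_id": "request_helpdesk"}, 1700000000)
    print(handle_request(SAMPLE_SIGNING_SECRET, hdrs, body, now=1700000005))        # routed
    print(handle_request(SAMPLE_SIGNING_SECRET, hdrs, body + "&x=1", now=1700000005))  # tampered body
    print(handle_request(SAMPLE_SIGNING_SECRET, hdrs, body, now=1700003600))        # stale timestamp
```

The order matters: the signature is checked over the raw body before anything is parsed, so a request that fails the check never reaches the routing logic or the Okta cards, and a stale timestamp is rejected even when its signature is valid.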

Step-by-step instructions

Importing the FLOWPACK

  1. Download the flopack from helpdesk verification flopack.
  2. Go to Okta Workflows and create a folder called Helpdesk Verification (or use your own naming convention) and upload the flopack.
  3. Once the upload is complete, you will see the following list.
  4. We need to configure “Request.00.SlackBot.Acknowledgement” as a public endpoint API. To do that, click the cog at the end of the flow.
  5. Click “API Endpoint Settings”.
  6. Confirm that the API Endpoint Settings show the flow exposed as a Webhook, and copy the Invoke URL. We will use it to set up the Slack app; this will be your request_url in Slack.
  7. Close the window.

Create the custom Slack application

  1. Log in to your Slack workspace, and navigate to https://api.slack.com/apps/.

Note: if you already have any applications, your screen will be different.

  2. Select the “From an app manifest” option and select your workspace.
  3. Now click on YAML and copy the contents from https://github.com/krishvenkatraman-okta/helpdeskverificationflow/blob/main/manifest.yml
  4. Edit the YAML and update the two URLs: request_url and message_menu_options_url.
  5. Now go to Okta Workflows. Open Request.00.SlackBot.Acknowledgement, click on API Endpoint Settings in the API card, copy the Invoke URL and put it in request_url.
  6. Similarly, open the getUser flow, copy the Invoke URL from its API Endpoint card and put it in message_menu_options_url.
  7. You can also change the name of the app to one of your choice; I have set it up as helpdesk.
  8. Review the summary and create the app.
  9. Now we need to install the app to the workspace. Scroll to the top of the page and click “Install to Workspace”.
  10. Review the information and select a channel for the Okta Requests app to post to. I’m using a private channel which only Helpdesk admins have access to. Once you are done, click “Allow”.
  11. To use a private channel, a Slack workspace administrator must invite the app to join the channel, otherwise the app won’t be able to send messages.
  12. Once the installation is complete, you will have access to the OAuth tokens. For the purpose of this demo we will be using the “Bot User OAuth Token”, so copy it for later use (you can always come back to this screen to copy the token).
  13. As mentioned previously, I’m using a private channel to receive the notifications, so I’ll go ahead and invite the app to the channel.

Configuring Okta Workflows

  1. Log in to your Okta tenant administration console and open the “Workflows console”.
  2. Click “Connections”.
  3. Click the button to create a new connection.
  4. Select HTTP from the list.
  5. For the new connection use “Slack – Okta Requests” as the connection nickname and for the auth type select “Custom”. Here we will use the Bot User OAuth Token that we copied in the Create the custom Slack application section.
    1. Header Name = Authorization
    2. Header Value = Bearer <Bot User OAuth Token>
      1. There is a space between Bearer and the actual token.
  6. Once you are done, click “Create”.
  7. To create an Okta connection, we restrict the scopes of the custom app to the following API access:
    1. okta.users.read
    2. okta.factors.read
    3. okta.factors.manage

8. Log in to the Okta admin console and create a group called Helpdesk, and add all Helpdesk users who need access to this group.

9. In the Okta admin console, create an app as below.

10. In the redirect URIs add the URL below, based on your Okta domain.

  1. Preview tenants: use https://oauth.workflows.oktapreview.com/oauth/okta/cb
  2. Prod tenants: use https://oauth.workflows.okta.com/oauth/okta/cb

11. In the assignments section skip the assignments and save the app. Then assign yourself to the app so that we can create the connection in Workflows.

12. Now follow the document below to create the connection. Note: in the second step, instead of using the Okta Workflows app, you will use the custom app’s OAuth credentials. Workflow connection to Okta

13. For the next steps, we need to associate the new “Slack – Okta Requests” connection with the HTTP cards and make sure the Okta cards have an Okta connection. The following flows need to be updated:

  1. Request.01.SlackBot.Router – HTTP
  2. Request.interaction.01.SlackBot.Form – HTTP and Okta
  3. Oktaverifyverification – Okta
  4. getUser – Okta

14. Select the folder where you imported the FLOWPACK.

15. Select Request.01.SlackBot.Router.

16. Scroll to the right until you see the “If/ElseIf” card.

17. From the “Edit Conditions” drop down, select the first “if callback_id == “request…””.

18. If an API connector connection already existed, all API connector cards were automatically associated with it when you imported the FLOWPACK. In that case, change the connection and select “Change All” when prompted. If you already have multiple custom API connections, you will need to select “Slack – Okta Requests”.

19. If not, you will see an icon on the HTTP card; click it.

20. Select the “Slack – Okta Requests”.

21. Now the “HTTP Post” card has a connection to your Slack App.

22. Now select the push from the if/else block and update the Okta connection to the card and similarly accept to change other connections as well.

23. Save your flow and go back to the flow list. (If prompted for a new name/description just click save to continue).

24. Now go through the flows below and update their connections. For every API connector card use “Slack – Okta Requests”, and for every Okta connector card use the Okta connection.

  1. Request.interaction.01.SlackBot.Form – HTTP and Okta
  2. Oktaverifyverification – Okta
  3. getUser – Okta

25. Go back to “Home”.

26. We need to update the “Variables” table. Click on the “Tables (2)” to change from the flow view to the tables view.

27. The flow uses one table: Variables.

28. Select the “Variables” table. We need to update the “Slack Signing Secret”.

29. The Slack Signing Secret is copied from your Slack Application. Go to https://api.slack.com/ and select your application. From the basic information section, copy the Signing Secret.

30. Paste the secret into the Slack Signing Secret column.

31. Also update the oktaTenant value to your Okta tenant URL, e.g. https://krish.oktapreview.com

32. Click Folder to go back to the tables view, and select Flows (9).

33. You are ready to activate all flows and perform your first test.

Testing the flow

  1. Log in to your Slack workspace.
  2. As a Helpdesk person, from any chat window type /Helpdesk; this will bring up the shortcut that we defined in our Slack app.
  3. Once you hit Enter, the modal should open.
  4. If you go to Okta Workflows and check the execution history of Request.01.SlackBot.Router, you should see the request that came in from the app and the JSON response for the modal that Okta Workflows returned.
  5. Now type the first three letters of the username in Okta. That should call the getUser flow, which returns the matching users from the tenant.
  6. Select the user and hit the listFactors button. This should list all the factors enrolled for the user to verify with.
  7. Click on any factor to verify.
