OVERVIEW
This blog is a continuation of the Okta Entitlements for Disconnected Applications post that I published previously. Some of the introductory content is duplicated to reinforce the basic concepts around Okta Identity Governance – Entitlement Management.
With the release of Okta Identity Governance, one of the newly released features is entitlements at the application level.
Entitlements provide a deeper level of represented access for Access Reviews, Access Certification Campaigns and Access Requests by representing the fine-grained access and licensing that a given user has in each of the applications they are assigned.
As of the writing of this article there are five key applications in the Okta Integration Network that support entitlements out of the box. A summary of the entitlement features of these applications is as follows:
| SAAS APPLICATION | ENTITLEMENTS |
|---|---|
| salesforce.com | Feature Licenses, Permission Sets, Profiles, Public Groups, Roles |
| Google Workspace | Licenses, Roles |
| Oracle NetSuite | Roles |
| box | Roles |
| Microsoft Office365 | Licenses, Roles |
This blog covers the dynamic creation of entitlement bundles using table data in Okta Workflows for applications that are not currently in the list above, or that are disconnected applications.
In the previous blog in this series we took a look at the dynamic creation of entitlements using table data and Okta Workflows in the Okta Entitlements for Disconnected Apps post.
In this post, we are going to look at creating entitlement bundles using table data and Okta Workflows, utilizing the existing entitlements for given applications. Note that this flow pack will work even if you manually created the entitlements and / or entitlement bundles using other means, such as the Okta administrator dashboard.
What are disconnected applications, you may ask? Disconnected applications can typically be summarized in two categories:
- Legacy Applications – Applications that do not have readily available APIs from which to pull entitlement data, or applications for which building such an interface is too costly or that will be retired soon.
- SaaS Applications – Unfortunately not all SaaS (Software as a Service) applications provide API or other support for automated provisioning and / or entitlement management. This can also include license management related data.
To summarize the relationship structure again for review, each application can have a series of entitlements and each of those entitlements can have one or more values. When I refer to “entitlement types”, think of that as the high level entitlement such as Licenses or Roles. When I refer to “entitlement values”, this refers to the actual possible values of the entitlement, such as Adobe Creative Cloud or Global Administrator.

Once entitlements are established for a given application, entitlement bundles can be created representing one or more of those entitlements. These bundles can contain one or more values from the same entitlement (if the entitlement supports multiple values) or values across entitlements. There are a couple of example screen shots below:

The updated flow pack can be downloaded below (as of January 2025). This version incorporates the latest API updates, so previous flow packs will no longer function correctly. We are continually making enhancements:
If you have not already done so, once you have downloaded the flow pack identityGovernanceEntitlements.folder file, in the Okta Workflows console:
- Create a new folder titled [IDENTITY GOVERNANCE] Entitlements.
- Import the identityGovernanceEntitlements.folder file you downloaded by selecting the three dots, then choose Import. From there you can select the location of the identityGovernanceEntitlements.folder and then the file.

The Dynamic Creation of Entitlement Bundles Using Table Data Okta Workflows flow pack consists of one major (delegated) workflow and four helper flows.

The individual flows, what they do in the flow pack and their relationship to the other flows are outlined below:
- [1.0] Process All Records – Dynamic Entitlement Bundle Creation – This is the main delegated Okta workflow that is used to process all of the active records in the Entitlement Bundles table. The process identifies each unique application in the table and then passes each one to the [1.1] Get Entitlement Bundles flow.
- [1.1] Get Entitlement Bundles – This flow is used to distill the individual entitlement bundles found in the Entitlement Bundles table for each unique application in the table and pass them on to be processed. The application being processed is passed in by the [1.0] Process All Records flow.
- [1.2] Process Entitlement Data – This flow iterates through each entitlement bundle found for the given application as passed by the [1.1] Get Entitlement Bundles flow. It then uses additional helper flows to build the JSON structure needed in the API call that actually creates the given entitlement bundle.
- [1.3] Get Entitlement Types Structure – This flow is used to process and return the entitlements structure for each entitlement type passed by the [1.2] Process Entitlement Data flow. The structure returned is created by a couple of other helper flows that formulate all the given entitlements for each entitlement type. This finished structure is then added to the overall entitlement bundle structure being accumulated in [1.2] Process Entitlement Data. The entitlements for a given type are built by the [1.4] Get Entitlements By Type Structure flow.
- [1.4] Get Entitlements By Type Structure – This flow is used to build and return a single entitlement structure JSON for each of the entitlements for a given entitlement type. This flow is utilized by the [1.3] Get Entitlement Types Structure flow.
- [4.0] Get Application Entitlement Structure – This flow is used to get the JSON structure of the current entitlements for a given application. This structure is then used to gather the information needed about the entitlements for that application when building the entitlement bundle JSON structure used to create the actual bundle. This helper flow is utilized in the [1.2] Process Entitlement Data flow.
PREREQUISITES
Before you run the flow pack to create the entitlement bundles for the applications specified in the Application Entitlements table, you will need to complete the following steps. If you have not already done so as part of the first blog in this series, “Okta Entitlements for Disconnected Apps”, do the following:
API Key:
You will need to create an API connector that uses an API key created in your Okta tenant. To do so you will first need to create an API Key. Be sure to capture the API Key somewhere secure, as you will need it for the connector.
To create the API Connector, add an API connector and choose Custom as the type. For the Header, type in Authorization. For the value, type in SSWS <API Key>, where <API Key> is the value you copied in the step above.

Okta Connector
Open each flow in the flow pack and, wherever there is an Okta connector card, select the Okta connector in your environment. If you have not created an Okta connector in your environment, you will need to create one.
In each flow that has an API Connector card you will need to select the API connector that you created in the step above.
Okta Applications
You will need to populate the Application Entitlements table with the desired applications, entitlement types and individual entitlements. This flow pack is capable of processing entitlements for multiple applications inside your Okta tenant.
As a reminder the applications will need to already exist in your Okta tenant as well as for each application have the Identity Governance – Governance Engine enabled.

Currently the following application types support the Governance Engine:
- SWA (OIN): Secure Web Authentication applications in the Okta Integration Network. Custom SWA applications are not supported at this time.
- SAML: Applications that support SAML authentication
- WS-Federation: Applications that support WS-Federation authentication
- OpenID Connect: Applications that support OpenID Connect
Initialization Variables
You will need to run the [HELPER] Initialize Global Variables flow to establish the global variables used by the various flows inside the overall flow pack.

As of the writing of this blog, there are no prebuilt cards for many of the entitlement management APIs. Additionally, the Okta Connector – Custom API card is not authorized to call many of the entitlement management APIs. Thus there is currently a need to use the Raw Request API card. To use this card, the Okta tenant base URL is needed. The [HELPER] Initialize Global Variables flow builds that base URL from the inputs to the flow and stores it in the Global Variables table.
This flow can be found at the root of the overall flow pack in the [IDENTITY GOVERNANCE] Entitlements folder.

The inputs are OktaSubdomain and OktaEnvironment. These two parts can be found in your Okta tenant URL when you log in to the Okta end-user dashboard: the Okta subdomain comes first and the Okta environment second (ex. https://<oktasubdomain>.okta.com or https://<oktasubdomain>.oktapreview.com). Simply open the flow, click the Run button, provide the two input values and click the Run button on the input dialog.


NOTE: This blog assumes that you have already either followed the Data Driven Entitlements Creation flow pack instructions in my Okta Entitlements for Disconnected Apps blog or created the desired entitlements using the Okta Admin Dashboard. In short, the entitlements to be included in the entitlement bundles you define here must already exist for the application(s) you specify for this flow pack.
USING THE FLOW PACK
For the example in this blog, I am using the Adobe Okta Integration Network application as my sample application. Once you have all of the prerequisites completed, let's populate our table for this flow pack with some data, shall we?
The table in question is the Entitlements Bundles table contained under the Data Driven Entitlements Bundle Creation folder.

Tables in the Data Driven Entitlements Creation flow pack folder.

One of those tables is the Entitlement Bundles table. This is where we will define the desired entitlement bundles. You will need to populate the Entitlement Bundles table with the desired applications, entitlement bundles (with description) and the associated entitlements for those bundles. You will need to include an entitlement type for each associated entitlement as well (ex. Entitlement Type: Licenses, Entitlement Name: Adobe Creative Cloud).
To upload the sample data, open the Entitlement Bundles table, then choose Import, where you can select the file (entitlementBundles.csv) that you just downloaded.

This flow pack is capable of processing entitlement bundles for multiple applications inside your Okta tenant.
The columns in this table are as follows:
| COLUMN NAME | COLUMN DESCRIPTION | EXAMPLE |
|---|---|---|
| Application Name | The name of an application that exists in your Okta tenant. This needs to have the Identity Governance engine enabled to make the entitlements structure available to that application. See the image below for enabling the Okta Identity Governance – engine for a given application. In this example it is the Adobe Secure Web Authentication app in the Okta Integration Network. | Adobe |
| Entitlement Bundle Name | This is the actual name you wish to give a specified entitlement bundle as it will be shown to the end user. | Adobe Pro Bundle |
| Entitlement Bundle Description | This should be a detailed description for the entitlement bundle you are creating so that it is clear what the entitlement bundle is for / grants to the end user(s) | Dreamweaver |
| Entitlement Type | This is the entitlement type for the given entitlement you wish to add to the entitlement bundle. This must match an existing entitlement already defined in the entitlement structure for that given application. An example would be Licenses. | Licenses |
| Entitlement Name | This is the actual name of the individual entitlement (values) that will be associated with the specified entitlement type. This must match an existing entitlement value already defined in the entitlement structure for that given entitlement type and given application. Examples might be Premium Business License, Global Administrator. | Dreamweaver license for the Adobe suite |
| Processed | This flag indicates whether the given record has already been processed. Once processed the value will automatically be set to true. To reprocess the record you will need to change the value to false. | false |
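To make the validation the flow pack performs concrete, here is an added example (not part of the flow pack or of Okta's own code) that reads rows shaped like the Entitlement Bundles table above, picks the unprocessed records the way [1.0] Process All Records does, groups them per application and bundle as flows [1.1] to [1.4] do, and checks each entitlement type and value against the entitlements that already exist for the application, which is the prerequisite stated in the NOTE above and what [4.0] Get Application Entitlement Structure retrieves from the tenant. It also shows the base URL built from OktaSubdomain and OktaEnvironment and the Authorization: SSWS header the API connector is configured with. The CSV rows and the EXISTING_ENTITLEMENTS map are constructed sample data, and the payload shape produced by build_bundle_payload() is illustrative only; it is not the Okta Identity Governance API schema, which the Raw Request card in the flow pack supplies.

```python
"""Added example: validate Entitlement Bundles table rows and build a bundle
structure. Sample data and the payload shape are constructed for illustration
and are NOT the Okta Identity Governance API schema."""
import csv
import io
from collections import defaultdict

# Constructed sample of the Entitlement Bundles table (same columns as above).
SAMPLE_CSV = """Application Name,Entitlement Bundle Name,Entitlement Bundle Description,Entitlement Type,Entitlement Name,Processed
Adobe,Adobe Pro Bundle,Pro creative tools,Licenses,Dreamweaver,false
Adobe,Adobe Pro Bundle,Pro creative tools,Licenses,Photoshop,false
Adobe,Adobe Pro Bundle,Pro creative tools,Roles,Editor,false
Adobe,Adobe Admin Bundle,Admin access,Roles,Global Administrator,true
Adobe,Adobe Broken Bundle,Missing value,Licenses,Illustrator,false
"""

# Constructed stand-in for what [4.0] Get Application Entitlement Structure
# returns: application -> entitlement type -> values that already exist.
EXISTING_ENTITLEMENTS = {
    "Adobe": {
        "Licenses": {"Dreamweaver", "Photoshop"},
        "Roles": {"Editor", "Global Administrator"},
    }
}


def okta_base_url(subdomain: str, environment: str) -> str:
    """Build the tenant base URL from the two [HELPER] Initialize Global
    Variables inputs (https://<OktaSubdomain>.<OktaEnvironment>.com)."""
    # Only the two environments named in the post are accepted here.
    if environment not in ("okta", "oktapreview"):
        raise ValueError(f"unexpected Okta environment: {environment}")
    return f"https://{subdomain}.{environment}.com"


def auth_headers(api_key: str) -> dict:
    """The header the custom API connector is configured with. The key is
    placed in the header only and never logged or printed."""
    return {"Authorization": f"SSWS {api_key}", "Accept": "application/json"}


def load_unprocessed_rows(csv_text: str) -> list:
    """Keep only rows whose Processed flag is not true, the records that
    [1.0] Process All Records treats as active."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return [r for r in rows if r["Processed"].strip().lower() != "true"]


def unique_applications(rows: list) -> list:
    """The distinct applications [1.0] hands to [1.1], one at a time."""
    return sorted({r["Application Name"] for r in rows})


def group_bundles(rows: list) -> dict:
    """application -> bundle name -> {description, entitlements: type -> [values]}"""
    bundles = defaultdict(dict)
    for r in rows:
        app, name = r["Application Name"], r["Entitlement Bundle Name"]
        bundle = bundles[app].setdefault(
            name, {"description": r["Entitlement Bundle Description"],
                   "entitlements": defaultdict(list)})
        bundle["entitlements"][r["Entitlement Type"]].append(r["Entitlement Name"])
    return bundles


def validate_bundle(app: str, name: str, bundle: dict, existing: dict) -> list:
    """Return Error Report style entries (Flow, Description) for every
    entitlement type or value that does not already exist for the app."""
    errors = []
    types = existing.get(app, {})
    for etype, values in bundle["entitlements"].items():
        if etype not in types:
            errors.append({"Flow": "[1.3] Get Entitlement Types Structure",
                           "Description": f"{app}/{name}: type '{etype}' does not exist"})
            continue
        for value in values:
            if value not in types[etype]:
                errors.append({"Flow": "[1.4] Get Entitlements By Type Structure",
                               "Description": f"{app}/{name}: '{etype}' has no value '{value}'"})
    return errors


def build_bundle_payload(app: str, name: str, bundle: dict) -> dict:
    """Illustrative bundle structure (constructed shape, not the Okta schema)."""
    return {
        "application": app,
        "name": name,
        "description": bundle["description"],
        "entitlements": [{"type": t, "values": sorted(v)}
                         for t, v in sorted(bundle["entitlements"].items())],
    }


def process_table(csv_text: str, existing: dict) -> tuple:
    """Return (payloads to send, error report rows); a bundle with any
    missing entitlement is reported instead of being created."""
    payloads, errors = [], []
    for app, bundles in group_bundles(load_unprocessed_rows(csv_text)).items():
        for name, bundle in bundles.items():
            errs = validate_bundle(app, name, bundle, existing)
            (errors.extend(errs) if errs
             else payloads.append(build_bundle_payload(app, name, bundle)))
    return payloads, errors
```

Running process_table(SAMPLE_CSV, EXISTING_ENTITLEMENTS) yields one payload (Adobe Pro Bundle) and one error report row, because the Illustrator license in the last row does not exist for the Adobe application; the already processed Adobe Admin Bundle row is skipped entirely, matching the Processed flag behaviour described in the table.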
Once the Applications Entitlements page has been populated and all of the workflows mentioned above have been enabled…

You will simply open the [1.0] Process All Records workflow and click on the Run button.

You will then be presented with the following prompts. The only one that you need to set, if desired, is “Clear Error Report Table”. If you want to clear previous entries from the Error Report table, set that value to True.

Then click Run Test.
Once completed, you will see a green checkmark on the For Each – Ignore Errors card in the flow, as shown below.

Now you can go to the various applications in your Okta tenant that you specified in the Entitlement Bundles table and you will see the entitlement bundles dynamically created from the data in the table.

If you do not see the desired results, open the Error Report table to find out which flows had errors and the nature of the error(s).
Error Report Table – This table is used to track any error conditions that occur while processing the records in the Application Entitlements table.
The columns in this table are:
- Flow: The name of the flow in which the error condition occurred.
- Description: The detailed description of the error condition that occurred.

You can also execute the [1.0] Process All Records flow using the Delegated Flows option on the Okta Admin Dashboard, as shown below.

Congratulations! You have now completed the creation of entitlements for the given application(s) with the entitlements you specified.
In the next post you will see how to dynamically assign entitlement bundles from the entitlement bundles that you just created.
Note: The original flow pack was authored by Marc Miller. Updates have been made by Jennifer Saylor and Ajay Seetharam.
