Account Access Integration - Okta

Moveworks' Account Access skill gives employees secure, self-service ways to resolve their login issues, and it can be integrated with Okta to do so.

Okta

Unlock Account

By polling your organization’s Okta system every 30 seconds to check for account lockout events, Moveworks can unlock a user’s Okta account for them.

Configuration options

  • Check for Lockout Frequency: By default, Moveworks checks for locked out users every 30 seconds. The amount of time between checks for locked out users can be configured (e.g. every 60 seconds, every 90 seconds, etc.).
  • Account Lockout Notifications: Users will be notified of an account lockout at most four times a day, with a six-hour gap between each notification message. Users can configure the number of messages users receive about account lockouts over a period of time, and the period of time is also configurable. Users can also configure the gap between each account lockout message.

Behind the Scenes

Moveworks communicates with Okta’s API over HTTPS to securely request account operations. For the most up-to-date information on Okta’s API, see Okta’s online documentation.

How does Moveworks identify locked out accounts?

Moveworks queries Okta’s System Log API for lockout events every 30 seconds, using the following search criteria:

eventType eq "user.account.lock" or eventType eq "user.session.start" and outcome.reason eq "LOCKED_OUT"
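
How the filter above and the default notification limits (at most four messages a day, six hours apart) could be applied to System Log events, as an added example that is not Moveworks' own code. It assumes `and` binds tighter than `or` in the filter and that an event's `actor` is the locked-out user; `is_lockout` and `users_to_notify` are hypothetical helpers, and the events are constructed.

```python
from datetime import datetime, timedelta

MAX_PER_DAY = 4                 # page default: at most four notifications a day
MIN_GAP = timedelta(hours=6)    # page default: six-hour gap between messages

def is_lockout(event):
    """The page's filter, read as A or (B and C) (assumed precedence)."""
    etype = event.get("eventType")
    reason = (event.get("outcome") or {}).get("reason")
    return etype == "user.account.lock" or (
        etype == "user.session.start" and reason == "LOCKED_OUT")

def users_to_notify(events, history):
    """Return user ids to notify; history maps user id -> sent timestamps."""
    notify = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if not is_lockout(ev):
            continue
        uid = ev["actor"]["id"]          # assumption: actor is the locked-out user
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        sent = history.setdefault(uid, [])
        recent = [t for t in sent if when - t < timedelta(days=1)]
        if len(recent) >= MAX_PER_DAY or (sent and when - sent[-1] < MIN_GAP):
            continue                     # throttled: cap reached or gap too short
        sent.append(when)
        notify.append(uid)
    return notify

# Constructed sample events (not real log data); user ids are placeholders.
SAMPLE = [
    {"eventType": "user.account.lock", "published": "2024-01-01T08:00:00.000Z",
     "outcome": {"result": "FAILURE", "reason": "LOCKED_OUT"}, "actor": {"id": "00u_alice"}},
    {"eventType": "user.session.start", "published": "2024-01-01T08:00:30.000Z",
     "outcome": {"result": "FAILURE", "reason": "LOCKED_OUT"}, "actor": {"id": "00u_alice"}},
    {"eventType": "user.session.start", "published": "2024-01-01T08:01:00.000Z",
     "outcome": {"result": "SUCCESS", "reason": None}, "actor": {"id": "00u_bob"}},
    {"eventType": "user.session.start", "published": "2024-01-01T14:00:30.000Z",
     "outcome": {"result": "FAILURE", "reason": "LOCKED_OUT"}, "actor": {"id": "00u_alice"}},
    {"eventType": "user.session.start", "published": "2024-01-01T09:00:00.000Z",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"id": "00u_carol"}},
]

if __name__ == "__main__":
    print(users_to_notify(SAMPLE, {}))
```

The two events 30 seconds apart for the same user produce one notification, which is why duplicate matches from the two halves of the filter do not spam the user.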

How does Moveworks unlock accounts?

The bot unlocks a user’s account with a LOCKED_OUT status and returns them to ACTIVE status by using the following API call: POST /api/v1/users/${userId}/lifecycle/unlock

Once unlocked, the user will be able to log back into Okta with their existing password.

Password Reset

If a user forgets their password, the Moveworks bot can help them reset it by providing a single-use link to the Okta forgot password portal. The actual password change happens in your organization’s ITSM system, so any existing security policies defined in Okta will apply.

Behind the Scenes

Moveworks uses the “Reset Password” method of the Okta Users API to generate a one-time use link to the Okta Reset Password portal, where the user can change their Okta password.

MFA Reset

When employees ask the bot to reset their Okta Verify MFA factors, Moveworks will initiate an Okta reset by removing all factors associated with the user. Once the factors are removed, Moveworks will link the user to your organization’s Okta portal, where the user can log in. Once users log in, they will be prompted to set up a new MFA factor within Okta.

Configuration options

The Moveworks bot can be configured in one of two ways for the MFA Reset functionality:

  1. Allow the user to reset all factors in one step.
  2. Allow the user to choose which factor to reset. In this case, when the user clicks Yes, reset MFA, they will be given a list of their factors to choose from.

Behind the Scenes

Moveworks resets an employee’s Okta MFA by using the following API call: /users/{request.user_id}/lifecycle/reset_factors