Account Access Integration - Okta

The Moveworks Account Access skill enables end users to resolve their login issues in a secure, self-service way via Okta.

Okta

Unlock Account

If enabled, this feature continuously polls your organization’s Okta system to check for account lockout events. In response to a lockout event, Moveworks initiates a process to unlock the user’s Okta account.

Configuration options

  • Frequency of Lockout Checks: By default, Moveworks checks (polls) Okta for locked out users every 30 seconds. This cadence can be customized (e.g. every 60 seconds) by Moveworks on request.
  • Frequency of Account Lockout Notifications: Users are notified of an account lockout a maximum of four times a day, with a notification every six hours sent to the user via your organization's chat surface(s). The frequency of notifications (e.g. 4 reach outs per day) is also customizable.

Behind the Scenes

Moveworks communicates with Okta’s API over HTTPS to securely request account operations. For the most up-to-date information on Okta’s API, see Okta’s online documentation.

How does Moveworks identify locked out accounts?

Moveworks queries Okta’s System Log API for lockout events every 30 seconds, using the following search criteria:

eventType eq "user.account.lock" or eventType eq "user.session.start" and outcome.reason eq "LOCKED_OUT"

How does Moveworks unlock accounts?

The bot unlocks a user’s account with a LOCKED_OUT status and returns them to ACTIVE status by using the following API call: POST /api/v1/users/${userId}/lifecycle/unlock

Once unlocked, the user will be able to log back into Okta with their existing password.
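The poll-and-unlock flow described above, sketched as an added example (not Moveworks' own code). The org URL, the helper names, the sample events, the reading of `and` as binding tighter than `or`, and the choice of `actor.id` as the locked-out user are assumptions made for illustration.

```python
from urllib.parse import quote, urlencode

# Search criteria exactly as quoted on this page.
LOCKOUT_FILTER = ('eventType eq "user.account.lock" or eventType eq '
                  '"user.session.start" and outcome.reason eq "LOCKED_OUT"')

def logs_url(org_url, since_iso):
    """System Log query for lockout events from since_iso onward."""
    params = {"filter": LOCKOUT_FILTER, "since": since_iso}
    return f"{org_url}/api/v1/logs?{urlencode(params, quote_via=quote)}"

def is_lockout(event):
    """Local mirror of the filter; assumes `and` binds tighter than `or`."""
    etype = event.get("eventType")
    reason = (event.get("outcome") or {}).get("reason")
    return etype == "user.account.lock" or (
        etype == "user.session.start" and reason == "LOCKED_OUT")

def unlock_paths(events, seen_uuids):
    """One unlock path per locked-out user; events already seen are skipped."""
    paths = []
    for ev in events:
        if ev["uuid"] in seen_uuids or not is_lockout(ev):
            continue
        seen_uuids.add(ev["uuid"])
        user_id = ev["actor"]["id"]  # assumption: actor is the locked-out user
        if not (user_id.isascii() and user_id.isalnum()):
            continue  # never place an unexpected value into a URL path
        path = f"/api/v1/users/{user_id}/lifecycle/unlock"
        if path not in paths:
            paths.append(path)
    return paths

def _ev(uuid, etype, reason, user_id):
    return {"uuid": uuid, "eventType": etype,
            "outcome": {"reason": reason}, "actor": {"id": user_id}}

# Constructed sample events, as two overlapping 30-second polls might return them.
POLL_1 = [
    _ev("c-1", "user.account.lock", "LOCKED_OUT", "00uCONSTRUCTED0001"),
    _ev("c-2", "user.session.start", "LOCKED_OUT", "00uCONSTRUCTED0001"),
    _ev("c-3", "user.session.start", None, "00uCONSTRUCTED0002"),
]
POLL_2 = [
    _ev("c-2", "user.session.start", "LOCKED_OUT", "00uCONSTRUCTED0001"),
    _ev("c-4", "user.account.lock", "LOCKED_OUT", "00uCONSTRUCTED0003"),
    _ev("c-5", "user.account.lock", "LOCKED_OUT", "not/an-id"),
]
```

Tracking event `uuid` values across polls keeps an overlapping query window from triggering a second unlock or notification for the same lockout.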

Password Reset

If a user forgets their password, the Moveworks bot can help them reset it by providing a single-use link to the Okta forgot password portal. The actual password change happens in your organization’s ITSM system, so any existing security policies defined in Okta will apply.

Behind the Scenes

Moveworks uses the “Reset Password” method of the Okta Users API to generate a one-time use link to the Okta Reset Password portal, where the user can change their Okta password.

MFA Reset

When employees ask the bot to reset their Okta Verify MFA factors, Moveworks will initiate an Okta reset by removing all factors associated with the user. Once the factors are removed, Moveworks will link the user to your organization’s Okta portal, where the user can log in. Once users log in, they will be prompted to set up a new MFA factor within Okta.

Configuration options

The Moveworks bot can be configured in one of two ways for the MFA Reset functionality:

  1. Allow the user to reset all factors in one step.
  2. Allow the user to choose which factor to reset. In this case, when the user clicks Yes, reset MFA, they will be given a list of their factors to choose from.

Behind the Scenes

Moveworks resets an employee’s Okta MFA by using the following API call: /users/{request.user_id}/lifecycle/reset_factors