This tutorial is a walk-through of one of the most common use cases in Okta: provisioning a user to Salesforce. After you turn on this flow, you can create a complete Salesforce user profile simply by assigning a user to the Salesforce app in Okta. The flow is triggered when you make either an individual or a group assignment.
- If the user does not exist in Salesforce, the flow creates the Salesforce user, assigning a profile and feature licenses.
- If the user is already active in Salesforce, the flow ends.
- If the user is inactive in Salesforce, the flow re-activates the user.
After the flow runs successfully, the user is created in Salesforce with the correct entitlements. The user can then log into Salesforce by launching the Salesforce chiclet on their dashboard.
By the end of this tutorial, you will understand how to set up a flow for your org, how to edit that flow to add a notification, and how to trigger the flow and read the results.
Before You Begin
- Create an Okta user profile. The user must have a first name, last name, email address, and department (Sales, Marketing, or Operations). These attributes are case-sensitive.
- Configure a Salesforce application in Okta. If you do not have a Salesforce account, set up a Developer account here. For this template, we recommend that you disable Provisioning (the application is only used for Sign-On).
- Authorize your Okta connection and your Salesforce connection.
Access the Flow
In Admin Console, navigate to Workflow → Workflows Console. On the Home tab of Okta Workflows, select [Salesforce] Create User in Salesforce (Basic).
How the Template Works
The Flow Chart is a high-level view of the template. Each icon represents an event, an action, or a function.
User Assigned to Application
The event card is User Assigned to Application. This means that the flow is triggered whenever a user is assigned to the designated application in Okta. If you’ve already connected your Okta accounts, click Choose Connection and select the one you want to use. If you haven’t connected an account, click New Connection and follow the authorization steps here.
Whenever this flow is triggered, the event card will generate the following values as output:
- ID: unique identifier for the AppUser, Okta User, or AppInstance
- Alternate ID: userName for the AppUser or Okta User, or the customizable AppInstance name for an Application
- Display Name: name of the AppUser or Okta User, or the default application name for an Application
- Type: User, AppUser or AppInstance
For details, refer to the Okta connector document.
The first action card is Search Users. If you’ve already connected your Salesforce accounts, click Choose Connection and select the one you want to use. If you haven’t connected an account, click New Connection and follow the authorization steps here.
The output of the event card is used to search users in Salesforce. The AppUser’s Alternate ID is mapped from the Okta event card to the Username input field on the Salesforce card. If the user is found in Salesforce, their Salesforce User ID and Is Active? status will appear in the Result fields.
Read User > Lookup > Lookup > Create User
This branch of the flow is part of the If/Else function. If the User ID is null in the Search Users card, the user does not exist in Salesforce.
- The Read User card fetches the entire Okta User output.
- The first Lookup card checks the user’s department and assigns a Salesforce profile. You can change the mapping and edit the assignments, but remember that in an Okta profile, Department is case sensitive.
- The second Lookup card assigns Salesforce feature licenses. You can change the mapping and edit the assignments, but remember that in an Okta profile, Department is case sensitive.
- The Create User card generates a new Salesforce user ID based on the Read User output (First Name, Last Name, Username, and Email) and the Lookup output (Profile and Feature Licenses).
Continue If > Activate User
This branch of the flow is part of the If/Else function. If the User ID is not null in the Search Users card, the user already exists in Salesforce. The flow then determines whether the user is active.
- If the Is Active? field is False, the flow continues to the Activate User card.
- If the Is Active? field is True, the flow generates an output message of User was found active.
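To make the two branches concrete, here is an added example (not Okta's or Salesforce's code) that models the template's decision logic against a constructed in-memory Salesforce. The department-to-profile and department-to-licenses tables and the FakeSalesforce class are assumptions standing in for the Lookup and connector cards; the example also shows what the case-sensitivity note means in practice: a department of "sales" never resolves a profile, so Create User is never reached.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed lookup tables standing in for the two Lookup cards. Keys match the Okta
# Department attribute exactly, so "Sales" resolves but "sales" does not (case-sensitive).
PROFILE_BY_DEPARTMENT = {"Sales": "Profile-Sales", "Marketing": "Profile-Marketing",
                         "Operations": "Profile-Operations"}
LICENSES_BY_DEPARTMENT = {"Sales": ["License-CRM"], "Marketing": ["License-Marketing"],
                          "Operations": []}

@dataclass
class SalesforceUser:
    user_id: str
    username: str
    is_active: bool
    profile: str
    feature_licenses: list

class FakeSalesforce:  # in-memory stand-in for the Salesforce connector cards (constructed)
    def __init__(self) -> None:
        self.users = {}  # username -> SalesforceUser

    def search_user(self, username: str) -> Optional[SalesforceUser]:
        # Search Users card: the record (User ID, Is Active?) or nothing if absent
        return self.users.get(username)

    def create_user(self, username: str, profile: str, licenses: list) -> SalesforceUser:
        user = SalesforceUser(f"SF-{len(self.users) + 1}", username, True, profile, list(licenses))
        self.users[username] = user
        return user

    def activate_user(self, user_id: str) -> None:
        # Activate User card: flips Is Active? back to True for an existing record
        for user in self.users.values():
            if user.user_id == user_id:
                user.is_active = True

def on_user_assigned(okta_user: dict, sf: FakeSalesforce) -> str:
    """Mirror the template's If/Else: Search Users -> Create User | Activate User | end."""
    found = sf.search_user(okta_user["login"])  # Okta Alternate ID -> Salesforce Username
    if found is None:  # User ID is null: the user does not exist in Salesforce
        dept = okta_user["department"]
        profile = PROFILE_BY_DEPARTMENT.get(dept)
        if profile is None:  # Lookup returned nothing; do not create a user with no profile
            return f"lookup failed: unknown department {dept!r}"
        sf.create_user(okta_user["login"], profile, LICENSES_BY_DEPARTMENT[dept])
        return "created"
    if not found.is_active:  # Continue If: Is Active? is False
        sf.activate_user(found.user_id)
        return "activated"
    return "User was found active"
```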
Trigger the Flow in Okta
Now that you understand how the flow works, let’s see it in action. In this task, you’re going to manually assign a user to Salesforce, either by individual or group assignment. You’ll need to navigate between your Workflows Console, your Okta Admin Console, and your Salesforce tenant, so be sure that you have completed the steps in Before You Begin.
- In the Workflows Console, toggle the Flow is OFF button to ON. If you haven’t saved your flow yet, you are prompted to name and save it. Note: Registration of the event webhook may take up to 60 seconds, so wait a minute before assigning a user.
- In the Admin Console, assign a user to Salesforce individually or through group assignment. The flow is triggered automatically when that assignment occurs.
- Return to the Workflows Console and open Flow History. Select the executed flow to see its results.
- Navigate to your Salesforce tenant and confirm that the user was created.
Customize the Flow
Customizing a flow with your own actions is a core feature of the Okta Workflows platform. Customers tell us that adding notifications is a common use case in identity flows. Using that as an example, here are some operations that will help you understand the customization features of Okta Workflows.
Let’s modify a flow so that a notification is sent after the user is created. We’ll use Gmail for this example, but you can substitute Slack or O365 in the steps that follow.
- In your Shared folder, hover over the Date Created column of the Create User in Salesforce flow, and then click Duplicate.
- Select the duplicate flow (appended with the word COPY), and change its name to Create User in Salesforce and Send Notification.
- After naming and describing your new flow, check the box to retain history for this flow.
- Scroll right to the Create User card in the If/Else branch. Click the Add Another menu (inside the If/Else branch), and then select App Action.
- In the Applications menu, select Gmail.
- In the Gmail Actions menu, select Send Email.
- In the New Connection window, verify your Gmail account, and then click Create. If your connection is no longer active, click the Gear icon and select Reauthorize.
- Test the new Send Email card. Enter your email address, a subject, and a test message, and then click the card’s Test icon.
Now, let’s add a real message that requires input from a previous field.
- In the Add Another menu, select Function.
- In the Functions menu, select Compose.
- Drag the Compose card to the left, and position it between the Create User (Salesforce) and Send Email (Gmail) cards.
- In the Compose card, enter the following message: The workflow for the user with userName of [input userName] was completed.
- Drag the Okta User Alternate ID from the User Assigned to Salesforce event card into the Compose card. When you see it in the message body, drag it into the [input userName] field and remove the brackets.
- Drag the output of the Compose card to the Body input field of the Send Email card.
Test Your Custom Flow
Now, let’s save and test the flow.
- Turn on your new flow. Remember to wait 60 seconds for the webhook to register.
- In Okta, assign a user to Salesforce.
- Check your email to see if the flow sent a notification.
- Open Flow History to check the execution. If there was an error, review the details and make changes.
That’s it! You’ve successfully configured and edited a template flow.