OKTA – ZPA Automation for User Deactivation


TABLE OF CONTENTS

OKTA Deactivate User Account through Automation

Adding Automation Rule

Create an Automation for Deactivating Inactive Users > 60 Days

Add Condition for the Rule

Further Define the Condition Based on Group

Define the Perform/Action to Be Done

Add/Enable ZPA Timeout Policy

Administration > Policy Management > Timeout Policy

ZPA Re-Authentication Sample/Steps to Re-Login


OKTA Deactivate User Account through Automation

Adding Automation Rule

First, open the automation rules through the Workflow tab: “Workflow > Automation > [+] Add Automation”.


Create an Automation for Deactivating Inactive Users > 60 Days

Here you specify the user, group or department this rule applies to, and define the duration and the action for the automation. As requested for this guide, we will target users who have been inactive for 60 days, meaning no authentication has reached Okta in that period.

  1. Enter the Description/Name for the Rule
  2. Click on Save

Add the Schedule for the Condition

  1. The rule can run daily or once. In this case we choose Daily so the check is automated.
  2. Define the time at which the scan/trigger runs each day (or at each manual trigger).

Add Condition for the Rule

Here we define the trigger or condition of the rule.


  1. Click on “+ Add Condition” to define the condition or trigger.
  2. Select the condition type; in this case select “User inactivity in Okta”.
  3. Enter the duration (number of inactive days) that triggers the condition.
  4. Click on Save.


Further Define the Condition Based on Group

If no group or filter is defined, the rule applies to every user in the directory. Therefore, as requested, we will scope it to a specific group of users in the directory.

  1. Click on the pen icon (“Edit”).
  2. Add the group under “Assign to”. The selected group will appear.
  3. Click on Save.


Define the Perform/Action to Be Done

We now need to add the action that runs when the condition matches.

  1. Select “Add Action”.

Here we define the action to be taken.


  1. Select “Change user lifecycle state in Okta”.
  2. Select “Deactivate” (in our case).
  3. Click on “Save”.
  4. Activate the rule.

Add/Enable ZPA Timeout Policy

For Okta to detect whether a user is active or inactive, we also need a ZPA timeout: once a user has logged in to ZPA, they are not required to authenticate to Okta again unless a timeout policy forces it. With a timeout policy in place, the user is sent back through Okta to authenticate within the period defined in this ZPA timeout policy, so an active ZPA user keeps generating Okta logins.

Administration > Policy Management > Timeout Policy

  1. Give the rule a name.
  2. Add the rule.
  3. Define the timeout duration after which the user must re-authenticate. Your timeout must be shorter than 60 days (the inactivity period defined in Okta). It is recommended to leave a buffer of several days so that users have a chance to re-login before the Okta rule fires, sized according to how often they use ZPA.
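Before activating the Okta rule, it is useful to preview which users the “User inactivity in Okta” condition would match and to check that the ZPA timeout leaves the buffer described above. The script below is an added example, not part of this guide or of Okta/ZPA; it works on constructed user records in the shape of Okta’s user objects (id, status, lastLogin, profile.login), and the 7-day buffer and the manual-review handling of users with no lastLogin are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of Okta user objects.
# The logins and timestamps are illustrative; none of these users exist.
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE", "lastLogin": "2024-01-05T08:00:00.000Z",
     "profile": {"login": "alice@example.com"}},
    {"id": "u2", "status": "ACTIVE", "lastLogin": "2024-03-20T08:00:00.000Z",
     "profile": {"login": "bob@example.com"}},
    {"id": "u3", "status": "ACTIVE", "lastLogin": None,
     "profile": {"login": "carol@example.com"}},
    {"id": "u4", "status": "DEPROVISIONED", "lastLogin": "2023-11-01T08:00:00.000Z",
     "profile": {"login": "dave@example.com"}},
]

# Constructed "today" so the preview is reproducible offline.
REFERENCE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_okta_ts(value):
    """Okta timestamps look like 2024-01-05T08:00:00.000Z; return an aware datetime or None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def inactive_users(users, now, inactive_days=60):
    """Preview the users the inactivity condition would match: ACTIVE users whose
    last login is older than inactive_days. Users who never logged in (lastLogin
    null) are returned separately for manual review (assumption, not Okta behaviour)."""
    cutoff = now - timedelta(days=inactive_days)
    matched, never_logged_in = [], []
    for u in users:
        if u.get("status") != "ACTIVE":
            continue  # already deactivated/suspended users are not candidates
        last = parse_okta_ts(u.get("lastLogin"))
        if last is None:
            never_logged_in.append(u["profile"]["login"])
        elif last < cutoff:
            matched.append(u["profile"]["login"])
    return matched, never_logged_in


def zpa_timeout_is_consistent(zpa_timeout_days, okta_inactive_days=60, buffer_days=7):
    """The ZPA re-authentication timeout must be shorter than the Okta inactivity
    window by at least buffer_days, so active users re-authenticate before the rule fires."""
    return 0 < zpa_timeout_days <= okta_inactive_days - buffer_days


if __name__ == "__main__":
    hit, review = inactive_users(SAMPLE_USERS, REFERENCE_NOW)
    print("would be deactivated:", hit)          # ['alice@example.com']
    print("never logged in, review manually:", review)  # ['carol@example.com']
    print("ZPA timeout 30 days OK:", zpa_timeout_is_consistent(30))  # True
    print("ZPA timeout 60 days OK:", zpa_timeout_is_consistent(60))  # False
```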


Add Criteria for Re-authentication

After adding the timeout duration to the rule, we add criteria to define which group it applies to.

  1. Select “+ Criteria”.
  2. Select “SAML & SCIM Attributes”. This filters the criteria based on the Okta attributes.

  1. Select “+ Select IdP”.
  2. Select your IdP name.

  1. Select “+ Select SAML and SCIM Criteria”.
  2. Select “SAML Attribute”.


  1. Select the attribute to filter on.
  2. Select the group attribute (in our case).
  3. Set the name to the group used in the Okta condition, so the two match.
  4. Save.


ZPA Re-Authentication Sample/Steps to Re-Login

The re-authentication timeout policy is triggered when a user tries to access an internal application after the period defined in the timeout policy has elapsed.

As shown, when an application becomes inaccessible the user will notice that ZPA has actually signed them off, and they are required to re-authenticate. If the user fails to do so, their Okta account will be deactivated after 60 days.