OKTA – ZPA
TABLE OF CONTENT
OKTA Deactivate User Account through Automation
Adding Automation Rule
First , Access the Automation Rule through “ Workflow tabs > Automation > [+]Add Automation”
Create an Automation for Deactivating inactive user > 60 days
Here it required to specify the User, Group or Department for this specific Rule. Also, Define the duration and action for the automation. As based on the request in this guide, we will be adding 60 days of inactive user which did not have any authentication process that reach okta.
- Enter the Description/Name for the Rule
- Click on Save
Add The Schedule for the Condition
- We have the option for run daily/Once. In this case we choose Daily for automation purposes
- Define the time for the scan/trigger to start working every days/every manual triggger
Add Condition for the Rule
Here we define the trigger or condition of the rule.
- Click on “+ Add Condition” to define the condition or the trigger
- Select the Condition type , in this case select “ User inactivity in Okta”
- Duration/targeted trigger condition days
- Click on Save
Further Define the Condition based on Group
If the group or filter are not defined it will be applied to generally all user existed in the directory. Therefore, based on the request we will define this to a Group of User in the directory.
- Click on the Pen icons “Edit”
- Add the group under “Assign to”. The specific group will appear
- Click on Save”
Define the Perform/ Action to be done
We will need to add an action for the condition response.
- Select “ Add Action”
Over here we can define the action to be taken.
- Select “Change user lifecycle state in Okta”
- Select “Deactivate” in our cases
- Click on “Save”
Activate the Rule
Add/Enable ZPA Timeout Policy
In Order for Okta to detect that the user are active or inactive, we need to add another timeout as once user logged in to ZPA they will not require to authenticate Okta again if there is no timeout Policy. So by adding this, the user will go through Okta to authenticate within a period of time that we defined in this ZPA timeout Policy.
Administration > Policy Management > Timeout Policy
- Give the Rule a name
- Add Rule
- Define the Duration for the Timeout for user to re-authenticate. Your Time our must be <60 days (which defined in the Okta). Recommended to leave some period of buffer days for user to have the chance to re-login based on the usage amount.
Add Criteria for Re-authentication
After Added the timeout duration for the rule we can add the criteria to further define which group to bee applied to.
- Select “+Criteria”
- Select “SAML & SCIM Attributes”. This will filter the criteria based on the OKTA attribute
- Select “+Select Idp”
- Select Your IDP name
- Select “+ Select SAML and SCIM Criteria”
- Select “SAML Attribute
- Select the Attribute to filter
- Select Group Attribute in our case
- Add the Name to be the group that applied to match with Okta condition
ZPA Re-Authentication Sample/Step to Re-Login
The timeout policy for re-authentication will be trigger if user tried to access an internal application far passed the defined in Timeout policy.
As you can see, If the Application is not accessible user may notice their ZPA is actually signed Off. Therefore, user are required to Re-Authenticate. Also, If the user failed to do so, after 60 days their Okta Account will be Deactivated.