Okta · Arazzo Workflow

Okta Offboard User and Clear Sessions

Version 1.0.0

Suspend a user and clear all of their active sessions.

1 workflow 1 source API 1 provider

Provider

okta

Workflows

offboard-user-clear-sessions
Suspend a user and clear their active sessions.
Suspends the user and then clears all of their sessions, optionally revoking OAuth tokens too.
2 steps; inputs: oauthTokens, oktaApiToken, userId; outputs: userId

1. suspendUser (operation: suspendUser): Suspend the user so they can no longer authenticate.
2. clearSessions (operation: clearUserSessions): Clear all of the user's active sessions, signing out every authenticated device.

Source API Descriptions

Arazzo Workflow Specification

okta-offboard-user-clear-sessions-workflow.yml
arazzo: 1.0.1
info:
  title: Okta Offboard User and Clear Sessions
  summary: Suspend a user and clear all of their active sessions.
  description: >-
    Locks a user out immediately during offboarding. The workflow suspends the
    user so they can no longer sign in, then clears all of the user's existing
    sessions so any already authenticated devices are signed out at once. The
    user id is supplied once and reused across both steps. Every step spells out
    its request inline, including the SSWS API token header, so the flow can be
    read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: oktaApi
  url: ../openapi/okta-openapi-original.yml
  type: openapi
workflows:
- workflowId: offboard-user-clear-sessions
  summary: Suspend a user and clear their active sessions.
  description: >-
    Suspends the user and then clears all of their sessions, optionally revoking
    OAuth tokens too.
  inputs:
    type: object
    required:
    - oktaApiToken
    - userId
    properties:
      oktaApiToken:
        type: string
        description: Okta API token used for the SSWS Authorization header.
      userId:
        type: string
        description: The id of the user to suspend and sign out everywhere.
      oauthTokens:
        type: boolean
        description: Whether to also revoke the user's OAuth refresh and access tokens.
  steps:
  - stepId: suspendUser
    description: >-
      Suspend the user so they can no longer authenticate.
    operationId: suspendUser
    parameters:
    - name: Authorization
      in: header
      # Arazzo expands an expression embedded in a string only inside {}.
      value: SSWS {$inputs.oktaApiToken}
    - name: userId
      in: path
      value: $inputs.userId
    successCriteria:
    - condition: $statusCode == 200
  - stepId: clearSessions
    description: >-
      Clear all of the user's active sessions, signing out every authenticated
      device.
    operationId: clearUserSessions
    parameters:
    - name: Authorization
      in: header
      # Arazzo expands an expression embedded in a string only inside {}.
      value: SSWS {$inputs.oktaApiToken}
    - name: userId
      in: path
      value: $inputs.userId
    - name: oauthTokens
      in: query
      value: $inputs.oauthTokens
    successCriteria:
    - condition: $statusCode == 204
  outputs:
    userId: $inputs.userId
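
The two steps above as an added Python example (not part of the Okta workflow or its repository): it builds both requests, applies each step's successCriteria, and stops at the first failure, so a failed suspend is reported with sessions left uncleared. The HTTP methods and paths are assumptions taken from Okta's public Users API, since the page names only operationIds; `build_requests`, `run_offboarding`, the `send` hook and the `org.example` host are hypothetical.

```python
from urllib.parse import quote

# Assumption: method and path per operationId come from Okta's public Users
# API; the workflow on this page names only the operationIds and status codes.
STEPS = [
    ("suspendUser", "POST", "/api/v1/users/{userId}/lifecycle/suspend", 200),
    ("clearSessions", "DELETE", "/api/v1/users/{userId}/sessions", 204),
]


def build_requests(base_url, api_token, user_id, oauth_tokens=None):
    """Return the workflow's two requests, in order (hypothetical helper)."""
    uid = quote(user_id, safe="")  # keep the id inside a single path segment
    headers = {"Authorization": f"SSWS {api_token}"}
    reqs = []
    for step_id, method, path, expected in STEPS:
        url = base_url.rstrip("/") + path.format(userId=uid)
        if step_id == "clearSessions" and oauth_tokens is not None:
            url += "?oauthTokens=" + ("true" if oauth_tokens else "false")
        reqs.append({"stepId": step_id, "method": method, "url": url,
                     "headers": headers, "expected": expected})
    return reqs


def run_offboarding(base_url, api_token, user_id, send, oauth_tokens=None):
    """Run both steps; stop at the first unmet successCriteria.

    send(method, url, headers) -> HTTP status code is a hypothetical
    transport hook, so the flow can be exercised without a live tenant.
    """
    steps = []
    for req in build_requests(base_url, api_token, user_id, oauth_tokens):
        status = send(req["method"], req["url"], req["headers"])
        steps.append({"stepId": req["stepId"], "status": status,
                      "ok": status == req["expected"]})
        if not steps[-1]["ok"]:
            break  # a failed suspend means sessions were NOT cleared
    done = len(steps) == len(STEPS) and all(s["ok"] for s in steps)
    return {"userId": user_id, "completed": done, "steps": steps}


if __name__ == "__main__":
    # Constructed stub transport: reports success for both calls.
    def stub(method, url, headers):
        print(method, url)  # the token-bearing headers are never printed
        return 200 if method == "POST" else 204

    print(run_offboarding("https://org.example", "PLACEHOLDER", "00uEXAMPLE",
                          stub, oauth_tokens=True))
```

A caller should treat `completed: False` after `suspendUser` as an open offboarding item, because any sessions the user already holds remain valid until the second step succeeds.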