Okta · Arazzo Workflow

Okta Onboard User to Group and Application

Version 1.0.0

Create a user, add them to a group, then assign them to an application.

1 workflow · 1 source API · 1 provider

Tags: Identity, Workforce Identity, Customer Identity, Authentication, Authorization, Single Sign-On, Multi-Factor Authentication, Identity Governance, Privileged Access, AI Agents, Cross-App Access, MCP, Platform, Arazzo, Workflows

Provider

okta

Workflows

onboard-user-to-group-and-app
Create an Okta user and grant them group and application access.
Creates and activates a user, adds the user to an existing group, and assigns the user to an application instance, chaining the new user id through each step.
3 steps
inputs: appId, email, firstName, groupId, lastName, login, oktaApiToken, password
outputs: appUserId, userId

1. createUser (operation: createUser)
   Create and immediately activate a new user with the supplied profile and optional credentials.
2. addUserToGroup (operation: addUserToGroup)
   Add the newly created user to the existing group so they inherit the group's assigned applications and roles.
3. assignUserToApp (operation: assignUserToApplication)
   Assign the user to the target application for SSO and provisioning, seeding the app-specific profile with the user id.

Source API Descriptions

Arazzo Workflow Specification

okta-onboard-user-to-group-and-app-workflow.yml
arazzo: 1.0.1
info:
  title: Okta Onboard User to Group and Application
  summary: Create a user, add them to a group, then assign them to an application.
  description: >-
    The canonical Okta identity onboarding flow. This workflow creates a new
    user in the Okta organization, adds that newly created user to an existing
    group so they inherit the group's access, and finally assigns the user to a
    target application for single sign-on and provisioning. Every step spells
    out its request inline, including the SSWS API token header, so the flow can
    be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: oktaApi
  url: ../openapi/okta-openapi-original.yml
  type: openapi
workflows:
- workflowId: onboard-user-to-group-and-app
  summary: Create an Okta user and grant them group and application access.
  description: >-
    Creates and activates a user, adds the user to an existing group, and
    assigns the user to an application instance, chaining the new user id
    through each step.
  inputs:
    type: object
    required:
    - oktaApiToken
    - login
    - email
    - firstName
    - lastName
    - groupId
    - appId
    properties:
      oktaApiToken:
        type: string
        description: Okta API token used for the SSWS Authorization header.
      login:
        type: string
        description: The unique login (username) for the new user.
      email:
        type: string
        description: The primary email address for the new user.
      firstName:
        type: string
        description: The given name for the new user.
      lastName:
        type: string
        description: The family name for the new user.
      password:
        type: string
        description: Optional plaintext password to set on the new user.
      groupId:
        type: string
        description: The id of the existing group to add the user to.
      appId:
        type: string
        description: The id of the application to assign the user to.
  steps:
  - stepId: createUser
    description: >-
      Create and immediately activate a new user with the supplied profile and
      optional credentials.
    operationId: createUser
    parameters:
    - name: Authorization
      in: header
      # A runtime expression embedded in a string must be wrapped in {} to be evaluated.
      value: SSWS {$inputs.oktaApiToken}
    - name: activate
      in: query
      value: true
    requestBody:
      contentType: application/json
      payload:
        profile:
          login: $inputs.login
          email: $inputs.email
          firstName: $inputs.firstName
          lastName: $inputs.lastName
        # password is not in the required inputs, but this block references it unconditionally.
        credentials:
          password:
            value: $inputs.password
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      status: $response.body#/status
  - stepId: addUserToGroup
    description: >-
      Add the newly created user to the existing group so they inherit the
      group's assigned applications and roles.
    operationId: addUserToGroup
    parameters:
    - name: Authorization
      in: header
      value: SSWS {$inputs.oktaApiToken}
    - name: groupId
      in: path
      value: $inputs.groupId
    - name: userId
      in: path
      value: $steps.createUser.outputs.userId
    successCriteria:
    - condition: $statusCode == 204
  - stepId: assignUserToApp
    description: >-
      Assign the user to the target application for SSO and provisioning,
      seeding the app-specific profile with the user id.
    operationId: assignUserToApplication
    parameters:
    - name: Authorization
      in: header
      value: SSWS {$inputs.oktaApiToken}
    - name: appId
      in: path
      value: $inputs.appId
    requestBody:
      contentType: application/json
      payload:
        id: $steps.createUser.outputs.userId
        scope: USER
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      appUserId: $response.body#/id
      appUserStatus: $response.body#/status
  outputs:
    userId: $steps.createUser.outputs.userId
    appUserId: $steps.assignUserToApp.outputs.appUserId