Oktane19: Automate Onboarding & Offboarding from Any System of Record
Transcript
Details
Arvil Nagpal: My name's Arvil Nagpal. I feel like this is a little bit of a weird juxtaposition after Viola Davis' great speech, which is very inspirational. We're gonna be talkin' about IT automations, so it's a little bit of a different track here. I feel like you guys are all here for this part of the conference though, so, thank you for coming. In case you're lost, this is really about automating onboarding and offboarding from any system of record. We're gonna be talking about HR systems, we're gonna be talking about directories, so, yup.
Arvil Nagpal: I am here actually co-presenting today with Cameron Boote. Cameron is a Senior Applications Administrator with Veterans United Home Loans and he's gonna be talking about the real world applications for all the product marketing I'm gonna be doing here around what it means to implement it, why it could be valu ... He'll be talking about what it means to actually deploy UltiPro as a master, so, super excited for him to be talkin' today.
Arvil Nagpal: This is prob ... I don't know, you know, just don't take, take this with a grain of salt. I think that's what this means.
Arvil Nagpal: I wanna talk a little bit about our, our vision for the product, just to start things off. You know, first through Universal Directory, we really wanna be the single source of truth for your organization, for all identities, right? We want to automate user life cycles as you move, as any user moves through the Joiner, Mover, Leaver life cycle. And then finally we wanna connect to everything. We talked about some big investments we're making related to extensibility of our platform, and really that's all about expanding what we have today within the Okta integration network.
Arvil Nagpal: And this is for any identity within your company. This isn't just employees. This can be contractors, it could be partners, it could be customers. So I'm gonna be talking, this structure is basically, I'm gonna talk for like six or seven minutes, I'm gonna talk about why this product area is important and what the product does today. I'm gonna turn it over to Cameron; he's gonna tell you about, a little bit about his journey, and then we're gonna talk about Roadmap, and then, finally, we're gonna give you a little bit of a demo with our newest investments in Workflow.
Arvil Nagpal: So, how many people have heard about the Joiner, Mover, Leaver life cycle? Show of hands, just real quick. Okay, or, maybe 50%. So for the other 50%, I'll just quickly talk about what we think about when we think about Joiner, Mover, Leaver. Joiner is really about getting people access to everything they need on Day One. In order to do that, we've gotta connect to systems of record, HR systems, traditional IT directories ... It could be a self-service registration portal, and ultimately you need policy in order to assign resources to people, in terms of birthright applications, as well as modules to figure out, "Hey, for things that aren't birthright, how do we get people access to things that they request?"
Arvil Nagpal: Second, we've got Mover flows. These are complicated. You've got job changes, you've got promotions, you've got marriages, you've got leave of absences ... As Okta, as an identity management system and an access management system, we need a way to flexibly determine who should have access to what during these Mover flows, in a R back type model, so a model of kinda leaf, least privilege.
Arvil Nagpal: And then finally with Leaver flows, you know, we kinda think of it in two ways, you know, immediate versus scheduled, but ultimately this is really about security and compliance. So when someone leaves your organization, how do you ensure that all the things that they have access to they no longer do have access to those things? So we're gonna talk about a little bit about kinda how our product works today with all three of these in more details.
Arvil Nagpal: Did anybody go to the session about minimizing your dependency on AD? That was yesterday? Okay, just a few folks. We know that probably 90% of the Okta customer base right now is still AD or LDAP mastered. That's a reality of the situation, but we actually think that HR's master is the architecture of the future. We think that your Okta should connect to your source of truth, and that is your, ultimately your HR system. That's where your employees, your contractors, your customers are based, and, so when we see this for workforce identity, this is more or less the architecture that we see a lotta customers implementing, and then Cameron's actually gonna talk through exactly what they did.
Arvil Nagpal: So, the way it works today is we, you know run scheduled imports from an HR system, and you'll see Active Directory there is now downstream of basically your cloud architecture. And so we, this is not kind of an overnight thing, but we see this is as a architecture that a lot of customers are implementing, to go cloud native. So, cloud HR systems, cloud directory, cloud applications, your on-prem systems that are still dependent on AD as your authentication mechanism, are downstream, and we have a bi-directional syncing mechanism or an enabled app.
Arvil Nagpal: We think that this architecture has benefits across departments. We know probably most of the folks here within IT, for when we talk to IT customers, it's really about reducing total cost of ownership. When we talk to customers, sometimes they have five, six systems that help to manage, kind of, this Joiner, Mover, Leaver life cycle. It's really to improve productivity through automation and reduce the errors involved with manual onboarding, offboarding.
Arvil Nagpal: For HR, it's really: How do you reduce that friction between yourselves and IT? How do you make your employees successful on Day One, and ultimately, you know, employees, they just want access to the things that they should have access to when they start. They don't wanna have a long, lengthy process between finding out, "What should I have access to ... What could I have access to?", and then actually getting access to those things. Automation is really in service of kinda all three of these departments benefiting jointly.
Arvil Nagpal: So I'm gonna go into a little bit of detail on each of these three elements. So when we think about Joiner, we talk to customers, and Cameron will definitely highlight this, what we hear quite often is, "It's email, it's ticketing systems, it's forms that provide the interface between HR and IT, in determining who is new to the organization and what they should have access to." Right? These processes definitely don't scale. It's high-touch, it could lead to errors, and it just, as the company grows, it leads to huge burden as you try to replicate this process, not just for a few hundred users, but for few thousands of users.
Arvil Nagpal: And so the way that our product more or less works today is, is on a scheduled import basis from source systems like SuccessFactors in this case. So, you can set configuration for how frequently you wanna import, those users will be brought into Okta and be created, and ultimately, based on the group that they're in access to, or simply the applications they have access to, we'll either assign the users to those applications, and when we have provisioning enabled, so automated account creation into those systems, we'll go ahead and create those accounts.
Arvil Nagpal: So this is a pretty seamless, automated process that's very configurable throughout different parts of the flow, but this is how we see a lot of customers getting successful in trying to solve, specifically, the Joiner problem.
Arvil Nagpal: In some cases, you know, we do have writeback, what we call "writeback". So, we know that Okta, or your HR system, sometimes isn't the source of truth for every data point on a user. For example, RingCentral can create their phone number, or Active Directory Office 365 could create their email, right? And so, we do have the capability to actually sync all the way back in the other direction, so your HR system is now in sync with some of those downstream systems as well as Okta.
Arvil Nagpal: Second, I'll talk a little bit about the Mover flows. User accounts change, right? People get promoted, people get married, they switch departments, contractor to full-time conversion processes and, you know, there's definitely desire to automate these and reduce the pain of what maybe sometimes feels like one-off changes that you're kinda dealing with on an ad hoc basis. And so the way that we kinda deal with this today, or we recommend folks deal with this with Okta, is through three primary mechanisms. And they really all relate to how do you determine who should have access to something.
Arvil Nagpal: The first is group rules, which is what this screenshot shows, so if a user has certain attributes, then they should be part of a group. You can then assign that group to an application. That's kinda primary number one. If you model groups in a different system, like Active Directory or LDAP, we can also import those group memberships directly. So let's say you have legacy processes around users getting assigned to groups, and then wanting to import those into Okta, we have deep capabilities that some, can support the importing of memberships.
Arvil Nagpal: And then finally, we do see customers wanting to go kind of outside of our base functionality. Sometimes you'll hear about ServiceNow being used for access, or access management, or at least a workflows governing how something can, should get access to something, though then all our APIs to assign users into groups, in order to model that through our API surface area. So you kinda have a few different things in your tool belt in order to manage these Mover processes.
Arvil Nagpal: And then finally on Leaver, we actually think Leaver is like, is very different. You know, when we talk to IT administrators, PowerShell scripts, right? Or, manual offboarding flows. That's what a lot of folks use today, and for especially, for those that are in environments which need to be compliant, or companies that have gone public ... We were just talking to a customer a few days ago, and they failed their SOX Compliance because they found out that people had rogue accounts. And not only did they have rogue accounts, they didn't have the documented paper trail in order to demonstrate that they had the correct process in place for offboarding. Right? So, one of the goals of automation is not just to reduce the manual offboarding flows, but, it's to create that record for what's occurring between systems so that if an auditor asks, then you can, you can show them that, "Hey, I had the correct mechanisms in place", and ...
Arvil Nagpal: More or less, the way that it works today is it kinda depends on the connector, but I'm gonna use Workday as an example here. We kinda have two modes for deactivating a user today. You more or less have scheduled, that's mainly what folks use today, so on a periodic basis configured by you, you will set up scheduling from a source application and that termination date, or last day of work within Workday will trigger the termination of a user in Okta. Once that termination occurs, we will not only cut off SSO access through Okta, but for those applications where provisioning is enabled, we will actually remove their accounts from all those different systems.
Arvil Nagpal: So Box, Tableau, Active Directory for example. Sometimes terminations are sensitive. It's unfortunate, but people get fired and sometimes you need to deactivate someone immediately, and so, for Workday specifically we have functionality called "Real-Time Sync", where you can basically send a one user of call to Okta, and we will terminate that user immediately, so it's not part of a, kinda, batch import process.
Arvil Nagpal: So that's kind of intro, and I'm gonna hand it off to Cameron now to tell you a little bit about his journey with Veterans United.
Cameron Boote: Well good morning. Good morning everyone. Like Arvil said, my name is Cameron Boote. I'm a Senior Applications Administrator at Veterans United Home Loans. We're a full-service, 50 state mortgage lender headquartered in Columbia, Missouri.
Cameron Boote: So, for those of you who haven't heard about us, I'm gonna show you a quick video, so hopefully get a little better feel for what we're all about.
Cameron Boote: Well hopefully you saw by that video, we're a company just driven by our values, and those values are: Be passionate and have fun, Deliver results with integrity, and Enhancing lives everyday. And all of those values fuel our ultimate purpose of proudly serving those who have served our country. So, if we have any veterans here in the audience, I just wanna say, thank you for your service and sacrifice that you've given to this country.
Cameron Boote: So how did we get started with Okta? Well, like many of you here, we started using Okta for single sign-on. We had an ADFS solution that wasn't scaling with our business, and what were in the keynotes this morning, identity and access really isn't our core business. Our core business is providing loans to veterans. So we went live with SSO in 2015. About the same time, we still had a manual Joiner process, like Arvil talked about earlier, it was tickets, emails, you name it; it came from many different sources. And that was not scaling with our business. So at that same time we even onboarded 740 employees in 2016 alone, so something had to change. We couldn't keep doing that manually.
Cameron Boote: So legacy Joiner process looked something like this. HR would still enter that information for the new hire into UltiPro. That would trigger an email off to a distribution list. So how many of you, by a show of hands, is still using distribution lists within your businesses for core onboarding, offboarding, like onboarding at moves at, things like that? Oh, well that was us two years ago.
Cameron Boote: IT was a recipient of one of those emails and then people in IT would take that information, control-C, control-V, copy and paste into various systems that the employee needed, working at the company. So obviously error prone process, errors would happen, sometimes three weeks, even a month later, we'd get a ticket from the employee, "Yup, I can't access the employee directory", or, "I can't access system X", so, not a great first impression for a new employee.
Cameron Boote: So like I said, one of our values is "Enhancing lives", and with our new Joiner process that's something we wanted to do, so we wanted new employee accounts to be ready Day One. We wanted their apps to automatically be assigned based on their roles, their title, their department; things they needed to do their job every day. That was gonna reduce the manual data entry, and then, throughout their life at the company, that was also gonna improve their process when they changed jobs, got promoted or took a different position within a different department.
Cameron Boote: So, moving to HR as a master, we wanted to give HR full control over the data they should own anyways. IT didn't need to be in the business of managing job titles, departments ... We didn't need to have a separate request to us, telling us, "Hey, this employee changed jobs." So another benefit would be, changes are reflected faster, so you get married, you only have to go to one place to, and tell HR, "Hey, I got a new last name." That's gonna get pushed down to everywhere else, through Okta, and to all the other systems that are connected and using Okta for the universal directory.
Cameron Boote: Arvil mentioned the Leaver side ... Immediate deactivation. We deactivate that Okta account? That's gonna trickle down and immediately lock the employee out of email, ServiceNow, if they're using it, all these other systems that are using Okta, for single sign-on.
Cameron Boote: And then on the Mover side, least privilege access. When somebody changes jobs, if we're building groups and roles based on department, we're able to immediately remove permissions that they had in their old job, and give them their permissions that they need for the new.
Cameron Boote: So we ran into a few issues with just the timing of how our process works. We don't move employees into our core UltiPro system until they have actually come on-site and we've verified that they're eligible to work for us. But we were able to quickly get around that leveraging the Okta API. So, UltiPro's still sending that email of a new process, but ServiceNow, our ITSM system is recipient of it. ServiceNow is then leveraging the Okta life life cycle API to immediately create that new account, and then Okta takes care of the rest, pushing that down to other systems, including Active Directory.
Cameron Boote: Now once that employee's on-site, we verify they can work for us, and we see their passport or driver's license, et cetera, they're moved into UltiPro core, and then they're, from then on, they are mastered by UltiPro.
Cameron Boote: So let's talk about delivering results. That was another value I mentioned earlier. So since go live in April of 2017, so about two years ago, this number is actually old. I looked this morning, we're sitting at about 820 employees that we've onboarded automatically, 50ish in the past month ... We're hittin' summer, so we're hiring a lot of interns for our company. We've processed over 1,200 job title changes, and conservatively estimate, that saved 750 hours. So if you do some rough math there, that's 93 8-hour work days that we got back, and we're not even a large company compared to some of you here.
Cameron Boote: So just some takeaways I'll leave you with, partnering with HR was huge for us and in our case, that involved dedicating an analyst in IT to work directly with them in the process, and just be their go-to guy. Second, you need to understand your source of truth. It may not always be your HR system, like Arvil mentions. So for us, email, phone extension, those are things that are mastered in Active Directory pushed back to Okta, and then reflected back into UltiPro. So that data's still all in one place. And then third, security is just a natural outcome. Security is really excited, we were, couldn't tell them, "Hey, we're gonna be removing access from an employee when they change jobs." Our old process, we'd maybe go back and audit some of that stuff, 3, 6 months after they already transitioned so, it's not a good security posture to have.
Cameron Boote: And looking forward, we currently aren't auto-confirming matches when employees import from UltiPro, and I believe Arvil's gonna talk about something that may help us with that. So that's matching person and knowing exactly, "Hey, this person A is exactly person A and not person B." And then on the Mover side, we still have a few, kinda, roadblocks and a little hiccups throughout that process that we think we can smooth out. I think some of the announcements from the keynotes this week definitely will be able to help us, so we're really, really excited to see what Okta can help us do going forward.
Cameron Boote: Back to you, Arvil.
Arvil Nagpal: Thanks man. Oh, got it. Thanks. Appreciate it.
Arvil Nagpal: That was awesome. I think it always makes it real, very real. I feel like I could drone up here all day, but unless you hear about someone going through the process, I think it, it makes it concrete. So let's talk about roadmap. 2018, our investments focused on kind of three core areas. More systems ... So, one issue that we have is that, we have a set of out-of-the-box connectors to different systems. We also have toolkits for you to connect to any system that's not supported today.
Arvil Nagpal: One thing we constantly heard was around the need for a least common denominator, which is the CSV. So we'll be talking a little bit more about that feature. More flexibility. You know, people love our product because it's easy to use, it's a single, consolidated pipeline for how you're bringing users into other, from other systems, but as customers get larger, we need more flexibility within that pipeline. So we're gonna be talking about a couple features there, and then depth of customization. I think, as part of Todd's keynote yesterday, he really talked about some of our platform investments around opening up our platform and providing more customization to customers and I think we've gotta awesome feature, specifically related to imports.
Arvil Nagpal: So, to start us off, CSV Directory. This is exactly what the UI looks like. You can now ingest any CSV into Okta and enjoy all the functionality that you've seen with Workday or UltiPro or AD, and exactly how those users are being brought in. So you've got out-of-the-box matching logic, you've got configurable profile editor, you've got configurable mappings in order to transform that data as it comes in, you've got recurring imports. And so, for those systems, we hear a lot of times, "Hey, I've got contractors and they're not in my HR system", or, "Hey, we just acquired a company. How do I connect them to Okta?" Or, "Hey, I'm not quite ready yet to go with Workday as a master? I need a stepping stone in order to get there." And we think this is a really flexible solution in order for you to bring those users into Okta.
Arvil Nagpal: So, you simply drop that CSV into a file folder, you install a lightweight agent, and that'll pick it up every hour, every three hours, however, however long you would like to ingest that data for. So this is gonna be generally available in May. Currently it supports what we call a "full import", so that file needs to have all users within your organization, but we're currently working on what we call "incremental imports" so, the ability to only import those users that have changed. So you'll kind of have both models that you'll be able to utilize.
Arvil Nagpal: Second feature is kind of what Cameron hinted on. Within our matching logic today, or prior to this feature, you can match on a few, kinda, core attributes, like username, or email, but what we found was that often organizations will vary in terms of what you guys use as the GUID, right? The globally unique identifier within your organization. That could be something like their employee ID, or it could be something else, and so now we're just providing you the flexibility that it, if that value exists on a user being brought in, we will match effectively in determining, "Is this someone new? Or is this someone that should be linked to an existing user?"
Arvil Nagpal: If you want to concatenate attributes in that profile to be really sure that this matching logic is correct? You can also do that here. So, basically, any attribute that's on a profile that's configured within profile editor, and is appropriately mapped between two systems, you can now use this feature for ... To really improve the fidelity of that matching process. And again, this will be generally available in May as well.
Arvil Nagpal: Third feature is, is really around, how does Okta become more flexible in complying with your business process for when an import should occur from a source system. Sometimes we hear things like, "You know what, I don't wanna, I don't wanna run an import like at any time. I wanna do it after hours so I don't interrupt my users." Or, "I wanna run a full import on a different schedule from an incremental import." For example, in this case, you know, we've configured here where you can now schedule an incremental import every day, at 9:00 Eastern, but a full import, where maybe you just wanna clean up records and make sure these systems are in sync, I wanna do Monday, Wednesday, Friday at midnight Pacific. So now we're providing a lot more flexibility into when these imports can be scheduled from any system that you wanna ingest user data from.
Arvil Nagpal: And so this is currently in early access, so you can contact support and get the feature flag turned on for your org. We'd love your feedback. And finally, this one is, is a, I think a pretty transformational change and ties nicely to a lot of the messaging that we've had at Okta about workflow. Who kind of heard the session, the keynote session, heard about inline hooks? Have you guys heard this session? Yeah, so, basically, in the course of an import, Okta will now pause, right? Usually it was like, we're rammin' every user through, we're gonna pause for you, to execute code within your own server. We have a request response pattern that will now allow you to customize, if you see fit, advanced use cases in the course of a user being brought in.
Arvil Nagpal: And currently this is supporting for new users being brought in and we're currently working on user updates. But let me give you a few examples for how this could be valuable to you. The first one is enriching a user's profile. Sometimes we hear, "Hey I need to grab an attribute from this old legacy database, like an employee ID, or something, some other attribute, and I wanna stamp it on the profile as a user's being brought in, and it turns out I can't, I'm HR mastered okay? I, for some reason, can't get HR to do it because this is an IT process, so let me just do it in the course of a user being brought in so that I can use that for all my, kind of, access management policies." So you can add an attribute, you can update an attribute with your own custom logic.
Arvil Nagpal: Another one is defining someone's username. So, I don't know if folks are aware, but username in Okta is kind of this unique thing, right? It's what they log in with, and we enforce it to be unique. We're working, actually, on functionality to enforce other attributes like, email, to be unique, but what happens in the event of a conflict, right? Let's say John Doe comes in, your username mappings are first name dot last name, and turns out, there are already someone there. How do you resolve that?
Arvil Nagpal: As part of this request to your server, we'll basically send the conflict in the request, and so that you can simply update username with your own logic, like first name dot middle name dot last name, in order to resolve that conflict. And finally, the last one is around matching, right? I talked about how we've extended our configuration to be able to match on any attribute on the profile, but sometimes I hear things like, "Hey, you know what? I wanna match first on username. But if there's no match, I wanna also match on this other attribute, almost like as a secondary backup process, right?" And so now you can execute that kinda logic based on the data in the profile to kind of, any type of matching rules that you wanna implement, and all you're trying to pass back to Okta is, "Do you wanna create a new user? Or would you like to link to an existing user?"
Arvil Nagpal: So this is currently early access, it just went yay just a few weeks ago, and like I mentioned, we're actually working currently on, this is only for new users, we're working on updating users, kinda inline to an import, right now. So that should be released in just a few months here.
Arvil Nagpal: So, that was a little bit of what we shipped in 2018. I'll just talk a little bit about roadmap, in terms of big investment areas. Number one, speed and scale. Anybody feel like their imports take too long here? Show of hands? Okay, all right, yeah, we're, we're working on it. That's my, that's my message here. We are not only working on supporting larger and larger organizations, but we're working on speeding up, just the overall time that it takes to get users in from a source system. Like, we know that it's critical for some of these changes to be as close to real time as possible, and so, we're not only working on speeding up what we have today, but we're working on supporting incremental imports, so only detecting diffs, so more connectors, like SCIM.
Arvil Nagpal: We wanna provide better monitoring and control over all the large-scale jobs that occur within Okta today. We wanna make sure that you as admins are aware for where you are in a process, how long something's been running, and eventually provide you more control to pause, cancel, things like that. And then finally, the last one is, is really, just a continued large, large investment in customization. So I talked about inline hooks, and we're continuing to invest there. Super excited about webhooks. You know, the ability to take notifications from Okta, in order to trigger your own process, is really gonna open up the degree to which you can customize what you wanna do in other systems.
Arvil Nagpal: And then finally, I wanna talk a little bit about workflow. I know that in the keynote we kinda gave a demo for workflow for a security incident response case, right? You guys all texted Nick ... We are going to ship a product this year on top of workflow for life cycle management, and we think that this is really the platform that we're gonna be building on top of moving forward. And so I built, this weekend, just a really short demo that I just wanted to show you guys.
Arvil Nagpal: So, this is the, this is what, our kind of workflow designer ... Can you guys see this in the back? Yeah? Cool. So, what I did was, if anybody has kinda connected to an HR system, we have this concept of a card, or a connector, and what this is is actually me building a really basic, onboarding flow with BambooHR. Anybody use Bamboo here? Yeah? Few folks? Okay, it's, it's really popular, especially within our, kind of, mid-market customers. What this does is it basically builds that API call in a really easy-to-use connector interface and what this says is, it pulls Bamboo for a newer updated employee, on a periodic basis, and it takes that data that we get back from that response in a really easy-to-use way, meaning we format each of the the attributes, in a way that's, that's simple.
Arvil Nagpal: So, you have things like employee ID, you have things like their marital status, employee number. And for this use case, it's really work email that we're really interested in. And then, correspondingly, you have the ability to implement logic, right? So, we have logic that's baked into our connectors today, so, for example, if a user, you know, has a username that is the same as someone that exists in Okta today, then link, right? It's baked-in logic. But, the real power of this platform is allowing this logic to be surfaced, to be easy to consume, and to be configurable, right?
Arvil Nagpal: So what I've done is I've rigged up a really simple example which is, from my organization, I'm assuming that if their employee ID is less than 1,000, that they're an employee. If their employee ID is over 1,000, then I'm assuming they're a contractor. So, what I want this, want this thing to do, is basically say, if their employee ID is less than 1,000, then I'll use this Okta card to create a user, and you can see, it's kinda configurable based on what options are within our API today. In this case, I happened to want to create it without a credential ... And what I can do is I can just simply drag and drop some of these attributes directly into here. And what I've done on this Okta card is map first name, last name, and their work email to both their email and their log in.
Arvil Nagpal: So all this is saying is when a user is brought in, or, from Bamboo, I wanna create them an Okta, right? Super simple flow, but turns out, I want different logic for contractors, right? And what I've done here is, if the employee ID is over 1,000, I wanna use this compose card to put Khan hyphen in front of their work email, okay? This transfers to an output, and then I map that output directly to another Okta card to create the user. So you can see, this is a really simple example of what we call a branch, in order to just, modify, kinda, how you wanna bring users in from a source system. And I'll show you kinda what it looks like in what we call our "flow history", which is basically our debug pane.
Arvil Nagpal: So, in this first example, I created a dummy user, their employee ID was 234, it's my name and my email is [email protected], okay? And what happened here was I successfully created a user with Arvil Nagpal, Arvil, [email protected], all right? And then you can see here in that a user, 7890, with a name Bob Murphy, with the email [email protected], you can kinda see how it works in this data getting transformed across steps. So, the output of this first compose card was [email protected], and then the user was created in Okta with a corresponding values. It's pretty cool, right?
Arvil Nagpal: It shows you guys the foundation for what we're gonna be able to provide you guys with templates, with a starting point for more configuration, because we realized that for some, you know, our out-of-the-box connectors and the way it works today is great. Like, hey, it works, it's easy to set up, but for others, "Hey I just want a little bit more customization. Maybe I wanna add a notification at the end of a ServiceNow ticket." We're now gonna be able to support, kinda, generic logic, generic API calls within the Okta product. So we're super excited about this.
Arvil Nagpal: What I would say is that we're gonna start with lifecycle management, all right? And we will ship product this year that will be focused on provisioning. That product will most likely be oriented at getting feedback from all of you, but it's really to automate some of these downstream provisioning use cases like I mentioned for Joiner, Mover, Leaver. But, you know, this platform is really the foundation for other use cases. You saw security orchestration within the keynote demo, customer identity is another big element that we wanna, we know that workflow is equally important, Joiner, Mover, Leaver is equally important there, so we wanna be supporting that.
Arvil Nagpal: I'll just wrap up with just our future vision real quickly. We wanna easily connect to any user store, whether that's cloud or on-premise. We wanna provide users an amazing Day One experience. We wanna securely and quickly terminate all users to prevent rogue access. And finally through workflow, we wanna provide you the flexibility to accommodate your organization's business process in managing all of this. So that's all I've got, thank you so much for coming, and now we've got like seven and a half minutes for questions, so if we don't get to them, there's my email. You know? I'm unfortunately not support, so if you want product roadmap questions, that's probably where I can be the most helpful.
Arvil Nagpal: Do we have a mic or something?
Audience 1: Hi, thanks. This question's actually for Cameron. Yeah, I wondered if, in your journey, you found that your current organizational structure was a barrier, and if so, did you make any changes to drive this automation initiative?
Cameron Boote: I don't think it was necessarily a barrier, but it was something that HR and IT weren't talking as much as we probably should have been, or earlier on, so, moving to UltiPro in master just involved a lot of educating HR as, like, you have control of this data. If you term this person in UltiPro, their accounts are gonna be deactivated, so, please don't make any mistakes or it's gonna have some detrimental effects on the employee.
Audience 2: Hi. Back here.
Arvil Nagpal: I can't see anything. I'm just talking to the abyss.
Audience 2: So some of the features you were showing for the roadmap made it seem, to me, like, when you're provisioning an email account, during the onboarding process, from an email service, that pausing on the import to make sure that their email address is available, through the service, is that something that that process is designed to accommodate?
Arvil Nagpal: Yup, yup, so you can do something like, we'll pause, you could call out to Office 365, verify that email or email does not exist, it could be Active Directory, and then, based on that validation, then you can then update their email during that process. That's a good use case.
Audience 3: Hi, so, I have a question over here on the side. Right here.
Arvil Nagpal: Okay. Hi.
Audience 3: So, in a onboarding multiple acquisitions, about one a week, and so with that, I'm wondering, are we gonna have the capability to dynamically assign groups to tabs?
Arvil Nagpal: Sorry, dynamically assign groups to ...
Audience 3: To tabs. So for instance, when you have your ta ... your homepage ...
Arvil Nagpal: Ah, I see.
Audience 3: ... can I assign a particular group of applications to a particular tab and only have that group be able to see that tab?
Arvil Nagpal: Ah, then so, kind of fixing the visibility for a given set of users.
Audience 3: Correct, that way only we have one acquisition seeing their specific apps.
Arvil Nagpal: I honestly, I don't know of anything like that on the roadmap right now, but I could connect you with our end user experience team, I think they might have more insights, or at least they could get your feedback, you know, so maybe we could talk after ...
Audience 3: Okay.
Arvil Nagpal: ... so I can connect you with them.
Audience 3: All right, thank you.
Audience 4: Hi my question was specifically around group management. You made a comment earlier that you can import groups from Active Directory into Okta. Are you able to, once you import them, is Okta able to take over the management of groups and Dals? Is that capability available today?
Arvil Nagpal: So, import a group from Active Directory with memberships, and then you wanna kill that group in Active Directory? Or you still, you wanna manage users -
Audience 4: Yeah, I wanna take over ownership in management of those groups in Okta once they get ported. Or does that still have to occur in Active Directory?
Arvil Nagpal: No, yeah, exactly. Yup, so we have the ability to, of like profile masters, and prioritization, as well as the ability to disconnect from a profile master, so, the way this works is that you have the ability to both import groups and group memberships, as well as push groups and group memberships. With Active Directory, you can actually do both, and so, yes, it is, it is possible, but we can talk more detail.
Audience 5: Hi, this is Sunny right here. Hi, over here.
Arvil Nagpal: Oh yeah, okay, This is like, the most blinding light in the world.
Audience 5: Yeah, so, with the life cycle hooks, that's really fantastics, makes life lot easier for us.
Arvil Nagpal: Yup.
Audience 5: Today we are all doing our external customer publishing use cases through SCIM, so when the lifecycle hooks come in, what does it mean for SCIM? Would it be there or from roadmap standpoint, where does that leave us, for people who are all using SCIM today?
Arvil Nagpal: Sorry I didn't, quite, get the question. So you're using SCIM, to push to, to do provisioning to certain applications?
Audience 5: Correct. Correct. So if we have these life cycle hooks, so for example, an external lie identity comes in and registers in Okta, we do one that publishing to happen to real time and our downstream systems. And also, you know, when, if a change happens, we can also push it back. Now with life cycle hooks, it makes it easier -
Arvil Nagpal: Yes.
Audience 5: ... all APIs. I'm just asking, what does it mean for SCIM because many of us would be using SCIM today. So...
Arvil Nagpal: Yeah, yeah, so I think, I think I get your question. Like, at the end of the day, hooks are gonna be an extension for a product. If you don't wanna, if you have a, let's say, an application that's not SCIM compliant, right? Or you don't wanna stand up a SCIM façade in front of that application, then you can use hooks for a very similar use case, meaning ... Every time a user is assigned to an application, I want to call out to my server and that server will make a set of API calls to the underlying application. So I think it will be basically a parallel process that won't necessarily require the SCIM standard. Does that make sense? Yup? Cool. Yup.
Audience 6: Can you clarify one point for me? I've, I've heard a lot of discussion about HRIS is your master and seemingly that enables two-way communication between Okta and Active Directory. Is, is that the only scenario with which you can actually have bidirectional communication between Okta and Active Directory? Or has that functionality been added? 'Cause our environment right now does not tie into an HRIS ...
Arvil Nagpal: Okay.
Audience 6: ... we're AD mastered, but we would like the ability to push information from Okta down into AD.
Arvil Nagpal: Yup. So, yeah, so, the AD, the AD integration between Okta and Active Directory is bidirectional, so you can import from and you can push to the same system. That does not require being HR mastered at all, so we have many, many customers are using provisioning down to AD, independent of what their source system is.
Cameron Boote: I can kinda speak into that too. So we're, systems that we can't, that aren't connected with that two-way, we're leveraging the API if we have an attribute we need to update in Okta, we'll use the API to push that in and then that's available in Okta to all the other systems.
Audience 7: Yeah, so, as you have UltiPro as the, this question is for Cameron, so UltiPro has a master, so currently in your environment, are the usernames and emails manually entered and created in UltiPro?
Cameron Boote: Yeah, so, our, so we got UltiPro onboarding, and then all the core UltiPro applications, so we worked with UltiPro to set up that email with the new hire's information to push, push out. So it's a standard formatted email, first name, last name, like, in a format that a system can read and parse through and ...
Audience 7: So yeah, that's what, like for conflict resolutions and all those scenarios, it is like, if somebody is doing a manual insert for the username and email, as you said, that next year you're rolling out the -
Arvil Nagpal: Yeah.
Audience 7: ... the Bamboo integration, so is it going to be a particularly with Bamboo, or will it be with the other HR systems?
Arvil Nagpal: No, it's a, these are generic capabilities for any system. I mean it could be Active Directory for all we care. I think what Cameron's hinting is that, you know, at different parts of your process, some of their identifiers, like an email or a username, can be created at different spots. We hear customers that don't wanna create that, and they want it to be the burden of IT, or to model that data. Cameron's happened to put it more upstream, but if it's kind of more downstream, and you're simply ingesting profile data, like their first name and last name, then we have existing functionality for you to create that username, create that email, and then we have that inline hook capability for you to do more advanced customization in the creation of those things. So.
Audience 7: So right now, the inline hooks can be utilized to custom create those logics.
Arvil Nagpal: Exactly. Yup. So I know we're, we're up on time, but I will hang out in the back for any other questions or, like I mentioned, if we don't get there, shoot me an email. But thank you, thanks for all for coming.
As IT organizations seek to stitch together human resource systems such as Workday with directories such as Active Directory and LDAP, they face a challenge of unifying user records. This problem is exacerbated as users change roles over time, as they update their own information, and as they leave the organization