Identity Platform Okta Provisioning

Pipeline Overview

CI/CD Job Workflows for Okta

%% Mermaid flowchart of the GitLab CI/CD jobs that reconcile Okta users and
%% groups from the accessctl-inventory manifests. Read top to bottom:
%% manifests feed the two provisioning jobs, which read from and write to
%% the Okta API in the bottom subgraph.
graph TB

subgraph Identity GitLab Repositories
subgraph accessctl-inventory Repo
direction TB
%% The manifests are the declared source of truth for rbac_role and group
%% membership. Write access to this repo therefore becomes write access to
%% Okta users and groups through the jobs below; protect it accordingly.
REPO_INV_MANIFESTS_USERS[("manifests/users/<br />users.yml/json/csv")]:::sky
REPO_INV_MANIFESTS_ROLES[("manifests/roles/<br />{role}.yml/json/csv")]:::sky
REPO_INV_MANIFESTS_OU[("manifests/ou/<br />{ou}.yml/json/csv")]:::sky
end
end

subgraph Identity Platform CI/CD Provisioning State Scripts
direction LR

%% Stage 3.1: reads manifests/users, diffs rbac_role against Okta, and
%% pushes the manifest value back to Okta.
CI_USER_JOB["Stage 3.1<br />Okta Users Job<br />provision:okta-users"]:::orange
%% Stage 3.2: reads manifests/roles and manifests/ou, reconciles rbac_*
%% groups and their membership.
CI_GROUP_JOB["Stage 3.2<br />Okta Groups Job<br />provision:okta-groups"]:::orange

CI_USER_PARSE_API[(Get All Users<br/>from Okta API)]
%% NOTE(review): as drawn the manifest wins - an rbac_role value set
%% directly in Okta is overwritten on the next run. Confirm this is the
%% intended reconciliation direction.
CI_USER_CHECK_ROLE{{Compare user manifest<br />with API results to check for<br />rbac_role differences}}
%% NOTE(review): no audit edge leaves this node; the S3/accessctl audit
%% path further down is only wired to the groups job. Confirm whether
%% rbac_role changes are logged elsewhere or this is a diagram omission.
CI_USER_UPDATE_API[[Update Okta users with<br />updated rbac_role attribute]]:::violet
CI_USER_JOB --> CI_USER_PARSE_API
CI_USER_PARSE_API --> CI_USER_CHECK_ROLE
CI_USER_CHECK_ROLE --> CI_USER_UPDATE_API

CI_GROUP_JOB --> CI_GROUP_PARSE_MANIFEST
CI_GROUP_PARSE_MANIFEST[(Parse Manifest)]
%% Only groups matching the rbac_* prefix are fetched; groups outside that
%% namespace are not touched by this job as drawn.
CI_GROUP_PARSE_API[(Get rbac_* groups from Okta API)]

CI_GROUP_CHECK_EXISTS{{Check if group exists}}
CI_GROUP_CREATE_GROUP[[Create group]]:::violet
%% Destructive path: a group missing from the manifest is deleted in Okta
%% (edge to the API endpoint below). Note that, as drawn, group create and
%% delete have no edge into the audit-log nodes - only user attach/detach do.
CI_GROUP_DELETE_GROUP[[Delete group]]:::violet
CI_GROUP_CHECK_USERS{{Check if manifest users exist in Okta Group Users API}}
CI_GROUP_CREATE_USER[[Attach user to group<br />if does not exist]]:::violet
%% Deprovisioning path: membership is removed once the user is no longer
%% in the policy, so a manifest removal is the access-revocation step.
CI_GROUP_DELETE_USER[[Detach user from group<br />if no longer in policy]]:::violet
%% Audit trail for membership changes: write an S3 log entry, then notify
%% accessctl over REST so downstream automation can react.
CI_GROUP_LOG_S3{{Create Audit Log entry in S3 bucket}}:::red
CI_GROUP_AUDIT{{Audit Transaction<br />REST API Call to accessctl<br />for automation workflows}}:::red
end


subgraph Identity SaaS Vendor Services
direction LR
subgraph Okta GitLab Tenant
%% The credential the CI jobs use against this API (token type, scopes,
%% rotation) is not shown here - TODO document it alongside the pipeline.
IDENTITY_VENDOR_OKTA_API_USERS[("Okta Users")]
IDENTITY_VENDOR_OKTA_API_GROUPS[("Okta Groups")]
IDENTITY_VENDOR_OKTA_API_GROUP_USERS[("Okta Group Users")]
IDENTITY_VENDOR_OKTA_API_ENDPOINT[("Okta API<br />https://gitlab.okta.com/api/v1")]
IDENTITY_VENDOR_OKTA_API_ENDPOINT --> IDENTITY_VENDOR_OKTA_API_USERS
IDENTITY_VENDOR_OKTA_API_ENDPOINT --> IDENTITY_VENDOR_OKTA_API_GROUP_USERS
IDENTITY_VENDOR_OKTA_API_ENDPOINT --> IDENTITY_VENDOR_OKTA_API_GROUPS
IDENTITY_VENDOR_OKTA_API_USERS -.- IDENTITY_VENDOR_OKTA_API_GROUP_USERS
IDENTITY_VENDOR_OKTA_API_GROUPS -.- IDENTITY_VENDOR_OKTA_API_GROUP_USERS
end
end

%% Edge wiring for the groups job. Every arrow into
%% IDENTITY_VENDOR_OKTA_API_ENDPOINT is a write against Okta: create group,
%% attach user, update rbac_role, delete group, detach user.
CI_GROUP_PARSE_MANIFEST --> CI_GROUP_PARSE_API
CI_GROUP_PARSE_API --> CI_GROUP_CHECK_EXISTS
CI_GROUP_CHECK_EXISTS --> CI_GROUP_CREATE_GROUP
CI_GROUP_CREATE_GROUP ---> IDENTITY_VENDOR_OKTA_API_ENDPOINT
CI_GROUP_CHECK_EXISTS --> CI_GROUP_CHECK_USERS
CI_GROUP_CHECK_EXISTS --> CI_GROUP_DELETE_GROUP
CI_GROUP_CREATE_GROUP --> CI_GROUP_CHECK_USERS
CI_GROUP_DELETE_GROUP --> CI_GROUP_CHECK_USERS
CI_GROUP_CREATE_USER ----> IDENTITY_VENDOR_OKTA_API_ENDPOINT
CI_GROUP_CHECK_USERS --> CI_GROUP_CREATE_USER
CI_GROUP_CHECK_USERS --> CI_GROUP_DELETE_USER
%% Only attach/detach feed the audit log; see the notes on the group
%% create/delete and rbac_role update nodes above.
CI_GROUP_CREATE_USER --> CI_GROUP_LOG_S3
CI_GROUP_DELETE_USER --> CI_GROUP_LOG_S3
CI_GROUP_LOG_S3 --> CI_GROUP_AUDIT
CI_USER_UPDATE_API ----> IDENTITY_VENDOR_OKTA_API_ENDPOINT
CI_GROUP_DELETE_GROUP ---> IDENTITY_VENDOR_OKTA_API_ENDPOINT
CI_GROUP_DELETE_USER ---> IDENTITY_VENDOR_OKTA_API_ENDPOINT
%% Manifest inputs: users.yml drives the users job; roles and ou drive the
%% groups job.
REPO_INV_MANIFESTS_USERS --> CI_USER_JOB
REPO_INV_MANIFESTS_ROLES --> CI_GROUP_JOB
REPO_INV_MANIFESTS_OU --> CI_GROUP_JOB

%% Node colour classes. Only sky (manifests), orange (jobs), violet (Okta
%% write actions) and red (audit) are used above; the rest are spare.
classDef slate fill:#cbd5e1,stroke:#475569,stroke-width:1px;
classDef red fill:#fca5a5,stroke:#dc2626,stroke-width:1px;
classDef orange fill:#fdba74,stroke:#ea580c,stroke-width:1px;
classDef yellow fill:#fcd34d,stroke:#ca8a04,stroke-width:1px;
classDef emerald fill:#6ee7b7,stroke:#059669,stroke-width:1px;
classDef cyan fill:#67e8f9,stroke:#0891b2,stroke-width:1px;
classDef sky fill:#7dd3fc,stroke:#0284c7,stroke-width:1px;
classDef violet fill:#c4b5fd,stroke:#7c3aed,stroke-width:1px;
classDef fuchsia fill:#f0abfc,stroke:#c026d3,stroke-width:1px;