dye4h (dye4h) asked a question.
Okta Workflow - "User Account Locked" Event question
I have configured Okta Workflow where I have added "User Account Locked" Event.
When any user tries to attempt an invalid password 5 times (configured in the policy) User is automatically locked in Okta.
And then the Okta Workflow was triggered but the locked User information is coming under Output > "Admin" and "Okta User" details are empty.
I have attached the screenshot of the "Okta Workflow - Execution History" below for your reference. So Is this the expected behavior or I missed something?
Image is not available
Okta Workflows (Event) cards received payloads from Okta Event Hooks that contain the System Log data. When the data is received the flow invokes an execution. The Event Cards themselves have pre-mapped basic categories. These categories are part of the schema of all System Log events. The actual data that is received is going to be dependent on the System Log entry for a specific eventType. The Locked out event (user.account.lock) doesn't have "Target" information so the target data is empty meaning the pre-mapped "Okta User" is empty.
The Actor is the individual performing the action (This is usually an Admin for most event types) which is why it is placed in the pre-mapped Admin location.
For the user.account.lock the Actor is actually the individual specifying invalid credentials which may or may not be an actual System administrator.
To reiterate: This is not a Workflows issue. As indicated above Workflows is just pre-mapping the System Log schema. Workflows has no control over the actual payload being sent to it.