
Schrodyr (Freeman) asked a question.
Background:
I'm setting up a system where, if a user is added to one of many groups that allow "Privileged Access" (assigned an admin role in an application, allowed to request an elevated role, etc.), they are added to a "master" Privileged Access Group and have a new Password Policy applied to their account, as well as more stringent login policies. That part works fine.
Problem:
The new password policy doesn't apply until they change their password. I set up another Workflow that calls the User API and expires their password whenever they are added to the Master Privileged Group. But as part of this process, we're also requiring these users to log in with FastPass. This means they will rarely be typing their password in, and Okta doesn't prompt the user to change their password unless they've authenticated with their password.
So the potential is there for a user with Privileged Access to have a weak password, waiting for a bad actor to exploit it and set their new strong password for them.
Solution:
The only solution I've been able to come up with requires multiple workflows:
- Scheduled workflow to look up users with "PASSWORD_EXPIRED" Status. Stream them to...
- Helper Workflow to look up members of "Expired Password User" group. Stream members to...
- Helper Workflow to see if members contain the Expired User. If not, add users to group.
- Stream members to another workflow to remove users who are not Expired.
This Expired Password User group would then have a different sign-on policy that would require a Password so that they would be prompted to change it.
I feel like there's gotta be a better way. Unfortunately, Group Rules don't work with Status and there's not a built in Event for Status Change. Anyone have any ideas, or do I just need to burn 3 or 4 Workflows on this process?
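The scheduled reconciliation described in the four steps above, written as one script rather than a chain of Workflows. This is an added example and is not code from the original post or from Okta. It uses the public Okta Users and Groups API paths (`/api/v1/users?filter=status eq "PASSWORD_EXPIRED"`, `/api/v1/groups/{id}/users`, `PUT`/`DELETE` on `/api/v1/groups/{id}/users/{userId}`, the `SSWS` token header and `Link: rel="next"` pagination); the org URL, token, group id and user ids are placeholders, and the HTTP transport is injectable so the run below executes offline against a constructed stand-in for an Okta org.

```python
"""Keep an "Expired Password Users" Okta group equal to the set of users whose
status is PASSWORD_EXPIRED, so a sign-on policy on that group can force a
password prompt and therefore the password-change flow.

Added example, not code from the original post or from Okta. Endpoint paths
and the SSWS header follow the public Okta Users/Groups APIs; the transport
is injectable so the logic runs offline against constructed responses.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Set, Tuple

# transport(method, url, headers) -> (status, body, response_headers)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str, Dict[str, str]]]


def plan_reconciliation(expired: Set[str], members: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Pure planning step: (ids to add, ids to remove).

    PASSWORD_EXPIRED users not yet in the group get added; members who are no
    longer PASSWORD_EXPIRED (password reset, or deactivated) get removed so the
    password-required sign-on policy stops applying to them."""
    return expired - members, members - expired


def next_link(link_header: str) -> str:
    """Return the rel="next" URL from an Okta Link header, "" on the last page."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else ""


def urllib_transport(method: str, url: str, headers: Dict[str, str]):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        # Okta may send several Link headers; join them so next_link sees all.
        links = ", ".join(resp.headers.get_all("Link") or [])
        return resp.status, resp.read().decode(), {"Link": links}


class OktaClient:
    def __init__(self, org_url: str, api_token: str, transport: Transport = urllib_transport):
        self.base = org_url.rstrip("/") + "/api/v1"
        self.headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
        self.transport = transport

    def _get_all(self, url: str) -> List[dict]:
        """Follow Link: rel="next" pagination until the last page."""
        items: List[dict] = []
        while url:
            status, body, hdrs = self.transport("GET", url, self.headers)
            if status != 200:
                raise RuntimeError(f"GET {url} -> HTTP {status}: {body}")
            items.extend(json.loads(body))
            url = next_link(hdrs.get("Link", ""))
        return items

    def _change(self, method: str, url: str) -> None:
        status, body, _ = self.transport(method, url, self.headers)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {body}")

    def expired_user_ids(self) -> Set[str]:
        # status is filterable on /users even though Group Rules cannot use it
        query = urllib.parse.urlencode({"filter": 'status eq "PASSWORD_EXPIRED"', "limit": 200})
        return {u["id"] for u in self._get_all(f"{self.base}/users?{query}")}

    def group_member_ids(self, group_id: str) -> Set[str]:
        return {u["id"] for u in self._get_all(f"{self.base}/groups/{group_id}/users?limit=200")}

    def reconcile(self, group_id: str) -> Tuple[Set[str], Set[str]]:
        """One scheduled run: make group membership equal the PASSWORD_EXPIRED set."""
        to_add, to_remove = plan_reconciliation(self.expired_user_ids(), self.group_member_ids(group_id))
        for uid in sorted(to_add):
            self._change("PUT", f"{self.base}/groups/{group_id}/users/{uid}")
        for uid in sorted(to_remove):
            self._change("DELETE", f"{self.base}/groups/{group_id}/users/{uid}")
        return to_add, to_remove


def fake_okta(expired: List[str], members: List[str], calls: List[Tuple[str, str]]) -> Transport:
    """Constructed stand-in for an Okta org (hypothetical ids, not real data).
    The user listing is served in two pages to exercise Link pagination."""
    def transport(method, url, headers):
        calls.append((method, url))
        if not headers.get("Authorization", "").startswith("SSWS "):
            return 401, "missing token", {}
        if method == "GET" and "/users?" in url and "/groups/" not in url:
            page2 = "after=page2" in url
            ids = expired[len(expired) // 2:] if page2 else expired[: len(expired) // 2]
            link = "" if page2 else f'<{url}&after=page2>; rel="next"'
            return 200, json.dumps([{"id": i, "status": "PASSWORD_EXPIRED"} for i in ids]), {"Link": link}
        if method == "GET" and "/groups/" in url:
            return 200, json.dumps([{"id": i} for i in members]), {}
        if method in ("PUT", "DELETE"):
            return 204, "", {}
        return 404, "not found", {}
    return transport


def demo() -> Tuple[Set[str], Set[str], List[Tuple[str, str]]]:
    calls: List[Tuple[str, str]] = []
    # Hypothetical ids: u1..u4 have expired passwords; the group currently holds u3, u4, u9.
    client = OktaClient("https://example.okta.com", "00fake-token",
                        fake_okta(["u1", "u2", "u3", "u4"], ["u3", "u4", "u9"], calls))
    to_add, to_remove = client.reconcile("00gExpiredPw")
    return to_add, to_remove, calls


if __name__ == "__main__":
    added, removed, api_calls = demo()
    print("add:", sorted(added), "remove:", sorted(removed))
    for method, url in api_calls:
        print(method, url)
```

Run against a real org by constructing `OktaClient` without the `transport` argument and scheduling `reconcile` at whatever interval the three or four Workflows would have run at; the API token should belong to a service account limited to group membership management, since it can add anyone to the group that carries the weaker (password-required) sign-on policy. The `plan_reconciliation` step is kept pure so the add/remove sets can be logged or dry-run before any `PUT`/`DELETE` is issued.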

Hi @Schrodyr (Freeman), thank you for reaching out to the Okta Community!
For design recommendations for this type of use case we recommend signing up for office hours (Workflows console home page > Resources > Office hours) to discuss the matter with our available resources, or reach out to your Okta Account Executive to discuss possible alternatives.
We'll leave this question open for possible community input as well.
Regards.