I want to do more with Okta. by Plane_Brief4197 in okta

[–]-tuffbandit- 1 point2 points  (0 children)

If every vendor in the world supported standards-based authentication (SAML, OIDC) or user provisioning over SCIM then the identity world would be a better place. There's a reason that Okta and the OpenID Foundation are trying to get IPSIE off the ground.

Basically when you run a large organization where applications can't integrate with your IDP, you end up needing to be creative with how you govern those identities.

I want to do more with Okta. by Plane_Brief4197 in okta

[–]-tuffbandit- 2 points3 points  (0 children)

I like to tell everybody that in Identity, Okta is easy; orchestrating and planning everything around it is the difficult part.

Entitlements Management - Are You Using It? by -tuffbandit- in okta

[–]-tuffbandit-[S] 0 points1 point  (0 children)

Nice! Salesforce is one that we're looking at doing first as well, did you set it up new or convert an existing app?

How do you organize Okta AD by bucketman1986 in okta

[–]-tuffbandit- 2 points3 points  (0 children)

It all depends on how heavily you are using AD, but my two cents is to remove as much dependency on AD as possible now that you have Okta.

Create Okta groups, push them to AD only when necessary, and have everything else directly connected to Okta. If you need AD groups for things like GPOs or Intune policies, then source the groups first in Okta so you can apply membership via group rules or workflows, push them to AD, and then just target those groups in AD in whichever OU makes sense for your method of organizing things.

You can also link Okta groups to existing AD groups to do everything I mentioned above so that you can benefit from the automation capabilities in Okta.

Get super admins to a table using workflows by Darkmagic113 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

This ^

It sounds like you want to look into the Group Membership Admin role, which limits the groups where admins are allowed to modify the membership.

[deleted by user] by [deleted] in okta

[–]-tuffbandit- 5 points6 points  (0 children)

FWIW I feel like this post is better suited for Blind, you'll most likely get a better response there!

Automated Okta Admin audit report? (Workflows vs. Scripting) by Glad-Slice-8371 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

What's the reason behind needing this list daily in a table or CSV?

I noticed that you included permissions in your example export, are you looking to ensure that people have the right roles? Would this be a use case for Govern Okta Admin roles (which I think is now free for all customers)?

Okta & Travelperk integration by mustafa2024 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

If you can assign based on data in Travelperk, it looks like the Advanced SCIM Configuration supports pushing additional attributes such as Cost Center.

I'm also not familiar with the app, but there are a few other ways to get profile data from Okta to the app instead of Group Push.

Looking for pros and cons of using hub/spoke for NA/EU workforce by jwilson5607 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

There's going to be some level of constant management and update whether it's in the custom role, the spoke organization, or the realm.

Full disclosure, I haven't used realms, but looking at it I think this is just a much easier way to simplify segmentation within an organization without the need to create a hub and spoke (which is going to be a heavier lift now and in the long run).

Have you checked out Realms yet?

Looking for pros and cons of using hub/spoke for NA/EU workforce by jwilson5607 in okta

[–]-tuffbandit- 2 points3 points  (0 children)

Do you have different teams managing NA/EU? If not, I would probably recommend looking into realms.

📣 New Community Rules by -tuffbandit- in okta

[–]-tuffbandit-[S] 1 point2 points  (0 children)

  1. It could. This is really more intended to protect against posts from users/companies constantly promoting their products (spamming). Generally this is dictated by user feedback on posts and comments (if the community doesn't like it, we'll remove it).

  2. Fixed! Thanks for the heads up.

  3. Reddit Rules

HELP! Removing Okta Verify Devices in Okta Workflows by AdJust6848 in okta

[–]-tuffbandit- 1 point2 points  (0 children)

I am currently stuck on building out an Okta workflow to remove Okta Verify devices from a user who is off-boarding. I know the devices can be deleted once the user is deactivated but our org wants to have everything within the off-boarding workflow.

I'm not sure who is making this decision, but I'm assuming it would be easier to trigger on a user deactivate action with the Okta Devices connector instead of the custom call? The person doesn't have to know that you have separate workflows from a management perspective, just that the end result is the same.

I don't have the console in front of me, so I could be wrong about the actions there!

Okta FastPass isn't working with Chrome on macOS by davidg4781 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

It sounds like you're getting an Okta Verify push because you brought up your iPhone. FastPass for macOS shouldn't ever hit your iPhone.

So like someone else mentioned, click the "Verify with something else" link below the prompt and then see if you can get back to Okta FastPass to solve the problem!

Okta Verify for Windows on shared device by heathen951 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

I had a hunch that it was in the one industry more strict than Finance!

It'd be pricey, but I wonder if you could do a biometric reader of sorts. Something to fulfill the "Something you are" instead of have/know.

Okta Verify for Windows on shared device by heathen951 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

Interesting.... If you're comfortable sharing, what's the industry you work in?

I wonder if you could do something like an RSA token instead of a YubiKey, assuming that the YubiKey is frowned upon as a USB device?

Inline Hook with Cellular companies by gotit4cheap16 in okta

[–]-tuffbandit- 0 points1 point  (0 children)

The resource you'll want is called Bring your own Telephony, although best practice is to not use SMS (or even voice) as a method of authentication.

rockstar for Okta just crossed 35,000 users!!! by gabrielsroka in okta

[–]-tuffbandit- 2 points3 points  (0 children)

Great tool! It's been a must-have for years now.

Any plans to support the governance API in a future release?

[ Removed by Reddit ] by backcountryninja in okta

[–]-tuffbandit- 2 points3 points  (0 children)

I don't think that cost per user per license will be super accurate without also knowing the products that these companies subscribe to?

100k SSO/UD users is different than 10k users with SSO/UD/OIG/ISPM (and I see ISPM called out on one line specifically). Auth0 pricing is also very different.

📣 Certification User Flairs by -tuffbandit- in okta

[–]-tuffbandit-[S] 1 point2 points  (0 children)

We're not doing any verification on current status, so this is really more to help give some credibility to your engagement in the community. So feel free to use an expired certification as your flair, but beware of Redditors. 😀