Home / Blog / Automating Expensify using Okta Workflows
Published: May 8, 2022 / Last updated: May 9, 2022 / By Andrew DoeringExpensify unfortunately does not support lifecycle management using their provisioning integration. However there are ways around that, for example, using the Advanced Employee Updated API that Expensify provides.
However, their API is finicky at times. In an effort to help get you started, I am going to go over our Okta Workflow that helps us keep our employees up to date, including:
Which are missing from the Provisioning Tab. This will not cover:
You should be using SAML in Expensify in this example.
You should have one of the following:
You can find the Okta Workflow that we use at this link.
Update: I have updated the flow to instead use a Call Flow card, rather than a For Each Object card to reduce the amount of API spam. Thanks to Michael P for the heads up.
Going over our workflow, we have three specific entries here:
The three event flows are quite self-contained and self-explanatory. Either the User Removed from Application or User Deactivated cards could potentially work well in this scenario, depending on your needs. While the API Helper Flow is slightly more complex (but also still very much straight forward).
We start by reading the user, and erroring out if the Okta ID, Cost Center, Manager, or Office Country Code does not exist.
Because of the issues with the Google Connections, we will then proceed to wrap our flow in a Try error.
We also want to create a If/Else card to validate that the account is deactivated, and provide a proper output based on the account for the API.
From here then we construct the cards we need for the API:
This pulls the data from the Read User cards and dynamically puts it into the Compose card to then finally send to the API:
There you have it. From here, the API should respond by either creating the employees credentials in Expensify, where they can login via SSO and be ready on the employees first day.
The SVG of the flow can be seen below:
User Profile Updated
Update: Uses a call flow card, rather than for each.
User Assigned Application
Update: Uses a call flow card, rather than for each.
API Helper
When deploying this specific workflow (if you don’t alter it), here is what I would recommend:
When doing it this way, you avoid: