Note. This feature is available for customers on the OneLogin Unlimited Plan.
Task Lists are workflows that prompt administrators to perform the OneLogin tasks required to bring a new user onboard your organization or remove users' access to applications when they leave the organization.
Specifically, the Task Lists feature:
Notifies admins of new users that need access to apps and users who are leaving the organization
- Lists all tasks that are required to onboard and offboard a user, including both manual tasks and automatic tasks that OneLogin takes care of without manual intervention
This article discusses the following topics:
- Enabling Task Lists
- Receiving notifications
- Viewing tasks
- Onboarding workflows
- Offboarding workflows
Enabling Task Lists
Onboarding and offboarding task lists are predefined. You cannot edit them, but you can enable and disable them.
Log into OneLogin as an admin and go to the Task Lists settings page by doing one of the following:
- Go to https://yourdomain.onelogin.com/workflow_definitions
- Click the Notifications bell in the menu bar to open the All Tasks page, where you can click Settings or Enable Task Lists.
On the Task Lists settings page, click a task list row to enable the task list and view its default settings.
Currently there are two default task lists available, Onboarding and Offboarding.
On the task list edit page, enable the task list, view the conditions that trigger the task list, and view the workflow order of the predefined tasks.
- Click Done.
Once you have enabled task lists for onboarding or offboarding, Super Admins will be notified of pending tasks. The notifications (bell) icon in the menu bar will display a red dot:
Click the notifications icon to view the pending tasks. Each will be listed by the name of the user whose account requires action.
Click a task row to view the task list.
To view pending and completed tasks, you can do any of the following:
- Click the Notifications bell in the menu bar and then click a task row on the Tasks notification drop-down.
- Click See All Tasks in the banner on the Task Lists configuration page.
Each of these opens the All Tasks page, which functions as your task list dashboard.
Navigating the All Tasks page
Search and filter: You can search for tasks by username and email, and filter by task creation date and status (Open or Completed).
View details: Click the down arrow () above the task number indicator () to the right of the user name to expand a task list to view details. Click again () to collapse.
Tasks completed indicator: to the right of the user name, you can see the number of tasks completed over the total number of tasks in the list ().
Viewing Task List Details
When you expand a task list using the down arrow (), you will see a detailed list of tasks. These include Automatic tasks, that are performed by OneLogin and require no input from you, and manual tasks, which require your input.
To see details about Automatic Tasks, click the up and down expansion arrows () next to Automatic Tasks Initiated.
The following icons indicate task status:
In progress and cannot manually be marked complete
Incomplete manual task requiring action
Task in error state
When you add a new user to OneLogin, whether manually (created in OneLogin or imported from CSV) or by importing from a third-party user store like Active Directory or Workday, an Onboarding task list will be created automatically to help you onboard that user.
Two types of tasks are listed:
Automatic tasks that require no admin intervention:
Some of those applications allow OneLogin to provision users to them automatically; others require manual intervention to add user accounts to those applications.
- Mappings assign new users to groups, which automatically places users in the security policies associated with those groups.
Manual tasks that require your intervention:
- Provisioning users to applications that aren't enabled for automatic provisioning.
- Providing authentication credentials for apps that use form-based authentication, or for SAML apps that require user attributes to be entered manually in the user login record.
- Approving provisioning for applications that require admin approval before the user is provisioned to the app.
Automatic tasks are initiated when the task list is generated. Unless there is an error, you don't have to do anything with automatic tasks. If an automatic task generates an error, you should troubleshoot the error and restart the task that caused the error.
As you complete each manual task, click the status icon to switch it to Completed: When all tasks are completed, the task list will auto-complete. Its status on the All Tasks page will show as completed, and it will be removed from the Notifications drop-down.
Every task that you initiate or complete will be logged as an event, viewable from Activity > Events:
user Enabled workflow_name
user Disabled workflow_name
user Initiated task_name for subject user
Manual task_name for subject user was completed by user
Manual task_name for subject user was marked incomplete by user
Workflow task_name for subject user was marked completed by user
When a OneLogin user is leaving your organization, you can initiate the Offboarding Task List for that user by doing the following:
- Go to the user's details page (Users > All Users, select the user).
Click More Actions and select Initiate Offboarding from the drop-down menu.
This option is displayed only if the Offboarding Task list has been enabled.
- On the confirmation dialog that appears, you can view the applications that will be deactivated automatically. Click Continue to initiate offboarding.
When you initiate offboarding, OneLogin does the following automatically:
Deactivates the user in OneLogin, preventing them from accessing the OneLogin portal.
The user is put in a Deleting state. Users in this state do not display by default on the All Users page, but you can view them on that page using the filter Status = Deleting.
Deactivates the user's app logins, disabling their ability to log in to SSO-enabled apps using OneLogin.
The user will continue to display as provisioned to those apps that are enabled for provisioning, but their app status will be set to a Suspended state. Because users' app accounts are suspended, not deleted, the user is locked out of the app, but you as an admin can continue to access and recover data from those accounts before finally deleting them.
On the All Tasks page, you see automatic Deactivate User and Deactivate applications tasks, as well as a list of apps that you must manually deprovision.
After you deprovision each app, click the status icon to switch it to Completed:
When you are satisfied that you have removed the user's access to all of their work apps, you can delete the user and set the status icon for Delete User to Completed: . When all tasks are completed, the task list will auto-complete. Its status on the All Tasks page will show as completed, and it will be removed from the Notifications drop-down.
Note. When you delete the user, the user will be automatically deprovisioned from their provisioning-enabled apps, and their accounts set to the status (deleted, suspended, do nothing) that is configured for deleted users on the Provisioning tab of the app connector. These post-user-deletion deprovisioning events may require admin approval, and the Offboarding task list will not remind you to approve deprovisioning.