arazzo: 1.0.1
info:
  title: Okta Find User and Suspend
  summary: Look up a user by login and suspend them if an active match exists.
  description: >-
    A find-then-act offboarding flow. The workflow searches for a user by their
    login or email, branches on whether a match was found, and when found
    suspends that user so they can no longer sign in while their account is
    retained. The resolved user id is chained from the search into the suspend
    lifecycle call. Every step spells out its request inline, including the SSWS
    API token header, so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: oktaApi
  url: ../openapi/okta-openapi-original.yml
  type: openapi
workflows:
- workflowId: find-user-and-suspend
  summary: Resolve a user by login and suspend them.
  description: >-
    Searches for a user matching firstName, lastName, and email and, when found,
    suspends the active user.
  inputs:
    type: object
    required:
    - oktaApiToken
    - query
    properties:
      oktaApiToken:
        type: string
        description: Okta API token used for the SSWS Authorization header.
      query:
        type: string
        description: Search term matching the user's firstName, lastName, or email.
  steps:
  - stepId: findUser
    description: >-
      Search for a user matching the supplied query, returning at most one
      result.
    operationId: listUsers
    parameters:
    - name: Authorization
      in: header
      value: SSWS $inputs.oktaApiToken
    - name: q
      in: query
      value: $inputs.query
    - name: limit
      in: query
      value: 1
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/0/id
      userStatus: $response.body#/0/status
    onSuccess:
    - name: userFound
      type: goto
      stepId: suspendUser
      criteria:
      - context: $response.body
        condition: $.length > 0
        type: jsonpath
    - name: userMissing
      type: end
      criteria:
      - context: $response.body
        condition: $.length == 0
        type: jsonpath
  - stepId: suspendUser
    description: >-
      Suspend the matched user so they can no longer authenticate.
    operationId: suspendUser
    parameters:
    - name: Authorization
      in: header
      value: SSWS $inputs.oktaApiToken
    - name: userId
      in: path
      value: $steps.findUser.outputs.userId
    successCriteria:
    - condition: $statusCode == 200
  outputs:
    userId: $steps.findUser.outputs.userId