# Article Name Automate Okta Provisioning in Just Minutes # Article Summary Extend Okta with Torii to discover unsanctioned apps, automate SaaS operations, improve security, and optimize software spend # Original HTML URL on Toriihq.com https://www.toriihq.com/articles/okta-provisioning # Details How do teams uncover 3 to 4 times more apps outside their IdP and slash waste hidden in unused licenses? Discover how 497 employees racked up 310 apps, including 249 not in SSO, and set alerts when actual spend exceeds contracts by 10 percent. Uncover methods to centralize shadow IT, streamline renewals, and eliminate offboarding gaps across 200-plus non-SSO apps with Okta. In this video, John Baker and Rajiv Menon share how Torii discovers apps across SSO, MDM, OAuth, and browsers, then automates control. Learn to map owners, route Slack approvals, reclaim unused E3 and E5 licenses, and trigger alerts when actuals exceed contracts by 10 percent. See AI-powered renewals tracking with auto-renew deadlines, a requests catalog feeding Okta assignments, and real-time offboarding for 200-plus non-SSO apps. A must-watch for IT, security, and procurement teams battling shadow IT, license waste, and looming renewals before the next cycle hits. This article was originally a video (YouTube link here [https://www.youtube.com/watch?v=kfA1WGgUzCk]). Below is the full transcript: Before we begin, a quick announcement about the Oktane raffle and how we'll include our online audience. Some of you attended Oktane, and we raffled several popular LEGO sets, including the Infinity Gauntlet, Darth Vader helmet, and Chewbacca. To include our online audience, we will draw one winner from today’s attendees after the webinar and notify the winner by email. Today we will discuss how to get Okta’s full potential with the help of Torii. My name is John Baker, and I’m here with Rajiv Menon. We cannot see or hear attendees, and microphones and cameras are disabled. Please submit questions using the webinar questions feature, and we will address them at the end. I'll hand things off to Rajiv Menon so he can start the demo, walkthrough, and live Q&A examples. Thanks John, I'll begin on the insights page and give a quick Torii overview. I’ll start on the insights page and introduce Torii, a leading SaaS management platform that helps teams manage apps, automate operations, and control costs. Torii helps you manage every SaaS app in your stack, automates SaaS operations, tightens security, and reduces software costs. An effective SaaS management strategy requires knowing all the apps in use across your stack, not just the apps in SSO. We need to know what is in SSO, how those apps are used, and what is outside SSO that you could bring in. We also track apps purchased through procurement, and those purchased outside procurement, often appearing as expense items. Torii uses a layered discovery process with more than seven methods to find applications both inside and outside your identity provider, so nothing slips through the cracks. We support direct integrations, IdP-based integrations, and marketplace discovery via OAuth methods such as login with Google, Slack, or Teams. Torii can also discover apps from MDM inventories, including Jamf, Intune, and Kandji, and we offer a browser extension to capture apps accessed with corporate credentials. In many customer environments, organizations find three to four times as many apps outside their IdP as inside. For example, in this environment we have 497 employees and 310 applications. If I apply a filter for apps not in SSO and not sanctioned, I see 249 results. These include apps added by business owners, imported from expense or finance feeds, or discovered through OAuth methods. Torii identifies the relevant stakeholders for each app and provides workflows to increase the number of apps under SSO control. Looking at MDM-sourced apps that are not in Okta, some are sanctioned through MDM but not yet integrated into Okta. Torii makes it easy to see popular apps, identify owners, and initiate the process to bring apps into SSO. We wrap these actions in workflows to notify Okta and security teams and to streamline onboarding into SSO. Drilling into an application, I sort by most expensive apps and open Salesforce. This consolidated view shows usage, contract spend, expense spend, and license types. I can see a lot of inactive licenses, which indicates waste. Torii aggregates data from all sources, shows extension usage, and displays vendor security certifications, such as SOC 2, ISO, and GDPR. The app page includes owners, contracts, and expenses for a complete view. I'll go deeper into license management and open Office 365 to show license details and savings. For integrations that expose license data, Torii imports license tiers, total quantities, active and inactive counts, and assigned licenses. Here we have many unused E3 and E5 licenses, so projected savings are significant. Torii curates recommendations to highlight easy reclaim opportunities and reallocation options. The Renewals page visualizes all contracts you import into Torii. Contracts can be pushed from a contract management system, imported from a spreadsheet, or extracted by Torii's AI. You can email contracts and invoices to contracts@toriihq.com, and Torii will extract relevant data automatically for tracking and renewals. The renewals calendar shows upcoming renewals, auto-renewal flags, cancellation deadlines, and lets you create automations to support procurement processes. The renewal summary gives a timeline view of contract performance, renewal outcomes, and trends you can act on. You can see applications not renewing, renewals coming up, cost decreases, and cost increases. In one example, after implementing Torii, the organization reduced non-renewals and realized substantial savings. All views can be exported to CSV for further analysis. The contracts view functions as a searchable, dynamic database to track every agreement, term, and amendment in one place. You can create custom views, filter contracts in review or recently closed contracts, and export data. There are many fields to build visualizations that match your process. Next I’ll walk through workflows and how they automate cost and entitlement decisions. I created an application-centric workflow that triggers when actual spend exceeds contract spend by a threshold, for example, 10 percent. The workflow sends a Slack approval to the application owner and includes a two-step approval. If approved, it escalates to another reviewer. You can add conditional branches, additional steps, and integrations to proactively manage application costs. For shadow IT, we flip the model from reactive to proactive. When Torii discovers a new app across any connected source, the workflow checks whether the source is Okta. If not, Torii notifies stakeholders asking whether to review feasibility for Okta integration. If the approver says yes, the app state changes to in SSO review and a human task is assigned to the SSO team. If SSO integration is possible, the app is sanctioned into Okta. If not, the app can be sanctioned as non-SSO but monitored. For license reclamation, I set a workflow that triggers on licenses detected as not in use for Office E3 and E5. The workflow exempts leadership roles and reaches out to users before revoking licenses. If the user consents, Torii calls Okta to remove the user from the Okta group that grants the license, thereby reclaiming the license. This uses the Okta integration for enforcement. Torii also provides an access request catalog to centralize app requests and approvals for users, and to track request history and SLA status. You can expose discovered apps in the catalog and map requests to workflows. When a user requests an app, the workflow can trigger email or Slack approvals. For approved requests, Torii sends a webhook to Okta so Okta can perform the app assignment through its API. We document common Okta API examples in our developer community. I'll cover common questions starting with benefits for basic Okta SSO customers. If you only have Okta SSO on a basic tier, what benefits does Torii provide? Torii extends user lifecycle management beyond basic SCIM for a limited number of connected apps and adapts to HR attributes and complex entitlements. You can build sophisticated, criteria-based workflows tied to HR attributes to automate onboarding and offboarding. Torii can trigger on attribute changes, such as department or job title changes, and apply entitlement changes accordingly. You can also use Torii to proactively discover and push more apps into Okta, block unsanctioned OAuth apps, manage license reclamation, and automate procurement and contract workflows. We also provide real-time app events to further improve automation. Real-time app events currently support Okta and Google via subscriptions. For example, when a user is deactivated in Okta, Torii can trigger an offboarding process for 200-plus non-SSO apps in real time. This allows you to start the offboarding workflow the moment Okta deactivates the user, improving auditability and compliance. Regarding blocking unsanctioned apps, Torii can set an application state to closed and automatically block OAuth apps when integrated with Google. You can implement this as part of a gated workflow, so apps are blocked only after review, or you can automate blocking based on risk level. If you want to learn more, Torii runs a weekly platform demo on Tuesday mornings, and we offer personalized demos. For license data in apps without native integrations, you can download a CSV or Excel export from the vendor, convert it to CSV, and import it into Torii. Torii's AI analyzes the file, maps users and license assignments, and presents the data in the licenses view exactly as if we had an API integration. Torii supports role-based access control with four standard roles out of the box and the ability to define custom roles and permissions. You can control left navigation visibility, grant read or read-write access, and map provisioning with SCIM from Okta to automatically assign users to roles in Torii. Torii integrates with ITSM tools such as Jira, ServiceNow, Freshservice, and Zendesk. Workflows can create tickets, update issues, and include Torii context in tickets. You can also call Torii APIs from ITSM systems to pull app usage data or other artifacts for auditing and reporting. That wraps up the main content and key takeaways from today's session. Thank you for joining, and please submit any additional questions through the webinar platform or request a personalized demo.