IAM & Security

Okta Lifecycle Lab

HRIS-driven identity lifecycle automation — Joiner/Mover/Leaver workflows you can actually run

Python · React · Okta API · SCIM 2.0 · Flask · Docker

What it does

Most identity lifecycle implementations break because they were built for a company's size two years ago. This lab lets you run the full Joiner/Mover/Leaver pipeline locally — from HRIS events through RBAC resolution and SCIM provisioning to downstream SaaS apps — with zero credentials needed.

It has two modes: simulation (default, fully local with mock SCIM endpoints) and live (connects to a real Okta developer tenant). The simulation mode is the demo path — anyone can clone it and see the full pipeline in action.

The mover workflow is the star: when an employee changes roles, the engine diffs their current access against the new role's RBAC rules, revokes what's no longer needed, provisions what's new, and logs the entire diff for audit. It also includes error scenarios — a SCIM conflict with automatic retry and a partial deprovision that flags for manual review — because real systems fail, and handling failure is what separates production automation from a demo.
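
The mover diff described above, as an added example that is not taken from the okta-lifecycle-lab code. The rule schema, the app-to-role mappings and the function names (resolve_access, diff_access, apply_mover) are assumptions, and the rules are an inline dict instead of the project's YAML so the block runs without dependencies.

```python
# Added example; rule schema, app mappings and all names are assumptions.
# Constructed RBAC rules: baseline for everyone, then department, then title.
RULES = {
    "baseline": ["Slack", "Zoom", "GWS"],
    "departments": {"Engineering": ["GitHub", "Figma"],
                    "Sales": ["Salesforce", "HubSpot"]},
    "titles": {"Sales Engineer": ["GitHub"], "Controller": ["NetSuite"]},
}


def resolve_access(department, title, rules=RULES):
    """Return the set of apps a department + title pair is entitled to."""
    apps = set(rules["baseline"])
    apps.update(rules["departments"].get(department, []))
    apps.update(rules["titles"].get(title, []))
    return apps


def diff_access(current, target):
    """Compare the access a user holds with the new role's entitlements."""
    current, target = set(current), set(target)
    return {
        "revoke": sorted(current - target),
        "provision": sorted(target - current),
        "keep": sorted(current & target),
    }


def apply_mover(user, current, department, title, revoke, provision):
    """Apply the diff; a failed revoke is flagged, never silently dropped."""
    diff = diff_access(current, resolve_access(department, title))
    record = {"user": user, "diff": diff, "manual_review": [], "failed_provision": []}
    for app in diff["revoke"]:
        if not revoke(user, app):
            record["manual_review"].append(app)  # access may still exist downstream
    for app in diff["provision"]:
        if not provision(user, app):
            record["failed_provision"].append(app)
    incomplete = record["manual_review"] or record["failed_provision"]
    record["status"] = "needs_review" if incomplete else "complete"
    return record


if __name__ == "__main__":
    # Constructed mover: Engineering -> Sales Engineer, with the Figma revoke failing.
    held = resolve_access("Engineering", "Software Engineer")
    result = apply_mover("jdoe", held, "Sales", "Sales Engineer",
                         revoke=lambda u, a: a != "Figma", provision=lambda u, a: True)
    print(result)
```

The returned record holds the full diff alongside any revokes that did not complete, so the audit log shows both what was intended and what may still be live.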

Architecture

HRIS Feed (Sapling)
    ↓
Event Engine → RBAC Resolver → Okta Client → Mock SCIM Server
         Slack · GitHub · Zoom · GWS
         Figma · Salesforce · HubSpot
         Rippling · NetSuite
                         ↓
              React Dashboard
         Real-time event timeline
         Access diff visualization
         Post-deprovision audit

Key features

  • HRIS-driven event processing (joiner, mover, leaver)
  • YAML-based RBAC rules with department + title resolution
  • Access diff engine for mover workflows
  • Mock SCIM 2.0 server (9 downstream apps)
  • Post-deprovision audit checker (15-minute verification)
  • Error handling with automatic retry and manual review flags
  • Real-time React dashboard with expandable event detail
  • Docker Compose one-command startup

Quick start

# Clone and run
git clone https://github.com/adavenport-ops/okta-lifecycle-lab.git
cd okta-lifecycle-lab
docker compose up

# Open the dashboard
open http://localhost:5173

Related

Read the full writeup on the engineering decisions behind this project:

Building Bulletproof Joiner/Mover/Leaver Automation with Okta Workflows →