SMP Automation Tips & Tricks

Struggling to rein in SaaS sprawl and reclaim idle licenses after 90 days? Discover how Torii uncovers shadow IT, schedules hourly onboarding, and automates license reclamation with 90-day inactivity rules, Slack approvals, and manager escalations. See how stop workflows, history restore, and usage insights cut rework and speed decisions.
In this video, Caitlin DeBalak, Head of Customer Success, and Steve, Solutions Engineer, share advanced Torii automation techniques. Learn to trigger workflows from Workday hires, app discoveries, or contracts near expiration, branch by department, build custom actions with client-credentials OAuth, and integrate webhooks that pass any JSON to provision accounts and update systems. It is a must-watch for IT, procurement, and security teams that need to streamline offboarding, tighten renewals, eliminate blind spots, and prove savings this quarter.
This article was originally a video. Below is the full transcript:
Today we will direct open questions to the Q&A section of the webinar. We encourage chat for feedback, commentary, and emojis, and we recommend using computer audio for an optimal connection.
My name is Caitlin DeBalak, head of customer success at Torii, and I am located in Columbus, Ohio, in the United States. I’m here with Steve to discuss advanced techniques with our automations, focusing on hidden gems and extensibility.
For those new to Torii, we provide a single solution for managing your entire SaaS ecosystem. Torii constantly discovers SaaS applications, including shadow IT, and consolidates data around contracts and license use so you can reduce blind spots, identify cost savings, and automate manual tasks.
Torii surfaces every application used inside and outside your IdP. That visibility shows which apps have paid licenses, where unused seats offer savings, duplicate tools, renewal schedules and terms, and opportunities to automate onboarding and offboarding.
I will hand off to Steve to walk through workflow automation capabilities. He will give a brief review of triggers and actions, then dive into advanced workflow topics.
I am Steve, a solutions engineer at Torii, based in Toronto, Canada. Workflows in Torii run based on triggers, which can be user lifecycle events, application events, license events, contract events, real-time events, or custom triggers like webhooks.
User lifecycle triggers are based on attributes such as user identity, department, or lifecycle events like hire or termination. Application triggers include new apps discovered in your organization, apps not in your IdP, or apps with specific expense or contract characteristics. License triggers act on license usage patterns, such as users with licenses who have not used them, and contract triggers support renewal management when contracts approach expiration.
An onboarding workflow can be triggered by Workday data for new hires. Workflows run hourly, so you can schedule actions relative to start dates, such as creating Google or Azure accounts, provisioning birthright access, and creating accounts for Slack, Zoom, and Salesforce.
Branching lets workflows use attributes from the trigger, for example department, to provision different access for sales, marketing, or finance. If an action is not available out of the box, you can build custom actions to expand capability.
Offboarding workflows can be scheduled to run at the end of the day to avoid prematurely deprovisioning users. Typical offboarding actions include updating Google Workspace email, suspending accounts, signing users out of sessions, and running default offboarding actions configured per application, such as deactivating Salesforce or disabling Zoom.
Offboarding can also include advanced steps like transferring Drive documents, migrating calendar data, and adding wait conditions to delay processes or tasks for hours or days.
License management workflows can be configured to remove licenses after defined inactivity periods, such as 90 days. You can select specific license types and build branches for exemptions, interactive reclamation, manager approvals, or automatic removal.
Interactive branches can send Slack messages prompting users to relinquish licenses, with options to reclaim immediately, keep the license, or escalate to a manager for approval. Reclaimed licenses can be removed directly or via your provisioning system, and the catalog can allow users to request access back.
These foundational workflows are common starting points, and your CSM can help build or refine them if you need assistance.
Advanced workflows extend Torii by using custom triggers and webhooks to integrate with external systems or nonstandard onboarding sources. Webhooks provide a URL to accept incoming JSON, and Torii does not require a predefined schema, so you can send arbitrary attributes such as first name, last name, email, department, or job title.
When you send test JSON to the webhook URL, Torii exposes personalization tokens for any received attributes, which you can then use in subsequent actions. Postman or similar tools can be used to simulate webhook payloads.
Webhooks are designed for user workflows rather than license or application workflows, and authentication for webhooks is built into the URL. Any system that can post JSON, including Jira, Zendesk, Zoho, or Okta, can call Torii webhooks to trigger user provisioning workflows.
The Torii API can also be used to run workflows programmatically. The primary difference between calling the API to run a workflow and using a webhook is that the API run-workflow call expects the user to already exist in Torii. Use webhooks when the external system is the source of truth and may create the user in Torii during the workflow.
Custom actions enable outgoing API calls to systems Torii does not natively support or when you need more control. You can configure the URL, method, headers, and request body, and store static tokens in the secret vault. Custom actions can handle JSON or GraphQL payloads.
Responses from custom actions can be mapped to variables and used in subsequent API calls, enabling multi-step integrations. For example, you can query an API to retrieve a value, store it as a variable, and then use that value in a follow-up call to update groups or create records.
OAuth authorization and token handling need careful setup to avoid failed calls or expired credentials. The authorization code grant is interactive and is not recommended for custom actions, unless a long-lived token is available. Client credentials flow is supported: you can request a token in one action, store the token in a variable, and use it in the authorization header for subsequent calls, as with a Zoho Desk example where you obtain a token and then create a ticket.
Custom actions and API calls can integrate with external systems for reporting or process continuity. One example is populating a Notion database with contract metadata, mapping contract fields such as contract name, emails, auto-renewal status, start date, end date, and a link back to the contract in Torii.
Another example is pushing license reclamation outcomes to a Google Sheet. A workflow that prompts a user for approval via Slack can call a custom action to append a row to a Google Sheet with application name, license, user, outcome, and timestamp, preserving existing processes or providing a bridge for stakeholders who are not yet using Torii.
Three recent features that improve workflow management are stop workflows, restore workflow history, and last viewed sources. Stop workflows allows you to halt a workflow mid-process to make adjustments. Restore workflow history lets you revert to any prior version from the history list. Last viewed sources provide details about usage data, including who accessed what and how, to support better business decisions.
We captured these Q&A highlights from the webinar for quick reference. Exporting or importing workflows is not currently supported; please submit feedback if this capability matters to you. There is no limit on the number of workflows or actions for customers licensed for workflows in the Professional or Enterprise tiers.
Torii was built with performance and scalability in mind, so heavy workflow usage should not cause scalability concerns. You can use SSO groups as part of triggers, and the Users tab now includes a details view showing SSO group membership and change history.
API rate limits do exist, and details are available in the developer community documentation. Rate limits may vary by endpoint or application, so please consult the developer docs for specifics.
Please reach out to your CSM for help implementing these techniques or for assistance with questions that were not covered here. Thank you for joining, and have a great week.
Frequently Asked Questions
Torii detects unused licenses based on 90-day inactivity rules, runs reclamation workflows hourly, and supports branches for exemptions. Workflows can send Slack prompts, require manager approvals, or automatically remove licenses via provisioning systems and log outcomes for reporting.
Use built-in triggers like Workday hires, application discoveries, and contract expiration events. Torii runs workflows hourly, accepts webhook or API triggers, and exposes personalization tokens from incoming JSON to branch actions by department or job attributes during automation.
Custom actions let you call external APIs, set headers, and send JSON or GraphQL payloads. Use them to integrate unsupported systems, perform multi-step token exchanges, map response variables for later calls, or push results to Google Sheets, Notion, or ticketing systems.
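The client-credentials sequence described for custom actions (request a token, keep it in a variable, send it in the Authorization header of later calls) is shown here in Python as an added example; it is not Torii's code and not from the webinar. The token request follows RFC 6749 section 4.4; the `post` transport, the 60-second refresh margin and the demo credentials are assumptions made for illustration.

```python
import base64
import time
from urllib.parse import urlencode

EXPIRY_MARGIN = 60  # seconds: refresh this long before the stated expiry


def build_token_request(client_id, client_secret, scope=None):
    """Headers and form body for an RFC 6749 section 4.4 token request.

    Assumes the provider accepts HTTP Basic client authentication.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


class TokenCache:
    """Holds one access token and requests a new one before it expires."""

    def __init__(self, post, client_id, client_secret, clock=time.time):
        self._post = post  # hypothetical transport: (headers, body) -> dict
        self._creds = (client_id, client_secret)
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        if self._token is None or self._clock() >= self._expires_at - EXPIRY_MARGIN:
            reply = self._post(*build_token_request(*self._creds))
            if str(reply.get("token_type", "")).lower() != "bearer" \
                    or not reply.get("access_token"):
                raise ValueError("token endpoint did not return a bearer token")
            self._token = reply["access_token"]
            # A missing expires_in is treated as short-lived, not permanent.
            self._expires_at = self._clock() + float(reply.get("expires_in", 300))
        return {"Authorization": f"Bearer {self._token}"}


if __name__ == "__main__":
    # Constructed stand-in for a token endpoint so the example runs offline.
    def fake_endpoint(headers, body):
        return {"access_token": "constructed-token", "token_type": "Bearer",
                "expires_in": 3600}

    cache = TokenCache(fake_endpoint, "demo-client-id", "demo-client-secret")
    print(cache.auth_header())
```

Refreshing ahead of the stated expiry keeps a follow-up call from going out with a token that lapses in transit, and rejecting a reply without a bearer token stops the workflow before an empty Authorization header is sent.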
Interactive branches send Slack messages prompting users to relinquish licenses with options to reclaim now, keep the license, or escalate to a manager. Responses drive workflow branches that remove licenses, call provisioning systems, or record approvals and outcomes.
Torii offers stop workflows to pause executions, restore workflow history to revert to prior versions, and last viewed sources for usage visibility. These features reduce rework, enable safe edits, and provide context about who accessed which apps and when.
Webhooks accept arbitrary JSON and can create or supply user data during workflow execution, which is ideal when an external system is the source of truth. The API run-workflow call expects users to already exist in Torii and is better for programmatic execution after user creation.