Okta Classic Engine release notes (2023)

January 2023

2023.01.0: Monthly Production release began deployment on January 17

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Revoke user sessions

Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

New System Log events

New events are added to the System Log when custom sign-in or error pages are deleted or reset.

System Log

Policy details added to sign-on events

The System Log now displays policy details for user.authentication.auth_via_mfa events.

System Log

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Internet Explorer 11 no longer supported

A new banner has been added on the End-User Dashboard to notify the Internet Explorer 11 users that the browser is no longer supported.

Corrected timezone on API Tokens page

The date and time on the API Tokens page used an incorrect timezone. It now uses the same timezone as the users' device.

Early Access Features

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-511057

Push Group to Azure Active Directory failed when the group description property was empty.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561119

Some users were redirected to the End-User Dashboard when they clicked an app embed link. This occurred in orgs that enabled State Token All Flows and used a custom sign-in page.

OKTA-561259

On the Edit role page, the previously selected permission types weren’t retained.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-527705

When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-545664

URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-557873

Enrollment emails weren't sent to users who enrolled in the DUO Security factor.

OKTA-557976

For some users, the profile page didn't display all of their enrolled MFA factors.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

Generally Available

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-545622

AD-sourced users received an error when resetting passwords during their Okta account activation.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the Google Authenticator factor.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) factor and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Better Stack (OKTA-566261)

  • Mist Cloud (OKTA-559122)

  • Tower (OKTA-567818)

OIDC for the following Okta Verified application:

February 2023

2023.02.0: Monthly Production release began deployment on February 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 7.3.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.13

This version of the Okta Provisioning agent contains the migration of the Windows installer from Internet Explorer to Edge. The installer now requires Edge WebView2. If your machine is connected to the internet, WebView2 is downloaded automatically during the agent installation. If not, you must manually install it before installing the new agent version. See Okta Provisioning agent and SDK version history.

Agents page removed from the navigation panel

The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.

Splunk edition support for Log Streaming integrations

The Spunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.

Custom links for personal information and password management on End-User Dashboard

If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.

This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.

You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.

User Accounts

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

Full Featured Code Editor for error pages

Full Featured Code Editor integrates Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with the better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.

Custom app login deprecated

The custom app login feature is deprecated. This functionality is unchanged for orgs that actively use custom app login. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Enhancements

iFrame option for OAuth sign-out URI

OAuth sign-out URI can now be embedded inside iFrame.

Log Streaming status messages

Log streaming status messages now include a prefix related to the log streaming operation.

Updated AWS EventBridge supported regions for Log Stream integrations

The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.

OIN Manager enhancements

The OIN Manager now orders the app protocol tabs by best practice.

Informative error messages for SAML sign-in

Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.

Early Access Features

New Features

Fixes

General Fixes

OKTA-501372

The People page used an incorrect field name as the sorting key.

OKTA-540894

Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.

OKTA-544814

Clicking Show More in the API Trusted Origins tab resulted in an Invalid search criteria error.

OKTA-554006

Clicking Save and Add another to add new attributes on the Profile Editor page didn’t consistently function as expected.

OKTA-555768

Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.

OKTA-566469

The Coupa integration URL displayed under the application Sign On tab was incorrect.

OKTA-567511

Users weren’t assigned to applications through group assignments following an import from AD into Okta.

OKTA-567991

Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.

OKTA-568319

In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.

OKTA-572600

Sometimes, custom email domain configurations didn’t appear on the Domains page in the Admin Console.

OKTA-573320

The max_age and login_hint parameters in the authorize request were sometimes ignored when a client used the private_key_jwt client authentication method.

OKTA-573738

Some field widths rendered improperly.

OKTA-468178

In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Paychex Online (OKTA-573082)

Applications

Application Update

The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Sign-In Widget, version 7.3.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-508580

When the Okta profile mapping was pushed to AD, the event didn’t appear in the System Log and the manager attribute wasn’t pushed.

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn’t generated when certain report filters were applied.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators Roles, the Org Admin description was incorrect.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Adobe Stock (OKTA-564445)

  • Adyen (OKTA-561677)

  • Airbnb (OKTA-559114)

  • AlertLogic (OKTA-560876)

  • American Express @ Work (OKTA-565294)

  • BlueCross BlueShield of Texas (OKTA-564224)

  • Drilling Info (OKTA-558048)

  • Empower (OKTA-552346)

  • Endicia (OKTA-557826)

  • Glassdoor (OKTA-564363)

  • hoovers_level3 (OKTA-562717)

  • MailChimp (OKTA-554384)

  • MY.MYOB (OKTA-553331)

  • myFonts (OKTA-566037)

  • OpenAir (OKTA-545505)

  • Paychex (OKTA-561268)

  • Paychex Online (OKTA-564325)

  • Regions OnePass (OKTA-568163)

  • Truckstop (OKTA-552741)

  • VitaFlex Participan (OKTA-562503)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Articulate 360 (OKTA-544737)

  • Kakao Work (OKTA-556713)

  • Pleo (OKTA-564884)

  • Tower (OKTA-567818)

Generally Available

Fixes

General Fixes

OKTA-431900

The People > Enroll FIDO2 Security Key button was visible to admins who didn’t have permission to enroll authentication factors.

OKTA-452990

When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.

OKTA-495146

The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.

OKTA-503419

App catalog search results didn't include SCIM functionality labels.

OKTA-566637

The agentless DSSO just-in-time provisioning flow imported ineligible AD groups in to Okta.

OKTA-572089

Browsing the Provisioning tab for an app triggered a System Log update.

OKTA-574711

The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.

OKTA-574890

When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.

OKTA-576067

Custom domains couldn't be validated if there were uppercase characters in a subdomain.

OKTA-578439

Some event hook requests failed to send in Preview orgs.

OKTA-579157

For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Creative (OKTA-555215)

  • Asana (OKTA-566187)

  • ManageEngine Support Center Plus (OKTA-529921)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Scalr.io (OKTA-552065)

  • Trusaic (OKTA-559106)

OIDC for the following Okta Verified applications: