Okta Classic Engine release notes (2023)

January 2023
2023.01.0: Monthly Production release began deployment on January 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Revoke user sessions
Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.
Non-associated RADIUS agents deprecated
Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.
Unusual telephony requests blocked by machine-learning measures
SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.
Enhancements
New System Log events
New events are added to the System Log when custom sign-in or error pages are deleted or reset.
Policy details added to sign-on events
The System Log now displays policy details for user.authentication.auth_via_mfa events.
View last update info for app integrations and AD/LDAP directories
Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.
Internet Explorer 11 no longer supported
A new banner has been added on the End-User Dashboard to notify the Internet Explorer 11 users that the browser is no longer supported.
Corrected timezone on API Tokens page
The date and time on the API Tokens page used an incorrect timezone. It now uses the same timezone as the users' device.
Early Access Features
Enhancements
AWS region support for EventBridge Log Streaming
EventBridge Log Streaming now supports all commercial AWS regions.
Fixes
General Fixes
OKTA-437264
The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.
OKTA-511057
Push Group to Azure Active Directory failed when the group description property was empty.
OKTA-519198
Groups and apps counts displayed on the Admin Dashboard weren't always correct.
OKTA-543969
Accented characters were replaced with question marks in log streams to Splunk Cloud.
OKTA-548780
Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.
OKTA-559571
The Help link on the Administrators page directed users to the wrong URL.
OKTA-561119
Some users were redirected to the End-User Dashboard when they clicked an app embed link. This occurred in orgs that enabled State Token All Flows and used a custom sign-in page.
OKTA-561259
On the Edit role page, the previously selected permission types weren’t retained.
OKTA-564264
Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.
Applications
Application Update
New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.
New Integrations
OIDC for the following Okta Verified applications:
-
Infra: For configuration information, see Infra Configuration Guide.
-
Kanbina AI: For configuration information, see the Kanbina AI Documentation.
-
Riot Single Sign-on: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
-
Tracxn: For configuration information, see Configure SSO between Tracxn and Okta.
Weekly Updates

Fixes
General Fixes
OKTA-394045
The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.
OKTA-460054
Office 365 nested security groups sometimes failed to synchronize correctly from Okta.
OKTA-522922
Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.
OKTA-527705
When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.
OKTA-534291
Samanage/SolarWinds schema discovery didn't display custom attributes.
OKTA-544943
When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.
OKTA-545664
URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.
OKTA-547756
An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.
OKTA-548390
Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.
OKTA-550739
Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.
OKTA-556056
Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.
OKTA-557873
Enrollment emails weren't sent to users who enrolled in the DUO Security factor.
OKTA-557976
For some users, the profile page didn't display all of their enrolled MFA factors.
OKTA-565041
Group filtering failed when more than 100 groups appeared in the list of results.
OKTA-565899
An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.
OKTA-566372
Users were sometimes unable to sign in to several Office 365 apps from Okta.
OKTA-567711
In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Verona: For configuration information, see Configuring Provisioning for Verona.
SAML for the following Okta Verified applications:
-
Alibaba Cloud CloudSSO (OKTA-531834)
-
DoControl (OKTA-556624)
-
EasyLlama (OKTA-547466)
-
Extracker (OKTA-555971)
-
Saleo (OKTA-552314)
-
Verona (OKTA-551188)
-
Viewst (OKTA-555217)
-
WOVN.io (OKTA-551752)
OIDC for the following Okta Verified application:
- Sharry: For configuration information, see the Sharry OKTA CONFIGURATION GUIDE.

Generally Available
Content Security Policy enhancements
Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.
Fixes
General Fixes
OKTA-545622
AD-sourced users received an error when resetting passwords during their Okta account activation.
OKTA-545918
Admin roles that were granted to a user through group membership sometimes didn't appear on the user's
tab.OKTA-551921
When a large number of profile mappings were associated with a user type, updates to the user type could time out.
OKTA-553201
Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the Google Authenticator factor.
OKTA-554013
Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.
OKTA-566285
A threading issue caused directory imports to fail intermittently.
OKTA-566682
When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.
OKTA-566824
Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.
OKTA-567707
A security issue is fixed, which requires RADIUS agent version 2.18.0.
OKTA-567972
An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone ).
OKTA-567979
Last update information was displayed for API Service Apps and OIDC clients.
OKTA-571393
Users couldn’t enroll YubiKeys with the FIDO2 (WebAuthn) factor and received an error message on Firefox and Embedded Edge browsers.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- BizLibrary: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
-
Better Stack (OKTA-566261)
-
Mist Cloud (OKTA-559122)
-
Tower (OKTA-567818)
OIDC for the following Okta Verified application:
- Oyster HR: For configuration information, see Okta configuration guide | Oyster.

February 2023
2023.02.0: Monthly Production release began deployment on February 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 7.3.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta Provisioning agent, version 2.0.13
This version of the Okta Provisioning agent contains the migration of the Windows installer from Internet Explorer to Edge. The installer now requires Edge WebView2. If your machine is connected to the internet, WebView2 is downloaded automatically during the agent installation. If not, you must manually install it before installing the new agent version. See Okta Provisioning agent and SDK version history.
Agents page removed from the navigation panel
The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.
Splunk edition support for Log Streaming integrations
The Spunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.
Custom links for personal information and password management on End-User Dashboard
If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.
This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.
You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.
Run delegated flows from the Admin Console
With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.
Full Featured Code Editor for error pages
Full Featured Code Editor integrates Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with the better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.
Custom app login deprecated
The custom app login feature is deprecated. This functionality is unchanged for orgs that actively use custom app login. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Enhancements
iFrame option for OAuth sign-out URI
OAuth sign-out URI can now be embedded inside iFrame.
Log Streaming status messages
Log streaming status messages now include a prefix related to the log streaming operation.
Updated AWS EventBridge supported regions for Log Stream integrations
The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.
OIN Manager enhancements
The OIN Manager now orders the app protocol tabs by best practice.
Informative error messages for SAML sign-in
Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.
Early Access Features
New Features
Fixes
General Fixes
OKTA-501372
The People page used an incorrect field name as the sorting key.
OKTA-540894
Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.
OKTA-544814
Clicking Show More in the tab resulted in an Invalid search criteria error.
OKTA-554006
Clicking Save and Add another to add new attributes on the Profile Editor page didn’t consistently function as expected.
OKTA-555768
Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.
OKTA-566469
The Coupa integration URL displayed under the application Sign On tab was incorrect.
OKTA-567511
Users weren’t assigned to applications through group assignments following an import from AD into Okta.
OKTA-567991
Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.
OKTA-568319
In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.
OKTA-572600
Sometimes, custom email domain configurations didn’t appear on the Domains page in the Admin Console.
OKTA-573320
The max_age and login_hint parameters in the authorize request were sometimes ignored when a client used the private_key_jwt client authentication method.
OKTA-573738
Some field widths rendered improperly.
OKTA-468178
In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
-
Paychex Online (OKTA-573082)
Applications
Application Update
The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Better Stack: For configuration information, see Integrate Okta SSO & SCIM with Better Stack.
- Cafe: For configuration information, see Okta SCIM Configuration Guide.
- Kakao Work: For configuration information, see Kakao Work SCIM Setup.
- Torii: For configuration information, see Torii's SCIM Setup with Okta.
OIDC for the following Okta Verified applications:
-
Craftable: For configuration information, see Single Sign On with Okta.
-
LeadLander: For configuration information, see the LeadLander Okta configuration guide.
-
Loxo: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
-
Mobius Conveyor: For configuration information, see Okta SSO Configuration Guide.
-
MyInterskill LMS: For configuration information, see SSO – Okta Configuration Guide.
-
ngrok: For configuration information, see Okta SSO (OpenID Connect).
-
Paramify: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
Weekly Updates

Generally Available
Sign-In Widget, version 7.3.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-508580
When the Okta profile mapping was pushed to AD, the event didn’t appear in the System Log and the manager attribute wasn’t pushed.
OKTA-537710
Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.
OKTA-556133
End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.
OKTA-561269
The YubiKey Report wasn’t generated when certain report filters were applied.
OKTA-565300
Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.
OKTA-565984
Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.
OKTA-566892
Sometimes MFA prompts overlapped portions of the browser sign-in pages.
OKTA-572416
The Help Center link on the Resources menu directed users to the wrong URL.
OKTA-574624
In Org Admin description was incorrect.
, the
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
-
Adobe Stock (OKTA-564445)
-
Adyen (OKTA-561677)
-
Airbnb (OKTA-559114)
-
AlertLogic (OKTA-560876)
-
American Express @ Work (OKTA-565294)
-
BlueCross BlueShield of Texas (OKTA-564224)
-
Drilling Info (OKTA-558048)
-
Empower (OKTA-552346)
-
Endicia (OKTA-557826)
-
Glassdoor (OKTA-564363)
-
hoovers_level3 (OKTA-562717)
-
MailChimp (OKTA-554384)
-
MY.MYOB (OKTA-553331)
-
myFonts (OKTA-566037)
-
OpenAir (OKTA-545505)
-
Paychex (OKTA-561268)
-
Paychex Online (OKTA-564325)
-
Regions OnePass (OKTA-568163)
-
Truckstop (OKTA-552741)
-
VitaFlex Participan (OKTA-562503)
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Akamai Enterprise Application Access: For configuration information, see SCIM provisioning with Okta.
- ArmorCode: For configuration information, see SCIM Configuration Guide Instructions.
SAML for the following Okta Verified applications:
-
Articulate 360 (OKTA-544737)
-
Kakao Work (OKTA-556713)
-
Pleo (OKTA-564884)
-
Tower (OKTA-567818)

Generally Available
Fixes
General Fixes
OKTA-431900
The People > Enroll FIDO2 Security Key button was visible to admins who didn’t have permission to enroll authentication factors.
OKTA-452990
When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.
OKTA-495146
The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.
OKTA-503419
App catalog search results didn't include SCIM functionality labels.
OKTA-566637
The agentless DSSO just-in-time provisioning flow imported ineligible AD groups in to Okta.
OKTA-572089
Browsing the Provisioning tab for an app triggered a System Log update.
OKTA-574711
The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.
OKTA-574890
When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.
OKTA-576067
Custom domains couldn't be validated if there were uppercase characters in a subdomain.
OKTA-578439
Some event hook requests failed to send in Preview orgs.
OKTA-579157
For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
-
Adobe Creative (OKTA-555215)
-
Asana (OKTA-566187)
-
ManageEngine Support Center Plus (OKTA-529921)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
-
Samsung Knox Manage: For configuration information, see Configure Knox Manage SCIM Connector and Okta for automatic user provisioning.
-
Shortcut: For configuration information, see Configuring Okta to Manage Shortcut Users with SCIM.
-
Ziflow: For configuration information, see SCIM provisioning with Okta.
SAML for the following Okta Verified applications:
-
Scalr.io (OKTA-552065)
-
Trusaic (OKTA-559106)
OIDC for the following Okta Verified applications:
-
Activaire Curator: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
-
Arrivy: For configuration information, see How to set up OIDC Okta Single sign-on with Arrivy.
-
ConductorOne: For configuration information, see Set up ConductorOne using Okta,
-
HacWare: For configuration information, see SSO Login via Okta and HacWare.
-
Jatheon Cloud: For configuration information, see How to Set Up Okta SSO Integration.
-
Kadence: For configuration information, see Okta Single Sign-On (SSO) Setup Guide.
-
Oort Identity Security: For configuration information, see Okta Integration Network SSO Instructions.
-
Skye: For configuration information, see Single Sign-On (SSO) - Okta.
-
Solarq: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
-
Tabled: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
-
Tackle.io: For configuration information, see Okta SSO Setup Guide.
-
TaskCall: For configuration information, see Okta Integration Guide.
-
TestMonitor: For configuration information, see How to set up Okta Single Sign-on in TestMonitor.