Okta Classic Engine release notes (Early Access)
Early Access Features
OAuth 2.0 provisioning for Org2Org with Autorotation
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning with OAuth 2.0 scoped tokens has several advantages over API tokens, including finer-grained access, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.
Manage Active Directory accounts in Okta Privileged Access
This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring that passwords are rotated on check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta Support. See Manage Active Directory accounts.
Bypass ASN binding with the Default Exempt IP Zone
The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
New look and feel in the End-User Dashboard
The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
New System Log event
The policy.evaluate_sign_on event has a new DebugData item: IdpVerifiedFactorMode. This new item indicates whether a user authenticated with one or two factors at their identity provider when they signed in through a service provider. See System Log.
Enhancement to a System Log event
The IdpVerifiedFactorMode item has been added to the policy.evaluate_sign_on event. It appears when claims sharing is enabled in the org and indicates whether the identity provider verified the user's authentication factors. See System Log.
New look and feel in the Admin Console
The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.
On-prem Connector for SAP NetWeaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Block syncable passkeys
You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices.
Self-service toggle for Deactivate App Users
Admins can now use the self-service toggle to change what happens to an Okta user's individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.
Entitlement support for disconnected apps
Disconnected apps are apps that aren't integrated with Okta lifecycle management (LCM). This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta.
Force rematching of imported users
This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.
New System Log event for skipped entitlement sync during user import
The following System Log event has been added: Sync skipping of entitlement during import of a user.
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org.
On-prem Connector for SAP NetWeaver ABAP supports more attributes
Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP NetWeaver ABAP.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.
Authentication claims sharing between Okta orgs
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.
Require MFA for accessing Identity Governance admin apps
If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps: Okta Access Certifications, Okta Entitlement Management, and Okta Access Requests Admin. If you have auto-enabled EA features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.
Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support
This agent supports Entitlement Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.
Skip the verify page and redirect to the IdP authenticator
This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.
Restrict access to the Admin Console
By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.
Workspace ONE Device Trust orgs using Classic Engine can now migrate to Identity Engine
Admins can now migrate their existing Workspace ONE Device Trust configurations to Identity Engine. This feature unblocks Classic Engine tenant migrations by allowing both the existing admin configuration and the end-user authentication flows to be migrated when previously integrated with our Workspace ONE Device Trust feature. See migrate ws1.
Support case management for admins
Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they've opened.
New Hyperspace agent version
This version includes bug fixes and an upgrade of the .NET Framework to version 4.8.
IdP selection for admin resources
This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.
Google Workspace 1-click federation
Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.
IP binding for Admin Console setting
The Security > General page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the IP address that they signed in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See