Okta Classic Engine release notes (Preview)
Version: 2024.11.0
November 2024
Generally Available
Okta LDAP Agent, version 5.22.0
This version of the agent includes the following:
- Agent now uses OAuth 2.0 and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta.
- New agents are registered through the OAuth 2.0 device registration flow.
- Agents now operate independently from the accounts used to register them.
- Agents can now be installed by super admins and admins with a custom role that includes agent registration permissions. See LDAP integration prerequisites.
- Linux LDAP agents are now managed using systemd instead of sysvinit. See Manage the Okta LDAP Agent.
Improved user experience for group member counts
Groups now use async counts to determine user membership for groups that exceed 10,000 users. This improves the performance of both the Groups page and the group selector on the Sign-on policy page.
Give access to Okta Support
Admins can now control how members of the Okta Support team access their org. To support this, the Account page provides the following two options:
- Impersonation Grants for Cases: Allows the Okta Support team to sign in to your org as a read-only admin to troubleshoot issues.
- Support User Grants for Self-Assigned Cases: Allows an Okta Support representative to access your org settings after they've opened a case. Using these settings, admins can select the right level of Support access for their org.
Improved password reset process for Active Directory-sourced users
The password reset process sends the password update and verification requests to the same Active Directory agent to avoid replication delay.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Workday.
New column in Application Usage report
The Application Usage report now provides an Instance Name column. The new column helps users identify which apps the report was generated for.
Improved Access Requests error message
When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.
Updates to User Accounts report
The maximum number of rows in a CSV export has been increased from 1 million to 5 million.
Early Access
IP Exempt Zone
Use this feature to always allow traffic from specific gateway IPs irrespective of any Okta ThreatInsight configurations or network zones that are configured as blocklists. See IP Exempt zone.
OpenID Connect Identity Providers now support group sync
OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Create dynamic resource sets with conditions
Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.
Secure SaaS service accounts
This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.
Fixes
- The user count on the Groups page wasn't displayed correctly. (OKTA-603239)
- The group picker in the Okta Browser Plugin showed an inaccurate user count. (OKTA-603587)
- When the Settings page prompted an end user for reauthentication, the Sign-In Widget sometimes wasn't displayed correctly. (OKTA-793598)
- Admins couldn't retry failed provisioning tasks. (OKTA-795934)
- SUSPENDED app users weren't supported during a group push. (OKTA-803747)
- The authenticator enrollment and email notifications for new Okta Verify enrollments on custom domains weren't correctly branded. (OKTA-805671)
- The text overflowed the Application notes for admins field in the General Settings section of the OIDC app page. (OKTA-813866)
- When an admin clicked Show more tasks on the Tasks page after a Profile Push error occurred, the list of affected users appeared twice. (OKTA-814527)
- When an app sign-on policy wasn't found, or the policy evaluation didn't match the policy rules but the catch-all rule granted access to the org, no System Log event was recorded. (OKTA-815982)
- The Okta account management policy didn't prompt unknown users for an authenticator when they attempted to unlock their accounts or reset their passwords. (OKTA-820167)
- Sometimes when an admin tried to view the Salesforce app integration, they were prompted to sign in. (OKTA-820465)
- Sometimes an error occurred when pushing groups without a group description. (OKTA-820782)
- The page title on the Sign On Policy page didn't appear in the correct place. (OKTA-821751)
- On the Okta Admin Dashboard, the information in the Tasks widget wasn't aligned correctly. (OKTA-822294)
- On the Edit role page, some role permissions weren't in the correct order. (OKTA-823779)
Okta Integration Network
- Datadog (SAML) is now available. Learn more.
- Diminish (OIDC) is now available. Learn more.
- Docusign by Aquera (SCIM) is now available. Learn more.
- EveryKey SSO (SAML) is now available. Learn more.
- Five9 Identity Service based SSO (SAML) is now available. Learn more.
- Fullstory (SAML) is now available. Learn more.
- getregistered (SCIM) is now available. Learn more.
- GitHub by Tech Prescient (SAML) is now available. Learn more.
- LenelS2 Elements (SCIM) is now available. Learn more.
- Lumos (SCIM) is now available. Learn more.
- Metaphor (SCIM) has a new integration guide.
- Ninth Brain Suite (SAML) is now available. Learn more.
- Poggio (SAML) is now available. Learn more.
- Schoox (SWA) has a new icon.
- SecureTrustZone (SCIM) is now available. Learn more.
- Seesaw (OIDC) is now available. Learn more.
- Spherexx (SAML) has a new icon, description, and integration guide.
- Upaknee Cloud Messaging Stack (OIDC) is now available. Learn more.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an integration with the OIN Wizard guide.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.
New browser tab reactivation behavior for the Sign-In Widget
The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.
Sign in with duplicated email authenticators
Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.
Content security policy enforcement on end-user pages
Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.
Okta ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.
Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.
There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
Application Entitlement Policy
Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.
Toggle password visibility on the Okta Sign-In page
End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. See Manage Federation Broker Mode.
User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature. See Edit app provisioning settings.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
Null values for SCIM provisioning
Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management. See Manage profiles.
Manage admin email notification subscriptions using API endpoints
Admins can manage email subscriptions using the Admin Email Subscription API endpoints.
- Super admins can configure default subscription settings by admin type.
- All admins can manage their own admin email notification subscriptions.
LDAP password reset option
LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.
Affected customers should uninstall the registration task and install 1.4.1 or later.
See Enforce Okta Device Trust for managed Windows computers and Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released, having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared workstations or VDI environments. Once your end users have logged in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.
Mobile tab available for mobile-capable apps
The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.
Provisioning page UI element change
Drop-down menus on the Provisioning page (General Settings) were standardized.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision apps.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.