Production release notes

Current Upcoming
Production 2023.01.1 2023.01.2 Production release is scheduled to begin deployment on February 6
Preview 2023.01.1

2023.01.2 Preview release is scheduled to begin deployment on February 2

January 2023

2023.01.0: Monthly Production release began deployment on January 17

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Revoke user sessions

Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

New System Log events

New events are added to the System Log when custom sign-in or error pages are deleted or reset.

System Log

Policy details added to sign-on events

The System Log now displays policy details for user.authentication.auth_via_mfa events.

System Log

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Internet Explorer 11 no longer supported

A new banner has been added on the End-User Dashboard to notify the Internet Explorer 11 users that the browser is no longer supported.

Corrected timezone on API Tokens page

The date and time on the API Tokens page used an incorrect timezone. It now uses the same timezone as the users' device.

Early Access Features

New Features

Enhanced Admin Console search

The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you’re looking for. See Admin Console search.

Optional consent settings for OAuth 2.0 scopes

OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes .

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-511057

Push Group to Azure Active Directory failed when the group description property was empty.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561119

Some users were redirected to the End-User Dashboard when they clicked an app embed link. This occurred in orgs that enabled State Token All Flows and used a custom sign-in page.

OKTA-561259

On the Edit role page, the previously selected permission types weren’t retained.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-527705

When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-545664

URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-557873

Enrollment emails weren't sent to users who enrolled in the DUO Security factor.

OKTA-557976

For some users, the profile page didn't display all of their enrolled MFA factors.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

OKTA-567970

When users were created using the API (/users/${userId}/factors/questions), a null custom security question and answer were included in the response.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

December 2022

2022.12.0: Monthly Production release began deployment on December 12

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Sign-In Widget, version 7.1.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Credential Provider for Windows, version 1.3.8

This version of the agent contains bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

Okta Provisioning agent, version 2.0.11

This version of the Okta Provisioning agent contains a fix to the incorrect hash values in the agents on the Download page. See Okta Provisioning agent and SDK version history.

Identity Governance

Okta Identity Governance is a SaaS-delivered, converged, and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.

Use Okta Identity Governance solutions, such as Access Certifications, Access Requests, and Reports to:

  • Efficiently create, protect, and audit access to critical resources.

  • Improve your company’s security. Increase employee productivity.

  • Improve IT efficiency by automating tasks to reduce the time taken and errors associated with manual data entry and provisioning tasks.

See Identity Governance.

Note that Okta Identity Governance is available to customers on a subscription basis. For more information, contact your Account Executive or Customer Success Manager.

Preview the token inline hook

Before implementing a token inline hook, you can now preview the hook request and the external-service response in the Admin Console. This feature aids in the development and testing of inline hooks before releasing to a production environment. See Preview an inline hook and Preview and test the token inline hook.

IE and Edge Legacy plugins

You can no longer download the Internet Explorer (IE) and Edge Legacy browser plugins from the Downloads page. These plugins aren't supported.

Rate limit parameter matching

The Rate Limit dashboard in the Admin Console now supports parameter matching for API endpoints. This update provides more granular rate limit information for endpoints that include a query of the form ?{parameter}=*. See Rate limit dashboard.

Security enhancement of Okta Verify push notifications

To help users recognize and prevent phishing attacks, Okta Verify push notifications on mobile devices and Apple Watch include the name of the app to be accessed and the org URL.

Certificate chain builder for Smart Card IdP

Admins can now upload individual certificate files to build a certificate chain for a Smart Card IdP. This eliminates the requirement to manually create a file that contains the certificate chain. See Add a Smart Card Identity Provider.

Telephony usage report

The Telephony usage report displays data about an org’s telephony events over time. The report can be filtered by voice or SMS events and helps admins quickly understand usage trends and troubleshoot deliverability or request issues. See Telephony usage report.

Email deliverability events in the System Log

Admins can now view the following email deliverability event types in the System Log:

  • Delivered
  • Deferred
  • Dropped
  • Bounce

This helps admins better monitor the email deliverability activity in their org. See System Log.

Enhancements

Single sign-out changes for custom domains

If an admin signs out from a custom domain, their Admin domain and subdomain sessions now remain active. If they sign out from the Admin domain or subdomain, their custom domain session is ended.

People page improvements

People page filter results are improved as follows:

  • Status > Password reset filter results now include users with both Password expired and Password reset status.

  • Status > Active filter results return only users with an active status.

New System Log event

The policy.evaluate_sign_on event has been added to the System Log. This event is triggered whenever the Okta Sign-On Policy and/or App Sign-On Policy are evaluated. It shows whether the user satisfied the requirements of the policy, whether they were required to pass an additional MFA challenge, and which authenticators were used to satisfy that policy.

Early Access Features

New Features

Fixes

General Fixes

OKTA-522077

Okta Provisioning agent version 2.0.10 didn't use the correct Java version.

OKTA-527215

Routing rules incorrectly redirected some users to an IdP before they could enter their username.

OKTA-532256

Linked objects didn’t show up in logs after they were created or deleted.

OKTA-534260

AD-sourced users could continue to use ADSSO or IWA to sign in to Okta after being moved to an out-of-scope OU.

OKTA-534595

Admins with a custom role couldn’t edit the users in a group if the group was assigned to an app with profile sourcing enabled.

OKTA-536037

When a DELETE request to the /api/v1/authorizationServers/<authServerID>/clients/<clientID>/tokens endpoint was called for large scale operations, an HTTP 500 error was returned.

OKTA-537535

The Remind me later button on the factor enrollment page didn’t redirect to the End-User Dashboard.

OKTA-540825

Changing the Username on the Assignment page for the Box app failed with an HTTP 500 error.

OKTA-542472

The authn_request_id information was missing from the user.authentication.auth_via_mfa System Log event for Okta Verify Push verifications.

OKTA-544783

The Norwegian translation of the end-user settings and preferences menu was incorrect.

OKTA-546310

Admin roles that were constrained to a group with group rules couldn't be assigned to a user or group.

OKTA-547525

The Welcome page, SMS reminder prompt, and security image prompt weren’t displayed for users accessing Okta using AD SSO in incognito mode.

OKTA-549537

The Box integration provisioning menu didn’t display the correct settings.

OKTA-549770

When the Admin Global Search UI Enhancement Early Access feature was enabled, admins couldn’t select groups on the App Sign On Rule screen.

OKTA-549886

Using an Agentless DSSO test endpoint without any routing rules configured to use ADSSO resulted in a 404 error.

OKTA-550789

Provisioning new users from Okta to Office 365 failed.

OKTA-551022

The Forgot Password windows on the End User Settings page displayed Calling now… and Sending code… messages before users entered their phone number.

OKTA-552440

The Done button wasn't displayed after YubiKey was successfully deleted.

OKTA-552810

Customized sign-in pages for orgs using a custom domain didn’t render properly.

OKTA-553284

When the full-featured code editor was enabled, updates to email customizations, custom error pages, and the sign-in page didn't trigger System Log events.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed

  • Chase (OKTA-549904)

  • iAuditor (OKTA-549658)

  • MeridianLink Consumer (OKTA-541626)

  • Office 365 Dynamics (OKTA-549978)

  • Quickbooks (OKTA-549905)

Applications

Application Update

The Update user attributes feature is added to the Lucca Provisioning integration.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Brex (OKTA-540264)

  • Loom (OKTA-551214)

  • NeuralLegion (OKTA-545950)

  • RudderStack (OKTA-552363)

  • ZoomInfo (OKTA-543975)

OIDC for the following Okta Verified applications:

Weekly Updates

Generally Available

Sign-In Widget, version 7.1.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-433941

When Agentless Desktop SSO was enabled, deprovisioned users were directed to the incorrect sign-in page.

OKTA-508227

Admins could save a routing rule with an inactive IdP.

OKTA-537600

Email notifications were sent to users' secondary email address.

OKTA-537805

Deactivated users weren't displayed on the People page if their Username started with their user ID.

OKTA-540795

An error occurred when an admin searched for an ineligible group on the Edit resources to a standard role page.

OKTA-549212

When a custom app used the /sso/idps/{idpId} endpoint for IdP routing with a login_hint parameter, the login_hint was ignored.

OKTA-549434

Admins couldn't update the username for an app.

OKTA-549687

Reimporting a CSV directory failed if the Deactivation field and Deactivation value were removed after the initial import.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Inclusivv (OKTA-534561)

  • Remote.It (OKTA-550812)

  • Silo (OKTA-543573)

OIDC for the following Okta Verified applications:

Fixes

General Fixes

OKTA-382711

In the code editor for custom sign-in and error pages, apostrophes contained in code comments broke the comment-syntax highlighting.

OKTA-419837

Warning text in the custom code editor for error and sign-in pages was incorrect.

OKTA-476668

Sign-in redirect URIs couldn’t be edited when their character limit was reached.

OKTA-529947

Enrolling the email factor resulted in duplicate System Log events.

OKTA-534847

When users edited their sign-in methods from the User Settings page in a custom domain, the Back to settings link didn't appear.

OKTA-539174

The image icon for groups sourced from Slack was displayed as a broken link.

OKTA-539424

After an update was pushed from Okta, the Phone Number attribute wasn’t removed from Workplace by Facebook as expected.

OKTA-548256

Groups assigned by group rules couldn’t be removed from deactivated users.

OKTA-551632

In Preview orgs, attempts to save sign-in page edits sometimes failed when using the full-feature code editor.

OKTA-553024

The Edit resources to a standard role page didn’t indicate that only the first 5 groups or 10 apps appear when you search for a resource.

OKTA-555812

Super admins couldn’t open the Edit resource set page for admin roles that were constrained to a deleted workflow or authorization server.

OKTA-558878

Incremental imports for Jabil didn’t switch to full imports when there were large number of changes.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Flow of Work Co (OKTA-542871)

  • Quortex I/O (OKTA-542825)

Fixes

General Fixes

OKTA-554308

Selecting Sign out from all other devices/sessions on the End-User Dashboard didn’t work for AD/LDAP users.

OKTA-558187

Some phone numbers couldn’t be enrolled as SMS authenticators.

OKTA-561660

The email MFA factor wasn't updated when an email attribute was updated from an LDAP import.

Applications

New Integrations

SAML for the following Okta Verified application:

  • Please Share (OKTA-557897)

OIDC for the following Okta Verified applications:

November 2022

2022.11.0: Monthly Production release began deployment on November 14

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

New Features

Okta AD Agent, version 3.13.0

This version of the agent contains the following changes:

  • Health check of auto update service before auto update process is started
  • Web proxy support for agent auto update feature
  • Updated log category for existing logs from DEBUG to INFO
  • Security fixes

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.7

This version of the agent contains security fixes and resolves a memory leak that occurred when agents were configured for EAP-TTLS. See Okta RADIUS Server Agent Version History.

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

  • Manage authorization server
  • View authorization server
  • Manage customizations
  • View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See About role permissions.

Smart Card authentication

When initially accessing applications using a custom sign-in widget, users have the option to use a PIV/CAC card for authentication. See Identity Providers.

New HealthInsight tasks

Two new HealthInsight tasks help admins improve the security of their Okta sign-on policies. HealthInsight now provides guidance for increasing the required authentication frequency for specific resources, and for requiring high-risk users to provide MFA every time they sign in. See Change the authentication frequency and Evaluate a risk score for each request.

Group rule execution

Group rule execution is enabled even when authentication/JIT flows fail during policy execution.

Admin Experience Redesign

All Okta admins now benefit from our restyled Okta Admin Dashboard, responsive navigation side bar, and modern look and feel.

Event hooks for consent revocation

Consent revocation events are now selectable for use with event hooks. See Add an event hook . See Event Types for a list of events that can be used with event hooks.

Agentless Desktop Single Sign-on

With Agentless Desktop Single Sign-on (DSSO), you don't need to deploy IWA agents in your Active Directory domains to implement DSSO functionality. This reduces or eliminates the maintenance overhead and provides high availability as Okta assumes responsibility for Kerberos validation. See Active Directory Desktop Single Sign-on.

Polling support for Agentless Desktop Single Sign-on and Integrated Windows Authentication sessions

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions during periods of high bandwidth use. For users authenticating with ADSSO or IWA during peak periods, this change increases the likelihood that a server will be available to process their authentication request. See Active Directory Desktop Single Sign-on.

Agentless Desktop Single Sign-on authentication progress updates

Agentless Desktop Single Sign-on (ADSSO) authentication progress pages have been updated to make authorization and verification progress more visible and improve the user experience. See Configure agentless Desktop Single Sign-on.

Password expiration settings for Active Directory

You can specify the password expiration policies for Active Directory for all preview organizations to set the maximum password age in days and the number of days before password expiration when the user receives a warning.

JIT users from Active Directory

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) delegated authentication, Lightweight Directory Access Protocol (LDAP) delegated authentication, or Desktop SSO. JIT account creation and activation only works for users who aren't already Okta users. This means that users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails. See Add and update users with Active Directory Just-In-Time provisioning and Add and update users with LDAP Just-In-Time provisioning.

Service Principal Name functionality improvement

New Service Principal Name (SPN) functionality allows Agentless Desktop Single Sign-on (ADSSO) authentication to continue without interruption when an SPN is updated. A service account and an SPN are required for ADSSO Kerberos authentication. With this change, you can now update the SPN frequently as an additional security precaution. See Create a service account and configure a Service Principal Name.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See Configuring Your LDAP Settings.

New rate limits dashboard filter

You can now filter the APIs listed on the rate limits dashboard by their rate limit multiplier eligibility status. See Rate limit monitoring.

Enhancements

ISV Portal email address updated

The email address for ISV Portal communications is now oanapp@okta.com.

Early Access Features

New Features

API Service Integrations

Using a more secure OAuth 2.0 connection than access tokens, this integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. See API Service Integrations.

Enhancements

Log Stream event structure update

For consistency the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:

  • Under devices, osPlatform is now platform.

  • The ipChain array is now correctly nested under request instead of client.

  • The extraneous field insertionTimestamp is removed.

Fixes

General Fixes

OKTA-476449

Admins could create resource sets that contained duplicate resources.

OKTA-512927

Two different Okta users could be linked to the same AD user through provisioning.

OKTA-523330

Okta Provisioning Agent (x64 RPM) and Okta Provisioning Agent (Windows x64) were incorrectly swapped.

OKTA-526726

When admins deleted a property in an implicit app user schema, a property with the same name couldn't be recreated after the deletion.

OKTA-529966

Users couldn’t enroll a Voice Call Authentication (MFA) factor if Twilio was used as the provider and the phone number had a comma in its extension.

OKTA-530843

Parallel JIT requests for the same username created duplicate users.

OKTA-532898

A long text string was displayed outside of the General Settings page in OIN Manager.

OKTA-532900

The Enter your Post Logout Redirect URI field for OIDC settings in OIN Manager didn’t accept all valid URLs.

OKTA-533309

When signing in to a RADIUS app, users were sometimes shown the incorrect operating system in Okta Verify push messages.

OKTA-533753

Admins couldn’t add more than 10 translations of a customized email template.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Legl (OKTA-525334)

  • WorkOS (OKTA-527211)

OIDC for the following Okta Verified applications:

Weekly Updates

Fixes

General Fixes

OKTA-513763

The Groups page showed an error when sorted with an invalid cursor.

OKTA-513767

Groups pagination incorrectly displayed a Next link when the remaining groups weren’t visible due to permissions.

OKTA-521116

The End-User Dashboard Preferences didn't include appropriate accessibility values for the heading and subheading sections.

OKTA-522269

Delegated authentication was automatically checked after reenabling AD integration.

OKTA-528841

System log events for dropped emails didn’t include the AppContextName.

OKTA-529450

Super admins could revoke their own admin role membership by removing a role from a group.

OKTA-538350

The Agentless Desktop Single Sign-on (DSSO) feature was incorrectly unavailable for some Okta SKUs.

OKTA-539418

Okta sign-in page didn't detect the locale correctly for Traditional Chinese (Hong Kong).

OKTA-541483

The authn_request_id field was missing from some System Log events for various authentication flows.

OKTA-542666

Admins could select an unsupported version of the Sign-In Widget on the Settings tab of Branding > Sign-in page.

OKTA-543716

Admins couldn’t view the authorization server public clients that they had permission to view.

OKTA-545162

When an end user sent an email request from the End-User Dashboard to add an app integration, the email template contained a link to a deprecated Okta Support email (support@okta.com).

OKTA-545242

For reports and the System Log, a field was improperly labeled Country rather than Country/Region.

OKTA-554344

iFrame elements were visible on some custom sign-in pages.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Blue Shield CA (OKTA-544492)

  • Calendly (OKTA-542578)

  • Certify (OKTA-544699)

  • EmployeeNavigator (OKTA-541613)

  • OpenAir (OKTA-545505)

  • Zoom (OKTA-543469)

Applications

Application Update

The GitHub Enterprise Managed User Provisioning integration is updated:

  • The SCIM roles attribute has a new Restricted User value.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SWA for the following Okta Verified application:

  • ManageEngine SupportCenter Plus (OKTA-538460)

OIDC for the following Okta Verified applications: