Okta Classic Engine release notes (Production)

Help us improve our release notes by filling out this short survey.

Current release status

Current Upcoming
Production 2023.11.0 2023.11.1 Production release is scheduled to begin deployment on December 4
Preview 2023.11.1 2023.12.0 Preview release is scheduled to begin deployment on December 6

November 2023

2023.11.0: Monthly Production release began deployment on November 13

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Sign-In Widget, version 7.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Lockout Prevention

This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they’ve used before aren’t locked out when unknown devices cause lockouts.

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.

See About FIPS-mode encryption.

Self-Service Okta Identity Engine Upgrades for all orgs

The self-service upgrade widget now appears on the Admin Dashboard for all Classic Engine orgs. The widget allows super admins to schedule their upgrade to Identity Engine. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine.

Custom email domain updates

The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.

Improved LDAP provisioning settings error message

During validation of LDAP provisioning settings, an incorrect syntax results in an error message. An LDAP search query isn't sent if there is an incorrect syntax.

Additional data to support debugging user authentication

When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.

Modified System Log event for Autonomous System Number (ASN) changes

When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.

OIN Manager notice

The integration estimated-verification-time notice has been updated in the OIN Manager.

Early Access Features

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

Fixes

  • OKTA-538785

    Sometimes users encountered an error when the Self-Service Registration flow made a request to the /tokens endpoint.

  • OKTA-566962

    Some text strings on the Okta Sign-on Policy page weren't translated.

  • OKTA-633313

    A user with a custom admin role couldn't create federated users due to misplaced permissions.

  • OKTA-633789

    When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.

  • OKTA-649095

    Some AD-sourced users received prompts to reset their password even when the AD password policy restricted password changes.

  • OKTA-649810

    The Add Resource dialog box sometimes displayed duplicate group names.

  • OKTA-653756

    When many apps were added to routing rules through the API, system performance was degraded.

  • OKTA-653873

    In some orgs, on-premises imports performed using the Okta Provisioning Agent ignored safeguard thresholds.

  • OKTA-664830

    Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.

  • OKTA-666396

    When the display language was set to Japanese, the Okta Sign-on Policy page displayed a translation error instead of the Everyone group name.

Okta Integration Network

App updates

  • The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
  • The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.

New Okta Verified app integrations

October 2023

2023.10.0: Monthly Production release began deployment on October 16

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Sign-In Widget, version 7.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

SharePoint People Picker, version 2.4.0.0

SharePoint People Picker 2.4.0.0 is now available for download. See Configure Okta SharePoint People Picker agent.

Custom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.

New custom admin role permission

Super admins can now assign View delegated flow permission to their custom admin roles. See About role permissions.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.
  • User App Access report: Lists which users can access an application and how access was granted.
  • User accounts report: Lists users with accounts in Okta and their profile information.

See Entitlements and Access Reports.

Sign-in requirements for new devices

Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.

IdP lifecycle event hooks

IdP lifecycle events are now eligible for use as event hooks. See Event Types.

Early Access Features

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

Fixes

  • OKTA-398711

    Text on the Administrator assignment by admin page was misaligned.

  • OKTA-575513

    Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.

  • OKTA-619175

    UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.

  • OKTA-619223

    Content was displayed incorrectly on the Change User Type page.

  • OKTA-620144

    For some users, logos for imported app groups didn't appear in the Admin Console.

  • OKTA-620771

    When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.

  • OKTA-621526

    The MFA Usage Report didn't display the correct PIV/Smart Card label.

  • OKTA-636864

    Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.

  • OKTA-639089

    When a user was moved from one AD domain to another, their original group app assignments were retained.

  • OKTA-642630

    Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.

  • OKTA-643148

    The Tasks page didn’t indicate when each task was assigned.

  • OKTA-643598

    The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.

  • OKTA-649240

    Super admins couldn’t edit the scoped resources that were assigned to an Application admin.

  • OKTA-650511

    Inconsistent AD agent verion formatting appeared on the Agent Monitor page during on-demand auto updates.

  • OKTA-653189

    Admins couldn't reschedule their org's Identity Engine upgrade to 30 days from the current date.

  • OKTA-654506

    The writeback enhancement failed to push profile information to Workday when a user's profile was empty.

  • OKTA-655148

    The SAMLResponse field in the HTML response couldn't be retrieved for some clients.

Okta Integration Network

New Okta Verified app integrations

App integration fixes

  • 1Password Business (SWA) (OKTA-646676)
  • Canva (SWA) (OKTA-642049)
  • concur-solutions (SWA) (OKTA-649651)
  • Dice (SWA) (OKTA-645005)
  • mySE: My Schneider Electric (SWA) (OKTA-644927)
  • PagerDuty (SWA) (OKTA-643598)

Weekly Updates

Generally Available

Sign-In Widget, version 7.11.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Fixes

  • OKTA-632174

    The Edit User Assignment page showed roles that had already been removed by an admin.

  • OKTA-636990

    If an admin attempted to cancel or retry the enrollment of the WebAuth authenticator on behalf of a user, the page closed.

  • OKTA-638649

    Field validation didn't work for Trusted Origins URLs.

  • OKTA-642760

    Double-clicking the Save button on an app sign-on policy rule caused duplicate migrations when orgs upgraded to Identity Engine.

  • OKTA-644143

    Users who were added to a group through group assignments were displayed as manually assigned.

  • OKTA-648338

    The Zendesk app integration made API requests using the GET command instead of the POST command.

  • OKTA-653489

    Admins couldn’t add custom default Salesforce attributes that had been deleted from the Profile Editor.

  • OKTA-655852

    The Okta sign-in flow returned an error for certain URLs.

Okta Integration Network

App updates

  • The Extracker app integration has been rebranded as Clearstory.
  • The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
  • The Mapiq app integration has a new logo.

  • The People Experience Hub app integration no longer has an Encryption Certificate field.

  • The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
  • The Tableau Online app integration has been rebranded as Tableau Cloud. The app has new application profile, custom patch batch size, and website.

New Okta Verified app integrations

App integration fixes

  • Tableau Cloud (SCIM) (OKTA-625933)

Generally Available

Sign-In Widget, version 7.11.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Fixes

  • OKTA-457923

    The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.

  • OKTA-559609

    Email notifications for report downloads sometimes didn't refer to the report name correctly.

  • OKTA-568355

    When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.

  • OKTA-578997

    Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.

  • OKTA-586764

    On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.

  • OKTA-597530

    Admins couldn't delete authorization server clients on the Access Policies page.

  • OKTA-599823

    An answer to a security question could include parts of the question.

  • OKTA-612507

    Some errors weren't translated.

  • OKTA-626459

    When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.

  • OKTA-627678

    An error occurred when the postLogoutReidrectUris value in an OpenID Connect app was more than 65,535 characters.

  • OKTA-639311

    When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.

  • OKTA-643533

    The Default application for the Sign-In Widget setting was visible to orgs that hadn't enabled the feature.

  • OKTA-647442

    Sometimes, a search request would fail if it included a recently created user.

  • OKTA-651722

    Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.

  • OKTA-653019

    Base attributes of new Slack integrations weren't visible.

  • OKTA-654857

    Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.

  • OKTA-658729

    Admins sometimes couldn’t reschedule their upgrade to Identity Engine if they had already rescheduled it to more than 30 days into the future.

Okta Integration Network

App updates

  • The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
  • The Fullview app integration has a new direct URI and a new initiate login URI.
  • The YesWeHack app intergration has a new icon.

New Okta Verified app integrations

App integration fixes

  • Adobe (SWA) (OKTA-647811)
  • Algolia (SWA) (OKTA-654566)
  • American Express (Business) (SWA) (OKTA-649753)
  • Application Bank of America CashPro (SWA) (OKTA-648836)
  • i-Ready (SWA) (OKTA-644769)
  • IMDB Pro (SWA) (OKTA-653918)
  • MIT Technology Review (SWA) (OKTA-656622)
  • SuccessFactors (SWA) (OKTA-568355)
  • Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
  • Twilio (SWA) (OKTA-655486)

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Content

Generally Available Features

Sign-In Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 1.16.0

This release includes:

  • Migration of the Windows installer from Internet Explorer to Edge.
  • Security enhancements.
  • Internal updates.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

This release doesn't have any Early Access features.

Fixes

  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org’s app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-629774

    Some user import jobs failed to restart after interruption.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn’t save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Uplimit.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

Weekly Updates

Generally Available

Sign-In Widget, version 7.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement extended for custom domains

Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.

Fixes

  • OKTA-595549

    IdP users were redirected to an unbranded sign-in page after SSO failure.

  • OKTA-614488

    Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.

  • OKTA-619163

    When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.

  • OKTA-627660

    Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.

  • OKTA-628227

    Some SAML-linked accounts in DocuSign couldn't use SWA.

  • OKTA-629263

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-637801

    Admins without permission to manage apps saw an Edit button for the app’s VPN Notification settings.

  • OKTA-638911

    The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.

  • OKTA-639465

    The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.

  • OKTA-647842

    Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.

Okta Integration Network

App updates

  • The Amazon Business SAML app now has a configurable SAML issuer.
  • The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
  • Application profile and mapping has been updated for the Jostle SCIM app.
  • The mobile.dev SAML app has been rebranded as Maestro Cloud.

New Okta Verified app integrations

App integration fixes

  • American Express Online by Concur (OKTA-642832)

Fixes

  • OKTA-619723

    When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn’t access the GroupsGroup page.

  • OKTA-623635

    Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.

  • OKTA-627862

    Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.

  • OKTA-633507

    The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.

  • OKTA-641112

    System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.

  • OKTA-643155

    If an org had configured Duo Security as an MFA factor and also a custom IdP factor named Duo Security, then the org couldn't be upgraded to Identity Engine.

  • OKTA-643204

    Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.

  • OKTA-643499

    Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.

Okta Integration Network

App updates

  • The Experience.com OIDC app now has additional redirect URIs.

  • The Planview Admin SAML app now has the Audience ID variable.

New Okta Verified app integrations

App integration fixes

  • Bloomberg (SWA) (OKTA-642380)
  • BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
  • Citi Velocity (SWA) (OKTA-637196)
  • SAP Concur Solutions (SWA) (OKTA-643965)