Okta Classic Engine release notes (Production)

Version: 2025.02.0

February 2025

Generally Available

Request expiration and enhanced notifications for Access Requests

To prevent accumulation of stale requests and improve the notification experience, Okta is making the following changes:

  • New requests now automatically expire after 60 consecutive days of inactivity. Completing a task, answering a question, or leaving a message on a request resets the 60-day expiration period. Any requests created before the general availability of this feature expire after 60 days of inactivity (on or around April 7, 2025).

  • Notifications about expiring requests are sent at 30 days, 5 days, and 1 day before the request expires.

  • The user setting to receive daily reminders about overdue tasks and requests is no longer available. It is replaced by the new request expiration notifications.

New look and feel in Access Certifications

In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.

New System Log attributes

The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.

Updated Features page description

The Features page now provides updated information about Okta's Privacy Policy and Free Trial Services.

Delete users with granular deprovisioning in Microsoft Office 365

You can now delete users as part of the deprovisioning process in Office 365. See Deprovisioning options for Office 365.

RADIUS push notifications

The operating system is no longer included in RADIUS push notifications. Customers can contact Okta Support if they need to display this information.

Support for importing Active Directory group descriptions

The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.

New Hyperdrive agent version

This version includes the Microsoft Edge WebView2 control. See Okta Hyperdrive agent version history.

Polling for Agentless Desktop Single Sign-on and Integrated Windows Authentication

Agentless Desktop Single Sign-on (ADSSO) and Integrated Windows Authentication (IWA) authentication sessions now include polling to reduce the likelihood of service disruptions when bandwidth use peaks. For users authenticating with ADSSO or IWA during peak use periods, this change increases the likelihood that a server will be available to process their authentication request.

Case numbers for impersonation events

When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.

System Log event for public client app admins

When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.

ADSSO authentication parameters

When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.

Improved password reset process for Active Directory-sourced users

The password reset process now sends the password update and verification requests to the same Active Directory agent to avoid replication delay.

Role-based access control now available

As Okta Workflows can make comprehensive changes both inside Okta and out to other connected SaaS apps, access to Workflows was previously restricted to Okta super admins. While this regulation enhanced the security of Okta Workflows, it limited the number of users, restricted the scalability of Okta Workflows, and reduced overall value to customers.

With role-based access control (RBAC), you can now assign Workflows privileges to more users without granting unnecessary access.

To support this feature, three new roles are available:

  • Workflows Administrator: For full-access administration within Okta Workflows only
  • Workflows Auditor: For compliance management with read-only access
  • Connection Manager: For securely handling accounts and credentials

RBAC allows customers to expand the use of Okta Workflows beyond super admins, enabling more team members to build, run, and manage Workflows securely and efficiently.

See Access Control.

There are four new event types that record the RBAC feature activity in the Okta System Log:

  • workflows.user.role.user.add
  • workflows.user.role.user.remove
  • workflows.user.role.group.add
  • workflows.user.role.group.remove

See the Event Types API.

Early Access

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Custom admin role for Okta Device Access

You can now configure custom admin roles to view and manage Okta Device Access functionality. This enhancement enables IT teams to designate admins who can effectively manage Okta Device Access capabilities without requiring them to have the most elevated security permissions. See Desktop MFA Recovery.

On-prem Connector for SAP Netweaver ABAP

On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management. See SAP Netweaver ABAP.

Step-up authentication for updating policies

Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

Granular account linking for certain Identity Providers

When admins link users from SAML and OIDC Identity Providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios.

OIDC IdPs now support group sync

OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Global token revocation for wizard SAML and OIDC apps

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

Fixes

  • A warning banner was incorrectly displayed during the WS-Federation setup, even though the setup was completed successfully. (OKTA-807313)

  • In Org2Org configurations where Okta is the source org, passwords weren't synced after the user signed in using a newly reset password. (OKTA-833862)

  • When employees were imported into SuccessFactors, past employment records were imported instead of current records. (OKTA-844570)

  • When a custom domain was deleted or its enrollment was reset, the resulting email confirmation had a broken link and no branding. (OKTA-848261)

  • Users couldn't sign in to their org after certain policies were deleted. (OKTA-856596)

  • Microsoft's MSOL deprecation testing triggered the last remaining MSOL call in Okta's Office 365 provisioning, resulting in a failure to synchronize user attributes. (OKTA-870164)

Okta Integration Network

  • Calendly by Aquera (SCIM) is now available. Learn more.
  • Payflows has an additional SAML attribute.
  • SAP ERP by Aquera (SCIM) is now available. Learn more.
  • SAP HANA Provisioning Connector by Aquera has a new display name.

Version: 2025.01.0

January 2025

Generally Available

Okta Provisioning agent, version 2.2.0

This release contains bug fixes and minor improvements. The RPM installer is now signed. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.19.0

This release of the Okta Active Directory agent includes an additional layer of end-to-end encryption for payloads that are exchanged between Okta and the agent. Support for monitoring the Active Directory agent configuration file has been added, where a System Log event is emitted when the agent configuration has been changed on premises. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history

OAuth 2.0 security for invoking API endpoints

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.

Granular deprovisioning in Microsoft Office 365

You can now deprovision users in Office 365 using multiple methods. See Deprovisioning options for Office 365.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See FIDO2 (WebAuthn).

Additional use case selection in the OIN Wizard

Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:

  • Automation

  • Centralized Logging

  • Directory and HR Sync

  • Multifactor Authentication (MFA)

See Use case selection in the OIN Wizard.

Early Access

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Block syncable passkeys

You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices. See FIDO2 (WebAuthn).

Fixes

  • Incremental imports on a custom SCIM server sometimes removed user group memberships. (OKTA-736111)

  • In some orgs, users were unlocked based on the settings of the default AD password policy rather than a higher priority password policy. (OKTA-755979)

  • Leaving the Custom character restriction field empty in the Profile Editor resulted in an error. (OKTA-811861)

  • The Manage Applications permission for Custom Admin roles unnecessarily allowed admins to mange the client credentials section for OAuth 2.0 Service apps. (OKTA-821119)

  • Long group names were truncated on the Edit resources to a standard role page. (OKTA-839491)

  • Viewing group members in the Admin Console sometimes displayed an error. (OKTA-844568)

Weekly Updates

2025.1.1: Update 1 started deployment on January 21

Generally Available

New IP service categories

The NORDLAYER_VPN and PIA_VPN proxy services are now supported as IP service categories in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • The Slack start date wasn't imported through schema discovery. (OKTA-826971)

  • User movement logs for Realm assignment jobs didn't display correctly. (OKTA-844398)

  • When an Okta group was deleted while an app group reconciliation job was in progress, the job to delete the downstream app group wasn't scheduled. (OKTA-826938)

Okta Integration Network

  • Airflow by Tech Prescient (SCIM) is now available. Learn more.
  • Asana by Aquera (SCIM) is now available. Learn more.
  • Avigilon Alta (SCIM) now supports user deactivation.
  • Corma (API Service) is now available. Learn more.
  • Dovetail (OIDC) has a new icon and integration guide.
  • ELMO (SCIM) is now available. Learn more.
  • FCTR Identity Support Portal (SAML) is now available. Learn more.
  • Jotform (SAML) is now available. Learn more.
  • Island (SAML) has updated endpoints.
  • Natoma (SAML) is now available. Learn more.
  • Posit Workbench (SAML) is now available. Learn more.
  • Posit Workbench (OIDC) is now available. Learn more.
  • PrimeDrive (SAML) is now available. Learn more.
  • Rocketlane (SCIM) is now available. Learn more.
  • SAP HANA Provisioning Connector by Aquera (SCIM) is now available. Learn more.
  • Udemy Business (SCIM) is now available. Learn more.
  • UKG Pro Workforce Management by Aquera (SCIM) is now available. Learn more.
  • VASTOnline (SCIM) is now available. Learn more.
  • Vbrick Rev Cloud (SCIM) is now available. Learn more.

2025.1.2: Update 1 started deployment on February 3

Generally Available

RADIUS Server Agent version 2.24.2

This version fixes a bug in the Password Authentication Protocol, where in some instances the authentication failed if the user password was greater than 16 characters. It also includes security enhancements.

Sign-In Widget, version 7.27.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget.

Fixes

  • When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)

  • Searching a name with special characters in Realms failed. (OKTA-801220)

  • If an error occurred while an admin performed a protected action, the resulting error message was sometimes unclear. (OKTA-808668)

  • Some users with the application administrator role weren't able to manage the apps they were assigned. (OKTA-814563)

  • The Manage Applications permission for custom admin roles unnecessarily allowed admins to manage the client credentials section of OAuth Service applications. (OKTA-821119)

  • The System Log sometimes displayed the org authorization server even though the error and the call were related to the custom authorization server. (OKTA-821988)

  • Users couldn't sign in to Okta after an app was deactivated and deleted. (OKTA-828955)

  • Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)

  • Custom app instance icons weren't displayed in Profile Editor in the Admin Console. (OKTA-837626)

  • Some service account users received an error message despite successfully changing their passwords. (OKTA-841078)

  • Some admins received an error message when they clicked Admin on the End-User Dashboard. (OKTA-842573)

  • The Atlassian Jira Cloud app didn't inject credentials when using SWA. (OKTA-843781)

  • Some users weren't prompted for multifactor authentication if another user was signed in to Okta with a different session on the same browser. (OKTA-846381)

  • Users received an error message when they enrolled a Personal Identity Verification card even though the System Log indicated that the enrollment was successful. (OKTA-846423)

  • Some users could enroll authenticators with self-attested passkeys even though the admin only allowed certificate-based attestation in their org. (OKTA-851468)

  • On the Admin Dashboard, the Tasks widget sometimes didn't load. (OKTA-851807)

  • When admins tried to customize the signing options of the SAML 1.1 app, their changes didn't appear. (OKTA-852911)

  • In orgs with Multiple Identifiers enabled, some users couldn't perform self-service registration. (OKTA-853911)

  • The Administrator assignment by role page displayed an error if an admin had duplicate assignments. (OKTA-854906)

  • The email notification for protected actions indicated that actions were taken instead of attempted. (OKTA-854973)

  • Users with passwords greater than 16 characters couldn't sign in when the Password Authentication Protocol with Message-Authenticator feature was enabled. (OKTA-856260)

Okta Integration Network

  • ADP Link by Aquera (SCIM) is now available. Learn more.
  • Cirro (OIDC) is now available. Learn more.
  • Concentric AI (SAML) is now available. Learn more.
  • Cyble Vision (SAML) is now available. Learn more.
  • Dayforce by Aquera (SCIM) is now available. Learn more.
  • Deel HR (SCIM) now supports profile sourcing.
  • FCTR Identity Support Portal (API Service) is now available. Learn more.
  • Gumband (OIDC) is now available. Learn more.
  • Island Management Console (SAML) has updated endpoints.
  • Microsoft SQL Server by Aquera (SCIM) is now available. Learn more.
  • Opensense (SAML) is now available. Learn more.
  • QuickBooks Online by Aquera (SCIM) is now available. Learn more.
  • Payflows (SAML) is now available. Learn more.
  • Redshift by Aquera (SCIM) is now available. Learn more.
  • Resonance by spiderSilk (SAML) is now available. Learn more.
  • SmartSite (OIDC) is now available. Learn more.
  • Speeda Sales Insights (OIDC) is now available. Learn more.
  • TrustWorks (SAML) is now available. Learn more.
  • XplicitTrust Network Access (API Service) is now available. Learn more.

Version: 2024.12.0

December 2024

Generally Available

Sign-In Widget, version 7.26.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Provider for ADFS, version 1.8.2

This version includes bug fixes and security hardening.

Okta On-Prem MFA agent, version 1.8.0

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Automatically assign the Okta Access Certifications app

When you assign the super admin role to a user, the Okta Access Certifications app is automatically assigned.

Industry term update in the OIN catalog

The NGO industry term has been updated to Nonprofit Organizations in the Okta Integration Network (OIN) catalog. All published integrations with the NGO designation now have the Nonprofit Organizations designation.

System Log event for emails added to the bounced email list

A System Log system.email.bounce.removal event is now triggered when an API request is made to remove bounced emails (POST /org/email/bounces/remove-list). This request sends a list of emails to a third-party email service to remove the emails from the bounce list. The event is triggered when the API request is made. The event doesn't indicate when the emails are actually removed by the third-party email service.

Haitian Creole translation for end users

On the End-User Settings page, users can now set their display language to Haitian Creole. See Supported display languages.

Filters for network zones

New filters in the network zones table help admins quickly distinguish between system-defined zones and those they have created. See Manage network zones.

Request access on behalf of another user

You can now allow users to request admin access for other users from their own dashboard. After you enable the option in the access requests conditions that manage admin role bundles, you can grant this permission to all users or limit it to managers only. See Create an access request condition.

Use case selection in the OIN Wizard

Independent software vendors (ISVs) can now select the following use case categories when they submit their integration to the Okta Integration Network (OIN):

  • Zero Trust
  • Identity Verification
  • Identity Governance and Administration (IGA)

See Use case guidelines for the OIN Wizard.

New task for orgs with one super admin

The Tasks dashboard widget and the HealthInsight page now indicate when an org has fewer than two super admins. This helps prevent orgs from losing access to the Admin Console.

Download links for Okta Jira and Confluence Authenticators in Admin Console

The download links for Okta Jira and Confluence Authenticators are no longer available in the Admin Console.

Early Access

New skipping of entitlement sync during import of a user Systems Log event

The following System Log event has been added: Sync skipping of entitlement during import of a user.

Force rematching of imported users

This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin’s access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Resource set conditions.

Granular account linking for certain Identity Providers

When admins link users from SAML and OIDC Identity Providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios.

Self-service toggle for Deactivate App Users

Admins can now use the self-service toggle to change what happens to an Okta user’s individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Fixes

  • When an admin clicked the Next button multiple times in succession while the table was loading, the number of Realm Assignments erroneously increased. (OKTA-725359)

  • Okta MFA for Active Directory Federation Services (ADFS) code wasn't signed. (OKTA-802958)

  • When an API Service integration was assigned a custom admin role, it couldn't access certain OIDC apps. (OKTA-814731)

  • Some users couldn't sign in to Okta after an OIDC client was added to a new custom access policy. (OKTA-815668)

  • The Tasks dashboard widget had extra white space next to the Type column. (OKTA-818109)

  • System Log entries were created without information about changes made to Identity Provider discovery policy rules. (OKTA-824865)

  • When an admin transitioned a user to a federated provider during password reset, it failed to fix the user's API status, the fields for the user, or the login states. (OKTA-827583)

  • The Symantec Web Security Services app was timing out too quickly when doing a group push. (OKTA-829357)

  • Super admins who were assigned the role through a group couldn't view all support cases. (OKTA-831270)

  • The Edit resource set page sometimes indicated that an unconditioned resource had conditions. (OKTA-838265)

  • The Create a resource set page was sometimes blank after an admin added an additional resource to a resource set. (OKTA-838266)

Okta Integration Network

  • Arxspan (SAML) has an updated ACS URL and Audience URI.
  • Avigilon Alta (SCIM) is now available. Learn more.
  • Brevity (SAML) is now available. Learn more.
  • Cisco User Management Connector (SCIM) has a new dynamic base URL.
  • DeepInfra (OIDC) is now available. Learn more.
  • Dext (OIDC) is now available. Learn more.
  • Kibana by Tech Prescient (SCIM) is now available. Learn more.
  • Smartsheet by Tech Prescient (SCIM) is now available. Learn more.
  • Speeda Customer Analytics (OIDC) is now available. Learn more.
  • XFA Discovery (API Service) is now available. Learn more.

Weekly Updates

2024.12.1: Update 1 started deployment on January 7

Fixes

  • Users couldn't sign in because AD SSO didn't support the prompt=login parameter for OIDC apps. (OKTA-798545)

  • On the Tasks page, if an app assignment model contained an array type with CVD properties and the user clicked Retry selected, the properties were sent in the wrong format. (OKTA-802994)

  • Updating the label of an OIDC app sometimes resulted in an incorrect label appearing in System Log events. (OKTA-816204)

  • Importing between apps created duplicate groups, even if Import Groups was disabled. (OKTA-819677)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-820615)

  • If a user's phone authenticator enrollment had an extension, the telephony inline hook payload to the external web service didn't include it. (OKTA-835398)

  • When navigating to resource catalog items using direct links, requesters were redirected to the Request Access page instead. (OKTA-841323)

  • An Invalid Phone Number error sometimes appeared during SMS factor enrollment. (OKTA-842270)

  • The Admin Created filter for network zones only showed a single page of results, and the Show More link didn't work. (OKTA-842468)

  • Admins couldn't click Edit for the Give Access to Okta Support option to control Okta Support team access to their org. (OKTA-843678)

  • New device notification emails were sent if a request had an X-Device-Fingerprint header with an empty value. (OKTA-845617)

  • The Administrator assignment by role page for the super admin role displayed the internal first-party apps that were assigned to the role. (OKTA-846207)

Okta Integration Network

  • DeleteMe (SCIM) has a new DOB attribute and integration guide.
  • Dext (SAML) has a new logo.
  • dscout (SCIM) now supports group push.
  • Hyperproof (SAML) has a new logo.
  • Revolut People (SAML) is now available. Learn more.