Production release notes

September 2022

2022.09.0: Monthly Production release began deployment on September 6

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 6.7.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Okta ADFS plugin, version 1.7.11

This version of the plugin contains bug fixes, security enhancements, and support for an additional top-level domain. See Okta ADFS Plugin Version History.

Okta MFA Credential Provider for Windows, version 1.3.7

This version of the agent contains fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

PKCE validation for OIDC app integrations

You can now require Proof Key for Code Exchange (PKCE) as an additional verification step for any OIDC app integration except service apps. The OAuth Security Best Current Practice recommendation is to use PKCE for all uses of the authorization code flow, regardless of the client type. See Create OIDC app integrations using AIW.
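The PKCE check described above, as an added worked example (not Okta's code): the client derives a code_challenge from a random code_verifier with the S256 transform, and a toy authorization server that requires PKCE refuses an authorize request without a challenge and refuses a token exchange whose verifier does not hash to the stored challenge. ToyAuthorizationServer, demo_flow and demo_interception are hypothetical names for this illustration; the verifier/challenge pair in the test is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: code_verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url encoding without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(challenge: str, method: str, verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare."""
    if not verifier or not VERIFIER_RE.match(verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        # Permitted by RFC 7636 but gives no protection if the challenge is observed; prefer S256.
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, challenge)


class ToyAuthorizationServer:
    """Hypothetical stand-in for an authorization server that requires PKCE (not Okta code)."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge=None, method="S256") -> str:
        # With PKCE required, an authorization request without a challenge is rejected up front.
        if self.require_pkce and not code_challenge:
            raise ValueError("invalid_request: code_challenge is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        entry = self._codes.pop(code, None)  # authorization codes are single-use
        if entry is None:
            return False
        challenge, method = entry
        if challenge is None:
            return not self.require_pkce
        return verify_pkce(challenge, method, code_verifier)


def demo_flow() -> bool:
    """Legitimate client: the verifier that produced the challenge redeems the code."""
    server = ToyAuthorizationServer(require_pkce=True)
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    return server.token(code, verifier)


def demo_interception() -> bool:
    """A party holding only the authorization code, not the verifier, is refused."""
    server = ToyAuthorizationServer(require_pkce=True)
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    return server.token(code, make_code_verifier())  # unrelated verifier -> False
```

The comparison uses hmac.compare_digest so the check runs in constant time, and the verifier is validated against the RFC character set and length before hashing so malformed input is rejected before it reaches the digest.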

Validation and verification of signed SAML requests

Using signed SAML requests ensures that incoming requests are from genuine applications. When this is configured, Okta only accepts SAML requests signed using the certificate associated with the app integration. Having signed SAML requests also resolves scenarios where the Assertion Consumer Service (ACS) URL requested after authentication can be one of several domains or URLs. When a Service Provider sends a signed authentication request, Okta can accept dynamic ACS values as part of the SAML request and posts the SAML assertion response to the ACS value specified in the request. See the Advanced Settings section of Create SAML app integrations using AIW.

Shared SWA app accounts, password restriction

For SWA apps whose account sign-in option is set to Users share a single username and password set by administrator, only Super admins or App admins with permissions for that app can view the password.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration.

Improved status updates for AD-sourced users

The status of AD-sourced users is now automatically changed from staged to activated following successful Desktop Single Sign-on (DSSO) authentication. This change reduces the time admins need to spend manually activating users and speeds user access to applications. See Active Directory Desktop Single Sign-on.

New Recent Activity page on the new Okta end-user dashboard

The Recent Activity page provides end users with a summary of recent sign-in and security events for their Okta account. End users can also report suspicious activity to their Okta admin by clicking I don’t recognize this. See Recent Activity.

Enhancements

Custom domain status

On Customizations > Domain, a new Status field indicates whether the Custom URL Domain configuration is active, pending, or certificate expired. See Customize the Okta URL Domain.

Visual improvements on the Admin Dashboard

The Updated at timestamp now appears at the top right of the Overview widget. The Overview and Status widgets now take up less space. See Dashboard.

OIN Manager user interface changes

The OIN Manager includes the following updates:

  • The UI has been updated to match the current Okta style.
  • The Okta logo has been updated.
  • A note that lists the time required to process new submissions is displayed.

403 error for rate limit violations

When an org reaches its operational rate limit for SMS requests, a 403 Forbidden error is now displayed instead of a 429 Too many requests error. See Configure client-based rate limiting.

Early Access Features

New Features

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your SSO apps.

Fixes

General Fixes

OKTA-489391

Some apps couldn't be assigned using the Assign button if the organization had too many custom object values.

OKTA-496347

The password field in the Add Person widget was incorrectly truncated.

OKTA-499408

The help link for Automatically update Okta Active Directory (AD) agents on the Early Access page pointed to an outdated help topic.

OKTA-504008

The Workflows section of the app details page failed to load when an invalid link was encountered.

OKTA-506480

AD agent emails incorrectly indicated that agents already running the latest version had recently been auto-updated.

OKTA-518347

Some Org2Org users had the same ExternalID on the target org.

OKTA-522043

Users could sign in with the Okta IWA Web agent after delegated authentication was disabled.

OKTA-523140

When Salesforce provisioning was configured using OAuth, Salesforce Community Profiles weren’t displayed.

OKTA-523199

Group app assignments failed because of a SQL grammar error.

OKTA-523607

Users could sign in with ADSSO after delegated authentication was disabled.

OKTA-524632

Searching for users on the Assign People page returned an Invalid Search Criteria error if the secondary email was marked as a sensitive attribute.

OKTA-529187

Groups that were deleted shortly after users were added to or removed from them sometimes remained in search results.

App Integration Fixes

The following SAML app was not working correctly and is now fixed:

  • Salesforce (OKTA-516730)

Applications

Application Updates

Due to company re-branding, we have deprecated the ParkOffice app and replaced it with the Wayleadr app.

New Integrations

SAML for the following Okta Verified applications:

  • Grayscale (OKTA-508602)

  • ParkOffice (OKTA-522526)

  • Wayleadr (OKTA-522520)

Weekly Updates

August 2022

2022.08.0: Monthly Production release began deployment on August 8

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Configurable API token rate limits

Admins can now configure a percentage rate-limit capacity for individual API tokens. Previously, when a token rate limit violation occurred, it wasn’t clear which token consumed the limit. Setting a maximum capacity for each token solves this problem and gives admins a new tool to investigate rate-limit violations and plan for future deployments. See API token management.

Salesforce REST OAuth

Admins can now upgrade to the latest version of our Salesforce integration. OAuth authentication is now used for Provisioning and Imports. See Configure OAuth and REST integration. This feature is made available to all orgs.

Custom Administrator Roles

The standard admin roles available today don’t always meet all the granular delegated administration requirements, which may result in admins having either more or fewer permissions than they need.

The Custom Administrator Roles feature allows super admins to:

  • Create admin assignments with granular roles, which include specific user, group, and application permissions.

  • Constrain these admin assignments to resource sets.

Use Custom Administrator Roles to:

  • Increase admin productivity.

  • Decentralize the span of access that any one admin has.

  • Grant autonomy to different business units for self-management.

Some important things to note:

  • The Administrators page has been updated with a new, more intuitive interface for managing roles and permissions. See About the Administrators page.

  • Your pre-existing roles are referred to as “standard roles”. The standard role functionality is the same as earlier but the UI is different. See Use standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

See Custom administrator roles and Best practices for creating a custom role assignment.

Bulk assign users to groups

Admins can now use bulk import functionality to assign multiple users to specific Okta groups. Bulk user import significantly reduces the time admins spend managing user group assignments. In addition, this functionality makes it easier for large enterprise orgs to adopt Okta as their access management provider. See Bulk assign people to a group. This feature will be gradually made available to all orgs.

Okta Admin Console Groups page enhancements

The Okta Admin Console Groups page has been updated to simplify the addition of large numbers of users to groups and reduce the likelihood that all users can be accidentally removed from a group. In addition, search functionality has been significantly improved to make adding and removing users from groups quicker and easier. See Manage groups. This feature will be gradually made available to all orgs.

Advanced search for users and groups

To make it easier for admins to quickly locate and manage users and groups, enhanced people and group search functionality is now available. Admins can limit search results to specific criteria by querying with the SCIM protocol. They can also use Created On and Last Updated On in their queries to identify when users or groups were created or last modified, and search for groups and users using both base and custom attributes. These advanced search options optimize search results and help reduce the time spent searching for specific information. See View group members. This feature will be gradually made available to all orgs.

Trusted Origins for iFrame embedding

You can now choose which origins can embed Okta sign-in pages and the Okta End-User Dashboard using Trusted Origins for iFrame embedding. This feature offers more granular control over iFrame embedding than the existing embedding option in Customization, which doesn't let you distinguish between secure and non-secure origins. Trusted Origins under Security > API allows you to selectively configure the origins you trust. It also provides enhanced security because it uses the more secure frame-ancestors directive of Content Security Policy, which protects your data from web attacks such as clickjacking. You can also migrate your existing iFrames to Trusted Origins. See Trusted Origins for iFrame embedding.
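To make the difference between the two embedding options concrete, here is an added example (not Okta's code) that evaluates a Content Security Policy frame-ancestors directive the way a browser does, against a permissive "any origin may embed" policy and against a Trusted Origins style allow list. The page origin, the allow-listed origins and both policy strings are constructed for the illustration; the matcher simplifies the CSP3 scheme-part rule for sources written without a scheme.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None when the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _split_origin(origin):
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _parse_host_source(source):
    """'[scheme://]host[:port]' -> (scheme or None, host, port or None). Parsed by hand so '*' hosts survive."""
    scheme = None
    if "://" in source:
        scheme, source = source.split("://", 1)
    host, _, port = source.rstrip("/").partition(":")
    return scheme, host, int(port) if port else None


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        # *.corp.example matches any subdomain but not corp.example itself
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(source, page_origin, embedder_origin):
    s = source.lower()
    e_scheme, e_host, e_port = _split_origin(embedder_origin)
    p_scheme, p_host, p_port = _split_origin(page_origin)
    if s == "'none'":
        return False
    if s == "'self'":
        return (e_scheme, e_host, e_port) == (p_scheme, p_host, p_port)
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:  # scheme-source such as "https:"
        return e_scheme == s[:-1]
    s_scheme, s_host, s_port = _parse_host_source(s)
    if s_scheme is not None:
        if e_scheme != s_scheme:
            return False
    elif e_scheme != p_scheme and not (p_scheme == "http" and e_scheme == "https"):
        return False  # simplified CSP3 rule for sources without an explicit scheme
    if not _host_matches(s_host, e_host):
        return False
    expected_port = s_port if s_port is not None else DEFAULT_PORTS.get(e_scheme)
    return e_port == expected_port


def embedding_allowed(csp, page_origin, embedder_origin):
    """Would a browser let embedder_origin frame a page served from page_origin under this CSP?"""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True  # no frame-ancestors directive: this header imposes no framing restriction
    if any(s.lower() == "'none'" for s in sources):
        return False
    return any(_source_matches(s, page_origin, embedder_origin) for s in sources)


# Constructed sample values for the illustration (not real Okta headers or hostnames).
PAGE_ORIGIN = "https://example.okta.com"
PERMISSIVE_CSP = "frame-ancestors *"
TRUSTED_CSP = "frame-ancestors 'self' https://intranet.acme.example https://*.corp.acme.example"


def compare_policies(embedder_origin):
    """Same embedder, both policies: shows what the allow list buys you."""
    return {
        "permissive": embedding_allowed(PERMISSIVE_CSP, PAGE_ORIGIN, embedder_origin),
        "trusted": embedding_allowed(TRUSTED_CSP, PAGE_ORIGIN, embedder_origin),
    }
```

Note that the allow list is scheme-sensitive: an http:// origin does not match an https:// source, which is exactly the secure/non-secure distinction the Customization option cannot express.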

Okta Sign-in Widget, version 6.6

Upgrades to visual assets have been made to reflect the latest branding requirements for common third-party identity providers (Google, Facebook, and others). This changes the appearance of social login buttons in the Sign-In Widget. Customers who have self-styled these buttons with CSS overrides may need to adjust those overrides to adopt the new defaults, which comply with third-party branding requirements.

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 3.12.0

This version of the agent contains the following changes:

  • Improved group membership information logging

  • Security enhancements

See Okta Active Directory agent version history.

Okta RADIUS Server agent, version 2.17.5

This version of the agent contains security fixes and resolves a memory leak that occurred when agents were configured for EAP-TTLS. See Okta RADIUS Server Agent Version History.

Okta On-Prem MFA agent, version 1.5.1

This version of the agent contains security fixes. See Okta On-Prem MFA Agent Version History.

Event hooks for log streaming

To provide better visibility into changes in the state of Okta log streams, event logs pertaining to log stream management, such as stream deactivation, are now eligible for event hooks. Event hooks allow you to automate detection and responses to changes in the state of a log stream. See Log Streaming.

Self-service registration deprecation

The Self-service registration feature is being deprecated from Classic Engine. See End-user registration for information about this expanded feature in Identity Engine. For any questions or concerns, contact your Customer Success Manager (CSM) or Okta Support.

Rate Limits dashboard includes API Token data

The Rate Limits dashboard now includes API Token data on the Rate limit usage over time graph. You can view bar graph data by API token or by IP address to review any spike in traffic. See bar graph and API rate limits by token.

Enhancements

System Log events for Report CSV actions

For enhanced security and auditing, the System Log now records new events when CSVs of reports are requested, generated, and downloaded.

System Log events for customer support

To enhance security, System Log events are now generated for every customer support activity, including viewing configurations or data and performing impersonation. Each event includes the user ID of the support person.

System Log update for app sign-on policy

App sign-on policy update events include a new DebugData field with details about how the rule was changed.

System Log update for telephony operations

The system.operation.rate_limit.violation event is no longer fired when SMS or Voice messages are blocked due to telephony operational rate limit violations. Instead, telephony system.sms.send.* and system.voice.send.* events are issued as a DENY System Log message.
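Detection logic written against the old event needs to move to the DENY outcome on the telephony events. As an added example (not Okta's code), the function below runs over a constructed System Log excerpt, flags telephony sends with a DENY outcome, summarizes them per event type and per actor, and shows that a rule keyed on system.operation.rate_limit.violation now stays silent for this condition. The event names below the system.sms.send and system.voice.send family, the actors and the reason text are constructed sample values.

```python
import json
from collections import Counter
from fnmatch import fnmatch

# Event families named in the release note; the specific event names in the sample are constructed.
TELEPHONY_PATTERNS = ("system.sms.send.*", "system.voice.send.*")
LEGACY_EVENT = "system.operation.rate_limit.violation"

# Constructed System Log excerpt, one JSON event per line (not real Okta output).
SAMPLE_LOG = """
{"published": "2022-08-09T10:00:01Z", "eventType": "system.sms.send.factor_verify_message", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@acme.example"}}
{"published": "2022-08-09T10:00:05Z", "eventType": "system.sms.send.factor_verify_message", "outcome": {"result": "DENY", "reason": "operational rate limit exceeded"}, "actor": {"alternateId": "bob@acme.example"}}
{"published": "2022-08-09T10:00:07Z", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@acme.example"}}
{"published": "2022-08-09T10:00:09Z", "eventType": "system.voice.send.factor_verify_message", "outcome": {"result": "DENY", "reason": "operational rate limit exceeded"}, "actor": {"alternateId": "bob@acme.example"}}
{"published": "2022-08-09T10:00:12Z", "eventType": "system.sms.send.factor_verify_message", "outcome": {"result": "DENY", "reason": "operational rate limit exceeded"}, "actor": {"alternateId": "dave@acme.example"}}
"""


def parse_events(text):
    """One JSON object per non-empty line, as exported from a log stream or the System Log API."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_telephony_event(event):
    return any(fnmatch(event.get("eventType", ""), p) for p in TELEPHONY_PATTERNS)


def telephony_denials(events):
    """Telephony sends that Okta refused; after this change they are the rate-limit signal to watch."""
    return [
        e for e in events
        if is_telephony_event(e) and (e.get("outcome") or {}).get("result") == "DENY"
    ]


def legacy_rate_limit_events(events):
    """A rule keyed on the old event no longer sees telephony throttling."""
    return [e for e in events if e.get("eventType") == LEGACY_EVENT]


def denial_summary(events):
    """Counts per event type and per actor, the two pivots an analyst wants first."""
    denials = telephony_denials(events)
    return {
        "by_event_type": dict(Counter(e["eventType"] for e in denials)),
        "by_actor": dict(Counter(e.get("actor", {}).get("alternateId", "?") for e in denials)),
    }


def alert_if_threshold(events, threshold=2):
    """True when telephony denials in the supplied window reach the threshold."""
    return len(telephony_denials(events)) >= threshold
```

A bursts-per-actor pivot is the useful one here: a single user hitting the operational limit repeatedly looks different from many users each denied once, and the second pattern usually means the org-wide limit, not one account, is the problem.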

Microsoft Azure Join documentation

Help documentation is now available for users integrating Azure Join and Okta. See Typical workflow for integrating Hybrid Azure AD Join.

Customization name change

The Disable the Okta interstitial page feature is renamed Disable the Okta loading page. See Configure general customization settings.

AD Agent auto-updates only when operational

The AD agent auto-update scheduler no longer automatically updates non-operational agents. See Schedule agent auto-updates.

OIN Manager enhancements

The contents of the automated email sent when an integration has been moved to Draft after a period of inactivity have been updated.

Dynamic issuer mode for identity providers

You can configure the dynamic issuer mode for an identity provider using the Identity Provider API. When you set issuerMode to DYNAMIC, Okta uses the domain from the authorizeURI as the domain for the redirect URI when returning the authentication response.

Clock skew requirement removed

Users can now access the End-User Dashboard without syncing their device clock to the server time. See The new Okta end-user experience.

Early Access Features

New Features

This release doesn't have any Early Access features.

Fixes

General Fixes

OKTA-454135

The pending user action status was unclear on the new group membership page.

OKTA-466964

The Edit icons on the Application > Provisioning tab were visible to admins who didn’t have the Manage applications permission.

OKTA-494505

Okta Expression Language worked incorrectly in app pages after the page was saved and reloaded.

OKTA-502692

When the Disable Security Question for Recovery feature was enabled and an admin used the Users API to create a user with a pre-assigned password, the magic link sent in the activation email didn't expire after the first use.

OKTA-505852

AD agents running versions prior to 3.8.0 were displayed in existing auto-update schedules.

OKTA-508762

Workday incremental imports with a pre-hire level set prematurely picked up some updates from within the pre-hire interval.

OKTA-509671

When a custom admin role was deleted, users with no other assigned admin roles could still see the Admin button on the Okta End-User Dashboard.

OKTA-510346

Imports failed when the same object was deleted twice.

OKTA-511933

LDAP agents failed to parse queries when group names had special characters.

OKTA-512433

On the Admin Dashboard, the Items count for the "Applications can be updated to use SAML" task wasn’t correct.

OKTA-515783

Sometimes, in the Groups page Description column, an equals sign (=) replaced the forward slash ( / ) in LDAP-sourced group names.

OKTA-517100, OKTA-517101

VoiceOver screen readers didn’t read the text for country names or the values in the Set up Options list of the Sign-In Widget during Okta Verify registration.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Accredible (OKTA-511942)

  • SurveyMonkey (OKTA-509109)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

July 2022

2022.07.0: Monthly Production release began deployment on July 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Okta LDAP agent, version 5.14.0

This version of the agent contains security fixes. See Okta LDAP Agent version history.

Server-generated secret keys lengthened

Server-generated secret keys have been lengthened to enhance security. These keys are used to generate one-time passwords for multifactor authentication in FIPS-enabled environments and orgs.

See Configure Okta Verify.

Password synchronization for LDAP-sourced users

When the passwords of LDAP-sourced users are reset in Okta and LDAP delegated authentication is enabled, the new password is now immediately synchronized to the user's assigned applications that are configured for password synchronization. This change makes sure that user passwords remain current and reduces the likelihood that users will be unable to access their applications. See Application password synchronization.

Configure sign-on policies based on identity providers

Admins now have the option to configure a sign-on policy based on a specific identity provider. This gives admins more flexibility to dictate which IdP can be used to obtain an Okta session. See Configure an Okta sign-on policy.

SSO capability to OIN apps

Customers who subscribe to the MFA-only package of services now have basic single sign-on functionality to Okta Integration Network apps.

Legacy user group ID support

Validation rules have been relaxed to support user group entity legacy ID formats created prior to 2012.

OIN Manager developer terms

OIN Manager pages now include links to developer terms and conditions. See Developer Terms.

Enhancements

Session management section for adding an Okta sign-on policy rule

A new Session management section is available when adding a new Okta sign-on policy rule or editing an existing one.

The section includes two new options:

  • Maximum Okta session lifetime: Set time limit for user sessions.

  • Persist session cookies across browser sessions: Allow the user to continue a session after reopening a closed browser.

These options were previously only available through the Okta API, but they can now also be configured from the Admin Console.

Session Expires After is now renamed Expire session after user has been idle on Okta for.

Additional warnings and descriptions clarify the functionality of the fields and how to better configure them.

See Configure an Okta sign-on policy.

user.session.start System Log events

A user.session.start System Log event is fired after successful app-specific DelAuth sign-in events.

Default policy new conditions

The default authentication policy now allows access with any two factor types and requires re-authentication after 12 hours. See Add an authentication policy rule.

OIN App Catalog user interface changes

The Languages Supported section of the app details page has been removed.

Improvements to API authorization server interface

Administrators working with OIDC client applications can now see a preview of the information contained in the refresh token and the device secret returned by the authorization server. See API Access Management.

New HealthInsight security task

A new MFA Requirements task appears if admins set up an Okta sign-on policy with New Device behavior but don't select At every sign-in.

The purpose of this security task is to ensure that the MFA requirements configured by the admin aren’t in conflict with Okta Behavior Detection functionality, and that the MFA policy rule isn’t bypassed unintentionally. When admins select the security task, recommendations appear for correcting the configuration. See MFA requirements.

Organization settings name change

The Organization section of the Security > General page is renamed Organization Security. See General Security.

Early Access Features

New Features

This release doesn't have any Early Access features.

Fixes

General Fixes

OKTA-449159

In the Add Identity Provider - Microsoft UI, the Microsoft Scopes help link pointed to an incorrect URL.

OKTA-480772

AD-sourced users who reset their passwords in AD had to reset their passwords again when using IWA or ADSSO to sign in to Okta.

OKTA-481136

When users were provisioned to AD from Okta, mappings from AD to Okta weren't applied for appuser.externalId.

OKTA-498957

When configuring SAML signing certificates for a SAML 2.0 app, admins were unable to right-click and copy the Identity Provider metadata link in the Admin Console.

OKTA-500367

Unique properties associated with non-existent users weren't cleared when user validation failed during user creation.

OKTA-506002

Because uniqueness requires exact value matches, marking schema properties of type Number as unique was problematic and is no longer supported. Use Integer or String properties instead.

OKTA-506333

Warning messages appeared on the Okta Sign-On Policy - Add Rule and Edit Rule page even though the relevant fields weren’t visible.

OKTA-507888

On the Pages panel of Customizations > Branding, the Okta defaults appeared instead of an org’s selected theme.

OKTA-509079

The Welcome page, SMS reminder prompt, and security image prompt weren’t shown for users who accessed Okta using AD SSO in Incognito mode.

OKTA-510483

Sometimes an error occurred when an admin attempted to edit a resource set that included a deleted app.

OKTA-515057H

Clicking the Force Sync button resulted in a 404 error with an incorrect message.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • GetFeedback (OKTA-505764)

  • GoToWebinar (OKTA-502955)

  • NordLayer (OKTA-505977)

Applications

Application Updates

The existing Balsamiq integration has been removed and renamed to Balsamiq (deprecated).

Customers should use the Balsamiq Wireframes (SAML) integration in our OIN Catalog moving forward.

Weekly Updates