Okta Classic Engine release notes (Production)
Version: 2024.12.0
December 2024
Generally Available
Sign-In Widget, version 7.26.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta MFA Provider for ADFS, version 1.8.2
This version includes bug fixes and security hardening.
Okta On-Prem MFA agent, version 1.8.0
This version includes security enhancements. See Okta On-Prem MFA agent version history.
Automatically assign the Okta Access Certifications app
When you assign the super admin role to a user, the Okta Access Certifications app is automatically assigned.
Industry term update in the OIN catalog
The NGO industry term has been updated to Nonprofit Organizations in the Okta Integration Network (OIN) catalog. All published integrations with the NGO designation now have the Nonprofit Organizations designation.
System Log event for emails added to the bounced email list
A System Log system.email.bounce.removal event is now triggered when an API request is made to remove bounced emails (POST /org/email/bounces/remove-list). This request sends a list of emails to a third-party email service to remove the emails from the bounce list. The event is triggered when the API request is made. The event doesn’t indicate when the emails are actually removed by the third-party email service.
Haitian Creole translation for end users
On the End-User Settings page, users can now set their display language to Haitian Creole. See Supported display languages.
Filters for network zones
New filters in the network zones table help admins quickly distinguish between system-defined zones and those they have created. See Manage network zones.
Request access on behalf of another user
You can now allow users to request admin access for other users from their own dashboard. After you enable the option in the access requests conditions that manage admin role bundles, you can grant this permission to all users or limit it to managers only. See Create an access request condition.
Use case selection in the OIN Wizard
Independent software vendors (ISVs) can now select the following use case categories when they submit their integration to the Okta Integration Network (OIN):
- Zero Trust
- Identity Verification
- Identity Governance and Administration (IGA)
New task for orgs with one super admin
The Tasks dashboard widget and the HealthInsight page now indicate when an org has fewer than two super admins. This helps prevent orgs from losing access to the Admin Console.
Download links for Okta Jira and Confluence Authenticators in Admin Console
The download links for Okta Jira and Confluence Authenticators are no longer available in the Admin Console.
Early Access
New skipping of entitlement sync during import of a user System Log event
The following System Log event has been added: Sync skipping of entitlement during import of a user.
Force rematching of imported users
This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.
Create dynamic resource sets with conditions
Resource set conditions help you limit the scope of a role by excluding an admin’s access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Resource set conditions.
Granular account linking for certain Identity Providers
When admins link users from SAML and OIDC Identity Providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios.
Self-service toggle for Deactivate App Users
Admins can now use the self-service toggle to change what happens to an Okta user’s individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.
Restrict access to the Admin Console
By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.
Fixes
- When an admin clicked the Next button multiple times in succession while the table was loading, the number of Realm Assignments erroneously increased. (OKTA-725359)
- Okta MFA for Active Directory Federation Services (ADFS) code wasn't signed. (OKTA-802958)
- When an API Service integration was assigned a custom admin role, it couldn't access certain OIDC apps. (OKTA-814731)
- Some users couldn't sign in to Okta after an OIDC client was added to a new custom access policy. (OKTA-815668)
- The Tasks dashboard widget had extra white space next to the Type column. (OKTA-818109)
- System Log entries were created without information about changes made to Identity Provider discovery policy rules. (OKTA-824865)
- When an admin transitioned a user to a federated provider during password reset, it failed to fix the user's API status, the fields for the user, or the login states. (OKTA-827583)
- The Symantec Web Security Services app was timing out too quickly when doing a group push. (OKTA-829357)
- Super admins who were assigned the role through a group couldn't view all support cases. (OKTA-831270)
- The Edit resource set page sometimes indicated that an unconditioned resource had conditions. (OKTA-838265)
- The Create a resource set page was sometimes blank after an admin added an additional resource to a resource set. (OKTA-838266)
Okta Integration Network
- Arxspan (SAML) has an updated ACS URL and Audience URI.
- Avigilon Alta (SCIM) is now available. Learn more.
- Brevity (SAML) is now available. Learn more.
- Cisco User Management Connector (SCIM) has a new dynamic base URL.
- DeepInfra (OIDC) is now available. Learn more.
- Dext (OIDC) is now available. Learn more.
- Kibana by Tech Prescient (SCIM) is now available. Learn more.
- Smartsheet by Tech Prescient (SCIM) is now available. Learn more.
- Speeda Customer Analytics (OIDC) is now available. Learn more.
- XFA Discovery (API Service) is now available. Learn more.
Version: 2024.11.0
November 2024
Generally Available
Okta LDAP Agent, version 5.22.0
This version of the agent includes the following:
- Agent now uses OAuth 2.0 and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta.
- New agents are registered through the OAuth 2.0 device registration flow.
- Agents now operate independently from the accounts used to register them.
- Agents can now be installed by super admins and admins with a custom role that includes agent registration permissions. See LDAP integration prerequisites.
- Linux LDAP agents are now managed using systemd instead of sysvinit. See Manage the Okta LDAP Agent.
Improved user experience for group member counts
Groups now use async counts to determine user membership for groups that exceed 10,000 users. This improves the performance of both the Groups page and the group selector on the Sign-on policy page.
Give access to Okta Support
Admins can now control how members of the Okta Support team access their org. To support this, the Account page provides the following two options:
- Impersonation Grants for Cases: Allows the Okta Support team to sign in to your org as a read-only admin to troubleshoot issues.
- Support User Grants for Self-Assigned Cases: Allows an Okta Support representative to access your org settings after they've opened a case.
Using these settings, admins can select the right level of Support access for their org.
Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an integration with the OIN Wizard guide.
New column in Application Usage report
The Application Usage report now provides an Instance Name column. The new column helps users identify which apps the report was generated for.
Improved Access Requests error message
When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.
Updates to User Accounts report
The maximum number of rows in a CSV export has been increased from 1 million to 5 million.
Early Access
IP Exempt Zone
Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations or blocked network zones. See IP Exempt Zone.
OpenID Connect Identity Providers now support group sync
OpenID Connect Identity Providers now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Create dynamic resource sets with conditions
Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Manage Secure Partner Access.
Secure SaaS service accounts
This feature enables customers to monitor, manage, and secure access to service accounts in their SaaS apps. This new feature in Okta Privileged Access improves the Okta platform by safeguarding non-federated accounts across an org's apps. See Manage service accounts.
Fixes
- The user count on the Groups page wasn't displayed correctly. (OKTA-603239)
- The group picker in the Okta Browser Plugin showed an inaccurate user count. (OKTA-603587)
- When the Settings page prompted an end user for reauthentication, the Sign-In Widget sometimes wasn't displayed correctly. (OKTA-793598)
- Admins couldn't retry failed provisioning tasks. (OKTA-795934)
- Admins who only had the View applications and their details and Run imports permissions could deactivate apps. (OKTA-798693)
- SUSPENDED app users weren't supported during a group push. (OKTA-803747)
- The authenticator enrollment and email notifications for new Okta Verify enrollments on custom domains weren't correctly branded. (OKTA-805671)
- The text overflowed the Application notes for admins field in the General Settings section of the OIDC app page. (OKTA-813866)
- When an admin clicked Show more tasks on the Tasks page after a Profile Push error occurred, the list of affected users appeared twice. (OKTA-814527)
- When an app sign-on policy wasn't found, or the policy evaluation didn't match the policy rules but the catch-all rule granted access to the org, no System Log event was recorded. (OKTA-815982)
- The Okta account management policy didn't prompt unknown users for an authenticator when they attempted to unlock their accounts or reset their passwords. (OKTA-820167)
- Sometimes when an admin tried to view the Salesforce app integration, they were prompted to sign in. (OKTA-820465)
- Sometimes an error occurred when pushing groups without a group description. (OKTA-820782)
- The page title on the Sign On Policy page didn't appear in the correct place. (OKTA-821751)
- On the Okta Admin Dashboard, the information in the Tasks widget wasn't aligned correctly. (OKTA-822294)
- Sometimes there was an unexpected profile sync. You may experience one more unexpected profile sync. (OKTA-822824)
- On the Edit role page, some role permissions weren't in the correct order. (OKTA-823779)
Okta Integration Network
- Datadog (SAML) is now available. Learn more.
- Diminish (OIDC) is now available. Learn more.
- Docusign by Aquera (SCIM) is now available. Learn more.
- EveryKey SSO (SAML) is now available. Learn more.
- Five9 Identity Service based SSO (SAML) is now available. Learn more.
- Fullstory (SAML) is now available. Learn more.
- getregistered (SCIM) is now available. Learn more.
- GitHub by Tech Prescient (SAML) is now available. Learn more.
- LenelS2 Elements (SCIM) is now available. Learn more.
- Lumos (SCIM) is now available. Learn more.
- Metaphor (SCIM) has a new integration guide.
- Ninth Brain Suite (SAML) is now available. Learn more.
- Poggio (SAML) is now available. Learn more.
- Schoox (SWA) has a new icon.
- SecureTrustZone (SCIM) is now available. Learn more.
- Seesaw (OIDC) is now available. Learn more.
- Spherexx (SAML) has a new icon, description, and integration guide.
- Upaknee Cloud Messaging Stack (OIDC) is now available. Learn more.
Weekly Updates
2024.11.1: Update 1 started deployment on December 2
Fixes
- When an admin updated the Configured SAML Attributes for a SAML 2.0 integration, the values weren't reflected in the Admin Console. (OKTA-694781)
- The minimum OS version required for the Okta Active Directory agent was incorrectly listed as Windows Server 2012. (OKTA-718212)
- Text on the Edit resource to a standard role dialog was sometimes misaligned. (OKTA-794559)
- The group picker incorrectly listed Okta Administrators on the New Web App Integration page under . (OKTA-794750)
- Emails stating that agents were down included an incorrect link to check agent status. (OKTA-797414)
- SUSPENDED app users weren't supported during a group push. (OKTA-803747)
- When an Okta AD agent failed to be reactivated because it had no SSWS token in the database, the Admin Console erroneously displayed a message stating that the agent was reactivated. (OKTA-806425)
- There was an issue with the Sync Entitlements button on the Governance tab for the (Header Auth) Governance with SCIM 2.0 app. (OKTA-814934)
- Some Microsoft Windows 365 Enterprise license names were missing or appeared incorrectly on the Edit Assignment page. (OKTA-817097)
- Some error messages on the Sign-In Widget appeared in the wrong language. (OKTA-819400)
- The OIDC scopes required to use entitlement management in Okta weren't enabled in Coupa. (OKTA-825558)
- A GET user request for newly created users in Staged status sometimes returned incorrect activated and statusChanged values. (OKTA-827818)
Okta Integration Network
- ADP Next Gen HCM by Aquera (SCIM) is now available. Learn more.
- Analytic Index (OIDC) is now available. Learn more.
- BarRaiser (SAML) is now available. Learn more.
- CB Insights (SAML) is now available. Learn more.
- Chili Piper (SAML) is now available. Learn more.
- Clearout.io (OIDC) is now available. Learn more.
- Cornerstone Core HR by Aquera (SCIM) is now available. Learn more.
- Cyberlift SSO (OIDC) is now available. Learn more.
- CytoTronics Pixel Pro (SAML) is now available. Learn more.
- FastSpring (OIDC) is now available. Learn more.
- Funnel.io (SAML) is now available. Learn more.
- GitHub AE (SCIM) is now available. Learn more.
- Greenhouse Recruiting by Aquera (SCIM) is now available. Learn more.
- Hyperproof (SAML) has a new API, SSO URL, Audience URI, and integration guide.
- LawVu (SCIM) now has Group Push, additional attributes, and an updated description.
- LivePreso (SCIM) is now available. Learn more.
- Marker.io (SAML) is now available. Learn more.
- Moveworks (OIDC) has a new integration guide.
- OPTIZMO (SCIM) is now available. Learn more.
- Perimeter 81 (SAML) has an updated ACS URL and Audience URI.
- Perimeter 81 (SCIM) now supports the EU location.
- Sage HR by Aquera (SCIM) is now available. Learn more.
- Secured Signing (OIDC) has a new icon.
- Stripe (SAML) is now available. Learn more.
- Vbrick Rev Cloud (SAML) is now available. Learn more.
2024.11.2: Update 2 started deployment on December 9
Fixes
- Provisioning users from Okta to LDAP failed when multiple active app users had the same username in the same app instance. (OKTA-537618)
- When an admin searched for an app on the Add Resource dialog, the Load More button didn't appear. (OKTA-646166)
- Clicking Convert all Assignments for app integrations with large group memberships resulted in an error. (OKTA-731871)
- Errors sometimes occurred when creating group rules due to validation failures in the group membership rule. (OKTA-792778)
- User reconciliation failed during a real-time sync profile reload of users who belonged to large groups. (OKTA-793257)
- On the Status dashboard widget, the bullet character overlapped the DEGRADATION status for Agents. (OKTA-805683)
- When the end-user language was set to Spanish, the text on the Reset Password dialog was incorrect. (OKTA-821354)
- A GET user request for newly created users in the staged status sometimes returned incorrect activated and statusChanged values. (OKTA-827818)
- The Okta RADIUS agent was updated to version 2.24.0 for security enhancements, including hardening of the Password Authentication Protocol. The version also adds the Message-Authenticator attribute to responses. (OKTA-834907)
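How a RADIUS client can check the Message-Authenticator attribute that the RADIUS agent fix above adds to responses. This is an added example, not Okta's agent code. It follows the RFC 3579 computation (HMAC-MD5 over the response with the Request Authenticator in the authenticator field and the attribute value zeroed). The shared secret, authenticators and attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 3579


def find_attribute(packet, wanted):
    """Return (value_offset, value_length) of the first `wanted` attribute, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20  # attributes follow Code, Identifier, Length and Authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        if a_type == wanted:
            return pos + 2, a_len - 2
        pos += a_len
    return None


def check_response(packet, request_authenticator, secret):
    """Classify a RADIUS response as 'valid', 'invalid' or 'missing'."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    packet = packet[:length]
    # Both checks run over the response with the Request Authenticator
    # substituted into the 16-byte authenticator field.
    with_req = packet[:4] + request_authenticator + packet[20:]
    response_auth = hashlib.md5(with_req + secret).digest()
    if not hmac.compare_digest(response_auth, packet[4:20]):
        return "invalid"
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return "missing"
    offset, size = found
    if size != 16:
        return "invalid"
    # The HMAC is computed with the attribute's own value set to zero.
    zeroed = with_req[:offset] + bytes(16) + with_req[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = packet[offset:offset + 16]
    return "valid" if hmac.compare_digest(expected, received) else "invalid"


def build_response(code, ident, request_authenticator, attrs, secret, sign=True):
    """Build a constructed response for the demo; `sign` adds the attribute first."""
    body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if sign else b""
    body += b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body))
    pkt += request_authenticator + body
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:22] + mac + pkt[38:]
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


# Constructed sample values, not taken from a real deployment.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ATTRS = [(18, b"ok")]  # Reply-Message
SIGNED = build_response(2, 7, REQ_AUTH, ATTRS, SECRET)            # Access-Accept
UNSIGNED = build_response(2, 7, REQ_AUTH, ATTRS, SECRET, sign=False)

if __name__ == "__main__":
    print("signed:  ", check_response(SIGNED, REQ_AUTH, SECRET))
    print("unsigned:", check_response(UNSIGNED, REQ_AUTH, SECRET))
```

A client configured to require the attribute treats `missing` the same as `invalid` and drops the response.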
Okta Integration Network
- ADP Decidium by Aquera (SCIM) is now available. Learn more.
- bob (SCIM) has a new logo and integration guide.
- CloudPay Administrator Platform is now available. Learn more.
- Descartes (SAML) is now available. Learn more.
- Grafana by Tech Prescient (SCIM) now supports user imports.
- Hyperproof (SAML) has a new API, SSO URL, Audience URI, and integration guide.
- Jenkins by Tech Prescient (SCIM) is now available. Learn more.
- M-Files (SCIM) is now available. Learn more.
- Nametag (API Service) is now available. Learn more.
- Oloid (SCIM) is now available. Learn more.
- Omnissa Identity Service (SAML) is now available. Learn more.
- Omnissa Identity Service (SCIM) is now available. Learn more.
- Plumm (SAML) is now available. Learn more.
- Productboard (SCIM) has a new description and supports group push.
- SDWAN-FAST (OIDC) is now available. Learn more.
- Simplebooklet (OIDC) is now available. Learn more.
- Teamup Calendar (SCIM) is now available. Learn more.
- TOMS-Europe (OIDC) is now available. Learn more.
- TOMS-Global (OIDC) is now available. Learn more.
- Wasabi Account Control Manager (SCIM) is now available. Learn more.
Version: 2024.10.0
October 2024
Generally Available
Hyperspace Agent version 1.5.0
Hyperspace Agent version 1.5.0 is now available. This version uses Microsoft Edge WebView2 Runtime to display Sign-In Widget content. See Okta Hyperspace Agent version history.
Enhanced dynamic zones
Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.
Nonce rollout for Content Security Policy
Okta is rolling out nonces for the script-src directive of the Content Security Policy for every endpoint that returns HTML content. This is a two-stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header script-src directive; later, after any unsafe inline scripts are identified and fixed, the nonce is added to the Content-Security-Policy header script-src directive. This update will be gradually applied to all endpoints.
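The two stages can be checked against any custom page content before enforcement reaches it. The following added example (not Okta code) reads the nonce from whichever header carries it and lists the inline markup that would be reported in stage one or blocked in stage two. It also flags inline event-handler attributes, which a nonce cannot cover. The header values, nonce and HTML are constructed samples.

```python
from html.parser import HTMLParser

REPORT_ONLY = "content-security-policy-report-only"  # stage 1 header
ENFORCED = "content-security-policy"                 # stage 2 header


def script_src_nonces(policy):
    """Return the nonces listed in the script-src directive of a CSP value."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return {p[7:-1] for p in parts[1:]
                    if p.startswith("'nonce-") and p.endswith("'")}
    return set()


class InlineFinder(HTMLParser):
    """Collect markup that a nonce-based script-src would report or block."""

    def __init__(self, nonces):
        super().__init__()
        self.nonces = nonces
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        # An inline <script> needs a nonce attribute that matches the policy.
        if tag == "script" and "src" not in attrs:
            if attrs.get("nonce") not in self.nonces:
                self.findings.append((line, "inline-script"))
        # Event-handler attributes cannot carry a nonce, so they always fail.
        for name in attrs:
            if name.startswith("on"):
                self.findings.append((line, "handler:" + name))


def audit(headers, html):
    """Map each active rollout stage to the findings for one HTML response."""
    headers = {k.lower(): v for k, v in headers.items()}
    results = {}
    for name, stage in ((REPORT_ONLY, "report-only"), (ENFORCED, "enforced")):
        nonces = script_src_nonces(headers.get(name, ""))
        if nonces:  # a stage applies only once the nonce is in that header
            finder = InlineFinder(nonces)
            finder.feed(html)
            finder.close()
            results[stage] = finder.findings
    return results


# Constructed sample response body (not captured from an Okta endpoint).
SAMPLE_HTML = "\n".join([
    "<html><body>",
    '<script nonce="c2FtcGxlLW5vbmNl">init();</script>',
    "<script>legacyInline();</script>",
    '<button onclick="go()">Go</button>',
    '<script src="/assets/app.js"></script>',
    "</body></html>",
])
STAGE_1 = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Content-Security-Policy-Report-Only":
        "script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'",
}
STAGE_2 = {"Content-Security-Policy": "script-src 'self' 'nonce-c2FtcGxlLW5vbmNl'"}

if __name__ == "__main__":
    for label, hdrs in (("stage 1", STAGE_1), ("stage 2", STAGE_2)):
        print(label, audit(hdrs, SAMPLE_HTML))
```

Findings are `(line, kind)` pairs. The same items appear under `report-only` in stage one and under `enforced` in stage two, where the browser would refuse to run them.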
Deprecating provisioning for Confluence (Atlassian)
Provisioning for Confluence (Atlassian) has been deprecated.
UI update on the Brands page
Dropdown menus on the Brands page have been updated to provide a more consistent look and feel.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Coupa
- DocuSign
- WebEx
Group Owner assignments removed
The Group Owner assignment option has been removed from Access Requests for admin roles sequences.
New Okta Secure Identity collection in the OIN catalog
A new Okta Secure Identity collection is available in the Okta Integration Network (OIN) catalog. This collection identifies integrations that are part of the Okta Secure Identity commitment. See the OIN catalog for a list of integrations assigned to this collection.
System Log event types and outcome reasons
The user.authentication.auth_via_IDP and user.authentication.auth_via_social System Log event types now indicate whether a successful Identity Provider sign-in attempt was due to JIT provisioning or account linking. See Event types.
OIDC Identity Provider options
OIDC Identity Providers can now have both the Account Link and JIT policies set to disabled.
Event hooks for Identity Provider authentication
You can now use user authentication with Identity Provider events as event hooks. See Event Types for a list of events that you can use with event hooks.
Fixes
- If an error occurred while performing a group push, the Push Status of the push group was only updated after refreshing the page manually. (OKTA-710642)
- When managing directories for a group, clicking Next without making any changes resulted in duplicate Previous and Cancel buttons being displayed. (OKTA-735984)
- Sometimes trying to access a SAML app through a service provider flow resulted in a 500 Internal Server error. (OKTA-739430)
- In orgs that used a custom domain, admins were prompted to enter their username when they performed a protected action. (OKTA-747566)
- Sometimes, concurrent agentless DSSO JIT operations for a user broke app assignments, which required admin intervention to correct. (OKTA-752118)
- The ability to view API tokens was incorrectly assigned to the custom admin role permissions for View users and their details. The ability to revoke API tokens was incorrectly assigned to the custom admin role permissions for Edit users' lifecycle states, Suspend users, and Clear users' sessions. (OKTA-801358)
- User passwords could be updated to match the answer to the recovery question. (OKTA-804681)
- The number of SAML-capable apps displayed on the Tasks page was incorrect. (OKTA-811744)
- Some admins with a custom role saw an error when they attempted to import user attributes. (OKTA-815012)
Okta Integration Network
- Bob by Aquera (SCIM) is now available. Learn more.
- Eccentex AppBase (SCIM) is now available. Learn more.
- GitHub Enterprise Server by Aquera (SCIM) is now available. Learn more.
- HPE Aruba Networking SSE - Axis (SAML) is now available. Learn more.
- Jurnee (OIDC) now has an initiate login URI.
- Oracle Cloud HCM by Aquera (SCIM) is now available. Learn more.
- SecureTrustZone (SAML) is now available. Learn more.
- Snowflake by Tech Prescient (SAML) is now available. Learn more.
- Teamgo Visitor Sign-in (SCIM) is now available. Learn more.
Weekly Updates
2024.10.1: Update 1 started deployment on November 4
Generally Available
Sign-In Widget, version 7.24.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
New IP service category
The WARP_VPN proxy service is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.
Fixes
- Sometimes an error occurred when reactivating org2org users. (OKTA-755934)
- In orgs with both ADSSO and IWA enabled, an ADSSO precheck failure with an IWA failure during an SP-initiated flow resulted in authenticating to Okta rather than to the Service Provider. (OKTA-793391)
- Deactivated apps sometimes showed an Active status in the Admin Console. (OKTA-799257)
- Some users were unable to save user attribute settings in Okta groups that were linked to directories. (OKTA-799880)
- In some cases, AppUser profiles weren't updated when users were provisioned to AD using Okta Groups. (OKTA-800577)
- The app.keys.* System Log events didn't contain the root session ID. (OKTA-808707)
- When Workflows was used to request multiple bundles, some entitlements were missing. (OKTA-819958)
Okta Integration Network
- Acronis Cyber Cloud (SCIM) has a new app profile and mappings.
- Acsense (API Service) now has additional scopes.
- Constant Contact by Aquera (SCIM) is now available. Learn more.
- Cyberlift (API Service) now has an additional scope.
- Domo by Aquera (SCIM) is now available. Learn more.
- Eccentex AppBase (SAML) is now available. Learn more.
- Go1 (SCIM) has an updated description.
- Guide (OIDC) is now available. Learn more.
- HPE Aruba Networking SSE (formerly Axis) (SAML) is now available. Learn more.
- LegalOn Cloud (SAML) is now available. Learn more.
- LivePreso (OIDC) is now available. Learn more.
- Metaphor (SCIM) is now available. Learn more.
- Netdata (SCIM) is now available. Learn more.
- OPTIZMO (SAML) is now available. Learn more.
- Scrut Automation (API Service) has a new logo.
- Secured Signing (OIDC) is now available. Learn more.
- Segment (SAML) is now available. Learn more.
- Smallstep (SCIM) has a new logo and description.
- Smartsheet v2 (SAML) now has an ACS URL and Audience URI.
- Snowflake Provisioning Connector by Aquera (SCIM) is now available. Learn more.