Okta Classic Engine release notes (2023)
January 2023
2023.01.0: Monthly Production release began deployment on January 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Revoke user sessions
Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.
Directory Debugger for Okta AD and LDAP agents
Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.
Non-associated RADIUS agents deprecated
Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.
Unusual telephony requests blocked by machine-learning measures
SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.
Enhancements
New System Log events
New events are added to the System Log when custom sign-in or error pages are deleted or reset.
Policy details added to sign-on events
The System Log now displays policy details for user.authentication.auth_via_mfa events.
View last update info for app integrations and AD/LDAP directories
Admins can view the date an app integration was last updated by going to and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to and selecting the integration.
Internet Explorer 11 no longer supported
A new banner has been added to the End-User Dashboard to notify Internet Explorer 11 users that the browser is no longer supported.
Corrected timezone on API Tokens page
The date and time on the API Tokens page used an incorrect timezone. It now uses the same timezone as the user's device.
Early Access Features
Enhancements
AWS region support for EventBridge Log Streaming
EventBridge Log Streaming now supports all commercial AWS regions.
Fixes
General Fixes
OKTA-437264
The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.
OKTA-511057
Push Group to Azure Active Directory failed when the group description property was empty.
OKTA-519198
Groups and apps counts displayed on the Admin Dashboard weren't always correct.
OKTA-543969
Accented characters were replaced with question marks in log streams to Splunk Cloud.
OKTA-548780
Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.
OKTA-559571
The Help link on the Administrators page directed users to the wrong URL.
OKTA-561119
Some users were redirected to the End-User Dashboard when they clicked an app embed link. This occurred in orgs that enabled State Token All Flows and used a custom sign-in page.
OKTA-561259
On the Edit role page, the previously selected permission types weren't retained.
OKTA-564264
Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.
Applications
Application Update
New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.
New Integrations
OIDC for the following Okta Verified applications:
- Infra: For configuration information, see Infra Configuration Guide.
- Kanbina AI: For configuration information, see the Kanbina AI Documentation.
- Riot Single Sign-on: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tracxn: For configuration information, see Configure SSO between Tracxn and Okta.
Weekly Updates
2023.01.1: Update 1 started deployment on January 23
Fixes
General Fixes
OKTA-394045
The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.
OKTA-460054
Office 365 nested security groups sometimes failed to synchronize correctly from Okta.
OKTA-522922
Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.
OKTA-527705
When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.
OKTA-534291
Samanage/SolarWinds schema discovery didn't display custom attributes.
OKTA-544943
When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.
OKTA-545664
URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.
OKTA-547756
An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.
OKTA-548390
Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.
OKTA-550739
Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.
OKTA-556056
Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.
OKTA-557873
Enrollment emails weren't sent to users who enrolled in the DUO Security factor.
OKTA-557976
For some users, the profile page didn't display all of their enrolled MFA factors.
OKTA-565041
Group filtering failed when more than 100 groups appeared in the list of results.
OKTA-565899
An incorrect error message appeared when users saved an empty Website URL field in their on the fly app settings.
OKTA-566372
Users were sometimes unable to sign in to several Office 365 apps from Okta.
OKTA-567711
In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- Verona: For configuration information, see Configuring Provisioning for Verona.
SAML for the following Okta Verified applications:
- Alibaba Cloud CloudSSO (OKTA-531834)
- DoControl (OKTA-556624)
- EasyLlama (OKTA-547466)
- Extracker (OKTA-555971)
- Saleo (OKTA-552314)
- Verona (OKTA-551188)
- Viewst (OKTA-555217)
- WOVN.io (OKTA-551752)
OIDC for the following Okta Verified application:
- Sharry: For configuration information, see the Sharry OKTA CONFIGURATION GUIDE.
2023.01.2: Update 2 started deployment on February 6
Generally Available
Content Security Policy enhancements
Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.
Fixes
General Fixes
OKTA-545622
AD-sourced users received an error when resetting passwords during their Okta account activation.
OKTA-545918
Admin roles that were granted to a user through group membership sometimes didn't appear on the user's tab.
OKTA-551921
When a large number of profile mappings were associated with a user type, updates to the user type could time out.
OKTA-553201
Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the Google Authenticator factor.
OKTA-554013
Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.
OKTA-566285
A threading issue caused directory imports to fail intermittently.
OKTA-566682
When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.
OKTA-566824
Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.
OKTA-567707
A security issue is fixed, which requires RADIUS agent version 2.18.0.
OKTA-567972
An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone).
OKTA-567979
Last update information was displayed for API Service Apps and OIDC clients.
OKTA-571393
Users couldn't enroll YubiKeys with the FIDO2 (WebAuthn) factor and received an error message on Firefox and Embedded Edge browsers.
Applications
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- BizLibrary: For configuration information, see Configuring SCIM with Okta.
SAML for the following Okta Verified applications:
- Better Stack (OKTA-566261)
- Mist Cloud (OKTA-559122)
- Tower (OKTA-567818)
OIDC for the following Okta Verified application:
- Oyster HR: For configuration information, see Okta configuration guide | Oyster.
February 2023
2023.02.0: Monthly Production release began deployment on February 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
New Features
Sign-In Widget, version 7.3.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta Provisioning agent, version 2.0.13
This version of the Okta Provisioning agent contains the migration of the Windows installer from Internet Explorer to Edge. The installer now requires Edge WebView2. If your machine is connected to the internet, WebView2 is downloaded automatically during the agent installation. If not, you must manually install it before installing the new agent version. See Okta Provisioning agent and SDK version history.
Agents page removed from the navigation panel
The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.
Splunk edition support for Log Streaming integrations
The Splunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.
Custom links for personal information and password management on End-User Dashboard
If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.
This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.
You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.
Run delegated flows from the Admin Console
With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.
Full Featured Code Editor for error pages
The Full Featured Code Editor integrates the Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.
Custom app login deprecated
The custom app login feature is deprecated. This functionality is unchanged for orgs that actively use custom app login. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in.
Enhancements
iFrame option for OAuth sign-out URI
The OAuth sign-out URI can now be embedded inside an iFrame.
Log Streaming status messages
Log streaming status messages now include a prefix related to the log streaming operation.
Updated AWS EventBridge supported regions for Log Stream integrations
The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.
OIN Manager enhancements
The OIN Manager now orders the app protocol tabs by best practice.
Informative error messages for SAML sign-in
Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.
Early Access Features
Early Access features from this release are now Generally Available.
Fixes
General Fixes
OKTA-501372
The People page used an incorrect field name as the sorting key.
OKTA-540894
Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.
OKTA-544814
Clicking Show More in the tab resulted in an Invalid search criteria error.
OKTA-554006
Clicking Save and Add another to add new attributes on the Profile Editor page didn't consistently function as expected.
OKTA-555768
Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.
OKTA-566469
The Coupa integration URL displayed under the application Sign On tab was incorrect.
OKTA-567511
Users weren't assigned to applications through group assignments following an import from AD into Okta.
OKTA-567991
Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.
OKTA-568319
In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.
OKTA-572600
Sometimes, custom email domain configurations didn't appear on the Domains page in the Admin Console.
OKTA-573320
The max_age and login_hint parameters in the authorize request were sometimes ignored when a client used the private_key_jwt client authentication method.
OKTA-573738
Some field widths rendered improperly.
OKTA-468178
In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- Paychex Online (OKTA-573082)
Applications
Application Update
The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Better Stack: For configuration information, see Integrate Okta SSO & SCIM with Better Stack.
- Cafe: For configuration information, see Okta SCIM Configuration Guide.
- Kakao Work: For configuration information, see Kakao Work SCIM Setup.
- Torii: For configuration information, see Torii's SCIM Setup with Okta.
OIDC for the following Okta Verified applications:
- Craftable: For configuration information, see Single Sign On with Okta.
- LeadLander: For configuration information, see the LeadLander Okta configuration guide.
- Loxo: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Mobius Conveyor: For configuration information, see Okta SSO Configuration Guide.
- MyInterskill LMS: For configuration information, see SSO – Okta Configuration Guide.
- ngrok: For configuration information, see Okta SSO (OpenID Connect).
- Paramify: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
Weekly Updates
2023.02.1: Update 1 started deployment on February 21
Generally Available
Sign-In Widget, version 7.3.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
General Fixes
OKTA-508580
When the Okta profile mapping was pushed to AD, the event didn't appear in the System Log and the manager attribute wasn't pushed.
OKTA-537710
Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.
OKTA-556133
End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.
OKTA-561269
The YubiKey Report wasn't generated when certain report filters were applied.
OKTA-565300
Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.
OKTA-565984
Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.
OKTA-566892
Sometimes MFA prompts overlapped portions of the browser sign-in pages.
OKTA-572416
The Help Center link on the Resources menu directed users to the wrong URL.
OKTA-574624
In , the Org Admin description was incorrect.
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
- Adobe Stock (OKTA-564445)
- Adyen (OKTA-561677)
- Airbnb (OKTA-559114)
- AlertLogic (OKTA-560876)
- American Express @ Work (OKTA-565294)
- BlueCross BlueShield of Texas (OKTA-564224)
- Drilling Info (OKTA-558048)
- Empower (OKTA-552346)
- Endicia (OKTA-557826)
- Glassdoor (OKTA-564363)
- hoovers_level3 (OKTA-562717)
- MailChimp (OKTA-554384)
- MY.MYOB (OKTA-553331)
- myFonts (OKTA-566037)
- OpenAir (OKTA-545505)
- Paychex (OKTA-561268)
- Paychex Online (OKTA-564325)
- Regions OnePass (OKTA-568163)
- Truckstop (OKTA-552741)
- VitaFlex Participan (OKTA-562503)
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Akamai Enterprise Application Access: For configuration information, see SCIM provisioning with Okta.
- ArmorCode: For configuration information, see SCIM Configuration Guide Instructions.
SAML for the following Okta Verified applications:
- Articulate 360 (OKTA-544737)
- Kakao Work (OKTA-556713)
- Pleo (OKTA-564884)
- Tower (OKTA-567818)
2023.02.2: Update 2 started deployment on March 6
Generally Available
Fixes
General Fixes
OKTA-431900
The button was visible to admins who didn't have permission to enroll authentication factors.
OKTA-452990
When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.
OKTA-495146
The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.
OKTA-503419
App catalog search results didn't include SCIM functionality labels.
OKTA-566637
The agentless DSSO just-in-time provisioning flow imported ineligible AD groups into Okta.
OKTA-572089
Browsing the Provisioning tab for an app triggered a System Log update.
OKTA-574711
The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.
OKTA-574890
When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.
OKTA-576067
Custom domains couldn't be validated if there were uppercase characters in a subdomain.
OKTA-578439
Some event hook requests failed to send in Preview orgs.
OKTA-579157
For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Adobe Creative (OKTA-555215)
- Asana (OKTA-566187)
- ManageEngine Support Center Plus (OKTA-529921)
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Samsung Knox Manage: For configuration information, see Configure Knox Manage SCIM Connector and Okta for automatic user provisioning.
- Shortcut: For configuration information, see Configuring Okta to Manage Shortcut Users with SCIM.
- Ziflow: For configuration information, see SCIM provisioning with Okta.
SAML for the following Okta Verified applications:
- Scalr.io (OKTA-552065)
- Trusaic (OKTA-559106)
OIDC for the following Okta Verified applications:
- Activaire Curator: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Arrivy: For configuration information, see How to set up OIDC Okta Single sign-on with Arrivy.
- ConductorOne: For configuration information, see Set up ConductorOne using Okta.
- HacWare: For configuration information, see SSO Login via Okta and HacWare.
- Jatheon Cloud: For configuration information, see How to Set Up Okta SSO Integration.
- Kadence: For configuration information, see Okta Single Sign-On (SSO) Setup Guide.
- Oort Identity Security: For configuration information, see Okta Integration Network SSO Instructions.
- Skye: For configuration information, see Single Sign-On (SSO) - Okta.
- Solarq: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tabled: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Tackle.io: For configuration information, see Okta SSO Setup Guide.
- TaskCall: For configuration information, see Okta Integration Guide.
- TestMonitor: For configuration information, see How to set up Okta Single Sign-on in TestMonitor.
March 2023
2023.03.0: Monthly Production release began deployment on March 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.4.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.16.0
This version of the agent contains:
- Use of FIPS 140-2 validated cryptographic security modules
  - bc-fips: Version 1.0.2.3
  - bcpkix-fips: Version 1.0.6
  - bctls-fips: Version 1.0.13
- Support for LDAP agent auto-update
  - This version allows support for LDAP agent auto-update. Stay tuned for the self-service EA feature within Okta that will enable LDAP agent auto-update when available.
  - Upon agent installation on Linux platforms, we now grant the OktaLDAPService user permission to automatically install the newest agent version using the auto-update feature.
- Bug fixes
- Security enhancements
Identity Engine Upgrade Hub
Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new OIE Upgrade Hub page displays in the navigation panel under Dashboards. The OIE Upgrade Hub provides a quick and easy way to schedule your org's OIE upgrade for a more powerful and customizable identity experience. See Upgrade from Okta Classic Engine.
Agents page added to the navigation panel
The operational status of org agents can now be viewed by selecting the Agents page from the navigation panel. See View your org agents' status.
Rate limit increased for Event Hooks
The number of events that can be delivered to Event Hooks is now 400,000 events per org, per day. See Hooks.
Updated Okta logo
New Okta branding is now used for the Admin Console, the sign-in page, and the browser page favicon.
Manage the Okta loading animation for custom apps
You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see
SAML logout metadata
SAML app integration metadata details now include logout URL information when Single Logout is enabled.
OIN Manager enhancements
The OIN Manager now includes text to support API Service integrations.
System Log event
A new System Log event is created when an LDAP interface operation fails because an administrative rate limit was exceeded.
Enhanced Admin Console search
The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you're looking for. See Admin Console search.
Optional consent settings for OAuth 2.0 scopes
OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes.
SAML setup parameters
More setup parameters are now visible when configuring SAML as a sign-in method for app integrations. See Configure Single Sign-On options.
Log Streaming
While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.
Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon EventBridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log streaming.
OIDC Identity Providers private/public key pair support
Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.
Early Access Features
Early Access features from this release are now Generally Available.
Fixes
OKTA-530926
Authentication sometimes failed for LDAP users due to a null pointer exception. The issue is fixed in LDAP agent version 5.16.0.
OKTA-548568
Password validation caused an unexpected error during a self-service password reset.
OKTA-553278
Group memberships didn't update when an Okta user was relinked to Active Directory and then a full import was run.
OKTA-554109
Read-only admins were able to edit application integration pages.
OKTA-561769
A user with a Custom Administrator role could make changes to the End-User Dashboard but couldn't preview the dashboard.
OKTA-562113
Auto-population of non-English variable names in the Profile Editor didn't work as expected.
OKTA-564673
Empty groups caused LDAP delegated authentication testing to fail.
OKTA-578615
Some users could request a new one-time passcode after exceeding the limit for failed MFA attempts.
OKTA-580307
The Sign-in Widget sometimes failed to load for testing LDAP authentication.
OKTA-581530
Missing logos on the Groups page were displayed as broken links.
Applications
New Integrations
New SCIM integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- BeProduct: For configuration information, see How to set up Okta Single Sign-On integration.
- Forkable: For configuration information, see How to set up Okta SCIM integration.
- RudderStack: For configuration information, see Okta SCIM Configuration.
- scalr.io: For configuration information, see Configure Okta.
SAML for the following Okta Verified application:
- Wistia (OKTA-561362)
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- Adobe (OKTA-569857)
- Adobe Stock (OKTA-564445)
- Brex (OKTA-573146)
- Criteo (OKTA-577154)
- CTCC OncoEMR (OKTA-576358)
- Lucidchart (OKTA-566188)
- MyFonts (OKTA-566037)
- Washington Post (OKTA-575907)
Weekly Updates
2023.03.1: Update 1 started deployment on March 20
Generally Available
Fixes
OKTA-464288
SMS customization wasn't restricted in free developer orgs.
OKTA-516653
Group descriptions for AD groups linked to Okta groups weren't pushed.
OKTA-544970
When orgs used email template injection, some internal class information was visible in the message.
OKTA-562755
On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.
OKTA-567399
A deactivated Identity Provider couldn't be reactivated.
OKTA-567906
Admins were able to configure a multifactor enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.
OKTA-570664
BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.
OKTA-576483
Admins weren't able to add a network zone with the name BlockedIPZone.
OKTA-577014
Some users received inaccurate error messages when they registered their phone number for password reset and account unlock.
OKTA-585800
Some Cornerstone profiles failed to import due to missing information.
OKTA-589114
When orgs used daylight saving time, the Admin Dashboard and the System Log event timestamps were one hour behind.
Applications
Application update
The Front SCIM integration is updated to support group push.
New Integrations
New SCIM Integration application:
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:
- O'Reilly Learning Platform: For configuration information, see Configure SCIM for user provisioning.
OIDC for the following Okta Verified applications:
- BrandShield: For configuration information, see BrandShield Okta Single-Sign-On (SSO) - Integration Guide.
- Edify: For configuration information, see Set up an Okta SSO configuration (Edify Console).
- ellie.ai: For configuration information, see Okta configuration guide for ellie.ai.
- HaileyHR: For configuration information, see Integration with Okta.
SAML for the following Okta Verified application:
- ASP.NET (OKTA-575640)
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
- Acorns (OKTA-579034)
- GoToMeeting (OKTA-566182)
- PayPal (OKTA-562742)
2023.03.2: Update 2 started deployment on March 27
Generally Available
Sign-In Widget, version 7.4.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
OKTA-503099
Admins were able to modify the auth_time claim for an access token using a token inline hook.
OKTA-562337
The options in the dropdown used to filter Admin Dashboard tasks were untranslated.
OKTA-566659
DocuSign group pushes failed when removing users from a group.
OKTA-568170
Some orgs couldn't disable the New Sign-On Notifications email.
OKTA-568376
Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.
OKTA-579088
In , the Description link next to each of the agents was incorrect.
OKTA-584216
A suffix was added to the application label for new Onspring instances.
OKTA-587063
An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.
OKTA-588262
The favicons for the Admin Console and End-User Dashboard were misaligned.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Spiro.ai: For configuration information, see Connecting your Okta Account with Spiro.
- Venue: For configuration information, see Integrating Venue with Okta.
SAML for the following Okta Verified application:
- Laurel (OKTA-586151)
OIDC for the following Okta Verified application:
- Fullview: For configuration information, see Fullview Okta configuration guide.
App Integration Fix
The following SWA app wasn't working correctly and is now fixed:
- Poll Everywhere (OKTA-585747)
2023.03.3: Update 3 started deployment on April 3
Fixes
OKTA-576159
On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.
OKTA-581158
System Log events for manual imports showed that the import was scheduled by Okta.
OKTA-585107
The hidden permissions count on the Edit role page was incorrect.
OKTA-585478
App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.
OKTA-587347
On mobile devices, users with long email addresses couldn't see all the options in their settings dropdown menu.
OKTA-592074
Screen readers read apps on the End-User Dashboard as buttons instead of links.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Mitimes: For configuration information, see IT Admin - SSO - Okta.
- Envoy: For configuration information, see Envoy Okta App Integration Configuration Guide.
- Insightly: For configuration information, see Setting Up SAML and SCIM Integrations.
- Riskpal: For configuration information, see Riskpal integration with okta.
- TrackTik: For configuration information, see Set up and use provisioning for Okta.
- Truly: For configuration information, see SCIM Configuration Guide.
- Xledger: For configuration information, see Configure SCIM Provisioning between Xledger and Okta.
SAML for the following Okta Verified applications:
- Bitdefender GravityZone (OKTA-575873 - Okta-hosted instructions)
- CorporateFitness.app (OKTA-575873 - Okta-hosted instructions)
- RevSpace: For configuration information, see How to Configure SAML 2.0 for RevSpace.
OIDC for the following Okta Verified applications:
- AcquireTM: For configuration information, see AcquireTM Single Sign-on Setup Guide.
- NordPass: For configuration information, see How to set up SSO with Okta for organization members.
- Xledger: For configuration information, see Configure SSO between Xledger and Okta.
API service app for the following Okta Verified application:
- Calero - SaaS Expense Management: For configuration information, see Calero.com Okta SSO Connector Setup.
April 2023
2023.04.0: Monthly Production release began deployment on April 10
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.5.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 3.14.0
This version of the agent contains the following changes:
- Security enhancements.
- Bug fixes.
- Installer will show a warning if the service account isn't a member of Pre-Windows 2000 Compatible Access.
- Migration of the Windows installer from Internet Explorer to Edge.
The installer now requires Edge WebView2. WebView2 is downloaded automatically during the agent installation if your machine is connected to the internet. If not, you must manually install it before installing the new agent version. See Okta Active Directory agent version history.
Okta Provisioning agent, version 2.0.14
This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history.
Schedule your Okta Identity Engine upgrade directly from the Admin Dashboard
Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new self-service upgrade widget is displayed on the Admin Dashboard. The widget provides a quick and easy way to schedule your org's upgrade for a more powerful and customizable identity experience. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine. This feature will be gradually made available to all orgs.
OAuth 2.0 authentication for inline hooks
Okta inline hook calls to third-party external web services previously provided only header-based authentication for security. Although sent with SSL, the header or custom header authentication didn't meet more stringent security requirements for various clients and industries.
To improve the security of inline hooks, Okta now supports authentication with OAuth 2.0 access tokens. Tokens ensure secure calls to external web services.
When creating inline hooks in the Admin Console (or by API), administrators or developers can now select OAuth 2.0 authentication and choose between two methods of OAuth 2.0: Client Secret or Private Key. A new Key Management API and Admin Console page is also available to create public/private key pairs for use with OAuth 2.0 inline hooks. See Manage keys.
Using the OAuth 2.0 framework provides better security than Basic Authentication, and is less work than setting up an IP allowlisting solution. Clients can also use access tokens minted by their own custom authorization servers to guarantee that Okta is calling their client web services and that the call isn't triggered by external actors. See Add an inline hook.
API Service Integrations
Using a more secure OAuth 2.0 connection than access tokens, this integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. See API Service Integrations.
OIN Manager support for Workflow Connector submission
Okta Workflows is a no-code, if-this-then-that logic builder that Okta orgs can use to automate custom or complex employee onboarding and offboarding flows in your application. You can now publish Workflow connectors that you create with the Workflows Connector Builder in the Okta Integration Network (OIN) catalog. Publishing a Workflows Connector with Okta allows your customers to deeply integrate your product with all other connectors in the catalog. Submit your Workflow Connector by using the OIN Manager. See Submit an integration for Workflows connectors.
Configurable rate limits available for OAuth 2.0 apps
Rate limit violations mainly occur on authenticated endpoints. Currently, it isn't clear which OAuth 2.0 authenticated app consumes all the rate limits for an org. This increases the risk that one app consumes the entire rate limit bucket. To avoid this possibility, Okta admins can now configure how much rate limit capacity an individual OAuth 2.0 app can consume by editing the Application rate limits tab for each app. By setting a capacity on individual OAuth 2.0 apps, Okta admins have a new tool to monitor and investigate rate limit violations, and have the ability to view rate limit traffic generated by individual OAuth 2.0 apps. See Rate limit dashboard bar graph.
Support added for DPoP with service apps
Okta now supports Demonstrating Proof-of-Possession for service apps. However, service apps can provide the same level of security by using private_key_jwt for client authentication. See Configure OAuth 2.0 Demonstrating Proof-of-Possession and Client authentication.
Multiple IdP profiles in Google Workspace
The Google Workspace integration now supports multiple IdP profiles. See How to Configure SAML 2.0 for Google Workspace.
Early Access Features
Import users to Office 365 using Microsoft Graph API
This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.
Fixes
OKTA-511637
If users clicked the reveal password icon in the Sign-In Widget before they entered their password, blank spaces were removed upon submission.
OKTA-570362
The End-User Dashboard displayed email confirmation notifications for users who didn't change their primary email.
OKTA-573667
The dates on the Agent auto-update settings page in the Admin Dashboard were missing the year.
OKTA-581516
HTML wasn't formed correctly in SAML responses.
OKTA-586482
Sometimes users couldn't enroll in or set up On-Prem MFA or RSA SecurID.
OKTA-588390
Token Preview for custom authorization servers failed for group claims with more than 100 groups.
OKTA-592588
The Routing rules tab on the Identity Providers page wasn't hidden for users without admin permissions.
OKTA-593452
The Everyone group in Okta couldn't be imported through the Okta Org2Org app.
Applications
New Integrations
SAML for the following Okta Verified applications:
- WalkMe: For configuration information, see WalkMe SAML Integration with Okta.
- WalkMe (encrypted assertions): For configuration information, see WalkMe SAML Integration with Okta.
OIDC for the following Okta Verified application:
- WalkMe: For configuration information, see WalkMe OpenID Connect (OIDC) Integration with Okta.
Weekly Updates
2023.04.1: Update 1 started deployment on April 17
Fixes
OKTA-529298
Renaming an individually selected organizational unit in Active Directory caused it to be unselected in Okta when imported.
OKTA-573682
Some of the widgets on the Admin Dashboard didn't use the correct date and time format.
OKTA-578310
Some labels and error messages related to assigning applications were untranslated.
OKTA-584757
Sometimes group push operations to ServiceNow failed.
OKTA-597224
Org admins could schedule and manage their org's Identity Engine upgrade using the OIE Upgrade Hub.
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Hiver: For configuration information, see Configuration of Okta integration.
- Productboard: For configuration information, see Setting up SCIM provisioning with OKTA.
SAML for the following Okta Verified application:
- Obsidian Security: For configuration information, see How to Configure SAML 2.0 for Obsidian Security.
OIDC for the following Okta Verified application:
- Sclera: For configuration information, see Okta Integration with Sclera.
App Integration Fix
The following SWA app wasn't working correctly and is now fixed:
- Adobe Stock (OKTA-564445)
2023.04.2: Update 2 started deployment on May 1
Generally Available
Sign-In Widget, version 5.7.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
OKTA-475223
On the Admin Dashboard, the Tasks menu Pending and Complete labels overlapped with the dropdown icon.
OKTA-500841
RADIUS server agent was incorrectly listed among Disconnects and reconnects under System notifications.
OKTA-555152
The shortcut URL /login/default didn't always go to the End User Dashboard.
OKTA-564388
When Multibrand was enabled, orgs couldn't add an email domain that they'd previously deleted.
OKTA-566659
Pushing group changes to Docusign failed when a member was removed from a group or a group push mapping was removed in Okta.
OKTA-568489
Pushing groups for provisioning to Office 365 failed if the groups already existed.
OKTA-568851
Some URLs on multifactor authentication app pages pointed to incorrect destinations.
OKTA-579360
Users were still active in the hub org after being deactivated in a spoke org.
OKTA-581789
Import completion emails weren't sent to administrators with custom admin roles.
OKTA-583585
Admins were unable to update passwords for SWA apps in orgs with certain configurations.
OKTA-585741
Empty values for attribute statements in SAML assertions didn't remove previously specified values.
OKTA-586713
The variable ${baseURL} in the HTML for some email templates didn't resolve in the browser.
OKTA-587325
After activating their accounts, users who enrolled through the Sign up link received an error if they clicked Set up later on the Security methods page.
OKTA-588140
The Delegated flows page was visible to orgs that hadn't configured any delegable flows.
OKTA-588408
Admins could configure the Maximum Okta session lifetime setting for an Okta sign-on policy rule that denied access.
OKTA-591800
When the sign-in page was edited using the code editor, the event type system.custom_error.update was logged.
OKTA-593131
Some attributes previously added to user profiles from incoming SAML responses weren't cleared when the attribute was later omitted.
OKTA-594775
In some orgs, the Office 365 thick client sign-in page didn't display the app instance name.
OKTA-595042
A successful MFA that followed unsuccessful MFA attempts mistakenly locked out users.
OKTA-596437
When the API Service Integration feature was disabled, a query for inactive app integrations incorrectly returned a list with revoked API service integrations.
OKTA-597697
When Multibrand was enabled, orgs couldn't reset the default application for the Sign-In Widget.
OKTA-599040
An extra input field sometimes appeared on the sign-in page for SP-initiated SSO.
OKTA-599062
On the Push Groups to Active Directory page, Okta admins were unable to view all the organizational units.
OKTA-599243
When the redesigned resource editor feature was enabled, admins could save the Add Resource screen without selecting a resource.
OKTA-599483
In orgs with the new authenticator management feature enabled, attempts to create or update an Okta enrollment policy failed.
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- KSOC: For configuration information, see KSOC Configuration Guide (you need KSOC permissions to view).
- MANTL: For configuration information, see Okta Provisioning Using SCIM.
- Salesbricks: For configuration information, see Okta OIN configuration guide.
SAML for the following Okta Verified applications:
- ProcessBolt AUS: For configuration information, see ProcessBolt AUS Okta Config Guide.
- TimeRewards: For configuration information, see Okta Single Sign-On (SSO) integration.
- WebCE (OKTA-571275)
OIDC for the following Okta Verified applications:
- Agora: For configuration information, see Setting up Okta SSO.
- MANTL: For configuration information, see Okta OIDC SSO Integration.
- TimeRewards: For configuration information, see Okta Single Sign-On (SSO) integration.
App Integration Fix
The following SWA app wasn't working correctly and is now fixed:
- Louisiana Medicaid (OKTA-578791)
2023.04.3: Update 3 started deployment on May 8
Fixes
OKTA-570851
Some app provisioning error strings weren't translated.
OKTA-586571
In some orgs, users who successfully reset their passwords were redirected to a custom error page instead of the home page.
OKTA-591232
Logos weren't correctly displayed on email templates.
OKTA-599684
When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.
OKTA-604536
An older library was being used by the toolkit used by Okta Confluence Authenticator and Okta Jira Authenticator. The issue is fixed in version 3.2.2 of the toolkit.
OKTA-607199
ThreatInsight temporarily prevented non-malicious users from accessing Okta.
Applications
New Integrations
New SCIM Integration applications:
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:
- Agora: For configuration information, see Setting up Okta SCIM provisioning.
- anecdotes: For configuration information, see SCIM Provisioning of Users with OKTA.
- Huntress: For configuration information, see SAML SSO Setup for Okta.
- MaestroQA - EU: For configuration information, see MaestroQA/Okta SCIM configuration guide.
- Reclaim.ai - EU: For configuration information, see Okta SSO Setup Guide - App Catalog.
- SGNL: For configuration information, see Configuring Single Sign-On with Okta.
SAML for the following Okta Verified applications:
- MaestroQA - EU: For configuration information, see How to Configure SAML 2.0 for MaestroQA-EU.
- TalentQuest: For configuration information, see How to Configure SAML 2.0 for TalentQuest.
May 2023
2023.05.0: Monthly Production release began deployment on May 15
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Okta AD agent, version 3.15.0
This version of the agent contains the following changes:
- Bug fixes. Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.
Okta On-Prem MFA agent, version 1.7.0
This version includes support for extended client session timeout. See Install the On-Prem MFA Agent.
Confluence Authenticator, version 3.2.2
This release contains security fixes. See Okta Confluence Authenticator version history.
Okta Jira Authenticator, version 3.2.2
This release contains security fixes. See Okta Jira Authenticator Version History.
Import users to Office 365 using Microsoft Graph API
This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API. This feature will be gradually made available to all orgs.
OAuth 2.0 On-Behalf-Of Token Exchange
On-Behalf-Of Token Exchange helps retain the user context in requests to downstream services. It provides a protocol approach to support scenarios where a client can exchange an access token received from an upstream client for a new token by interacting with the authorization server. See Set up OAuth 2.0 On-Behalf-Of Token Exchange.
Okta Expression Language matches operator deprecated
The Okta Expression Language matches operator that is used to evaluate a string against a regular expression is deprecated. This feature is currently enabled by default for new orgs only.
Okta administrators group for all org admins
A default Okta administrators group is now available in every Okta org. The new group allows you to create sign-on policies that automatically apply to all admins in your org. See Groups.
Help links for standard admin roles
Each standard admin role now provides a link to its corresponding help page. This allows admins to quickly and easily locate the documentation that supports their standard role assignments.
Self-Service Okta Identity Engine Upgrades for eligible orgs
Okta is slowly rolling out self-service upgrade functionality to eligible orgs. Using the new self-service upgrade widget, orgs with acknowledgment action items can now review and complete those items, and then schedule their upgrade. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility and the self-service upgrade widget appears on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine.
Note that only super admins can view and manage the self-service upgrade widget.
New upgrade warning
For self-service Identity Engine upgrades, a warning message now appears to indicate that the Classic Engine Sessions API isn't supported.
More events eligible for hooks
The following System Log events are now eligible for event hooks:
- group.application_assignment.add
- group.application_assignment.remove
- group.application_assignment.update
New legal disclaimer in Okta Trial accounts
A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.
Okta branding changes for the Admin Console
Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.
Additional measures to counter toll fraud
For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.
Early Access Features
Event hook filters
You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing an unnecessary load on your external service.
This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.
Using event hook filters significantly reduces the number of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.
Fixes
OKTA-566113
After changing the display language for an Okta org from English to another language, some text was still displayed in English.
OKTA-580684
In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.
OKTA-595053
Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.
OKTA-596360
Locked out users could still authenticate and sign in through Integrated Windows Authentication (IWA).
OKTA-596600
For apps with Group Push enabled, the tab displayed incorrect dates and times.
OKTA-597396
Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.
OKTA-599408
GMT timezones couldn't be selected correctly in the System Log.
OKTA-600867
The Yubikey Reports page wasn't properly translated.
OKTA-601875
After a user was deactivated, their remaining tasks resulted in errors.
OKTA-603305
On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.
OKTA-607249
Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- 360Learning: For configuration information, see OKTA: configuration guide.
- Forest Admin: For configuration information, see Forest Admin User Guide.
- Pigeonhole Live: For configuration information, see Configuring Provisioning for Pigeonhole Live.
- Recurly: For configuration information, see SCIM for Okta.
- Tines: For configuration information, see How to Configure SAML 2.0 for Tines for admins.
SAML for the following Okta Verified applications
- Demio: For configuration information, see How to Configure SAML 2.0 for Demio.
- Flagsmith: For configuration information, see Okta Configuration Guide.
- Sendoso (OKTA-543675)
OIDC for the following Okta Verified applications
- cmBuilder: For configuration information, see Okta Single Sign-On (SSO) - Configuration Guide.
- Vozzi: For configuration information, see Okta Integration Configuration Guide.
Weekly Updates
2023.05.1: Update 1 started deployment on May 22
Fixes
OKTA-588667
After creating accounts, some users weren't able to complete the sign-in process.
OKTA-596446
Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.
OKTA-597490
The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.
OKTA-597959
Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.
OKTA-601618
Email change confirmation notices came from an Okta test account rather than a brand-specific sender.
OKTA-603731
Macros in email subjects weren't processed correctly for some email templates.
OKTA-604404
Imports performed during UltiPro maintenance resulted in inconsistent data being returned.
OKTA-604914
When the redesigned resource editor feature was enabled, admins couldn't add individual applications to their resource sets.
OKTA-609336
Incorrect descriptions were displayed on the tab.
OKTA-609390
During Identity Engine self-service upgrades, admins could see false indications that the Sessions API was in use.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Apollo.io: For configuration information, see Configure SCIM User Provisioning in Okta for Your Apollo Account.
- CrashPlan: For configuration information, see How to provision users to CrashPlan from Okta.
SAML for the following Okta Verified applications
- Apollo.io: For configuration information, see Set Up Single Sign-On (SSO) with Okta for Your Apollo Account.
- COSgrid MicroZAccess: For configuration information, see How to Configure SAML 2.0 for COSGrid Networks for admins.
- Digital Pigeon: For configuration information, see Okta SSO Configuration (OIN Guide).
- Kallidus HR: For configuration information, see Kallidus Sapling - Okta Integration Guide.
- Reach Security: For configuration information, see SAML Onboarding (you need to sign in to view this documentation).
- Sauce Labs: For configuration information, see Configuring SSO in Okta.
OIDC for the following Okta Verified applications
- Cledara: For configuration information, see Integrate with Okta.
- DNSimple: For configuration information, see Okta as an Identity Provider.
2023.05.2: Update 2 started deployment on May 30
Fixes
OKTA-414791
LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.
OKTA-423781
The Privacy link on the Okta dashboard wasn't translated.
OKTA-585123
When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.
OKTA-591228
Admins with a custom role couldn't receive user reports of suspicious activity in email notifications.
OKTA-602635
Some text on the Administrator assignment by role page wasn't translated properly.
OKTA-602794
Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.
OKTA-604386
The Edit button disappeared from the panel.
OKTA-604825
When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.
OKTA-613226
Some of the new Okta branding changes weren't displayed in the Admin Console.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:
- Dagster Cloud: For configuration information, see Dagster Cloud Okta user provisioning guide with SCIM.
SAML for the following Okta Verified applications
- Amplified: For configuration information, see Okta SAML integration.
- Healthfeed: For configuration information, see Healthfeed Customer Configuration.
API service app for the following Okta Verified applications
- Kandji Device Trust: For configuration information, see Okta Device Trust.
- Sevco Security: For configuration information, see Configure the Sevco Security app in Okta.
OIDC for the following Okta Verified applications
- Amplified: For configuration information, see Okta OIDC SSO integration.
- Debricked OIDC SSO: For configuration information, see Set up Single Sign On (SSO) for Debricked.
- DNSimple: For configuration information, see Okta as an Identity Provider.
- Software Analytics: For configuration information, see Okta Setup.
- Zesty.io: For configuration information, see Okta SSO Configuration Guide.
2023.05.3: Update 3 started deployment on June 12
Fixes
OKTA-516583
The application logo wasn't displayed on the Groups page for some groups.
OKTA-566503
When no tokens were listed on the API Tokens page, the displayed message wasn't translated.
OKTA-572820
Deleting large numbers of IdP routing rules with API calls caused System Log discrepancies.
OKTA-577794
The destination in SAML responses sometimes didn't match the Assertion Consumer Service URL in signed authentication requests.
OKTA-583072
The System Log showed that an MFA reset notification email was sent when that notification option was disabled and no email was sent.
OKTA-597009
The Microsoft Team Exploratory licenses weren't imported correctly into Okta, which prevented users from provisioning the correct licenses.
OKTA-599540
HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.
OKTA-599994
The Honor Force Authentication SAML setting didn't work with Agentless Desktop Single Sign-on (ADSSO).
OKTA-602946
On password hash import, users couldn't change their passwords even after the minimum password age setting period.
OKTA-604985
Approvers received duplicate task approval requests when users requested an app from the End-User Dashboard.
OKTA-605016
In the Add Dynamic Zone dialog, the Bagmati region of Nepal was missing from the State/Region dropdown menu.
OKTA-607167
The search bar in the Groups tab on the user profile page didn't display the placeholder text correctly.
OKTA-610185
When the Conditions for Admin Access feature was enabled, restricted profile attributes were visible for imported users.
OKTA-611867
The Active User Statuses field didn't appear in some configurations.
OKTA-612177
Some users in China didn't receive one-time passwords through SMS.
OKTA-612312
Admins couldn't delete a custom email domain if it was used by multiple orgs.
OKTA-612615
On the Tasks page, the Edit Assignment button wasn't translated.
OKTA-612888
Sign-on policies didn't persist for the admin group.
OKTA-612972
When the redesigned resource editor feature was enabled, large sets of resources were displayed outside of the Add Resource dialog, and the tooltip didn't specify the resource limit.
OKTA-613226
Some of the Okta branding changes weren't displayed in the Admin Console.
OKTA-613979
The Microsoft Office 365 Sign On tab displayed incorrect information in the Metadata details section.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Cisco Webex Identity SCIM 2.0: For configuration information, see Okta users and groups provisioning integration with Cisco Webex Identity SCIM 2.0.
- Foxit Admin Console: For configuration information, see Automatically Provision Licenses for OKTA.
- Outgage: For configuration information, see Configure user provisioning with Okta.
SAML for the following Okta Verified applications
- BugBase: For configuration information, see SSO with SAML.
- Currents: For configuration information, see Setting up SAML2.0 SSO with Okta as an IdP - Cypress SSO.
- Experian Right to Work: For configuration information, see Experian Right To Work SSO App.
- Foxit Admin Console: For configuration information, see How to integrate Foxit Admin Console with Okta.
- Mimoto: For configuration information, see Setting up single sign-on (SSO).
- National Crime Check: For configuration information, see Enable SSO for Okta.
- Rapidr: For configuration information, see Integrate with an identity provider and sign in with SAML SSO.
- Raydiant Employee Experience: For configuration information, see How to Configure SAML 2.0 for Raydiant.
- Scytale: For configuration information, see Configure Okta SSO.
- SellerCrowd: For configuration information, see Configuring SSO using OKTA.
- Sitejabber: For configuration information, see SiteJabber Okta Guidelines (you need Sitejabber credentials to view this documentation).
- Stack Identity Cloud IAM Ops: For configuration information, see OKTA SSO Guide.
API service app for the following Okta Verified application
- SGNL: For configuration information, see Creating and Configuring an Okta System of Record.
OIDC for the following Okta Verified applications
- Digioh: For configuration information, see Digioh Okta Configuration Guide.
- Moveworks: For configuration information, see OKTA SSO Configuration Guide.
- RefNow: For configuration information, see Setup Okta SSO.
- Stomio for Managers: For configuration information, see Setup SSO with Okta.
- Uplifter: For configuration information, see Using Okta for Single Sign On (SSO).
June 2023
2023.06.0: Monthly Production release began deployment on June 20
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Okta Provisioning agent, version 2.0.15
This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.
Multibrand customizations
Multibrand customizations allow customers to use one org to manage multiple brands and multiple custom domains. This drastically simplifies multi-tenant architectures where customers create multiple orgs to satisfy branding requirements. Multibrand customizations allow orgs to create up to three custom domains (more upon request), which can be mapped to multiple sign-in pages, multiple sets of emails, error pages, and multiple versions of the End-User Dashboard. See Branding.
Smart Card IdP with Agentless DSSO
Okta can now be configured to allow users to use Agentless DSSO without being prompted when Smart Card IdP is configured.
Facebook at Work integration enhancement
Facebook at Work uses the Okta Expression Language to map the manager attribute. This allows admins to adjust how the manager attribute is stored in the user profile so they can choose between an id field or a name.
New System Log events for Workflows subfolders
The System Log now displays the following subfolder events for Okta Workflows:
- workflows.user.folder.create
- workflows.user.folder.rename
- workflows.user.folder.export
- workflows.user.folder.import
- workflows.user.table.schema.import
- workflows.user.table.schema.export
New event for hooks
The user.authentication.sso event is now eligible for use in event hooks.
Enhanced reports value selection
The following reports provide improved selectors for Users, Groups, and Apps in the filters configuration:
- Telephony Usage
- User App Access
- Group Membership
- User Accounts
- Past Access Requests
- Past Campaign Summary
- Past Campaign Details
Universal Directory attribute and enum limits
Universal Directory now has limits to the number of attributes per org and the number of enums that can be defined for a single attribute.
Early Access Features
This release doesn't have any Early Access features.
Fixes
- OKTA-588559: The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.
- OKTA-597490: Searches in the LDAP interface didn't return results for a deactivated user when the common name (cn) value was combined with other filters.
- OKTA-600091: The email change notification triggered from the Admin Dashboard sometimes displayed an Okta subdomain instead of the org's custom domain.
- OKTA-607434: Unhelpful error messages appeared when the NameIdPolicy was unspecified in SAML client requests that required signed requests.
- OKTA-611700: Timestamps weren't translated on the Tasks page.
- OKTA-611709: On the Administrators page, the Resource set, Role, and Admin icon labels weren't translated.
- OKTA-615404: When an admin searched for a group with more than 1000 members, the Top results tab displayed 1001 instead of 1000+.
- OKTA-616169: When the Assign admin roles to public client app feature was enabled, admins couldn't assign roles to groups.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration app is now Generally Available in the OIN:
- Folderit: For configuration information, see OKTA SCIM setup guide.
SAML for the following Okta Verified applications
- Bluesky: For configuration information, see SAML Onboarding for Okta.
- CITI Program: For configuration information, see Okta IdP Single Sign-On (SSO) Setup - Technical Specifications Guide.
- Folderit: For configuration information, see OKTA SAML setup guide.
- Wellworks For You 2.0: For configuration information, see How to Configure SAML 2.0 for Wellworks For You 2.0.
OIDC for the following Okta Verified application
- SPACE: For configuration information, see Okta sign in Configuration Guide.
Weekly Updates
2023.06.1: Update 1 started deployment on June 26
Generally Available
Sign-In Widget, version 7.7.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
- OKTA-549617: The Application Usage report didn't include SSO events for RADIUS-enabled apps.
- OKTA-551193: Some users encountered a server error during inbound SAML authentication.
- OKTA-570405: User activation email templates for Okta trial orgs didn't have a current legal disclaimer in the footer.
- OKTA-596780: When a user's OIDC IdP authentication factor enrollment failed, no System Log event was recorded.
- OKTA-599424: The first time they signed in to the Citrix app, some users couldn't enroll in required MFA factors.
- OKTA-605001: Admins could edit profile attributes that they didn't have permission to edit, which caused errors.
- OKTA-605968: Some orgs couldn't change the default email template variant for a custom brand.
- OKTA-607193: HealthInsight didn't include admins with custom roles when it evaluated the percentage of admins with super admin privileges.
- OKTA-610007: Customers that used the Zoom Identity Attestation feature without API Access Management enabled couldn't complete the sign-in flow.
- OKTA-614168: The YubiKey report incorrectly showed that a revoked key was last used instead of the current key.
- OKTA-618732: The SMS authentication factor couldn't always be set up for Australian phone numbers.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Dremio Cloud: For configuration information, see Configure SCIM Provisioning with Okta.
- Palo Alto Networks: For configuration information, see Configure SCIM Connector for the Cloud Identity Engine.
OIDC for the following Okta Verified applications
- Cabinet: For configuration information, see SSO Login via Okta and Cabinet.
- Dremio Cloud: For configuration information, see Configure Okta as an Identity Provider.
2023.06.2: Update 2 started deployment on July 10
Fixes
- OKTA-564847: Sign-out errors sometimes appeared as raw JSON text rather than triggering an Okta error page.
- OKTA-581464: The System Log didn't provide user information for an expired password during the Resource Owner Password grant type flow.
- OKTA-581496: Some apps that had provisioning enabled appeared on the Provisioning Capable Apps reports.
- OKTA-588414: Users who were removed from an Okta group using an API call were added back to the group because of the group rules.
- OKTA-588559: The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.
- OKTA-602343: The System Log didn't display client details for user_claim_evaluation_failure events if a token inline hook was enabled.
- OKTA-602566: Apps using a custom identity source displayed user and group assignments in the General tab.
- OKTA-604491: Users were sometimes unable to display authorization server access policies in the Admin Console.
- OKTA-613164: Some admins could access IdP configuration editing pages without sufficient permissions.
- OKTA-617952: When the Redesigned Resource Editor feature was enabled, super admins couldn't preview the resource set assignments for the access requests and access certifications admin roles.
- OKTA-619651: My Okta didn't load when the Enable Sync Account Information setting wasn't selected.
- OKTA-621542: For SAML IdP configurations, searches for a user group to assign to the app sometimes failed to stop.
- OKTA-627295: NetSuite couldn't be provisioned to new users.
Applications
Application Updates
The following SCIM integrations now support group push:
- Rootly
- Zerotek
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Astro: For configuration information, see Set up SCIM provisioning on Astro.
- ClickTime: For configuration information, see Okta SCIM Implementation Guide.
- Dovetail: For configuration information, see Setting up automated provisioning with Okta.
- Getty Images: For configuration information, see Okta SCIM Configuration Guide.
- Modernloop: For configuration information, see Okta Setup.
- Oktopost: For configuration information, see Configure Provisioning with Okta.
- RubiconMD: For configuration information, see Configure user provisioning with Okta.
- SellerCrowd: For configuration information, see Configure SCIM integration in Okta.
SAML for the following Okta Verified applications
- Astro: For configuration information, see Set up authentication and single sign-on for Astro.
- Getty Images: For configuration information, see Okta SAML 2.0 (SSO) Configuration Guide.
- Klnch People: For configuration information, see How to Configure SAML 2.0 for Klnch People Platform.
- PRN Solutions Portal: For configuration information, see SAML Setup with Okta.
- Skykit: For configuration information, see Okta SAML 2.0 Configuration Guide.
OIDC for the following Okta Verified applications
- Armorerlink: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Markit Procurement Service: For configuration information, see SSO Login via Okta to Markit.
- Simply Stakeholders: For configuration information, see Okta SSO.
- Taktile: For configuration information, see Okta configuration guide.
- Treno: For configuration information, see Configure SSO using Okta.
App Integration Fixes
The following SWA apps weren't working correctly and are now fixed:
- Bill.com (OKTA-617155)
- Chatwork (OKTA-612555)
- CrowdStrike Falcon (OKTA-606550)
- EmblemHealth (OKTA-616627)
- HelloSign (OKTA-606499)
- MYOB Essentials (OKTA-611408)
- NearMap.com (OKTA-619941)
The following SAML app wasn't working correctly and is now fixed:
- ManageEngine (OKTA-571050)
July 2023
2023.07.0: Monthly Production release began deployment on July 17
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.8.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.17.0
This version of the agent contains:
- Migration of the Windows installer from Internet Explorer to Edge
- The service OktaLDAPAgent stop command now correctly terminates agents installed on Red Hat and CentOS platforms
- Security enhancements
Self-Service Okta Identity Engine Upgrades eligibility extended
Okta is enabling self-service Okta Identity Engine upgrade functionality to orgs that require configuration changes. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility, and the self-service upgrade widget is displayed on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine. This feature will be gradually made available to all orgs. Note that only Super Admins can view and manage the self-service upgrade widget.
System Log time zone formats updated
In the System Log, the time zone dropdown menu now provides additional information about each available time zone. See System Log.
App Password Health report uses browser time zone
On the App Password Health report, last-reset request dates and times are now based on the browser's time zone settings. See App Password Health report.
Okta-generated client secret length increase
The length of Okta-generated client secrets is increased from 40 to 64 characters.
Updated Okta logo
A branding update to the Okta groups logo is now available in the Admin Console.
Early Access Features
Admin Console Japanese translation
When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.
Fixes
- OKTA-414975: Application sign-on policies for deleted apps prevented admins from disabling the last MFA factor in their org.
- OKTA-602939: The Admin role assignments report email wasn't translated.
- OKTA-615453: Some text strings were incorrect on the End-User Dashboard layout page.
Applications
Application Updates
- The Rybbon app integration has been rebranded as BHN Rewards.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN:
- Apono: For configuration information, see Okta SCIM.
SAML for the following Okta Verified applications
- CodeREADr: For configuration information, see Supported Features.
- Datto File Protection: For configuration information, see Single sign-on integration for Okta.
- Emeritus: For configuration information, see Supported Features.
- HackNotice: For configuration information, see Okta SAML Integration (Coming Soon).
- Whosoff: For configuration information, see How to setup Okta SSO.
App Integration Fixes
The following SWA app was not working correctly and is now fixed:
- BlueHost (OKTA-620224)
Weekly Updates
2023.07.1: Update 1 started deployment on August 1
Fixes
- OKTA-599540: HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.
- OKTA-605041: An unclear error message appeared when an admin created a role or resource set with a long name.
- OKTA-611304: In a Device Authorization flow, some text strings on the verification page weren't translated.
- OKTA-612727: The Admin Dashboard Tasks table displayed an incorrect number of provisioning-capable apps.
- OKTA-612875: After managerId was removed from the Salesforce schema in Okta, it couldn't be added again.
- OKTA-613076: In the Sign On tab of Office 365, the Okta MFA from Azure AD option appeared disabled. When the option was switched to edit mode, it was enabled.
- OKTA-613394: Users couldn't sign in with a PIV in an Org2Org flow.
- OKTA-615441: Some users couldn't sign in with Agentless Desktop Single Sign-on because routing rules were re-evaluated during the sign-on process.
- OKTA-615457: The Edit resources to a standard role page didn't display apps that had the same name.
- OKTA-615728: Some admins couldn't access the OIE Upgrade Hub.
- OKTA-617528: The auto-update schedules for the Active Directory and LDAP agents were incorrectly shown as up-to-date, even when a new version was released.
- OKTA-617817: Admins were sometimes unable to access the Admin Console from a custom domain.
- OKTA-620153: ACS URL validation failed for orgs that used SAML SSO with Okta-to-Okta IdP configurations and had subdomain names that weren't all lowercase characters.
- OKTA-621284: Admins with the Manage users permission couldn't create users with WS-Federation IdPs.
- OKTA-622541: In the Self-Service Unlock when Account is not Locked email template, the base URL variable wasn't replaced with the Okta tenant URL.
- OKTA-626022: Some Active Directory agents that had previously failed to auto-update were incorrectly marked as Queued for update, despite being updated to the latest version.
- OKTA-627415: On the Features page, the link to access the LDAP Agent Auto-update documentation was broken.
- OKTA-628522: RADIUS agent libraries contained internal security issues. Fixes require upgrading to agent version 2.19.0 and using Microsoft Edge as the browser.
Applications
Application Update
- The OpenPath app integration has been rebranded as Avigilon Alta.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Axiad Cloud: For configuration information, see Enable SCIM Provisioning in Okta.
- Blameless: For configuration information, see Configuring Provisioning for Blameless.
- Diffchecker: For configuration information, see Integrating Diffchecker with Okta.
- Navan: For configuration information, see How do I set up Okta SCIM.
SAML for the following Okta Verified applications
- Axiad Cloud: For configuration information, see Add Axiad Cloud Integration and Configure SAML.
- Diffchecker: For configuration information, see Integrating Diffchecker with Okta.
- FactSet: For configuration information, see Okta: Adding FactSet Integration.
- flex: For configuration information, see Okta SAML.
- redirect.pizza: For configuration information, see SSO via Okta.
- RubiconMD: For configuration information, see How to Configure SAML 2.0 for RubiconMD.
- Skippr for Organizations: For configuration information, see Skippr for Organizations with SAML 2.0.
- Tamnoon: For configuration information, see Tamnoon SAML 2.0.
- The People Experience Hub: For configuration information, see Single Sign-on for Okta.
OIDC for the following Okta Verified applications
- Agendalink: For configuration information, see How to configure Okta SSO.
- Anywell: For configuration information, see Configuration Guide.
- Batis: For configuration information, see Okta integration Howto.
- CareerArc: For configuration information, see SSO Login via Okta.
- Convrs: For configuration information, see Okta OIDC.
- CultureScience: For configuration information, see Logging in with SSO through Okta.
- Dovetail: For configuration information, see Configure Okta.
- Gatsby: For configuration information, see Okta Customer Configuration Instructions.
- Intelo.AI: For configuration information, see Okta Integration with Intelo.
2023.07.2: Update 2 started deployment on August 7
Generally Available
Sign-In Widget, version 7.8.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
- OKTA-604448: Some text on the Groups page wasn't translated.
- OKTA-620583: On the Add Resource dialog, the list of search results was misaligned.
- OKTA-620873: Admins couldn't upload PEM-formatted certificates containing encrypted private keys for RADIUS apps.
- OKTA-622783: The initial expiresIn date for the Salesforce authentication token wasn't set from the API.
- OKTA-626593: Admins couldn't access the Create new resource set page directly from a URL.
- OKTA-631303: Admins couldn't access the Administrator assignment by role page. This occurred when a public client app with a custom client ID was assigned a standard admin role.
Applications
New Integrations
SAML for the following Okta Verified applications:
- Descope: For configuration information, see Setup Okta Integration Application.
- Valence: For configuration information, see SSO With Okta.
OIDC for the following Okta Verified applications:
- iyarn: For configuration information, see Logging in with Single Sign-On (SSO) through Okta.
- Syndeca: For configuration information, see Okta Single Sign On (SSO) Instructions.
App Integration Fixes
The following SWA apps were not working correctly and are now fixed:
- E-OSCAR (OKTA-624390)
- UPS (OKTA-625886)
- UPS CampusShip (OKTA-624286)
August 2023
2023.08.0: Monthly Production release began deployment on August 14
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Okta AD agent, version 3.16.0
When the executor.log and coordinator.log files exceed 5 MB in size, the contents roll over into executor.log.old and coordinator.log.old files.
Okta Active Directory Federation Services Plugin, version 1.7.13
Version 1.7.13 of the Okta Active Directory Federation Services (ADFS) Plugin is now available for download. It includes support for Microsoft Windows Server 2022 and includes bug fixes and security hardening. See Okta ADFS Plugin version history.
Integrate with any identity source
To get Okta's full HR-driven provisioning and LCM functionality for an HR integration, customers previously had to use one of five pre-integrated HR systems or build complex custom code with the Okta Users API to replicate some of Okta's LCM functionality for other identity sources.
With Anything-as-a-Source (XaaS), customers now have the flexibility to connect any identity source to Okta and realize the full benefits of HR-driven provisioning with a simpler solution. See Anything-as-a-Source.
Self-service upgrades to Identity Engine
Admins can now reschedule their self-service upgrades for as soon as two hours or up to 30 days in the future. See Upgrade to Okta Identity Engine.
Getting Started video for new orgs
The Getting Started page now displays an introductory video. The video provides a quick overview of the common tasks and functions for new orgs, and helps admins familiarize themselves with the Admin Console. See Get started with Okta.
API service integration client secret rotation in the Admin Console
New in this release is the ability to rotate client secrets for an API service integration through the Admin Console. Previously, if a customer wanted to update the client secret for an API service integration, they had to reinstall the integration to obtain a new client ID and secret. There was no option to revoke the client secret while maintaining the client ID and API service integration instance in Okta. With this new feature, customers can generate a new secret, deactivate an old secret, and remove a deactivated secret from the API service integration instance. These functionalities help customers implement security best practices without service downtime. See API Service Integrations.
New event types for User Auth Events
Two additional event types are now available under User Auth Events:
- User's session was cleared
- User's MFA factor was updated
New application lifecycle event hook
An event hook to deny user access due to a condition in an app sign-on policy is now available to admins. See Create an event hook.
Polling enhancements for Agentless DSSO
When the server is in SAFE_MODE, Agentless DSSO polling signs in a user if they are in ACTIVE state in Okta.
Early Access Features
Early Access features from this release are now Generally Available.
Fixes
- OKTA-575884: The Okta Active Directory Federation Services (ADFS) Plugin wrote errors to the plugin log when users attempted to sign in.
- OKTA-595086: The display of the authorization server Access Policies page froze with large numbers of policies.
- OKTA-610347: Some orgs couldn't add more than 50 global session policies.
- OKTA-617816: After orgs upgraded to Identity Engine, the application name in OV Push disappeared.
- OKTA-626699: On the Administrator assignment by admin page, the Role dropdown list sometimes displayed duplicate admin roles.
- OKTA-631752: Adding some IdPs as Factor only caused errors.
Applications
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN:
- LeaseHawk: For configuration information, see Okta User Provisioning Integration with SCIM.
SAML for the following Okta Verified applications
- Apache Kafta: For configuration information, see Configure SAML SSO for Confluent Cloud with Okta Identity Provider.
- CloudSaver - Tag Manager: For configuration information, see How to Configure SAML 2.0 for CloudSaver Tag Manager for Admins.
- Current: For configuration information, see Current's Okta Integration.
- Jasper AI: For configuration information, see Configuring Jasper Single Sign-On (SSO).
- Kolide: For configuration information, see How to configure SAML for Kolide.
- Reasons for Access: For configuration information, see Configuring Reasons for Access with Okta.
- Teamspective: For configuration information, see Okta SAML Single Sign-On (SSO) for Teamspective.
OIDC for the following Okta Verified applications
- AlphaSOC Console: For configuration information, see Okta SSO Integration.
- Everlaw: For configuration information, see Organization Admin: Single Sign-On.
- Flike: For configuration information, see Okta SSO Configuration Guide.
- LeaseHawk: For configuration information, see How to Configure OIDC for LeaseHawk with Okta.
- Valos: For configuration information, see Logging in with Okta Single Sign-On (SSO).
- Yooz: For configuration information, see How to configure OIDC for Yooz.
- Zello: For configuration information, see Okta SSO Configuration Guidelines.
Weekly Updates
2023.08.1: Update 1 started deployment on August 22
Fixes
- OKTA-619028: Read-only admins received user reports of suspicious activity email notifications in error.
- OKTA-632131: OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.
- OKTA-632850: Slack provisioning didn't automatically retry after exceeding rate limits.
- OKTA-633585: The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.
- OKTA-634923: Users weren't present in the import queue after being unassigned from an app.
- OKTA-635579: When a super admin went to the tab, the Edit group assignments button was mislabeled.
- OKTA-636652: The Administrators page wasn't translated to Japanese.
Applications
Application Update
- Group push and group import are now available for the Smartsheet SCIM integration.
New Integrations
New SCIM Integration applications
The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:
- Skippr for Organizations: For configuration information, see Skippr for Organizations with SCIM 2.0.
SAML for the following Okta Verified applications:
- 9Line: For configuration information, see Okta SAML SSO Configuration.
- Blameless: For configuration information, see How to Configure SAML 2.0 for Blameless for admins.
- Fathom: For configuration information, see SAML 2.0 Configuration Guide.
- Y42: For configuration information, see Okta.
OIDC for the following Okta Verified applications:
- rule5: For configuration information, see rule5 Okta Configuration Guide.
- QuotaPath: For configuration information, see Okta SSO.
- Rupert: For configuration information, see Rupert Okta SSO Configuration.
2023.08.2: Update 2 started deployment on August 28
Fixes
- OKTA-601623: When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.
- OKTA-621253: Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.
- OKTA-627175: Some tasks displayed a greater-than sign (>) instead of the date.
- OKTA-630368: RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.
- OKTA-634010: Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.
- OKTA-639427: When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.
Applications
New API Service Integration applications:
- Sysdig: For configuration information, see Okta Integration.
OIDC for the following Okta Verified applications:
- AskFora: For configuration information, see AskFora Okta Configuration Guide.
2023.08.3: Update 3 started deployment on September 5
Fixes
- OKTA-620655: When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.
- OKTA-641043: Admins could select values from disabled dropdown menus.
Applications
Okta Verified applications:
- Accend: For configuration information, see How do I enable OpenID Connect (OIDC) SSO with Accend?.
- WASP: For configuration information, see SSO Login to WASP via Okta.
September 2023
2023.09.0: Monthly Production release began deployment on September 18
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.10.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 1.16.0
This release includes:
- Migration of the Windows installer from Internet Explorer to Edge.
- Security enhancements.
- Internal updates.
Okta LDAP agent, version 5.18.0
This version of the agent contains security enhancements.
Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.
Okta MFA Credential Provider for Windows, version 1.3.9
This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.
Authentication challenge for redirects
Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.
Custom Identity Source app available
The Custom Identity Source app is now available in Okta Integration Network.
Count summary added to report
The User accounts report now displays the total number of records returned for the report.
Product Offers dashboard widget
A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.
Automatically assign the super admin role to an app
Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.
Okta apps and plugin no longer available to certain users
Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.
Early Access Features
This release doesn't have any Early Access features.
Fixes
- OKTA-570804: The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.
- OKTA-574216: Reconciling group memberships sometimes failed for large groups.
- OKTA-578184: The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.
- OKTA-592745: Full and incremental imports of Workday users took longer than expected.
- OKTA-605996: A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.
- OKTA-616604: The password requirements list on the Sign-In Widget contained a grammatical error.
- OKTA-616905: Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.
- OKTA-619102: Invalid text sometimes appeared in attribute names.
- OKTA-619179: A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).
- OKTA-619419: Group admins could see their org's app sign-in data.
- OKTA-624387: Sometimes attempting to change an app's username failed due to a timeout.
- OKTA-627559: Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.
- OKTA-628944: Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.
- OKTA-629774: Some user import jobs failed to restart after interruption.
- OKTA-631621: Read-only admins couldn't review the details of IdP configurations.
- OKTA-633431: When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.
- OKTA-634308: Group app assignment ordering for Office 365 apps couldn't be changed.
- OKTA-637259: An error occurred when importing users from Solarwinds Service Desk.
- OKTA-641062: The link to Slack configuration documentation was invalid.
- OKTA-641447: Super admins couldn't save new custom admin roles.
- OKTA-648092: New admins didn't get the Support app in their End-User Dashboard.
Okta Integration Network
App updates
- The CoRise app integration has been rebranded as Uplimit.
New Okta Verified app integrations
- Armis (SCIM)
- Astrix Security (OIDC)
- CloudEagle (API service)
- Darwinbox (SAML)
- DataOne (OIDC)
- Edgility (OIDC)
- Elba SSO (OIDC)
- Experience.com (OIDC)
- GraphOS Studio (SAML)
- HealthKey (OIDC)
- Huntress Security Awareness Training (API service)
- Lifebalance Program (OIDC)
- Mapiq (OIDC)
- Mapiq (SAML)
- OpenComp (OIDC)
- OpsHelm (OIDC)
- OpsHelm (SCIM)
- PlanYear (SAML)
- Spyglass (OIDC)
- Tuvis (SAML)
App integration fixes
- American Express Online (OKTA-637925)
- hoovers_level3 (OKTA-637274)
- MSCI ESG Manager (OKTA-637624)
- PartnerXchange (OKTA-632251)
- Staples Advantage (OKTA-639141)
Weekly Updates
2023.09.1: Update 1 started deployment on September 25
Generally Available
Sign-In Widget, version 7.10.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Content security policy enforcement extended for custom domains
Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.
Enhanced Okta LDAP integrations with Universal Directory
Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.
Fixes
- OKTA-595549: IdP users were redirected to an unbranded sign-in page after SSO failure.
- OKTA-614488: Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.
- OKTA-619163: When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.
- OKTA-627660: Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.
- OKTA-628227: Some SAML-linked accounts in DocuSign couldn't use SWA.
- OKTA-629263: Email change confirmation notices came from an Okta test account rather than a brand-specific sender.
- OKTA-637801: Admins without permission to manage apps saw an Edit button for the app's VPN Notification settings.
- OKTA-638911: The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.
- OKTA-639465: The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.
- OKTA-647842: Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.
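The unquoted-path condition fixed in OKTA-639465 can be audited on any Windows host. The following Python check is an added example, not Okta code: it flags service ImagePath values whose executable path contains spaces but isn't quoted, and returns the quoted form to set instead. The service names and paths are constructed samples, not the agent's real ones.

```python
import re

# Constructed sample data: (service name, ImagePath) pairs in the form stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. These are not real Okta paths.
SAMPLE_SERVICES = [
    ("ExampleAgentUpdate", r"C:\Program Files\Example Vendor\Agent\update.exe --service"),
    ("ExampleAgent", r'"C:\Program Files\Example Vendor\Agent\agent.exe" --run'),
    ("ExampleTool", r"C:\Tools\tool.exe -k"),
    ("ExampleHost", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# End of the executable in an unquoted command line: the first recognised
# extension that is followed by whitespace or the end of the string.
_EXE_SUFFIX = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Split an ImagePath value into (executable, arguments)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:                      # opening quote never closed
            return p[1:], ""
        return p[1:end], p[end + 1:].strip()
    match = _EXE_SUFFIX.search(p)
    if match:
        return p[:match.end()], p[match.end():].strip()
    # No recognisable extension: treat the first token as the executable.
    head, _, tail = p.partition(" ")
    return head, tail.strip()


def is_unquoted_with_spaces(image_path):
    """True when the executable path contains a space and is not quoted."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    executable, _ = split_image_path(p)
    return " " in executable


def quoted_form(image_path):
    """Return the ImagePath with the executable wrapped in double quotes."""
    executable, args = split_image_path(image_path)
    return f'"{executable}"' + (f" {args}" if args else "")


def audit(services):
    """Return (name, current ImagePath, corrected ImagePath) for each finding."""
    return [(name, path, quoted_form(path))
            for name, path in services
            if is_unquoted_with_spaces(path)]


if __name__ == "__main__":
    for name, current, fixed in audit(SAMPLE_SERVICES):
        print(f"{name}\n  current: {current}\n  fixed:   {fixed}")
```

On a real host, feed `audit()` the name and ImagePath of every installed service. Upgrading to a release that contains the vendor's fix remains the remediation for the agent itself.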
Okta Integration Network
App updates
- The Amazon Business SAML app now has a configurable SAML issuer.
- The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
- Application profile and mapping has been updated for the Jostle SCIM app.
- The mobile.dev SAML app has been rebranded as Maestro Cloud.
New Okta Verified app integrations
- Base-B (SAML)
- Base-B (SCIM)
- Comprehensive (OIDC)
- Palo Alto Networks Cloud Identity Engine (API service)
- Palo Alto Networks Cloud Identity Engine (Application-enabled) (API service)
- Rezonate Security (API service)
- supervisor.com (OIDC)
- WorkSchedule.Net (OIDC)
App integration fixes
- American Express Online by Concur (OKTA-642832)
2023.09.2: Update 2 started deployment on October 9
Fixes
- OKTA-619723: When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn't access the .
- OKTA-623635: Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.
- OKTA-627862: Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.
- OKTA-633507: The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.
- OKTA-641112: System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.
- OKTA-643155: If an org had configured Duo Security as an MFA factor and also a custom IdP factor named Duo Security, then the org couldn't be upgraded to Identity Engine.
- OKTA-643204: Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.
- OKTA-643499: Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.
Okta Integration Network
App updates
- The Experience.com OIDC app now has additional redirect URIs.
- The Planview Admin SAML app now has the Audience ID variable.
New Okta Verified app integrations
- Clumio (SCIM)
- Elba (API service)
- innDex (OIDC)
- Sloneek (OIDC)
- Zonka Feedback (SAML)
App integration fixes
- Bloomberg (SWA) (OKTA-642380)
- BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
- Citi Velocity (SWA) (OKTA-637196)
- SAP Concur Solutions (SWA) (OKTA-643965)
October 2023
2023.10.0: Monthly Production release began deployment on October 16
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.11.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
SharePoint People Picker, version 2.4.0.0
SharePoint People Picker 2.4.0.0 is now available for download. See Configure Okta SharePoint People Picker agent.
Custom email domain
You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.
OpenLDAP support for Auxiliary Object classes
You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.
New custom admin role permission
Super admins can now assign View delegated flow permission to their custom admin roles. See Role permissions.
Additional resource and entitlements reports
Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:
- Group Membership report: Lists individual members of a group and how membership was granted.
- User App Access report: Lists which users can access an application and how access was granted.
- User accounts report: Lists users with accounts in Okta and their profile information.
Sign-in requirements for new devices
Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.
IdP lifecycle event hooks
IdP lifecycle events are now eligible for use as event hooks. See Event Types.
Early Access Features
Workday writeback enhancement
When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.
- OKTA-398711: Text on the Administrator assignment by admin page was misaligned.
- OKTA-575513: Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.
- OKTA-619175: UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.
- OKTA-619223: Content was displayed incorrectly on the Change User Type page.
- OKTA-620144: For some users, logos for imported app groups didn't appear in the Admin Console.
- OKTA-620771: When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.
- OKTA-621526: The MFA Usage Report didn't display the correct PIV/Smart Card label.
- OKTA-636864: Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.
- OKTA-639089: When a user was moved from one AD domain to another, their original group app assignments were retained.
- OKTA-642630: Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.
- OKTA-643148: The Tasks page didn't indicate when each task was assigned.
- OKTA-643598: The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.
- OKTA-649240: Super admins couldn't edit the scoped resources that were assigned to an Application admin.
- OKTA-650511: Inconsistent AD agent version formatting appeared on the Agent Monitor page during on-demand auto updates.
- OKTA-653189: Admins couldn't reschedule their org's Identity Engine upgrade to 30 days from the current date.
- OKTA-654506: The writeback enhancement failed to push profile information to Workday when a user's profile was empty.
- OKTA-655148: The SAMLResponse field in the HTML response couldn't be retrieved for some clients.
Okta Integration Network
New Okta Verified app integrations
- Datawiza Access Management Platform for PeopleSoft (OIDC)
- Nooks (OIDC)
App integration fixes
- 1Password Business (SWA) (OKTA-646676)
- Canva (SWA) (OKTA-642049)
- concur-solutions (SWA) (OKTA-649651)
- Dice (SWA) (OKTA-645005)
- mySE: My Schneider Electric (SWA) (OKTA-644927)
- PagerDuty (SWA) (OKTA-643598)
Weekly Updates
2023.10.1: Update 1 started deployment on October 23
Generally Available
Sign-In Widget, version 7.11.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Admin sessions bound to Autonomous System Number (ASN)
When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.
Fixes
- OKTA-632174: The Edit User Assignment page showed roles that had already been removed by an admin.
- OKTA-636990: If an admin attempted to cancel or retry the enrollment of the WebAuth authenticator on behalf of a user, the page closed.
- OKTA-638649: Field validation didn't work for Trusted Origins URLs.
- OKTA-642760: Double-clicking the Save button on an app sign-on policy rule caused duplicate migrations when orgs upgraded to Identity Engine.
- OKTA-644143: Users who were added to a group through group assignments were displayed as manually assigned.
- OKTA-648338: The Zendesk app integration made API requests using the GET command instead of the POST command.
- OKTA-653489: Admins couldn't add custom default Salesforce attributes that had been deleted from the Profile Editor.
- OKTA-655852: The Okta sign-in flow returned an error for certain URLs.
Okta Integration Network
App updates
- The Extracker app integration has been rebranded as Clearstory.
- The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
- The Mapiq app integration has a new logo.
- The People Experience Hub app integration no longer has an Encryption Certificate field.
- The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
- The Tableau Online app integration has been rebranded as Tableau Cloud. The app has a new application profile, custom patch batch size, and website.
New Okta Verified app integrations
- Badge (OIDC)
- Badge (SAML)
- Cisco Webex Identity SCIM 2.09 (SAML)
- Datawiza Access Management Platform for E-Business Suite (EBS) (OIDC)
- Datawiza Access Management Platform for JD Edwards (JDE) (OIDC)
- Deel HR (SCIM)
- dscout (SAML)
- Fletch (SAML)
- Incode Omni (OIDC)
- Q for Sales (OIDC)
- SpiderSense (SAML)
- Voicenter (OIDC)
App integration fixes
- Tableau Cloud (SCIM) (OKTA-625933)
2023.10.2: Update 2 started deployment on November 6
Generally Available
Sign-In Widget, version 7.11.3
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
- OKTA-457923: The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.
- OKTA-559609: Email notifications for report downloads sometimes didn't refer to the report name correctly.
- OKTA-568355: When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.
- OKTA-578997: Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.
- OKTA-586764: On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.
- OKTA-597530: Admins couldn't delete authorization server clients on the Access Policies page.
- OKTA-599823: An answer to a security question could include parts of the question.
- OKTA-612507: Some errors weren't translated.
- OKTA-626459: When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.
- OKTA-627678: An error occurred when the postLogoutRedirectUris value in an OpenID Connect app was more than 65,535 characters.
- OKTA-639311: When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.
- OKTA-643533: The Default application for the Sign-In Widget setting was visible to orgs that hadn't enabled the feature.
- OKTA-647442: Sometimes, a search request would fail if it included a recently created user.
- OKTA-651722: Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.
- OKTA-653019: Base attributes of new Slack integrations weren't visible.
- OKTA-654857: Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.
- OKTA-658729: Admins sometimes couldn't reschedule their upgrade to Identity Engine if they had already rescheduled it to more than 30 days into the future.
Okta Integration Network
App updates
- The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
- The Fullview app integration has a new direct URI and a new initiate login URI.
- The YesWeHack app integration has a new icon.
New Okta Verified app integrations
- Authentic Web (SAML)
- Extic (SAML)
- GoSearch (SAML)
- Kizen (SAML)
- Kno2fy (SAML)
- LeanIX (API service)
- Proofpoint Security Awareness Training (SCIM)
- Summize (OIDC)
- Swayable (SAML)
- Trint (SAML)
- Trint (SCIM)
- ZAMP (OIDC)
App integration fixes
- Adobe (SWA) (OKTA-647811)
- Algolia (SWA) (OKTA-654566)
- American Express (Business) (SWA) (OKTA-649753)
- Application Bank of America CashPro (SWA) (OKTA-648836)
- i-Ready (SWA) (OKTA-644769)
- IMDB Pro (SWA) (OKTA-653918)
- MIT Technology Review (SWA) (OKTA-656622)
- SuccessFactors (SWA) (OKTA-568355)
- Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
- Twilio (SWA) (OKTA-655486)
November 2023
2023.11.0: Monthly Production release began deployment on November 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.12.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.
Lockout Prevention
This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they've used before aren't locked out when unknown devices cause lockouts.
FIPS compliance for iOS or Android devices
Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.
Self-Service Okta Identity Engine Upgrades for all orgs
The self-service upgrade widget now appears on the Admin Dashboard for all Classic Engine orgs. The widget allows super admins to schedule their upgrade to Identity Engine. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine.
Custom email domain updates
The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.
Improved LDAP provisioning settings error message
During validation of LDAP provisioning settings, an incorrect syntax results in an error message. An LDAP search query isn't sent if there is an incorrect syntax.
Additional data to support debugging user authentication
When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.
Modified System Log event for Autonomous System Number (ASN) changes
When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.
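Because the event type changed between releases, a search that spans the change has to match both names. The following Python triage is an added example, not Okta code. It assumes exported System Log events where the roaming event carries the same `authenticationContext.externalSessionId` as the sign-in and the newly observed ASN in `securityContext.asNumber`; all events, users and ASNs below are constructed.

```python
NEW_TYPE = "security.session.detect_client_roaming"  # named in the 2023.11.0 notes
OLD_TYPE = "user.session.context.change"             # logged before that change
SESSION_START = "user.session.start"

# Constructed sample events. ASNs come from the documentation range 64496-64511.
# Assumption: roaming events share the session ID of the sign-in they belong to.
def _ev(published, event_type, admin, session, asn):
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": admin},
            "authenticationContext": {"externalSessionId": session},
            "securityContext": {"asNumber": asn}}

SAMPLE_EVENTS = [
    _ev("2023-11-14T09:00:00.000Z", SESSION_START, "admin1@example.com", "sess-A", 64500),
    _ev("2023-11-14T09:20:00.000Z", NEW_TYPE, "admin1@example.com", "sess-A", 64511),
    _ev("2023-10-30T08:00:00.000Z", SESSION_START, "admin2@example.com", "sess-B", 64501),
    _ev("2023-10-30T08:15:00.000Z", OLD_TYPE, "admin2@example.com", "sess-B", 64501),
    _ev("2023-10-30T08:40:00.000Z", OLD_TYPE, "admin2@example.com", "sess-B", 64502),
    _ev("2023-11-14T09:30:00.000Z", SESSION_START, "admin1@example.com", "sess-C", 64500),
    _ev("2023-11-14T10:05:00.000Z", NEW_TYPE, "admin1@example.com", "sess-C", 64510),
    _ev("2023-11-14T11:00:00.000Z", SESSION_START, "admin3@example.com", "sess-D", 64503),
]


def _field(event, section, key):
    """Read event[section][key], tolerating missing or null sections."""
    return (event.get(section) or {}).get(key)


def roaming_findings(events):
    """Pair each ASN-change sign-out with the ASN recorded at sign-in."""
    signin_asn = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        event_type = ev.get("eventType")
        session = _field(ev, "authenticationContext", "externalSessionId")
        asn = _field(ev, "securityContext", "asNumber")
        if event_type == SESSION_START:
            if session:
                signin_asn[session] = asn
            continue
        if event_type not in (NEW_TYPE, OLD_TYPE):
            continue
        start_asn = signin_asn.get(session)
        # The older event name does not say which part of the context changed,
        # so keep it only when the ASN provably differs from the sign-in ASN.
        if event_type == OLD_TYPE and (
                start_asn is None or asn is None or start_asn == asn):
            continue
        findings.append({
            "time": ev["published"],
            "admin": _field(ev, "actor", "alternateId"),
            "session": session,
            "signin_asn": start_asn,
            "new_asn": asn,
            "event_type": event_type,
        })
    return findings


def repeat_roamers(findings, threshold=2):
    """Admins signed out for an ASN change at least `threshold` times."""
    counts = {}
    for finding in findings:
        counts[finding["admin"]] = counts.get(finding["admin"], 0) + 1
    return sorted(admin for admin, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    results = roaming_findings(SAMPLE_EVENTS)
    for f in results:
        print(f'{f["time"]} {f["admin"]} {f["session"]}: '
              f'AS{f["signin_asn"]} -> AS{f["new_asn"]} ({f["event_type"]})')
    print("repeat:", repeat_roamers(results))
```

A single finding is often a VPN or mobile network switch. Repeated findings for one admin, or a new ASN the org has never seen, are the cases worth reviewing.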
OIN Manager notice
The integration estimated-verification-time notice has been updated in the OIN Manager.
Early Access Features
New app settings permissions for custom admin roles
Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.
- OKTA-538785: Sometimes users encountered an error when the Self-Service Registration flow made a request to the /tokens endpoint.
- OKTA-566962: Some text strings on the Okta Sign-on Policy page weren't translated.
- OKTA-633313: A user with a custom admin role couldn't create federated users due to misplaced permissions.
- OKTA-633789: When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.
- OKTA-649095: Some AD-sourced users received prompts to reset their password even when the AD password policy restricted password changes.
- OKTA-649810: The Add Resource dialog box sometimes displayed duplicate group names.
- OKTA-653756: When many apps were added to routing rules through the API, system performance was degraded.
- OKTA-653873: In some orgs, on-premises imports performed using the Okta Provisioning Agent ignored safeguard thresholds.
- OKTA-664830: Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.
- OKTA-666396: When the display language was set to Japanese, the Okta Sign-on Policy page displayed a translation error instead of the Everyone group name.
Okta Integration Network
App updates
- The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
- The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.
New Okta Verified app integrations
- AIRRECT Cloud (OIDC)
- DemoHop (OIDC)
- Salto (SAML)
- Serenity Connect (SAML)
- Zluri (SAML)
Weekly Updates
2023.11.1: Update 1 started deployment on December 4
Generally Available
Sign-In Widget, version 7.12.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Fixes
- OKTA-627327: Admins couldn't upgrade to Identity Engine if the Embedded Application SSO Step-Up Authentication API feature was enabled.
- OKTA-649293: Users couldn't be assigned to Box using the Assign Box to People page.
- OKTA-649788: A tooltip was truncated on the API Tokens page.
- OKTA-651979: Some custom scopes weren't listed in the search box used for adding scopes to OIDC access policy rules.
- OKTA-657130: When admin translations were enabled, some users saw an error when they tried to access an app.
- OKTA-657143: The password expiration prompt wasn't shown to users signing in with the OIDC flow.
- OKTA-658969: Attributes defined in Okta for ServiceNow failed to sync by default.
- OKTA-661982: When an import failed for a user, unique attributes for that user were sometimes retained in Okta.
- OKTA-662487: The Session Management labels on the Global Session Policy rule page were confusing.
- OKTA-663777: In the Add Resource dialog box, admins couldn't search for apps with special characters.
- OKTA-666323: When an admin added a SAML app to an existing resource set, users who were assigned the resource set couldn't access the app.
- OKTA-667106: Sign-In Widget version 7.12.1 didn't work with Internet Explorer version 11 if the org had passwordless authentication enabled.
Okta Integration Network
New Okta Verified app integrations
- Anzenna (API service)
- businesscards.io (SAML)
- Command Zero (API service)
- Contentstack (SAML)
- CurationHealth (OIDC)
- Datadog (SCIM)
- Datawiza Access Management Platform for Outlook Web Access (OWA) (OIDC)
- Fareharbor (SAML)
- Gem (API service)
- hireEZ (SCIM)
- Justt.ai (OIDC)
- LexPlay (OIDC)
- mula (OIDC)
- Netradyne Driveri (OIDC)
- Opensurvey Dataspace (OIDC)
- Ramp (SCIM)
- Splashtop Secure Workspace (OIDC)
- Splashtop Secure Workspace (SAML)
- Splashtop Secure Workspace (SCIM)
- Standard Metrics (OIDC)
- SVMMARY (SAML)
- XSpecs (SAML)
- Zenlytic (OIDC)
December 2023
2023.12.0: Monthly Production release began deployment on December 11
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.13.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.19.0
This version of the agent contains:
- Security enhancements.
- Configurable fipsMode setting. Users can now enable or disable FIPS-supported encryption algorithms.
Note: To revert to an older version of the agent, Linux agent users must uninstall version 5.19.0 and then reinstall the older version. See Okta LDAP Agent version history.
Okta MFA Credential Provider for Windows, version 1.4.0
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.
MFA enrollment by user report
Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.
Demonstrating Proof-of-Possession
OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is a security feature that adds an extra layer of protection to OAuth 2.0 access tokens. It enables the client to demonstrate that it possesses a particular key or secret associated with the access token. OAuth 2.0 DPoP can help prevent certain attacks, such as token theft or token replay attacks, where an attacker intercepts a legitimate access token and uses it to gain unauthorized access to a protected resource. See Create OpenID Connect app integrations.
Responsive Admin Dashboard layout
When you resize the Admin Console to 600 x 751 pixels or smaller, the dashboard widgets now stack vertically instead of horizontally.
Improved Product Offers dashboard widget
The appearance and readability of the Product Offers dashboard widget have been improved to provide a better user experience.
Copy System Log events
A copy button is now available for each event listed in the System Log.
New attributes available for Smart Card username
Issuer and Serial Number attributes are now available when you configure the IdP username for the Smart Card Identity Provider.
Early Access Features
Early Access features from this release are now Generally Available.
- OKTA-419477: There was a typographical error on the Active Directory Import page.
- OKTA-633914: Active AD users who initiated self-service unlock were emailed recovery instructions instead of a message that their account was already unlocked.
- OKTA-636211: The footer message in User Activation email templates contained an inaccurate email link.
- OKTA-642341: During an SP-initiated sign-in flow, an interstitial page didn't appear in the browser's configured language.
- OKTA-650686: Memory cache errors sometimes occurred when admins performed imports on orgs with a large number of app assignments.
- OKTA-655084: Some AD provisioning events that failed were shown as successful in the System Log.
- OKTA-657022: Setting the group owner in Okta sometimes failed when the ManagedBy field from Active Directory was used.
- OKTA-661574: When an administrator signed in to the Okta Dashboard, and then attempted to access the Admin Console, they weren't prompted for MFA.
- OKTA-661797: When a user clicked an app tile on the Okta Dashboard, the Safari browser opened apps in a new window without user interface controls instead of a new tab.
- OKTA-664847: Application assignments sometimes failed in orgs that use custom admin roles.
- OKTA-668354: An incorrect warning appeared on the Administrator assignment page when a custom admin role was assigned with granular directory permissions and an Active Directory resource set.
- OKTA-670388: Admins sometimes couldn't modify app sign-on policy rules in Classic Engine orgs that were prepared for upgrade to Identity Engine.
Okta Integration Network
App updates
- The BombBomb app integration has a new logo.
New Okta Verified app integrations
- Curation Health (OIDC)
- Dashplant (API service)
- Datadog (API service)
- Hone (SAML)
- Integrishield.com (OIDC)
- Jellyfish (SCIM)
- Modern Health (SCIM)
- Re-flow (SCIM)
- RethinkCare (SAML)
- Sift (SAML)
- Silk Security (SAML)
- T3 Connect (SCIM)
App integration fixes
- Bank of America CashPro (SWA) (OKTA-668979)
- Delta Dental (SWA) (OKTA-664057)
- HelloFax (SWA) (OKTA-657466)
- MacStadium (SWA) (OKTA-662973)
- SendGrid (SWA) (OKTA-657094)
- Team Gantt (SWA) (OKTA-663418)
- Unity Ads (SWA) (OKTA-658284)
- ZipCar (SWA) (OKTA-657448)
- Zurich Adviser Portal (SWA) (OKTA-662671)
Weekly Updates
2023.12.1: Update 1 started deployment on December 18
Fixes
- OKTA-607948: Error messages were unclear when an LDAP query filter was invalid in Active Directory and LDAP integrations.
- OKTA-640503: Custom admins didn't receive email notifications when the LDAP and Active Directory agent was disconnected or reconnected.
- OKTA-644010: The System Log didn't log the time when the user was prompted for authenticator enrollment or verification.
- OKTA-662134: Resetting a user's security question using the API endpoint didn't generate a System Log entry.
- OKTA-663793: The System Log didn't capture a failed user authentication during LDAP delegated authentication.
- OKTA-667475: Updated custom schema values weren't imported from Google.
- OKTA-668140: Users sometimes received an error message when accessing the Profile Editor from the Admin Dashboard.
- OKTA-669824: When the display language was set to Polish, the Sign-In Widget wasn't translated properly.
- OKTA-669999: Some users weren't imported after being unassigned from a sourcing app.
Okta Integration Network
App updates
- The Blameless app integration has updated endpoints.
New Okta Verified app integrations
- Built (OIDC)
- Built (SCIM)
- GoSearch (SCIM)
- Jellyfish (SAML)
- LeanIX - SaaS Discovery (API service)
- T3 Connect (SCIM)
- Tackle.io (OIDC)
2023.12.2: Update 2 started deployment on January 8
Generally Available
Admin Console session configuration
Admins can now set the session lifetime and idle time for Admin Console users independently of global session limits. This provides greater security control over the Admin Console.
Fixes
- OKTA-621160: Some inbound SSO flows failed when a default app was set for the Sign-In Widget.
- OKTA-636560: When using Okta Expression Language in Identity Engine, the group.profile.name key didn't return exact matches.
- OKTA-646953: Users couldn't sign in to URLs for custom domains.
- OKTA-651667: When retrying a batch update of Active Directory agents, agents that had already been updated were marked as updates in progress in the email notification.
- OKTA-657959: When assigning users to a group using group rules, the group rule evaluation timed out, and users who matched the attributes weren't added to the group.
- OKTA-661907: Some users on Android 6 devices were erroneously granted access to Okta-protected resources despite the authentication policy rule.
- OKTA-663893: Users without API access management enabled saw a Create Authorization Server banner on the page.
- OKTA-668142: Third-party admin status couldn't be removed from an admin. This occurred when they belonged to a third-party admin group that no longer had admin privileges.
- OKTA-672678: Sometimes countdown messages weren't displayed when Admin Console sessions were close to expiring.
- OKTA-675063: RADIUS agent libraries contained internal security issues. Upgrade to version 2.20.0 to correct those issues.
- OKTA-675938: Google USB-C/NFC Titan Security Key (K52T) enrollment wasn't supported.
- OKTA-679640: Admins sometimes received an error when trying to access the Admin Console.
Okta Integration Network
App updates
- The CodeSignal SAML app integration has a new description.
- The HackerRank For Work SCIM app integration now supports user deactivation.
- The Perimeter 81 SCIM app integration now supports group push.
- The Symantec Secure Access Cloud app integration has been rebranded as Symantec ZTNA.
- The WorkRamp app integration now supports EU locations.
- The ZAMP OIDC app integration now has IdP-initiated support.
New Okta Verified app integrations
- AgentNex (SAML)
- AuditNex (SAML)
- ChargeDesk (OIDC)
- Collage HR (OIDC)
- Ethos (OIDC)
- Iterate (OIDC)
- Kertos (API service)
- Kluster (OIDC)
- Liquid & Grit (OIDC)
- Lookout Secure Access (SAML)
- OneRange (SAML)
- Promethean AI (OIDC)
- Push Security (API service)
- Re-flow (SAML)
- Routespring (SAML)
- Semplates (OIDC)
- Siit (SAML)
- Siit (API service)
- Skippr OIDC for Organizations (OIDC)
- StackAdapt (OIDC)
- Tabulera (SAML)
- Venue (SCIM)