Okta Classic Engine release notes (2023)

January 2023

2023.01.0: Monthly Production release began deployment on January 17

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Revoke user sessions

Admins can end all Okta sessions for an end user when resetting their password. This option protects the user account from unauthorized access. If policy allows, Okta-sourced end users can choose to sign themselves out of all other devices when performing self-service password reset or resetting their passwords in Settings. See Revoke all user sessions. This feature is now enabled by default for all orgs.

Directory Debugger for Okta AD and LDAP agents

Admins can now enable the Directory Debugger to provide Okta Support with access to Okta AD and LDAP agent diagnostic data. This new diagnostic and troubleshooting tool accelerates issue resolution by eliminating delays collecting data and improves communication between orgs and Okta. See Enable the Directories Debugger. This feature is being re-released.

Non-associated RADIUS agents deprecated

Access for RADIUS agents that have not been associated with an application has now been disabled. See RADIUS integrations.

Unusual telephony requests blocked by machine-learning measures

SMS and voice requests are now blocked if an internal machine-learning-based toll fraud and abuse-detection model considers the requests unusual. Telephony requests that are blocked by the machine-learning model have a DENY status in the System Log.

Enhancements

New System Log events

New events are added to the System Log when custom sign-in or error pages are deleted or reset.

Policy details added to sign-on events

The System Log now displays policy details for user.authentication.auth_via_mfa events.

View last update info for app integrations and AD/LDAP directories

Admins can view the date an app integration was last updated by going to Applications > Applications and selecting the integration. They can view the date an AD/LDAP directory integration was last updated by going to Directory > Directory Integrations and selecting the integration.

Internet Explorer 11 no longer supported

A new banner has been added to the End-User Dashboard to notify Internet Explorer 11 users that the browser is no longer supported.

Corrected timezone on API Tokens page

The date and time on the API Tokens page used an incorrect timezone. It now uses the same timezone as the user's device.

Early Access Features

Enhancements

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

Fixes

General Fixes

OKTA-437264

The HEC Token field wasn't displayed correctly in the Splunk Cloud Log Stream settings.

OKTA-511057

Push Group to Azure Active Directory failed when the group description property was empty.

OKTA-519198

Groups and apps counts displayed on the Admin Dashboard weren't always correct.

OKTA-543969

Accented characters were replaced with question marks in log streams to Splunk Cloud.

OKTA-548780

Custom domain settings were deleted during editing if the admin chose the option Bring your own certificate.

OKTA-559571

The Help link on the Administrators page directed users to the wrong URL.

OKTA-561119

Some users were redirected to the End-User Dashboard when they clicked an app embed link. This occurred in orgs that enabled State Token All Flows and used a custom sign-in page.

OKTA-561259

On the Edit role page, the previously selected permission types weren't retained.

OKTA-564264

Notifications for adding or renewing fingerprint authentication were sometimes not managed correctly.

Applications

Application Update

New GitHub Teams API URL: In response to GitHub's plan to sunset deprecated Teams API endpoints over the coming months, our GitHub integration has been updated to use the new /organizations/:org_id/team/:team_id path. No action needed for Okta admins.

New Integrations

OIDC for the following Okta Verified applications:

Weekly Updates

2023.01.1: Update 1 started deployment on January 23

Fixes

General Fixes

OKTA-394045

The End-User Dashboard wasn't aligned correctly when viewed on mobile browsers.

OKTA-460054

Office 365 nested security groups sometimes failed to synchronize correctly from Okta.

OKTA-522922

Not all users deactivated in an Org2Org spoke tenant were deprovisioned in the hub tenant.

OKTA-527705

When authenticating to Citrix apps with RADIUS, users received multiple notifications in error if they selected No, it's not me in Okta Verify.

OKTA-534291

Samanage/SolarWinds schema discovery didn't display custom attributes.

OKTA-544943

When a user was deactivated in Okta, the Okta Workflows and Okta Workflows OAuth app integrations weren't removed from the user's assigned app integrations.

OKTA-545664

URLs /login/agentlessDsso/interact and /api/internal/v1/agentlessDssoPrecheck were blocked by the browser when executed in an iFrame.

OKTA-547756

An incorrect error message was displayed during self-service registration when an email address that exceeded the maximum length allowed was entered.

OKTA-548390

Enabling Agentless DSSO didn't create a default routing rule if no routing rules existed.

OKTA-550739

Users could request that one-time passwords for SMS, Voice, and Email activation be resent more times than allowed by the rate limit.

OKTA-556056

Group claims failed if a user who belonged to more than 100 groups appeared in the group claims expression results.

OKTA-557873

Enrollment emails weren't sent to users who enrolled in the DUO Security factor.

OKTA-557976

For some users, the profile page didn't display all of their enrolled MFA factors.

OKTA-565041

Group filtering failed when more than 100 groups appeared in the list of results.

OKTA-565899

An incorrect error message appeared when users saved an empty Website URL field in their on-the-fly app settings.

OKTA-566372

Users were sometimes unable to sign in to several Office 365 apps from Okta.

OKTA-567711

In some orgs, Email Change Confirmed Notification emails were sent unexpectedly. Admins should verify that the recipients lists audience settings are accurate for Change Email Confirmation and Email Change Confirmed Notification.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Alibaba Cloud CloudSSO (OKTA-531834)

  • DoControl (OKTA-556624)

  • EasyLlama (OKTA-547466)

  • Extracker (OKTA-555971)

  • Saleo (OKTA-552314)

  • Verona (OKTA-551188)

  • Viewst (OKTA-555217)

  • WOVN.io (OKTA-551752)

OIDC for the following Okta Verified application:

2023.01.2: Update 2 started deployment on February 6

Generally Available

Content Security Policy enhancements

Over the next few months we are gradually releasing enhancements to our Content Security Policy (CSP) headers. During this time you may notice an increase in header sizes.

Fixes

General Fixes

OKTA-545622

AD-sourced users received an error when resetting passwords during their Okta account activation.

OKTA-545918

Admin roles that were granted to a user through group membership sometimes didn't appear on the user's People Admin roles tab.

OKTA-551921

When a large number of profile mappings were associated with a user type, updates to the user type could time out.

OKTA-553201

Users who scanned a Google Authenticator one-time passcode with Okta Verify received an error message and couldn't enroll in the Google Authenticator factor.

OKTA-554013

Batch federation of multiple Microsoft Azure domains failed if the batch contained any child domains.

OKTA-566285

A threading issue caused directory imports to fail intermittently.

OKTA-566682

When an admin configured an IdP routing rule that allowed users to access certain apps, the list of available apps was blank.

OKTA-566824

Sometimes super admins encountered a timeout when listing admin users on the Administrators page in the Admin Console.

OKTA-567707

A security issue is fixed, which requires RADIUS agent version 2.18.0.

OKTA-567972

An unclear error message was returned when a group rules API call (create, update, or activate) was made to assign users to read-only groups (for example, Everyone).

OKTA-567979

Last update information was displayed for API Service Apps and OIDC clients.

OKTA-571393

Users couldn't enroll YubiKeys with the FIDO2 (WebAuthn) factor and received an error message on Firefox and Embedded Edge browsers.

Applications

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Better Stack (OKTA-566261)

  • Mist Cloud (OKTA-559122)

  • Tower (OKTA-567818)

OIDC for the following Okta Verified application:

February 2023

2023.02.0: Monthly Production release began deployment on February 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

New Features

Sign-In Widget, version 7.3.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta Provisioning agent, version 2.0.13

This version of the Okta Provisioning agent contains the migration of the Windows installer from Internet Explorer to Edge. The installer now requires Edge WebView2. If your machine is connected to the internet, WebView2 is downloaded automatically during the agent installation. If not, you must manually install it before installing the new agent version. See Okta Provisioning agent and SDK version history.

Agents page removed from the navigation panel

The operational status of org agents moved from the Agent page of the Admin Console to the Status widget of the Admin Dashboard. See View your org agents' status.

Splunk edition support for Log Streaming integrations

The Splunk Cloud Log Streaming integration now supports GCP and GovCloud customers. You can set the Splunk edition parameter (settings.edition) to AWS (aws), GCP (gcp), or AWS GovCloud (aws_govcloud) in your log streaming integration. See Splunk Cloud Settings properties.

Custom links for personal information and password management on End-User Dashboard

If you manage end users' personal information and passwords in an external application, you can configure that application as the User Identity Source in Customizations. Using this setting, you can provide a link to the application in the End-User Dashboard. When end users click the link, they're taken to the third-party page to update their information and password.

This setting is only applicable to the end users whose personal information and password are managed outside of Okta (for example, Active Directory). See Customize personal information and password management.

You must upgrade to Sign-in Widget version 7.3.0 or higher to use this feature. See the Sign-In Widget Release Notes.

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

Full Featured Code Editor for error pages

Full Featured Code Editor integrates the Monaco code editing library into the Admin Console to make editing code for error pages more efficient and less reliant on documentation. Developers can write, test, and publish code faster with better syntax highlighting, autocomplete, autosave, diff view, and a Revert changes button. See Customize the Okta-hosted error pages.

Custom app login deprecated

The custom app login feature is deprecated. This functionality is unchanged for orgs that actively use custom app login. Orgs that don't use custom app login should continue to use the Okta-hosted sign-in experience or configure IdP routing rules that redirect users to the appropriate app to sign in.

Enhancements

iFrame option for OAuth sign-out URI

The OAuth sign-out URI can now be embedded inside an iFrame.

Log Streaming status messages

Log streaming status messages now include a prefix related to the log streaming operation.

Updated AWS EventBridge supported regions for Log Stream integrations

The list of supported AWS EventBridge regions has been updated based on configurable event sources. See the list of available AWS regions for Log Stream integrations.

OIN Manager enhancements

The OIN Manager now orders the app protocol tabs by best practice.

Informative error messages for SAML sign-in

Error messages presented during a SAML sign-in flow now provide an informative description of the error along with a link to the sign-in page.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

General Fixes

OKTA-501372

The People page used an incorrect field name as the sorting key.

OKTA-540894

Users who attempted to cancel a Sign in with PIV/CAC card request weren't redirected back to the custom domain.

OKTA-544814

Clicking Show More in the API Trusted Origins tab resulted in an Invalid search criteria error.

OKTA-554006

Clicking Save and Add another to add new attributes on the Profile Editor page didn't consistently function as expected.

OKTA-555768

Improved New Device Behavior Evaluation incorrectly identified a previously used device as new when the admin accessed the Okta Admin Dashboard.

OKTA-566469

The Coupa integration URL displayed under the application Sign On tab was incorrect.

OKTA-567511

Users weren't assigned to applications through group assignments following an import from AD into Okta.

OKTA-567991

Signing in to the End-User Dashboard through a third-party IdP displayed an incorrect error message if the password had expired.

OKTA-568319

In the End-User Dashboard, the link to access the Okta Browser Plugin installation guide redirected users to a broken page.

OKTA-572600

Sometimes, custom email domain configurations didn't appear on the Domains page in the Admin Console.

OKTA-573320

The max_age and login_hint parameters in the authorize request were sometimes ignored when a client used the private_key_jwt client authentication method.

OKTA-573738

Some field widths rendered improperly.

OKTA-468178

In the Tasks section of the End-User Dashboard, generic error messages were displayed when validation errors occurred for pending tasks.

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • Paychex Online (OKTA-573082)

Applications

Application Update

The HubSpot Provisioning integration is updated with a new HubSpot Roles attribute. See Configuring Provisioning for HubSpot.

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

Weekly Updates

2023.02.1: Update 1 started deployment on February 21

Generally Available

Sign-In Widget, version 7.3.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

General Fixes

OKTA-508580

When the Okta profile mapping was pushed to AD, the event didn't appear in the System Log and the manager attribute wasn't pushed.

OKTA-537710

Users on M1 MacBooks were unable to sign in to organizations provisioned with an OS-specific workflow.

OKTA-556133

End users received email notifications of new sign-on events even though such notifications were disabled in the org security settings.

OKTA-561269

The YubiKey Report wasn't generated when certain report filters were applied.

OKTA-565300

Accessibility issues on the password verification page of the End-User Dashboard prevented screenreaders from reading the text.

OKTA-565984

Case sensitivity caused usernames sent in SAML 2.0 IdP assertions not to match usernames in the destination org if a custom IdP factor was used and the name ID format was unspecified.

OKTA-566892

Sometimes MFA prompts overlapped portions of the browser sign-in pages.

OKTA-572416

The Help Center link on the Resources menu directed users to the wrong URL.

OKTA-574624

In Administrators > Roles, the Org Admin description was incorrect.

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Adobe Stock (OKTA-564445)
  • Adyen (OKTA-561677)
  • Airbnb (OKTA-559114)
  • AlertLogic (OKTA-560876)
  • American Express @ Work (OKTA-565294)
  • BlueCross BlueShield of Texas (OKTA-564224)
  • Drilling Info (OKTA-558048)
  • Empower (OKTA-552346)
  • Endicia (OKTA-557826)
  • Glassdoor (OKTA-564363)
  • hoovers_level3 (OKTA-562717)
  • MailChimp (OKTA-554384)
  • MY.MYOB (OKTA-553331)
  • myFonts (OKTA-566037)
  • OpenAir (OKTA-545505)
  • Paychex (OKTA-561268)
  • Paychex Online (OKTA-564325)
  • Regions OnePass (OKTA-568163)
  • Truckstop (OKTA-552741)
  • VitaFlex Participan (OKTA-562503)

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Articulate 360 (OKTA-544737)
  • Kakao Work (OKTA-556713)
  • Pleo (OKTA-564884)
  • Tower (OKTA-567818)

2023.02.2: Update 2 started deployment on March 6

Generally Available

Fixes

General Fixes

OKTA-431900

The People > Enroll FIDO2 Security Key button was visible to admins who didn't have permission to enroll authentication factors.

OKTA-452990

When a user clicked the Admin button on the End-User Dashboard using a mobile device, Okta didn't check if the user's session was still active.

OKTA-495146

The MFA Usage report and various API responses displayed different authenticator enrollment dates for users.

OKTA-503419

App catalog search results didn't include SCIM functionality labels.

OKTA-566637

The agentless DSSO just-in-time provisioning flow imported ineligible AD groups into Okta.

OKTA-572089

Browsing the Provisioning tab for an app triggered a System Log update.

OKTA-574711

The sign-in process didn't exit after users selected No, It's Not Me in Okta Verify.

OKTA-574890

When the End-User Dashboard was in grid view, screen readers couldn't recognize apps as clickable links.

OKTA-576067

Custom domains couldn't be validated if there were uppercase characters in a subdomain.

OKTA-578439

Some event hook requests failed to send in Preview orgs.

OKTA-579157

For orgs that were updated to SCIM 2.0, Workplace by Facebook profile pushes that included the manager attribute failed.

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe Creative (OKTA-555215)

  • Asana (OKTA-566187)

  • ManageEngine Support Center Plus (OKTA-529921)

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Scalr.io (OKTA-552065)

  • Trusaic (OKTA-559106)

OIDC for the following Okta Verified applications:

March 2023

2023.03.0: Monthly Production release began deployment on March 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.4.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.16.0

This version of the agent contains:

  • Use of FIPS 140-2 validated cryptographic security modules
    • bc-fips: Version 1.0.2.3
    • bcpkix-fips: Version 1.0.6
    • bctls-fips: Version 1.0.13
  • Support for LDAP agent auto-update
    • This version allows support for LDAP agent auto-update. Stay tuned for the self-service EA feature within Okta that will enable LDAP agent auto-update when available.
    • Upon agent installation on Linux platforms, we now grant the OktaLDAPService user permission to automatically install the newest agent version using the auto-update feature.
  • Bug fixes
  • Security enhancements

See Okta LDAP Agent version history.

Identity Engine Upgrade Hub

Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new OIE Upgrade Hub page displays in the navigation panel under Dashboards. The OIE Upgrade Hub provides a quick and easy way to schedule your org's OIE upgrade for a more powerful and customizable identity experience. See Upgrade from Okta Classic Engine.

Agents page added to the navigation panel

The operational status of org agents can now be viewed by selecting the Agents page from the navigation panel. See View your org agents' status.

Rate limit increased for Event Hooks

The number of events that can be delivered to Event Hooks is now 400,000 events per org, per day. See Hooks.

Updated Okta logo

New Okta branding is now used for the Admin Console, the sign-in page, and the browser page favicon.

Manage the Okta loading animation for custom apps

You can now disable the default Okta loading animation (interstitial page) that appears when users are redirected to custom applications. End users are shown a blank interstitial page, instead. This allows you to present a more branded end user experience. For more information, see Customize your Okta org. This feature is being re-released.

SAML logout metadata

SAML app integration metadata details now include logout URL information when Single Logout is enabled.

OIN Manager enhancements

The OIN Manager now includes text to support API Service integrations.

System Log event

A new System Log event is created when an LDAP interface operation fails because an administrative rate limit was exceeded.

Enhanced Admin Console search

The Admin Console search now displays your search results in a user-friendly drop-down list. The list provides Top results, People, Apps, and Groups filters so you can quickly and easily find what you're looking for. See Admin Console search.

Optional consent settings for OAuth 2.0 scopes

OAuth 2.0 Optional Consent provides an Optional setting that enables a user to opt in or out of an app's requested OAuth scopes. When Optional is set to true, the user can skip consent for that scope. See Create API access scopes.

SAML setup parameters

More setup parameters are now visible when configuring SAML as a sign-in method for app integrations. See Configure Single Sign-On options.

Log Streaming

While Okta captures and stores its System Log events, many organizations use third-party systems to monitor, aggregate, and act on event data.

Log Streaming enables Okta admins to more easily and securely send System Log events to a specified system such as Amazon EventBridge in real time with simple, pre-built connectors. They can easily scale without worrying about rate limits, and no admin API token is required. See Log streaming.

OIDC Identity Providers private/public key pair support

Previously, Okta only supported the use of client secret as the client authentication method with an OpenID Connect-based Identity Provider. Okta now supports the use of private/public key pairs (private_key_jwt) with OpenID Connect-based Identity Providers. Additionally, the Signed Request Object now also supports the use of private/public key pairs. See Create an Identity Provider in Okta.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

OKTA-530926

Authentication sometimes failed for LDAP users due to a null pointer exception. The issue is fixed in LDAP agent version 5.16.0.

OKTA-548568

Password validation caused an unexpected error during a self-service password reset.

OKTA-553278

Group memberships didn't update when an Okta user was relinked to Active Directory and then a full import was run.

OKTA-554109

Read-only admins were able to edit application integration pages.

OKTA-561769

A user with a Custom Administrator role could make changes to the End-User Dashboard but couldn't preview the dashboard.

OKTA-562113

Auto-population of non-English variable names in the Profile Editor didn't work as expected.

OKTA-564673

Empty groups caused LDAP delegated authentication testing to fail.

OKTA-578615

Some users could request a new one-time passcode after exceeding the limit for failed MFA attempts.

OKTA-580307

The Sign-in Widget sometimes failed to load for testing LDAP authentication.

OKTA-581530

Missing logos on the Groups page were displayed as broken links.

Applications

New Integrations

New SCIM integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Wistia (OKTA-561362)

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • Adobe (OKTA-569857)

  • Adobe Stock (OKTA-564445)

  • Brex (OKTA-573146)

  • Criteo (OKTA-577154)

  • CTCC OncoEMR (OKTA-576358)

  • Lucidchart (OKTA-566188)

  • MyFonts (OKTA-566037)

  • Washington Post (OKTA-575907)

Weekly Updates

2023.03.1: Update 1 started deployment on March 20

Generally Available

Fixes

OKTA-464288

SMS customization wasn't restricted in free developer orgs.

OKTA-516653

Group descriptions for AD groups linked to Okta groups weren't pushed.

OKTA-544970

When orgs used email template injection, some internal class information was visible in the message.

OKTA-562755

On the Admin Dashboard, the Total admins and Individually assigned counts were incorrect.

OKTA-567399

A deactivated Identity Provider couldn't be reactivated.

OKTA-567906

Admins were able to configure a multifactor enrollment policy that allowed the Okta Verify Push mode but didn't allow the one-time password mode.

OKTA-570664

BambooHR reported an error when Okta attempted to update a value using the value of a custom attribute.

OKTA-576483

Admins weren't able to add a network zone with the name BlockedIPZone.

OKTA-577014

Some users received inaccurate error messages when they registered their phone number for password reset and account unlock.

OKTA-585800

Some Cornerstone profiles failed to import due to missing information.

OKTA-589114

When orgs used daylight savings time, the Admin Dashboard and the System Log events timestamps were one hour behind.

Applications

Application update

The Front SCIM integration is updated to support group push.

New Integrations

New SCIM Integration application:

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog as partner-built:

OIDC for the following Okta Verified applications:

SAML for the following Okta Verified application:

  • ASP.NET (OKTA-575640)

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Acorns (OKTA-579034)

  • GoToMeeting (OKTA-566182)

  • PayPal (OKTA-562742)

2023.03.2: Update 2 started deployment on March 27

Generally Available

Sign-In Widget, version 7.4.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

OKTA-503099

Admins were able to modify the auth_time claim for an access token using a token inline hook.

OKTA-562337

The options in the dropdown used to filter Admin Dashboard tasks were untranslated.

OKTA-566659

DocuSign group pushes failed when removing users from a group.

OKTA-568170

Some orgs couldn't disable the New Sign-On Notifications email.

OKTA-568376

Users couldn't enroll an IdP as an authentication factor if their username didn't match the case of the username in their IdP profile.

OKTA-579088

In Agents > On-premise, the Description link next to each of the agents was incorrect.

OKTA-584216

A suffix was added to the application label for new Onspring instances.

OKTA-587063

An older version of the OAuth library was included in the Okta Provisioning agent. The issue is fixed in Okta Provisioning agent 2.0.14.

OKTA-588262

The favicons for the Admin Console and End-User Dashboard were misaligned.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

  • Laurel (OKTA-586151)

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Poll Everywhere (OKTA-585747)

2023.03.3: Update 3 started deployment on April 3

Fixes

OKTA-576159

On the IdP configuration page, searching for groups under JIT Settings sometimes returned an error.

OKTA-581158

System Log events for manual imports showed that the import was scheduled by Okta.

OKTA-585107

The hidden permissions count on the Edit role page was incorrect.

OKTA-585478

App sign-on events with usernames that exceeded 100 characters weren't always added to the System Log.

OKTA-587347

On mobile devices, users with long email addresses couldn't see all the options in their settings dropdown menu.

OKTA-592074

Screen readers read apps on the End-User Dashboard as buttons instead of links.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

  • Bitdefender GravityZone (OKTA-575873 - Okta-hosted instructions)

  • CorporateFitness.app (OKTA-575873 - Okta-hosted instructions)

OIDC for the following Okta Verified applications:

API service app for the following Okta Verified application:

April 2023

2023.04.0: Monthly Production release began deployment on April 10

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.5.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 3.14.0

This version of the agent contains the following changes:

  • Security enhancements.

  • Bug fixes.

  • Installer will show a warning if the service account isn't a member of Pre-Windows 2000 Compatible Access.

  • Migration of the Windows installer from Internet Explorer to Edge.

The installer now requires Edge WebView2. WebView2 is downloaded automatically during the agent installation if your machine is connected to the internet. If not, you must manually install it before installing the new agent version. See Okta Active Directory agent version history.

Okta Provisioning agent, version 2.0.14

This version of the agent contains security fixes. See Okta Provisioning agent and SDK version history.

Schedule your Okta Identity Engine upgrade directly from the Admin Dashboard

Okta is slowly rolling out self-service Identity Engine upgrade functionality to eligible orgs. When your org becomes eligible, the new self-service upgrade widget is displayed on the Admin Dashboard. The widget provides a quick and easy way to schedule your org's upgrade for a more powerful and customizable identity experience. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine. This feature will be gradually made available to all orgs.

OAuth 2.0 authentication for inline hooks

Okta inline hook calls to third-party external web services previously provided only header-based authentication for security. Although sent with SSL, the header or custom header authentication didn't meet more stringent security requirements for various clients and industries.

To improve the security of inline hooks, Okta now supports authentication with OAuth 2.0 access tokens. Tokens ensure secure calls to external web services.

When creating inline hooks in the Admin Console (or by API), administrators or developers can now select OAuth 2.0 authentication and choose between two methods of OAuth 2.0: Client Secret or Private Key. A new Key Management API and Admin Console page is also available to create public/private key pairs for use with OAuth 2.0 inline hooks. See Manage keys.

Using the OAuth 2.0 framework provides better security than Basic Authentication, and is less work than setting up an IP allowlisting solution. Clients can also use access tokens minted by their own custom authorization servers to guarantee that Okta is calling their client web services and that the call isn't triggered by any external actors. See Add an inline hook.

API Service Integrations

Using a more secure OAuth 2.0 connection than access tokens, this integration type uses the Core Okta API to access or modify resources like System Logs, apps, sessions, and policies. See API Service Integrations.

OIN Manager support for Workflow Connector submission

Okta Workflows is a no-code, if-this-then-that logic builder that Okta orgs can use to automate custom or complex employee onboarding and offboarding flows in your application. You can now publish Workflow connectors that you create with the Workflows Connector Builder in the Okta Integration Network (OIN) catalog. Publishing a Workflows Connector with Okta allows your customers to deeply integrate your product with all other connectors in the catalog. Submit your Workflow Connector by using the OIN Manager. See Submit an integration for Workflows connectors.

Configurable rate limits available for OAuth 2.0 apps

Rate limit violations mainly occur on authenticated endpoints. Currently, it isn't clear which OAuth 2.0 authenticated app consumes all the rate limits for an org. This increases the risk that one app consumes the entire rate limit bucket. To avoid this possibility, Okta admins can now configure how much rate limit capacity an individual OAuth 2.0 app can consume by editing the Application rate limits tab for each app. By setting a capacity on individual OAuth 2.0 apps, Okta admins have a new tool to monitor and investigate rate limit violations, and have the ability to view rate limit traffic generated by individual OAuth 2.0 apps. See Rate limit dashboard bar graph.

Support added for DPoP with service apps

Okta now supports Demonstrating Proof-of-Possession for service apps. However, service apps can provide the same level of security by using private_key_jwt for client authentication. See Configure OAuth 2.0 Demonstrating Proof-of-Possession and Client authentication.

Multiple IdP profiles in Google Workspace

The Google Workspace integration now supports multiple IdP profiles. See How to Configure SAML 2.0 for Google Workspace.

Early Access Features

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

Fixes

OKTA-511637

If users clicked the reveal password icon in the Sign-In Widget before they entered their password, blank spaces were removed upon submission.

OKTA-570362

The End-User Dashboard displayed email confirmation notifications for users who didn't change their primary email.

OKTA-573667

The dates on the Agent auto-update settings page in the Admin Dashboard were missing the year.

OKTA-581516

HTML wasn't formed correctly in SAML responses.

OKTA-586482

Sometimes users couldn't enroll in or set up On-Prem MFA or RSA SecurID.

OKTA-588390

Token Preview for custom authorization servers failed for group claims with more than 100 groups.

OKTA-592588

The Routing rules tab on the Identity Providers page wasn't hidden for users without admin permissions.

OKTA-593452

The Everyone group in Okta couldn't be imported through the Okta Org2Org app.

Applications

New Integrations

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified application:

Weekly Updates

2023.04.1: Update 1 started deployment on April 17

Fixes

  • OKTA-529298

    Renaming an individually selected organizational unit in Active Directory caused it to be unselected in Okta when imported.

  • OKTA-573682

    Some of the widgets on the Admin Dashboard didn't use the correct date and time format.

  • OKTA-578310

    Some labels and error messages related to assigning applications were untranslated.

  • OKTA-584757

    Sometimes group push operations to ServiceNow failed.

  • OKTA-597224

    Org admins could schedule and manage their org's Identity Engine upgrade using the OIE Upgrade Hub.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified application:

OIDC for the following Okta Verified application:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Adobe Stock (OKTA-564445)

2023.04.2: Update 2 started deployment on May 1

Generally Available

Sign-In Widget, version 5.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-475223

    On the Admin Dashboard, the Tasks menu Pending and Complete labels overlapped with the dropdown icon.

  • OKTA-500841

    RADIUS server agent was incorrectly listed among Disconnects and reconnects under System notifications.

  • OKTA-555152

    The shortcut URL /login/default didn't always go to the End User Dashboard.

  • OKTA-564388

    When Multibrand was enabled, orgs couldn't add an email domain that they'd previously deleted.

  • OKTA-566659

    Pushing group changes to Docusign failed when a member was removed from a group or a group push mapping was removed in Okta.

  • OKTA-568489

    Pushing groups for provisioning to Office 365 failed if the groups already existed.

  • OKTA-568851

    Some URLs on multifactor authentication app pages pointed to incorrect destinations.

  • OKTA-579360

    Users were still active in the hub org after being deactivated in a spoke org.

  • OKTA-581789

    Import completion emails weren't sent to administrators with custom admin roles.

  • OKTA-583585

    Admins were unable to update passwords for SWA apps in orgs with certain configurations.

  • OKTA-585741

    Empty values for attribute statements in SAML assertions didn't remove previously specified values.

  • OKTA-586713

    The variable ${baseURL} in the HTML for some email templates didn't resolve in the browser.

  • OKTA-587325

    After activating their accounts, users who enrolled through the Sign up link received an error if they clicked Set up later on the Security methods page.

  • OKTA-588140

    The Delegated flows page was visible to orgs that hadn't configured any delegable flows.

  • OKTA-588408

    Admins could configure the Maximum Okta session lifetime setting for an Okta sign-on policy rule that denied access.

  • OKTA-591800

    When the sign-in page was edited using the code editor, the event type system.custom_error.update was logged.

  • OKTA-593131

    Some attributes previously added to user profiles from incoming SAML responses weren't cleared when the attribute was later omitted.

  • OKTA-594775

    In some orgs, the Office 365 thick client sign-in page didn't display the app instance name.

  • OKTA-595042

    A successful MFA that followed unsuccessful MFA attempts mistakenly locked out users.

  • OKTA-596437

    When the API Service Integration feature was disabled, a query for inactive app integrations incorrectly returned a list with revoked API service integrations.

  • OKTA-597697

    When Multibrand was enabled, orgs couldn't reset the default application for the Sign-In Widget.

  • OKTA-599040

    An extra input field sometimes appeared on the sign-in page for SP-initiated SSO.

  • OKTA-599062

    On the Push Groups to Active Directory page, Okta admins were unable to view all the organizational units.

  • OKTA-599243

    When the redesigned resource editor feature was enabled, admins could save the Add Resource screen without selecting a resource.

  • OKTA-599483

    In orgs with the new authenticator management feature enabled, attempts to create or update an Okta enrollment policy failed.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

App Integration Fix

The following SWA app wasn't working correctly and is now fixed:

  • Louisiana Medicaid (OKTA-578791)

2023.04.3: Update 3 started deployment on May 8

Fixes

  • OKTA-570851

    Some app provisioning error strings weren't translated.

  • OKTA-586571

    In some orgs, users who successfully reset their passwords were redirected to a custom error page instead of the home page.

  • OKTA-591232

    Logos weren't correctly displayed on email templates.

  • OKTA-599684

    When Active Directory users were added through an import or JIT provisioning, their application groups were retrieved from an incorrect domain. This caused an internal error that prevented users from signing in to Okta.

  • OKTA-604536

    An older library was being used by the toolkit used by Okta Confluence Authenticator and Okta Jira Authenticator. The issue is fixed in version 3.2.2 of the toolkit.

  • OKTA-607199

    ThreatInsight temporarily prevented non-malicious users from accessing Okta.

Applications

New Integrations

New SCIM Integration applications:

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog as partner-built:

SAML for the following Okta Verified applications:

May 2023

2023.05.0: Monthly Production release began deployment on May 15

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.15.0

This version of the agent contains the following changes:

  • Bug fixes. Active Directory (AD) agent auto-update health check caused auto-update to fail when upgrading from version 3.13.0 to 3.14.0.

See Okta Active Directory agent version history.

Okta On-Prem MFA agent, version 1.7.0

This version includes support for extended client session timeout. See Install the On-Prem MFA Agent.

Confluence Authenticator, version 3.2.2

This release contains security fixes. See Okta Confluence Authenticator version history.

Okta Jira Authenticator, version 3.2.2

This release contains security fixes. See Okta Jira Authenticator Version History.

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn't change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API. This feature will be gradually made available to all orgs.

OAuth 2.0 On-Behalf-Of Token Exchange

OAuth 2.0 On-Behalf-Of Token Exchange helps retain the user context in requests to downstream services. It provides a protocol approach to support scenarios where a client can exchange an access token received from an upstream client for a new token by interacting with the authorization server. See Set up OAuth 2.0 On-Behalf-Of Token Exchange.

Okta Expression Language matches operator deprecated

The Okta Expression Language matches operator that is used to evaluate a string against a regular expression is deprecated. This feature is currently enabled by default for new orgs only.

Okta administrators group for all org admins

A default Okta administrators group is now available in every Okta org. The new group allows you to create sign-on policies that automatically apply to all admins in your org. See Groups.

Help links for standard admin roles

In Administrators > Roles, each standard admin role now provides a link to its corresponding help page. This allows admins to quickly and easily locate the documentation that supports their standard role assignments.

Self-Service Okta Identity Engine Upgrades for eligible orgs

Okta is slowly rolling out self-service upgrade functionality to eligible orgs. Using the new self-service upgrade widget, orgs with acknowledgment action items can now review and complete those items, and then schedule their upgrade. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility and the self-service upgrade widget appears on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade from Okta Classic Engine.

Note that only super admins can view and manage the self-service upgrade widget.

New upgrade warning

For self-service Identity Engine upgrades, a warning message now appears to indicate that the Classic Engine Sessions API isn't supported.

More events eligible for hooks

The following System Log events are now eligible for event hooks:

  • group.application_assignment.add

  • group.application_assignment.remove

  • group.application_assignment.update
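A receiver subscribed to these event types can reduce each delivery to access-review findings. The following is an added example, not Okta's code: the shared secret, the sensitive-app labels and the sample delivery are constructed, and the envelope layout (`data.events` entries with `eventType`, `actor`, `target`, `outcome`) and the `x-okta-verification-challenge` header are assumed to follow Okta's event hook delivery format.

```python
import hmac
import json

# Event types this release made eligible for event hooks.
WATCHED_TYPES = {
    "group.application_assignment.add",
    "group.application_assignment.remove",
    "group.application_assignment.update",
}

# Assumptions for the example: the secret configured as the hook's
# Authorization header value, and the app labels treated as sensitive.
HOOK_SECRET = "constructed-example-secret"
SENSITIVE_APPS = {"AWS Production", "Payroll"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_authorized(headers):
    """Constant-time comparison of the Authorization header with the secret."""
    presented = _lower(headers).get("authorization", "")
    return hmac.compare_digest(presented.encode(), HOOK_SECRET.encode())


def _first_target(event, target_type):
    """Return the displayName of the first target of the given type, if any."""
    for target in event.get("target") or []:
        if target.get("type") == target_type:
            return target.get("displayName")
    return None


def triage(envelope):
    """Reduce one delivery envelope to findings for group/app assignment changes."""
    data = envelope.get("data")
    events = data.get("events", []) if isinstance(data, dict) else []
    findings = []
    for event in events:
        etype = event.get("eventType", "")
        if etype not in WATCHED_TYPES:
            continue  # other subscribed event types are out of scope here
        if (event.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # a failed change did not alter access
        app = _first_target(event, "AppInstance")
        findings.append({
            "uuid": event.get("uuid"),
            "change": etype.rsplit(".", 1)[1],
            "actor": (event.get("actor") or {}).get("alternateId"),
            "group": _first_target(event, "UserGroup"),
            "app": app,
            # Granting or altering access to a sensitive app needs review;
            # a removal reduces access and is recorded without escalation.
            "review": app in SENSITIVE_APPS and not etype.endswith(".remove"),
        })
    return findings


def handle_request(method, headers, body=b""):
    """Return (status, response_dict) for one HTTP request to the hook URL."""
    if method == "GET":
        # One-time endpoint verification: echo the challenge header back.
        challenge = _lower(headers).get("x-okta-verification-challenge")
        if challenge is None:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    if not is_authorized(headers):
        return 401, {"error": "unauthorized"}
    try:
        envelope = json.loads(body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(envelope, dict):
        return 400, {"error": "unexpected payload shape"}
    return 200, {"findings": triage(envelope)}


def _event(uuid, etype, app, group):
    """Build one constructed event for the sample delivery."""
    return {"uuid": uuid, "eventType": etype, "outcome": {"result": "SUCCESS"},
            "actor": {"type": "User", "alternateId": "admin@example.com"},
            "target": [{"type": "AppInstance", "displayName": app},
                       {"type": "UserGroup", "displayName": group}]}


# Constructed sample delivery; not captured from a real org.
SAMPLE_DELIVERY = json.dumps({"eventType": "com.okta.event_hook", "data": {"events": [
    _event("constructed-1", "group.application_assignment.add", "AWS Production", "Contractors"),
    _event("constructed-2", "group.application_assignment.remove", "Payroll", "Finance"),
    _event("constructed-3", "user.session.start", "Wiki", "Everyone"),
]}}).encode()

if __name__ == "__main__":
    print(handle_request("POST", {"Authorization": HOOK_SECRET}, SAMPLE_DELIVERY))
```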

New legal disclaimer in Okta Trial accounts

A new legal disclaimer is displayed on the Add Person dialog in Okta trial accounts to prevent sending unsolicited and unauthorized activation emails.

Okta branding changes for the Admin Console

Branding updates to headings, fonts, colors, borders, and logos are now available in the Admin Console.

Additional measures to counter toll fraud

For SMS and voice authentications, additional mitigation measures now help counter phone number-based toll fraud.

Early Access Features

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the number of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the number of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.

Fixes

  • OKTA-566113

    After changing the display language for an Okta org from English to another language, some text was still displayed in English.

  • OKTA-580684

    In the Okta Expression Language, the isMemberOfGroupNameContains expression couldn't differentiate underscores and hyphens, which caused unexpected user membership assignments.

  • OKTA-595053

    Users who clicked Back to sign in before setting up their security methods were incorrectly notified that their configuration was successful. This occurred only in orgs with custom domains.

  • OKTA-596360

    Locked out users could still authenticate and sign in through Integrated Windows Authentication (IWA).

  • OKTA-596600

    For apps with Group Push enabled, the Application Push Groups tab displayed incorrect dates and times.

  • OKTA-597396

    Pushing groups from Okta to Microsoft Office 365 sometimes failed if an empty group description was updated.

  • OKTA-599408

    GMT timezones couldn't be selected correctly in the System Log.

  • OKTA-600867

    The Yubikey Reports page wasn't properly translated.

  • OKTA-601875

    After a user was deactivated, their remaining tasks resulted in errors.

  • OKTA-603305

    On the Edit resource set page, an error appeared when an admin deleted a resource type and then added it again. This occurred when the redesigned resource editor feature was enabled.

  • OKTA-607249

    Service clients with the correct permissions couldn't modify policies that contained the Okta Administrator Group.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

2023.05.1: Update 1 started deployment on May 22

Fixes

  • OKTA-588667

    After creating accounts, some users weren't able to complete the sign-in process.

  • OKTA-596446

    Error summary messages weren't written to the System Log when custom errors occurred during an import inline hook operation.

  • OKTA-597490

    The LDAP interface didn't return any result for a deactivated user when the cn value was combined with other filters.

  • OKTA-597959

    Okta users authenticating through Agentless Desktop SSO (ADSSO) were sometimes incorrectly shown a migration-check error message.

  • OKTA-601618

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-603731

    Macros in email subjects weren't processed correctly for some email templates.

  • OKTA-604404

    Imports performed during UltiPro maintenance resulted in inconsistent data being returned.

  • OKTA-604914

    When the redesigned resource editor feature was enabled, admins couldn't add individual applications to their resource sets.

  • OKTA-609336

    Incorrect descriptions were displayed on the Agents > On-premise tab.

  • OKTA-609390

    During Identity Engine self-service upgrades, admins could see false indications that the Sessions API was in use.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.05.2: Update 2 started deployment on May 30

Fixes

  • OKTA-414791

    LDAP requests resulted in an error if the memberOf filter didn't include a Group DN.

  • OKTA-423781

    The Privacy link on the Okta dashboard wasn't translated.

  • OKTA-585123

    When the Full Featured Code Editor was enabled, some admins couldn't edit the Sign-In Widget version or their sign-in page draft changes.

  • OKTA-591228

    Admins with a custom role couldn't receive user reports of suspicious activity in email notifications.

  • OKTA-602635

    Some text on the Administrator assignment by role page wasn't translated properly.

  • OKTA-602794

    Token inline hooks failed even when a URL claim name was correctly encoded with a JSON pointer.

  • OKTA-604386

    The Edit button disappeared from the Other customizations > User Accounts panel.

  • OKTA-604825

    When an admin added the Manage users permission to a role, any existing permission conditions were removed. Also, admins with restricted profile attributes could edit those attributes on their own profile.

  • OKTA-613226

    Some of the new Okta branding changes weren't displayed in the Admin Console.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

API service app for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.05.3: Update 3 started deployment on June 12

Fixes

  • OKTA-516583

    The application logo wasn't displayed on the Groups page for some groups.

  • OKTA-566503

    When no tokens were listed on the API Tokens page, the displayed message wasn't translated.

  • OKTA-572820

    Deleting large numbers of IdP routing rules with API calls caused System Log discrepancies.

  • OKTA-577794

    The destination in SAML responses sometimes didn't match the Assertion Consumer Service URL in signed authentication requests.

  • OKTA-583072

    The System Log showed that an MFA reset notification email was sent when that notification option was disabled and no email was sent.

  • OKTA-597009

    The Microsoft Team Exploratory licenses weren't imported correctly into Okta, which prevented users from provisioning the correct licenses.

  • OKTA-599540

    HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

  • OKTA-599994

    The Honor Force Authentication SAML setting didn't work with Agentless Desktop Single Sign-on (ADSSO).

  • OKTA-602946

    On password hash import, users couldn't change their passwords even after the minimum password age setting period.

  • OKTA-604985

    Approvers received duplicate task approval requests when users requested an app from the End-User Dashboard.

  • OKTA-605016

    In the Add Dynamic Zone dialog, the Bagmati region of Nepal was missing from the State/Region dropdown menu.

  • OKTA-607167

    The search bar in the Groups tab on the user profile page didn't display the placeholder text correctly.

  • OKTA-610185

    When the Conditions for Admin Access feature was enabled, restricted profile attributes were visible in User > Profile for imported users.

  • OKTA-611867

    The Active User Statuses field didn't appear in some configurations.

  • OKTA-612177

    Some users in China didn't receive one-time passwords through SMS.

  • OKTA-612312

    Admins couldn't delete a custom email domain if it was used by multiple orgs.

  • OKTA-612615

    On the Tasks page, the Edit Assignment button wasn't translated.

  • OKTA-612888

    Sign-on policies didn't persist for the admin group.

  • OKTA-612972

    When the redesigned resource editor feature was enabled, large sets of resources were displayed outside of the Add Resource dialog, and the tooltip didn't specify the resource limit.

  • OKTA-613226

    Some of the Okta branding changes weren't displayed in the Admin Console.

  • OKTA-613979

    The Microsoft Office 365 Sign On tab displayed incorrect information in the Metadata details section.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

API service app for the following Okta Verified application

OIDC for the following Okta Verified applications

June 2023

2023.06.0: Monthly Production release began deployment on June 20

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta Provisioning agent, version 2.0.15

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Multibrand customizations

Multibrand customizations allow customers to use one org to manage multiple brands and multiple custom domains. This drastically simplifies multi-tenant architectures where customers create multiple orgs to satisfy branding requirements. Multibrand customizations allow orgs to create up to three custom domains (more upon request), which can be mapped to multiple sign-in pages, multiple sets of emails, error pages, and multiple versions of the End-User Dashboard. See Branding.

Smart Card IdP with Agentless DSSO

Okta can now be configured to allow users to use Agentless DSSO without being prompted when Smart Card IdP is configured.

Facebook at Work integration enhancement

Facebook at Work uses the Okta Expression Language to map the manager attribute. This allows admins to adjust how the manager attribute is stored in the user profile so they can choose between an id field or a name.

New System Log events for Workflows subfolders

The System Log now displays the following subfolder events for Okta Workflows:

  • workflows.user.folder.create
  • workflows.user.folder.rename
  • workflows.user.folder.export
  • workflows.user.folder.import
  • workflows.user.table.schema.import
  • workflows.user.table.schema.export

New event for hooks

The user.authentication.sso event is now eligible for use in event hooks.

Enhanced reports value selection

The following reports provide improved selectors for Users, Groups, and Apps in the filters configuration:

  • Telephony Usage
  • User App Access
  • Group Membership
  • User Accounts
  • Past Access Requests
  • Past Campaign Summary
  • Past Campaign Details

Universal Directory attribute and enum limits

Universal Directory now has limits to the number of attributes per org and the number of enums that can be defined for a single attribute.

Early Access Features

This release doesn't have any Early Access features.

Fixes

  • OKTA-588559

    The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.

  • OKTA-597490

    Searches in the LDAP interface didn't return results for a deactivated user when the common name (cn) value was combined with other filters.

  • OKTA-600091

    The email change notification triggered from the Admin Dashboard sometimes displayed an Okta subdomain instead of the org's custom domain.

  • OKTA-607434

    Unhelpful error messages appeared when the NameIdPolicy was unspecified in SAML client requests that required signed requests.

  • OKTA-611700

    Timestamps weren't translated on the Tasks page.

  • OKTA-611709

    On the Administrators page, the Resource set, Role, and Admin icon labels weren't translated.

  • OKTA-615404

    When an admin searched for a group with more than 1000 members, the Top results tab displayed 1001 instead of 1000+.

  • OKTA-616169

    When the Assign admin roles to public client app feature was enabled, admins couldn't assign roles to groups.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration app is now Generally Available in the OIN:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified application

Weekly Updates

2023.06.1: Update 1 started deployment on June 26

Generally Available

Sign-In Widget, version 7.7.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-549617

    The Application Usage report didn't include SSO events for RADIUS-enabled apps.

  • OKTA-551193

    Some users encountered a server error during inbound SAML authentication.

  • OKTA-570405

    User activation email templates for Okta trial orgs didn't have a current legal disclaimer in the footer.

  • OKTA-596780

    When a user's OIDC IdP authentication factor enrollment failed, no System Log event was recorded.

  • OKTA-599424

    The first time they signed in to the Citrix app, some users couldn't enroll in required MFA factors.

  • OKTA-605001

    Admins could edit profile attributes that they didn't have permission to edit, which caused errors.

  • OKTA-605968

    Some orgs couldn't change the default email template variant for a custom brand.

  • OKTA-607193

    HealthInsight didn't include admins with custom roles when it evaluated the percentage of admins with super admin privileges.

  • OKTA-610007

    Customers that used the Zoom Identity Attestation feature without API Access Management enabled couldn't complete the sign-in flow.

  • OKTA-614168

    The YubiKey report incorrectly showed that a revoked key was last used instead of the current key.

  • OKTA-618732

    The SMS authentication factor couldn't always be set up for Australian phone numbers.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

OIDC for the following Okta Verified applications

2023.06.2: Update 2 started deployment on July 10

Fixes

  • OKTA-564847

    Sign-out errors sometimes appeared as raw JSON text rather than triggering an Okta error page.

  • OKTA-581464

    The System Log didn't provide user information for an expired password during the Resource Owner Password grant type flow.

  • OKTA-581496

    Some apps that had provisioning enabled appeared on the Provisioning Capable Apps reports.

  • OKTA-588414

    Users who were removed from an Okta group using an API call were added back to the group because of the group rules.

  • OKTA-588559

    The max_age=0 property wasn't treated the same as prompt=login for OAuth 2.0 /authorize requests.

  • OKTA-602343

    The System Log didn't display client details for user_claim_evaluation_failure events if a token inline hook was enabled.

  • OKTA-602566

    Apps using a custom identity source displayed user and group assignments in the General tab.

  • OKTA-604491

    Users were sometimes unable to display authorization server access policies in the Admin Console.

  • OKTA-613164

    Some admins could access IdP configuration editing pages without sufficient permissions.

  • OKTA-617952

    When the Redesigned Resource Editor feature was enabled, super admins couldn't preview the resource set assignments for the access requests and access certifications admin roles.

  • OKTA-619651

    My Okta didn't load when the Enable Sync Account Information setting wasn't selected.

  • OKTA-621542

    For SAML IdP configurations, searches for a user group to assign to the app sometimes failed to stop.

  • OKTA-627295

    NetSuite couldn't be provisioned to new users.

Applications

Application Updates

The following SCIM integrations now support group push:

  • Rootly

  • Zerotek

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

App Integration Fixes

The following SWA apps weren't working correctly and are now fixed:

  • Bill.com (OKTA-617155)

  • Chatwork (OKTA-612555)

  • CrowdStrike Falcon (OKTA-606550)

  • EmblemHealth (OKTA-616627)

  • HelloSign (OKTA-606499)

  • MYOB Essentials (OKTA-611408)

  • NearMap.com (OKTA-619941)

The following SAML app wasn't working correctly and is now fixed:

  • ManageEngine (OKTA-571050)

July 2023

2023.07.0: Monthly Production release began deployment on July 17

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.8.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.17.0

This version of the agent contains:

  • Migration of the Windows installer from Internet Explorer to Edge
  • The service OktaLDAPAgent stop command now correctly terminates agents installed on Red Hat and CentOS platforms
  • Security enhancements

See Okta LDAP Agent version history.

Self-Service Okta Identity Engine Upgrades eligibility extended

Okta is enabling self-service Okta Identity Engine upgrade functionality to orgs that require configuration changes. When your org becomes eligible for the upgrade, you receive an email confirming your eligibility, and the self-service upgrade widget is displayed on the Admin Dashboard. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine. This feature will be gradually made available to all orgs. Note that only Super Admins can view and manage the self-service upgrade widget.

System Log time zone formats updated

In the System Log, the time zone dropdown menu now provides additional information about each available time zone. See System Log.

App Password Health report uses browser time zone

On the App Password Health report, last-reset request dates and times are now based on the browser's time zone settings. See App Password Health report.

Okta-generated client secret length increase

The length of Okta-generated client secrets is increased from 40 to 64 characters.

Updated Okta logo

A branding update to the Okta groups logo is now available in the Admin Console.

Early Access Features

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

Fixes

  • OKTA-414975

    Application sign-on policies for deleted apps prevented admins from disabling the last MFA factor in their org.

  • OKTA-602939

    The Admin role assignments report email wasn't translated.

  • OKTA-615453

    Some text strings were incorrect on the End-User Dashboard layout page.

Applications

Application Updates

  • The Rybbon app integration has been rebranded as BHN Rewards.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

  • Apono: For configuration information, see Okta SCIM.

SAML for the following Okta Verified applications

App Integration Fixes

The following SWA app was not working correctly and is now fixed:

  • BlueHost (OKTA-620224)

Weekly Updates

2023.07.1: Update 1 started deployment on August 1

Fixes

  • OKTA-599540

    HTTP replies to SP-initiated SAML requests contained two session IDs, which sometimes caused user sessions to expire unexpectedly.

  • OKTA-605041

    An unclear error message appeared when an admin created a role or resource set with a long name.

  • OKTA-611304

    In a Device Authorization flow, some text strings on the verification page weren't translated.

  • OKTA-612727

    The Admin Dashboard Tasks table displayed an incorrect number of provisioning-capable apps.

  • OKTA-612875

    After managerId was removed from the Salesforce schema in Okta, it couldn't be added again.

  • OKTA-613076

    In the Sign On tab of Office 365, the Okta MFA from Azure AD option appeared disabled. When the option was switched to edit mode, it was enabled.

  • OKTA-613394

    Users couldn't sign in with a PIV in an Org2Org flow.

  • OKTA-615441

    Some users couldn't sign in with Agentless Desktop Single Sign-on because routing rules were re-evaluated during the sign-on process.

  • OKTA-615457

    The Edit resources to a standard role page didn't display apps that had the same name.

  • OKTA-615728

    Some admins couldn't access the OIE Upgrade Hub.

  • OKTA-617528

    The auto-update schedules for the Active Directory and LDAP agents were incorrectly shown as up-to-date, even when a new version was released.

  • OKTA-617817

    Admins were sometimes unable to access the Admin Console from a custom domain.

  • OKTA-620153

    ACS URL validation failed for orgs that used SAML SSO with Okta-to-Okta IdP configurations and had subdomain names that weren't all lowercase characters.

  • OKTA-621284

    Admins with the Manage users permission couldn't create users with WS-Federation IdPs.

  • OKTA-622541

    In the Self-Service Unlock when Account is not Locked email template, the base URL variable wasn't replaced with the Okta tenant URL.

  • OKTA-626022

    Some Active Directory agents that had previously failed to auto-update were incorrectly marked as Queued for update, despite being updated to the latest version.

  • OKTA-627415

    On the Features page, the link to access the LDAP Agent Auto-update documentation was broken.

  • OKTA-628522

    RADIUS agent libraries contained internal security issues. Fixes require upgrading to agent version 2.19.0 and using Microsoft Edge as the browser.

Applications

Application Update

  • The OpenPath app integration has been rebranded as Avigilon Alta.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

2023.07.2: Update 2 started deployment on August 7

Generally Available

Sign-In Widget, version 7.8.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-604448

    Some text on the Groups page wasn't translated.

  • OKTA-620583

    On the Add Resource dialog, the list of search results was misaligned.

  • OKTA-620873

    Admins couldn't upload PEM-formatted certificates containing encrypted private keys for RADIUS apps.

  • OKTA-622783

    The initial expiresIn date for the Salesforce authentication token wasn't set from the API.

  • OKTA-626593

    Admins couldn't access the Create new resource set page directly from a URL.

  • OKTA-631303

    Admins couldn't access the Administrator assignment by role page. This occurred when a public client app with a custom client ID was assigned a standard admin role.

Applications

New Integrations

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

App Integration Fixes

The following SWA apps were not working correctly and are now fixed:

  • E-OSCAR (OKTA-624390)

  • UPS (OKTA-625886)

  • UPS CampusShip (OKTA-624286)

August 2023

2023.08.0: Monthly Production release began deployment on August 14

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Okta AD agent, version 3.16.0

When the executor.log and coordinator.log files exceed 5 MB in size, the contents roll over into executor.log.old and coordinator.log.old files.

Okta Active Directory Federation Services Plugin, version 1.7.13

Version 1.7.13 of the Okta Active Directory Federation Services (ADFS) Plugin is now available for download. It includes support for Microsoft Windows Server 2022 and includes bug fixes and security hardening. See Okta ADFS Plugin version history.

Integrate with any identity source

To get Okta's full HR-driven provisioning and LCM functionality for an HR integration, customers previously had to use one of five pre-integrated HR systems or build complex custom code with the Okta Users API to replicate some of Okta's LCM functionality for other identity sources.

With Anything-as-a-Source (XaaS), customers now have the flexibility to connect any identity source to Okta and realize the full benefits of HR-driven provisioning with a simpler solution. See Anything-as-a-Source.

Self-service upgrades to Identity Engine

Admins can now reschedule their self-service upgrades for as soon as two hours or up to 30 days in the future. See Upgrade to Okta Identity Engine.

Getting Started video for new orgs

The Getting Started page now displays an introductory video. The video provides a quick overview of the common tasks and functions for new orgs, and helps admins familiarize themselves with the Admin Console. See Get started with Okta.

API service integration client secret rotation in the Admin Console

New in this release is the ability to rotate client secrets for an API service integration through the Admin Console. Previously, if a customer wanted to update the client secret for an API service integration, they had to reinstall the integration to obtain a new client ID and secret. There was no option to revoke the client secret while maintaining the client ID and API service integration instance in Okta. With this new feature, customers can generate a new secret, deactivate an old secret, and remove a deactivated secret from the API service integration instance. These functionalities help customers implement security best practices without service downtime. See API Service Integrations.

New event types for User Auth Events

Two additional event types are now available under User Auth Events:

  • User's session was cleared
  • User's MFA factor was updated

New application lifecycle event hook

An event hook to deny user access due to a condition in an app sign-on policy is now available to admins. See Create an event hook.

Polling enhancements for Agentless DSSO

When the server is in SAFE_MODE, Agentless DSSO polling signs in a user if they are in ACTIVE state in Okta.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-575884

    The Okta Active Directory Federation Services (ADFS) Plugin wrote errors to the plugin log when users attempted to sign in.

  • OKTA-595086

    The display of the authorization server Access Policies page froze with large numbers of policies.

  • OKTA-610347

    Some orgs couldn't add more than 50 global session policies.

  • OKTA-617816

    After orgs upgraded to Identity Engine, the application name in OV Push disappeared.

  • OKTA-626699

    On the Administrator assignment by admin page, the Role dropdown list sometimes displayed duplicate admin roles.

  • OKTA-631752

    Adding some IdPs as Factor only caused errors.

Applications

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN:

SAML for the following Okta Verified applications

OIDC for the following Okta Verified applications

Weekly Updates

2023.08.1: Update 1 started deployment on August 22

Fixes

  • OKTA-619028

    Read-only admins received user reports of suspicious activity email notifications in error.

  • OKTA-632131

    OpenID Connect /token requests using the SAML 2.0 Assertion grant type flow failed if the SAML assertion expiry was greater than 30 days.

  • OKTA-632850

    Slack provisioning didn't automatically retry after exceeding rate limits.

  • OKTA-633585

    The on-demand auto-update banners for the Active Directory agent displayed updates in a random order.

  • OKTA-634923

    Users weren't present in the import queue after being unassigned from an app.

  • OKTA-635579

    When a super admin went to the Groups Admin Roles tab, the Edit group assignments button was mislabeled.

  • OKTA-636652

    The Administrators page wasn't translated to Japanese.

Applications

Application Update

  • Group push and group import are now available for the Smartsheet SCIM integration.

New Integrations

New SCIM Integration applications

The following partner-built provisioning integration apps are now Generally Available in the OIN Catalog:

SAML for the following Okta Verified applications:

OIDC for the following Okta Verified applications:

2023.08.2: Update 2 started deployment on August 28

Fixes

  • OKTA-601623

    When configuring an API Service Integration (either through the Admin Console or using APIs), admins could set a JWKS URL using HTTP instead of HTTPS.

  • OKTA-621253

    Email Change Confirmed Notification messages weren't sent if the audience was set to Admin only.

  • OKTA-627175

    Some tasks displayed a greater-than sign (>) instead of the date.

  • OKTA-630368

    RADIUS logs showed multiple, repetitious Invalid cookie header warning messages.

  • OKTA-634010

    Users who were locked out of Okta but not Active Directory could receive Okta Verify push prompts and sign in to Okta.

  • OKTA-639427

    When admins added a new user in Preview orgs, the Realm attribute appeared on the dialog.

Applications

New API Service Integration applications:

OIDC for the following Okta Verified applications:

2023.08.3: Update 3 started deployment on September 5

Fixes

  • OKTA-620655

    When an error occurred during Identity Engine upgrades, a Customer Config Required message appeared instead of an Okta Assistance Required message.

  • OKTA-641043

    Admins could select values from disabled dropdown menus.

Applications

Okta Verified applications:

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 1.16.0

This release includes:

  • Migration of the Windows installer from Internet Explorer to Edge.
  • Security enhancements.
  • Internal updates.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

This release doesn't have any Early Access features.

Fixes

  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org's app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-629774

    Some user import jobs failed to restart after interruption.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn't save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Uplimit.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

Weekly Updates

2023.09.1: Update 1 started deployment on September 25

Generally Available

Sign-In Widget, version 7.10.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Content security policy enforcement extended for custom domains

Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.

Enhanced Okta LDAP integrations with Universal Directory

Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.

Fixes

  • OKTA-595549

    IdP users were redirected to an unbranded sign-in page after SSO failure.

  • OKTA-614488

    Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.

  • OKTA-619163

    When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.

  • OKTA-627660

    Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.

  • OKTA-628227

    Some SAML-linked accounts in DocuSign couldn't use SWA.

  • OKTA-629263

    Email change confirmation notices came from an Okta test account rather than a brand-specific sender.

  • OKTA-637801

    Admins without permission to manage apps saw an Edit button for the app's VPN Notification settings.

  • OKTA-638911

    The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.

  • OKTA-639465

    The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.

  • OKTA-647842

    Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.
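The unquoted service path issue fixed in OKTA-639465 is a general Windows configuration weakness that defenders can audit for. The following is an added example, not Okta's code: it flags service ImagePath values that are unquoted and contain a space in the executable path, and proposes the quoted form. The service names, paths, and environment-variable map are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample data: service name -> ImagePath value, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Not real Okta paths.
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Update Service\updater.exe -k run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "ExampleNoSpaces": r"C:\Tools\agent.exe --service",
    "ExampleEnvVar": r"%ProgramFiles%\ExampleVendor\svc.exe",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

# Assumed expansions for variables commonly seen in ImagePath values.
DEFAULT_ENV = {"programfiles": r"C:\Program Files", "systemroot": r"C:\Windows"}

# Executable path = shortest prefix ending in a launchable extension that is
# followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


class Finding(NamedTuple):
    risky: bool                  # True when the path is unquoted and contains a space
    executable: Optional[str]    # executable path as written in ImagePath
    quoted_form: Optional[str]   # corrected ImagePath, only set when risky


def expand(path: str, env: Dict[str, str] = DEFAULT_ENV) -> str:
    """Expand %VAR% references so a space hidden behind a variable is visible."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_image_path(image_path: str) -> Finding:
    raw = image_path.strip()
    if raw.startswith('"'):
        # Already quoted: the executable is whatever sits between the quotes.
        end = raw.find('"', 1)
        return Finding(False, raw[1:end] if end != -1 else raw[1:], None)
    match = EXE_RE.match(raw)
    if not match:
        # Kernel drivers (.sys) and similar entries are not launched as a command line.
        return Finding(False, None, None)
    exe, args = match.group("path"), raw[match.end():]
    if " " not in expand(exe):
        return Finding(False, exe, None)
    # Unquoted and contains a space: the fix is to quote the executable path only.
    return Finding(True, exe, f'"{exe}"{args}')


def audit_services(services: Dict[str, str]) -> List[str]:
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(name for name, path in services.items() if audit_image_path(path).risky)


if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        print(name, "->", audit_image_path(SAMPLE_SERVICES[name]).quoted_form)
```
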

Okta Integration Network

App updates

  • The Amazon Business SAML app now has a configurable SAML issuer.
  • The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
  • Application profile and mapping has been updated for the Jostle SCIM app.
  • The mobile.dev SAML app has been rebranded as Maestro Cloud.

New Okta Verified app integrations

App integration fixes

  • American Express Online by Concur (OKTA-642832)

2023.09.2: Update 2 started deployment on October 9

Fixes

  • OKTA-619723

    When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn't access the Groups > Group page.

  • OKTA-623635

    Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.

  • OKTA-627862

    Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.

  • OKTA-633507

    The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.

  • OKTA-641112

    System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.

  • OKTA-643155

    If an org had configured Duo Security as an MFA factor and also a custom IdP factor named Duo Security, then the org couldn't be upgraded to Identity Engine.

  • OKTA-643204

    Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.

  • OKTA-643499

    Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.

Okta Integration Network

App updates

  • The Experience.com OIDC app now has additional redirect URIs.
  • The Planview Admin SAML app now has the Audience ID variable.

New Okta Verified app integrations

App integration fixes

  • Bloomberg (SWA) (OKTA-642380)
  • BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
  • Citi Velocity (SWA) (OKTA-637196)
  • SAP Concur Solutions (SWA) (OKTA-643965)

October 2023

2023.10.0: Monthly Production release began deployment on October 16

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

SharePoint People Picker, version 2.4.0.0

SharePoint People Picker 2.4.0.0 is now available for download. See Configure Okta SharePoint People Picker agent.

Custom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.

New custom admin role permission

Super admins can now assign View delegated flow permission to their custom admin roles. See Role permissions.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.
  • User App Access report: Lists which users can access an application and how access was granted.
  • User accounts report: Lists users with accounts in Okta and their profile information.

See Entitlements and Access Reports.

Sign-in requirements for new devices

Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.

IdP lifecycle event hooks

IdP lifecycle events are now eligible for use as event hooks. See Event Types.

Early Access Features

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

Fixes

  • OKTA-398711

    Text on the Administrator assignment by admin page was misaligned.

  • OKTA-575513

    Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.

  • OKTA-619175

    UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.

  • OKTA-619223

    Content was displayed incorrectly on the Change User Type page.

  • OKTA-620144

    For some users, logos for imported app groups didn't appear in the Admin Console.

  • OKTA-620771

    When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.

  • OKTA-621526

    The MFA Usage Report didn't display the correct PIV/Smart Card label.

  • OKTA-636864

    Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.

  • OKTA-639089

    When a user was moved from one AD domain to another, their original group app assignments were retained.

  • OKTA-642630

    Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.

  • OKTA-643148

    The Tasks page didn't indicate when each task was assigned.

  • OKTA-643598

    The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.

  • OKTA-649240

    Super admins couldn't edit the scoped resources that were assigned to an Application admin.

  • OKTA-650511

    Inconsistent AD agent version formatting appeared on the Agent Monitor page during on-demand auto updates.

  • OKTA-653189

    Admins couldn't reschedule their org's Identity Engine upgrade to 30 days from the current date.

  • OKTA-654506

    The writeback enhancement failed to push profile information to Workday when a user's profile was empty.

  • OKTA-655148

    The SAMLResponse field in the HTML response couldn't be retrieved for some clients.

Okta Integration Network

New Okta Verified app integrations

App integration fixes

  • 1Password Business (SWA) (OKTA-646676)
  • Canva (SWA) (OKTA-642049)
  • concur-solutions (SWA) (OKTA-649651)
  • Dice (SWA) (OKTA-645005)
  • mySE: My Schneider Electric (SWA) (OKTA-644927)
  • PagerDuty (SWA) (OKTA-643598)

Weekly Updates

2023.10.1: Update 1 started deployment on October 23

Generally Available

Sign-In Widget, version 7.11.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.
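A minimal sketch of the ASN binding described above, as an added example and not Okta's implementation: the session records the ASN at sign-in, each later request is checked against it, and a mismatch ends the session and writes a log entry. The prefix-to-ASN table (documentation address ranges, private-use ASNs), the event name, and the fail-closed handling of unknown ASNs are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed routing data: documentation prefixes mapped to private-use ASNs.
PREFIX_TO_ASN = [
    (ipaddress.ip_network("192.0.2.0/24"), 64512),
    (ipaddress.ip_network("198.51.100.0/24"), 64512),
    (ipaddress.ip_network("203.0.113.0/24"), 64513),
    (ipaddress.ip_network("203.0.113.128/25"), 64514),  # more specific route
]


def asn_for(ip: str) -> Optional[int]:
    """Longest-prefix match of an IP address against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_ASN:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


@dataclass
class AdminSession:
    user: str
    bound_asn: Optional[int]
    active: bool = True


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, AdminSession] = {}
        self.audit_log: List[dict] = []

    def sign_in(self, session_id: str, user: str, ip: str) -> None:
        # Bind the session to the ASN observed at sign-in.
        self.sessions[session_id] = AdminSession(user, asn_for(ip))

    def authorize(self, session_id: str, ip: str) -> bool:
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        current = asn_for(ip)
        # Assumption: fail closed when the ASN cannot be resolved.
        if current is None or current != session.bound_asn:
            session.active = False  # revocation is permanent for this session
            self.audit_log.append({
                "event": "example.admin_session.asn_changed",  # hypothetical event name
                "user": session.user,
                "old_asn": session.bound_asn,
                "new_asn": current,
                "ip": ip,
            })
            return False
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.sign_in("s1", "admin@example.com", "192.0.2.10")
    print(store.authorize("s1", "198.51.100.7"))   # different IP, same ASN
    print(store.authorize("s1", "203.0.113.200"))  # different ASN
    print(store.audit_log)
```

In this sketch an IP change inside the same ASN keeps the session alive, while a request from another ASN ends it, and the session stays ended even if later requests return from the original network.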

Fixes

  • OKTA-632174

    The Edit User Assignment page showed roles that had already been removed by an admin.

  • OKTA-636990

    If an admin attempted to cancel or retry the enrollment of the WebAuthn authenticator on behalf of a user, the page closed.

  • OKTA-638649

    Field validation didn't work for Trusted Origins URLs.

  • OKTA-642760

    Double-clicking the Save button on an app sign-on policy rule caused duplicate migrations when orgs upgraded to Identity Engine.

  • OKTA-644143

    Users who were added to a group through group assignments were displayed as manually assigned.

  • OKTA-648338

    The Zendesk app integration made API requests using the GET command instead of the POST command.

  • OKTA-653489

    Admins couldn't add custom default Salesforce attributes that had been deleted from the Profile Editor.

  • OKTA-655852

    The Okta sign-in flow returned an error for certain URLs.

Okta Integration Network

App updates

  • The Extracker app integration has been rebranded as Clearstory.
  • The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
  • The Mapiq app integration has a new logo.
  • The People Experience Hub app integration no longer has an Encryption Certificate field.
  • The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
  • The Tableau Online app integration has been rebranded as Tableau Cloud. The app has a new application profile, custom patch batch size, and website.

New Okta Verified app integrations

App integration fixes

  • Tableau Cloud (SCIM) (OKTA-625933)

2023.10.2: Update 2 started deployment on November 6

Generally Available

Sign-In Widget, version 7.11.3

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-457923

    The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.

  • OKTA-559609

    Email notifications for report downloads sometimes didn't refer to the report name correctly.

  • OKTA-568355

    When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.

  • OKTA-578997

    Read-only and helpdesk admins were incorrectly able to install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.

  • OKTA-586764

    On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.

  • OKTA-597530

    Admins couldn't delete authorization server clients on the Access Policies page.

  • OKTA-599823

    An answer to a security question could include parts of the question.

  • OKTA-612507

    Some errors weren't translated.

  • OKTA-626459

    When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.

  • OKTA-627678

    An error occurred when the postLogoutRedirectUris value in an OpenID Connect app was more than 65,535 characters.

  • OKTA-639311

    When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.

  • OKTA-643533

    The Default application for the Sign-In Widget setting was visible to orgs that hadn't enabled the feature.

  • OKTA-647442

    Sometimes, a search request would fail if it included a recently created user.

  • OKTA-651722

    Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.

  • OKTA-653019

    Base attributes of new Slack integrations weren't visible.

  • OKTA-654857

    Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.

  • OKTA-658729

    Admins sometimes couldn't reschedule their upgrade to Identity Engine if they had already rescheduled it to more than 30 days into the future.

Okta Integration Network

App updates

  • The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
  • The Fullview app integration has a new direct URI and a new initiate login URI.
  • The YesWeHack app integration has a new icon.

New Okta Verified app integrations

App integration fixes

  • Adobe (SWA) (OKTA-647811)
  • Algolia (SWA) (OKTA-654566)
  • American Express (Business) (SWA) (OKTA-649753)
  • Application Bank of America CashPro (SWA) (OKTA-648836)
  • i-Ready (SWA) (OKTA-644769)
  • IMDB Pro (SWA) (OKTA-653918)
  • MIT Technology Review (SWA) (OKTA-656622)
  • SuccessFactors (SWA) (OKTA-568355)
  • Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
  • Twilio (SWA) (OKTA-655486)

November 2023

2023.11.0: Monthly Production release began deployment on November 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Lockout Prevention

This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they've used before aren't locked out when unknown devices cause lockouts.

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.

See About FIPS-mode encryption.

Self-Service Okta Identity Engine Upgrades for all orgs

The self-service upgrade widget now appears on the Admin Dashboard for all Classic Engine orgs. The widget allows super admins to schedule their upgrade to Identity Engine. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine.

Custom email domain updates

The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.

Improved LDAP provisioning settings error message

During validation of LDAP provisioning settings, incorrect syntax now results in an error message, and the LDAP search query isn't sent.

Additional data to support debugging user authentication

When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.

Modified System Log event for Autonomous System Number (ASN) changes

When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.

OIN Manager notice

The integration estimated-verification-time notice has been updated in the OIN Manager.

Early Access Features

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

Fixes

  • OKTA-538785

    Sometimes users encountered an error when the Self-Service Registration flow made a request to the /tokens endpoint.

  • OKTA-566962

    Some text strings on the Okta Sign-on Policy page weren't translated.

  • OKTA-633313

    A user with a custom admin role couldn't create federated users due to misplaced permissions.

  • OKTA-633789

    When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.

  • OKTA-649095

    Some AD-sourced users received prompts to reset their password even when the AD password policy restricted password changes.

  • OKTA-649810

    The Add Resource dialog box sometimes displayed duplicate group names.

  • OKTA-653756

    When many apps were added to routing rules through the API, system performance was degraded.

  • OKTA-653873

    In some orgs, on-premises imports performed using the Okta Provisioning Agent ignored safeguard thresholds.

  • OKTA-664830

    Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.

  • OKTA-666396

    When the display language was set to Japanese, the Okta Sign-on Policy page displayed a translation error instead of the Everyone group name.

Okta Integration Network

App updates

  • The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
  • The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.

New Okta Verified app integrations

Weekly Updates

2023.11.1: Update 1 started deployment on December 4

Generally Available

Sign-In Widget, version 7.12.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

Fixes

  • OKTA-627327

    Admins couldn't upgrade to Identity Engine if the Embedded Application SSO Step-Up Authentication API feature was enabled.

  • OKTA-649293

    Users couldn't be assigned to Box using the Assign Box to People page.

  • OKTA-649788

    A tooltip was truncated on the API Tokens page.

  • OKTA-651979

    Some custom scopes weren't listed in the search box used for adding scopes to OIDC access policy rules.

  • OKTA-657130

    When admin translations were enabled, some users saw an error when they tried to access an app.

  • OKTA-657143

    The password expiration prompt wasn't shown to users signing in with the OIDC flow.

  • OKTA-658969

    Attributes defined in Okta for ServiceNow failed to sync by default.

  • OKTA-661982

    When an import failed for a user, unique attributes for that user were sometimes retained in Okta.

  • OKTA-662487

    The Session Management labels on the Global Session Policy rule page were confusing.

  • OKTA-663777

    In the Add Resource dialog box, admins couldn't search for apps with special characters.

  • OKTA-666323

    When an admin added a SAML app to an existing resource set, users who were assigned the resource set couldn't access the app.

  • OKTA-667106

    Sign-In Widget version 7.12.1 didn't work with Internet Explorer version 11 if the org had passwordless authentication enabled.

Okta Integration Network

New Okta Verified app integrations

December 2023

2023.12.0: Monthly Production release began deployment on December 11

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.0

This version of the agent contains:

  • Security enhancements.
  • Configurable fipsMode setting. Users can now enable or disable FIPS-supported encryption algorithms.

Note: To revert to an older version of the agent, Linux agent users must uninstall version 5.19.0 and then reinstall the older version. See Okta LDAP Agent version history.

Okta MFA Credential Provider for Windows, version 1.4.0

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

MFA enrollment by user report

Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.

Demonstrating Proof-of-Possession

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is a security feature that adds an extra layer of protection to OAuth 2.0 access tokens. It enables the client to demonstrate that it possesses a particular key or secret associated with the access token. OAuth 2.0 DPoP can help prevent certain attacks, such as token theft or token replay attacks, where an attacker intercepts a legitimate access token and uses it to gain unauthorized access to a protected resource. See Create OpenID Connect app integrations.

Responsive Admin Dashboard layout

When you resize the Admin Console to 600 x 751 pixels or smaller, the dashboard widgets now stack vertically instead of horizontally.

Improved Product Offers dashboard widget

The appearance and readability of the Product Offers dashboard widget have been improved to provide a better user experience.

Copy System Log events

A copy button is now available for each event listed in the System Log.

New attributes available for Smart Card username

Issuer and Serial Number attributes are now available when you configure the IdP username for the Smart Card Identity Provider.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-419477

    There was a typographical error on the Active Directory Import page.

  • OKTA-633914

    Active AD users who initiated self-service unlock were emailed recovery instructions instead of a message that their account was already unlocked.

  • OKTA-636211

    The footer message in User Activation email templates contained an inaccurate email link.

  • OKTA-642341

    During an SP-initiated sign-in flow, an interstitial page didn't appear in the browser's configured language.

  • OKTA-650686

    Memory cache errors sometimes occurred when admins performed imports on orgs with a large number of app assignments.

  • OKTA-655084

    Some AD provisioning events that failed were shown as successful in the System Log.

  • OKTA-657022

    Setting the group owner in Okta sometimes failed when the ManagedBy field from Active Directory was used.

  • OKTA-661574

    When an administrator signed in to the Okta Dashboard, and then attempted to access the Admin Console, they weren't prompted for MFA.

  • OKTA-661797

    When a user clicked an app tile on the Okta Dashboard, the Safari browser opened apps in a new window without user interface controls instead of a new tab.

  • OKTA-664847

    Application assignments sometimes failed in orgs that use custom admin roles.

  • OKTA-668354

    An incorrect warning appeared on the Administrator assignment page when a custom admin role was assigned with granular directory permissions and an Active Directory resource set.

  • OKTA-670388

    Admins sometimes couldn't modify app sign-on policy rules in Classic Engine orgs that were prepared for upgrade to Identity Engine.

Okta Integration Network

App updates

  • The BombBomb app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • Bank of America CashPro (SWA) (OKTA-668979)
  • Delta Dental (SWA) (OKTA-664057)
  • HelloFax (SWA) (OKTA-657466)
  • MacStadium (SWA) (OKTA-662973)
  • SendGrid (SWA) (OKTA-657094)
  • Team Gantt (SWA) (OKTA-663418)
  • Unity Ads (SWA) (OKTA-658284)
  • ZipCar (SWA) (OKTA-657448)
  • Zurich Adviser Portal (SWA) (OKTA-662671)

Weekly Updates

2023.12.1: Update 1 started deployment on December 18

Fixes

  • OKTA-607948

    Error messages were unclear when an LDAP query filter was invalid in Active Directory and LDAP integrations.

  • OKTA-640503

    Custom admins didn't receive email notifications when the LDAP and Active Directory agent was disconnected or reconnected.

  • OKTA-644010

    The System Log didn't log the time when the user was prompted for authenticator enrollment or verification.

  • OKTA-662134

    Resetting a user's security question using the API endpoint didn't generate a System Log entry.

  • OKTA-663793

    The System Log didn't capture a failed user authentication during LDAP delegated authentication.

  • OKTA-667475

    Updated custom schema values weren't imported from Google.

  • OKTA-668140

    Users sometimes received an error message when accessing the Profile Editor from the Admin Dashboard.

  • OKTA-669824

    When the display language was set to Polish, the Sign-In Widget wasn't translated properly.

  • OKTA-669999

    Some users weren't imported after being unassigned from a sourcing app.

Okta Integration Network

App updates

  • The Blameless app integration has updated endpoints.

New Okta Verified app integrations

2023.12.2: Update 2 started deployment on January 8

Generally Available

Admin Console session configuration

Admins can now set the session lifetime and idle time for Admin Console users independently of global session limits. This provides greater security control over the Admin Console.

See Configure Admin Console session lifetime.

Fixes

  • OKTA-621160

    Some inbound SSO flows failed when a default app was set for the Sign-In Widget.

  • OKTA-636560

    When using Okta Expression Language in Identity Engine, the group.profile.name key didn't return exact matches.

  • OKTA-646953

    Users couldn't sign in to URLs for custom domains.

  • OKTA-651667

    When retrying a batch update of Active Directory agents, agents that had already been updated were marked as updates in progress in the email notification.

  • OKTA-657959

    When assigning users to a group using group rules, the group rule evaluation timed out, and users who matched the attributes weren't added to the group.

  • OKTA-661907

    Some users on Android 6 devices were erroneously granted access to Okta-protected resources despite the authentication policy rule.

  • OKTA-663893

    Users without API access management enabled saw a Create Authorization Server banner on the API > Authorization Servers page.

  • OKTA-668142

    Third-party admin status couldn't be removed from an admin. This occurred when they belonged to a third-party admin group that no longer had admin privileges.

  • OKTA-672678

    Sometimes countdown messages weren't displayed when Admin Console sessions were close to expiring.

  • OKTA-675063

    RADIUS agent libraries contained internal security issues. Upgrade to version 2.20.0 to correct those issues.

  • OKTA-675938

    Google USB-C/NFC Titan Security Key (K52T) enrollment wasn't supported.

  • OKTA-679640

    Admins sometimes received an error when trying to access the Admin Console.

Okta Integration Network

App updates

  • The CodeSignal SAML app integration has a new description.
  • The HackerRank For Work SCIM app integration now supports user deactivation.
  • The Perimeter 81 SCIM app integration now supports group push.
  • The Symantec Secure Access Cloud app integration has been rebranded as Symantec ZTNA.
  • The WorkRamp app integration now supports EU locations.
  • The ZAMP OIDC app integration now has IdP-initiated support.

New Okta Verified app integrations