Okta Classic Engine release notes (2024)

Version: 2024.01.0

January 2024

Generally Available

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete
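
An added example (not Okta's code) of a triage pass over exported System Log events for the three event types listed above. The sample events are constructed, the approved-actor list is an assumption, and the field names used (eventType, published, actor.alternateId, outcome.result, client.ipAddress) are those of the System Log event JSON.

```python
import json

# Event types introduced in this release for IdP keystore operations.
IDP_KEY_EVENTS = {
    "system.idp.key.create",
    "system.idp.key.update",
    "system.idp.key.delete",
}

# Assumption: the accounts your org expects to manage IdP signing keys.
APPROVED_ACTORS = frozenset({"idp-admin@example.com"})

# Constructed sample events, trimmed to the fields this check reads.
SAMPLE_EVENTS = json.loads("""
[
  {"published": "2024-01-10T09:15:02.101Z",
   "eventType": "system.idp.key.create",
   "actor": {"alternateId": "idp-admin@example.com"},
   "outcome": {"result": "SUCCESS"},
   "client": {"ipAddress": "192.0.2.10"}},
  {"published": "2024-01-10T09:16:40.553Z",
   "eventType": "user.session.start",
   "actor": {"alternateId": "idp-admin@example.com"},
   "outcome": {"result": "SUCCESS"},
   "client": {"ipAddress": "192.0.2.10"}},
  {"published": "2024-01-11T02:44:58.870Z",
   "eventType": "system.idp.key.delete",
   "actor": {"alternateId": "helpdesk@example.com"},
   "outcome": {"result": "FAILURE"},
   "client": {"ipAddress": "198.51.100.7"}},
  {"published": "2024-01-11T02:41:17.009Z",
   "eventType": "system.idp.key.update",
   "actor": {"alternateId": "helpdesk@example.com"},
   "outcome": {"result": "SUCCESS"},
   "client": {"ipAddress": "198.51.100.7"}}
]
""")


def triage_idp_key_events(events, approved=APPROVED_ACTORS):
    """Return one finding per IdP keystore event, oldest first.

    Severity rules (assumptions for this example):
      info   - actor is on the approved list
      high   - actor is not approved and the change succeeded
      medium - actor is not approved and the attempt did not succeed
    """
    findings = []
    # ISO 8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        etype = ev.get("eventType")
        if etype not in IDP_KEY_EVENTS:
            continue
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        result = (ev.get("outcome") or {}).get("result", "UNKNOWN")
        if actor in approved:
            severity = "info"
        elif result == "SUCCESS":
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "time": ev.get("published"),
            "event": etype,
            "actor": actor,
            "result": result,
            "ip": (ev.get("client") or {}).get("ipAddress"),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage_idp_key_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:<6} {f['event']} "
              f"actor={f['actor']} result={f['result']} ip={f['ip']}")
```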

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}].

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

Weekly Updates

2024.01.1: Update 1 started deployment on January 22

Fixes

  • OKTA-626684

    The Security API menu and the Create token button didn't appear for some accounts with custom admin roles.

  • OKTA-638138

    In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.

  • OKTA-642351

    Group memberships from deleted apps still appeared in system logs.

  • OKTA-679051

    No event was recorded in the System Log when active AD users initiated self-service unlock.

  • OKTA-686546

    The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The Experience.com app integration now supports IdP-initiated flows.
  • The OneRange app integration has a new description.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

2024.01.2: Update 2 started deployment on February 5

Generally Available

Sign-In Widget, version 7.14.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

IP restrictions on tokens

Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.

Fixes

  • OKTA-637955

    In some cases, custom admins were able to view pushed groups that weren't assigned to them.

  • OKTA-639335

    When groups assigned to a deactivated app were removed from Okta, the groups remained assigned to the app.

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-653740

    Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.

  • OKTA-655791

    The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.

  • OKTA-658530

    Customized self-service account unlock email templates didn't display the UTC time zone for the {unlockAccountTokenExpirationDate} attribute.

  • OKTA-664370

    Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.

  • OKTA-665347

    When an admin used the API to expire a user's password, no System Log event was generated.

  • OKTA-665377

    Some authenticator actions done using the API didn't appear in the System Log.

  • OKTA-665903

    In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.

  • OKTA-667063

    Affected entity wasn't included in the System Log when temporary access was granted using the Support User.

  • OKTA-674218

    System Log events for access token and ID token grants didn't include user attributes.

  • OKTA-679556

    Group Push of large groups from Okta sometimes failed to push all members to downstream apps.

  • OKTA-679914

    After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.

  • OKTA-684369

    Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.

  • OKTA-686081

    Some users weren't imported after being unassigned from a sourcing app.

  • OKTA-686801

    Some Salesforce provisioning jobs entered a buffered state and didn't run.

  • OKTA-687812

    An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.

  • OKTA-687814

    An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.

  • OKTA-688020

    In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.

Okta Integration Network

App updates

  • The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
  • The Flow of Work Co app integration has been rebranded as GoFIGR.
  • The OpsLevel app integration now has the group push, import users, and import groups functions.
  • The Saltalk app integration has been rebranded as WeBox.

New Okta Verified app integrations

App integration fixes

  • FaxSIPit (SWA) (OKTA-655845)
  • My Eaton (SWA) (OKTA-670410)

Version: 2024.02.0

February 2024

Generally Available

Sign-In Widget, version 7.15.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.1

This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.

Okta Active Directory agent, version 3.16.1

This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.

Okta MFA Credential Provider for Windows, version 1.4.2

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Seamless ISV experience

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

DPoP support for Okta management API

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.

Updated translations

Translations for password policy UI have been updated.

Reports field update

The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.

Dynamic user schema discovery now available

Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.

OIN connector support for Entitlement Management

The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

App integration tile now available for Okta Workflows

Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.

Early Access Features

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.

Fixes

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-668324

    Email notifications that were sent when a password was reset by Okta Support didn't include Support information.

  • OKTA-669735

    When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group’s membership.

  • OKTA-678489

    Voice call to some destinations didn't work when a 7 digit phone number with a 3 digit extension was entered.

  • OKTA-680483

    The self-service registration form accepted invalid input for the first and last name fields.

  • OKTA-681083

    Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.

  • OKTA-681654

    The option to add a custom email domain was unavailable on the default Okta brand page.

  • OKTA-682202

    If an admin’s role had a conditioned permission, they couldn’t assign apps to users.

  • OKTA-688501

    Users weren't redirected to the Okta Sign-In Widget for custom domain URLs that ended with okta.com.

  • OKTA-690143

    Unicode characters deemed illegal for HTTP headers were being accepted.

Okta Integration Network

App updates

  • The Elba SSO app integration has new redirect URIs.
  • The Ermetic app integration has been rebranded as Tenable Cloud Security.
  • The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.

New Okta Verified app integrations

Weekly Updates

2024.02.1: Update 1 started deployment on February 20

Generally Available

Redesigned resource set pages

The Create new resource set and Edit resource set pages that are displayed when an admin creates or edits a resource set now provide a simpler, more intuitive user experience. See Create a resource set. This feature is being re-released.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role. This feature is being re-released.

HTTP header filter

To improve the security of your org, Okta now filters and encodes any illegal Unicode characters for outgoing HTTP headers.

Fixes

  • OKTA-597892

    In orgs configured to perform batch imports for all apps, small batch sizes resulted in slower than expected imports.

  • OKTA-673389

    String attributes couldn't be set to an empty string.

  • OKTA-682104

    Org2Org group push reset custom attributes to undefined.

  • OKTA-686922

    An error occurred when admins deleted inactive Microsoft Office 365 app instances that were configured to use manual federation.

  • OKTA-688938

    Admins whose custom role contained the Manage customizations permission couldn't preview email templates.

  • OKTA-690143

    Illegal Unicode characters were accepted for HTTP headers.

  • OKTA-695783

    Users couldn't enter a period (.) in their first or last name during self-service registration.

  • OKTA-698353

    Admins couldn't enable the Prevent new single-factor access to the Admin Console feature.

Okta Integration Network

New Okta Verified app integrations

2024.02.2: Update 2 started deployment on February 26

Generally Available

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.

Fixes

  • OKTA-491520

    The Edit Filters dialog of the MFA Enrollment by User report didn't support the is set and is not set operators for the Authenticator type field.

  • OKTA-656265

    Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error, instead of an appropriate error.

  • OKTA-663294

    The issuer mode appeared blank on authorization servers when it was set to Custom URL.

  • OKTA-679870

    Some preview org admins saw error messages while authenticating, or saw org pages with no menu items.

  • OKTA-679978

    Content Delivery Network (CDN) resources related to the Sign-In Widget didn't serve the Subresource Integrity (SRI) attributes.

  • OKTA-683026

    Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment.

  • OKTA-686636

    Admins couldn't automatically provision users to the Cornerstone OnDemand app.

  • OKTA-687439

    The MFA Enrollment by User report displayed Group names instead of Groups in the Edit Filters dialog and in the Users table.

Okta Integration Network

App updates

  • The Recurly app integration now has group push functionality.

New Okta Verified app integrations

Version: 2024.03.0

March 2024

Generally Available

Okta LDAP agent, version 5.20.0

This version of the agent includes the following:

  • Fixed an LDAP query used by the agent for retrieving group memberships using range attributes.

  • The Okta LDAP Agent service now automatically starts on boot for Red Hat and CentOS platforms.

  • Fixed an issue where some customers experienced slower than expected queries during LDAP authentication.

  • Security enhancements.

See Okta LDAP Agent version history.

Okta Hyperdrive agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperdrive agent version history.

Okta Hyperspace agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperspace Agent Version History.

Okta AD agent, version 3.17.0

This version includes fixes for signing executable and DLL files that come with the Active Directory agent. See Okta Active Directory agent version history.

Enhanced Disaster Recovery

This feature enables commercial customers in the North America region (excluding Compliance cells) to recover faster in the event of a disaster or regional outage. See Overview of enhanced disaster recovery.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Admin sessions bound to IP address

The Security > General > Organization Security page has a new IP binding for admin console setting that's enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.

Verify Zoom users with Okta

Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

Improved password reset process for Active Directory-sourced users

The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.

Unknown devices detection using fingerprint

Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.

See Configure a password policy.

New requirement for email customizations

To prevent phishing attacks, Okta now requires orgs to have a custom domain to send customized emails. All customized emails currently sent from the Okta domain are disabled, and orgs that use the Okta domain can send default email templates only. This feature is currently enabled by default for new orgs only.

Enhanced System Log Event

The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.

Styling change for Brands pages

The Customizations > Brands section of the Admin Console now uses Odyssey UI components. There's no change to functionality, but some of the styling is different.

AAL values for Login.gov IdP

The Login.gov IdP configuration has been updated to include all allowed AAL values. See Create an Identity Provider in Okta.

New System Log information for password policy changes

System Log entries for password policy changes now display the policy settings before and after the update was made.

Improved System Log map view

The System Log map view now includes a reset button and left and right bounds on the zoom function.

New System Log information for MFA enrollment policy changes

System Log entries for MFA enrollment policy changes now display the policy settings before and after the update was made.

IP binding for Admin Console setting

The Security > General > Organization Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.

Additional operator for date filter

The date filter is now standardized across all reports and includes the in range operator.

Early Access

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.

Fixes

  • Sometimes group membership changes in a downstream app weren't reflected upon source app assignment in Okta. (OKTA-647132)

  • When users clicked the X in the upper-right corner of the Edit User Assignment page, the page wasn't restored to the default User Assignment view. (OKTA-651313)

  • The MFA Usage report sometimes displayed L10N_ERROR instead of the MFA factor. (OKTA-658326)

  • Office 365 user licenses were randomly removed. (OKTA-665130)

  • Importing large group membership data failed for orgs using ranged queries. (OKTA-672521)

  • The Jira On-Premises app authenticator didn't include a relay state parameter. (OKTA-673058)

  • On the Tasks page, the user search didn't return any results for deactivated users. (OKTA-677822)

  • Google licenses were missing from the Universal Directory profile. (OKTA-684513)

  • During LDAP authentication, orgs with large customer databases experienced slower-than-expected queries. (OKTA-686417)

  • Some links on the Admin Dashboard to Okta Documentation didn't work. (OKTA-693031)

  • Read-only admins could modify the IP restrictions of other users' tokens. (OKTA-700117)

  • Some text was truncated on the Recent Activity page. (OKTA-700858)

  • The policy list warning for protecting admin apps with MFA was not showing when certain policy rule configurations were applied. (OKTA-702122)

  • An inline hook secured by an OAuth 2.0 token that had no expiry value returned an HTTP 400 Bad Request error. (OKTA-702184)

  • The Cornerstone REST API rate limit wasn't honored. (OKTA-702729)

Okta Integration Network

  • Acronis Cyber Cloud (SCIM) has a new authorize endpoint, display name, SAML attribute, and icon.
  • Dashworks (OIDC) has a new integration guide. Learn more.
  • Dashworks (SCIM) has a new integration guide. Learn more.
  • Modal (SAML) is now available. Learn more.
  • NexHealth (SAML) has a new description and an additional SAML attribute.
  • Onyxia (SAML) is now available. Learn more.
  • Paved (OIDC) is now available. Learn more.
  • Reftab Discovery (API service) is now available. Learn more.
  • Resonance by spiderSilk (SAML) is now available. Learn more.
  • Semana (SAML) is now available. Learn more.
  • SpotDraft (SAML) is now available. Learn more.
  • Vansec (SCIM) is now available. Learn more.

Weekly Updates

2024.03.1: Update 1 started deployment on March 18

Fixes

  • The timeout warning for the End-User Dashboard displayed the remaining session time incorrectly. (OKTA-688731)

  • Admins couldn't edit a resource set if it was included in a deleted delegated flow. (OKTA-692981)

  • Custom admins with the Manage application settings permission could trigger privilege escalation. (OKTA-693765)

  • Admins couldn't create multiple group rules at the same time. (OKTA-702040)

  • Group and read-only admins could manage API tokens for other admins. (OKTA-702918)

  • The help link on the Settings > Features > Open betas page was incorrect. (OKTA-704223)

  • The MFA Enrollment form didn't contain a filter value for smart card authenticators. (OKTA-704634)

  • Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)

  • Admins were unable to save sign-in page settings for the default brand when using the third-generation widget. (OKTA-712531)

Okta Integration Network

  • Adzact (OIDC) is now available. Learn more.
  • Andromeda Security (SAML) is now available. Learn more.
  • Backpac (SCIM) is now available. Learn more.
  • Brivo Identity Connector (EU) (SCIM) is now available. Learn more.
  • CardioCard (SAML) is now available. Learn more.
  • Coda (SAML) has a new integration guide and tenant ID label.
  • Coda (SCIM) has a new integration guide.
  • EasyLlama (SCIM) is now available. Learn more.
  • Flockjay (SAML) is now available. Learn more.
  • Indeed (SWA) was updated.
  • Island (SCIM) has an updated profile and field mappings.
  • Lasso Security (SAML) is now available. Learn more.
  • LeaveWizard (SAML) is now available. Learn more.
  • LeaveWizard (SCIM) is now available. Learn more.
  • NewZapp (OIDC) is now available. Learn more.
  • NexHealth (SAML) has an additional SAML attribute.
  • Office Depot (SWA) was updated.
  • Payflows (SAML) has an additional SAML attribute.
  • QReserve (SAML) has a new logo and integration guide.
  • Rotate (API service) is now available. Learn more.
  • SAP Concur Solutions (SWA) was updated.
  • Sauce Labs (SAML) is now available. Learn more.
  • senhasegura (SAML) is now available. Learn more.
  • Skippr OIDC for Organizations (SCIM) is now available. Learn more.
  • Spline (OIDC) is now available. Learn more.
  • Summize (OIDC) has a new redirect URI.
  • Summize (SCIM) is now available. Learn more.
  • Synqly Identity Connector (API service) is now available. Learn more.
  • Tamnoon (SAML) has a new logo.
  • Truckstop.com (SWA) was updated.
  • Whimsical (SAML) has a new logo and integration guide.

2024.03.2: Update 2 started deployment on April 1

Fixes

  • Timeouts occurred when fetching Workday prehires in large batches. (OKTA-497101)

  • User permission options were displayed for attributes created in an App User Profile. (OKTA-667672)

  • The Edit Rule page for sign-on policies sometimes displayed undefined instead of an Identity Provider name. (OKTA-672874)

  • Some preview org admins saw error messages while authenticating, or saw End-User Dashboard pages with no menu items. (OKTA-679870)

  • An error occurred when an end user reset a factor nickname and left the name field empty in the End-User Dashboard. (OKTA-682875)

  • Users couldn't authenticate with Sign in with Okta FastPass when both a SAML Identity Provider (IdP) and SmartCard IdP were configured. (OKTA-688559)

  • No System Log entries were created for certain app users when they were assigned a status. (OKTA-690968)

  • Some network zone UI elements on the Create token page weren't rendered correctly. (OKTA-693688)

  • Users couldn't enroll in Okta Verify using a custom domain on Android devices. (OKTA-698916)

  • Client rate limiting configurations for the /login/login.htm endpoint were displayed incorrectly in the Rate Limit dashboard and were in an inconsistent state for some orgs. (OKTA-699914)

  • Some users encountered error messages when they tried to enroll FIDO2 security keys, Okta Verify, and the phone authenticator. (OKTA-700625)

  • A warning didn't appear when admins disallowed authentication methods that were required for phishing-resistant and hardware-protected authentication policies. (OKTA-700986)

  • Some deactivated admins continued to receive email notifications. (OKTA-702015)

  • The Japanese version of Reports used an inappropriate date selector format. (OKTA-702599)

  • In orgs that used granular authentication, users sometimes saw an error message at the inline enrollment prompt if User Verification was required and Security Question was allowed for authentication. (OKTA-702971)

  • Users received an error when trying to enroll the phone authenticator from the end user settings page. (OKTA-703248)

  • Regular expressions couldn't be used to define Allowed DB Groups for Amazon Redshift, which prevented large lists of groups from being defined. Select Use RegEx in Allowed DB Groups (Redshift) to use regular expressions when defining allowed groups. (OKTA-703940)

  • Realm searches started from the current page of results rather than the beginning of all results. (OKTA-704314)

  • When some orgs tried to publish changes to their customized sign-in page, all previous customizations were lost and it was restored to the default version. (OKTA-704885)

  • Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment. (OKTA-705078)

  • Reactivation of the Profile Enrollment feature resulted in duplicate UI elements. (OKTA-706021)

  • Users were assigned a random role defined in Zendesk when custom role values were mapped to Zendesk users assigned No Custom Role in Okta. (OKTA-706468)

  • The Security Question warning didn't apply to passwordless multifactor authentication. (OKTA-706505)

  • When no agents were connected during scheduled incremental imports, an incremental to full import conversion event was incorrectly logged. (OKTA-706698)

  • The system selected outdated profile sources during the user creation process. (OKTA-709538)

  • In organizations with Realms enabled, custom admins with the Edit users' profile attributes permission also required the Manage users permission to update a user's profile. (OKTA-709725)

  • Some users could change their username on the Personal information page. (OKTA-711450)

  • The Settings page appeared blank for some users. (OKTA-711495)

Okta Integration Network

  • Akitra (OIDC) is now available. Learn more.
  • Cisco Identity Intelligence - Read-Only Management (API service) is now available. Learn more.
  • Cloud Auth (API service) is now available. Learn more.
  • Cloud Auth (OIDC) is now available. Learn more.
  • Covey (OIDC) is now available. Learn more.
  • CrashPlan (SAML) has a new integration guide. Learn more.
  • DeleteMe (SCIM) is now available. Learn more.
  • Growrk (SAML) is now available. Learn more.
  • incentX (OIDC) is now available. Learn more.
  • Infor EAM (SWA) was updated (OKTA-710635).
  • Jurnee (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • Loop & Tie (OIDC) is now available. Learn more.
  • Mailosaur (OIDC) is now available. Learn more.
  • Mailosaur (SAML) has a new integration guide. Learn more.
  • Mailosaur (SCIM) is now available. Learn more.
  • Mangopay (OIDC) is now available. Learn more.
  • Morgan Stanley at Work - Administrator (SAML) is now available. Learn more.
  • Mula Shops (OIDC) is now available. Learn more.
  • NetActuate Portal (SAML) is now available. Learn more.
  • Nudge Security (OIDC) is now available. Learn more.
  • Ordergroove (OIDC) is now available. Learn more.
  • PromoJukeBox (OIDC) is now available. Learn more.
  • Reco (API service) is now available. Learn more.
  • Salto Okta Adapter OAuth (OIDC) is now available. Learn more.
  • Schwab Advisors (SWA) was updated (OKTA-699789).
  • Secure Code Warrior (SCIM) is now available. Learn more.
  • Sirius XM (SWA) was updated (OKTA-693279).
  • SpotDraft (SCIM) is now available. Learn more.
  • Square 9 GlobalSearch (OIDC) is now available. Learn more.
  • Square 9 GlobalSearch (SCIM) is now available. Learn more.
  • Tabular (OIDC) is now available. Learn more.
  • WorkWhile (OIDC) is now available. Learn more.
  • Zscaler (OIDC) is now available. Learn more.
  • Zscaler (SCIM) is now available. Learn more.

Version: 2024.04.0

April 2024

Generally Available

Okta MFA Provider for ADFS, version 1.8.0

This release includes vulnerability fixes and a .NET Framework version upgrade.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they’ve opened. See Role permissions.

Okta Usage report enhancements

The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.

Customize Okta to use the telecommunications provider of your choice

While Okta provides out-of-the-box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.

The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This lets customers keep using their existing telephony solution within Okta, whether because of the time they've already invested in it, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Connect to an external telephony service provider.

New maximum number of connected AWS accounts

Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.

Improved date filter display in reports

The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.

Improved Admin Dashboard and Administrators page

The appearance of several UI components (like buttons and dropdown menus) has been improved across the Admin Dashboard and the Administrators page.

Updated documentation links

Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.

End-User Dashboard and unsupported browsers

The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.

End-User Dashboard branding and accessibility enhancements

The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.

New target added to a System Log event

A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.

Authentication context System Log event

The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.

New DSSO user impersonation System Log event

A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.

Early Access

This release doesn't have any Early Access features.

Fixes

  • Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)

  • Admins could delete active network zones. (OKTA-691904)

  • No GovSlack attributes appeared for new app instances. (OKTA-693162)

  • Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)

  • When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)

  • When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)

  • App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)

Okta Integration Network

  • Alohi (SAML) is now available. Learn more.
  • Alohi (SCIM) is now available. Learn more.
  • Better Stack (SAML) has a new logo.
  • Candor (OIDC) is now available. Learn more.
  • FAX.PLUS (SAML) has a new logo, description, and display name.
  • Humi (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • UMA (OIDC) is now available. Learn more.

Weekly Updates

2024.04.1: Update 1 started deployment on April 15

Fixes

  • HTML was visible in some usernames in the Authenticator enrolled notification email. (OKTA-674629)

  • In the Okta Usage report, the date picker was in an incorrect date format for the US English language and the earliest possible date couldn't be selected. (OKTA-688574)

Okta Integration Network

  • Reddit (SWA) was updated (OKTA-711282).
  • RICOH Smart Integration (SAML) is now available. Learn more.
  • Schwab Advisors (SWA) was updated (OKTA-710955).
  • ShareThis (SWA) was updated (OKTA-709444).
  • Torii (Read) (API service) is now available. Learn more.
  • Torii (Read and Take action) is now available. Learn more.
  • UMR (SWA) was updated (OKTA-629864).
  • US Bank - Pivot (SWA) was updated (OKTA-710409).
  • Var Street (SWA) was updated (OKTA-693696).
  • Zerotek Lab (SAML) is now available. Learn more.

2024.04.2: Update 2 started deployment on April 22

Generally Available

Referrer-Policy HTTP header sends default value

The Referrer-Policy HTTP response header controls how much referrer information is included with requests. Okta currently doesn't send the Referrer-Policy response header, so browsers apply their current default value, strict-origin-when-cross-origin. With this change, Okta will send the Referrer-Policy response header explicitly, with the default value of strict-origin-when-cross-origin. This feature will be gradually made available to all orgs.
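What strict-origin-when-cross-origin means for the Referer header a browser sends, as an added example that is not Okta's code. It is a simplified model of the browser's decision: the function name `referrerFor` and all URLs are constructed for illustration, and only `https:` is treated as a trustworthy scheme.

```javascript
// Added example: models the Referer value a browser sends under
// Referrer-Policy: strict-origin-when-cross-origin.
// Assumption: only https: counts as "potentially trustworthy" here;
// real browsers also treat a few other cases (e.g. localhost) that way.

function referrerFor(fromUrl, toUrl) {
  const from = new URL(fromUrl); // page that issues the request
  const to = new URL(toUrl);     // resource being requested

  // Pages on non-http(s) schemes send no referrer.
  if (!/^https?:$/.test(from.protocol)) return null;

  // Same origin: the full URL is sent, minus credentials and fragment.
  if (from.origin === to.origin) {
    from.username = "";
    from.password = "";
    from.hash = "";
    return from.href;
  }

  // "strict": an HTTPS page never reveals anything to a plain-HTTP target.
  if (from.protocol === "https:" && to.protocol !== "https:") return null;

  // Cross-origin: only the origin is sent, so path and query stay private.
  return from.origin + "/";
}

// Constructed sample: a sign-in page whose query string carries state.
const page = "https://login.example.com/signin?state=abc123#mfa";

const cases = {
  sameOrigin: referrerFor(page, "https://login.example.com/assets/app.js"),
  crossOrigin: referrerFor(page, "https://cdn.example.net/logo.png"),
  downgrade: referrerFor(page, "http://legacy.example.org/pixel.gif"),
};

console.log(cases);
```

The cross-origin case is the one that matters for sign-in pages: third-party hosts see only the origin, never the query string.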

Fixes

  • User.session.start events didn't appear in the System Log. (OKTA-713292)

  • Deactivation of a user from one Office 365 app instance led to the revocation of their license despite being actively assigned to another Office 365 app instance. This fix also resolves the issue where licenses weren't removed for assigned users in a Matched or Suspended state. (OKTA-718565)

Okta Integration Network

  • Backrightup (OIDC) is now available. Learn more.
  • Calendly (SWA) was updated (OKTA-713087).
  • Carbon Voice (OIDC) is now available. Learn more.
  • Carbon Voice (SCIM) is now available. Learn more.
  • Cisco Identity Intelligence (API service) now has the okta.roles.read and okta.schemas.read scopes.
  • Cloud Auth (API service) has a new integration guide.
  • Cloud Auth (OIDC) has a new integration guide.
  • Command Zero (API service) has a new integration guide.
  • Costco (SWA) was updated (OKTA-711710).
  • Hellotracks (OIDC) is now available. Learn more.
  • Hellotracks (SCIM) is now available. Learn more.
  • KaseyaOne (SAML) is now available. Learn more.
  • NetBird (OIDC) is now available. Learn more.
  • NetBird (SCIM) is now available. Learn more.
  • Omni Analytics (SCIM) is now available. Learn more.
  • The Training Arcade (SAML) is now available. Learn more.
  • Trova (SCIM) is now available. Learn more.
  • Truckstop.com (SWA) was updated (OKTA-709674).
  • Zscaler 2.0 (SAML) has a new display name, logo, and integration guide.

2024.04.3: Update 3 started deployment on May 6

Fixes

  • Okta Verify sometimes displayed the incorrect location when end users opened their app to approve a push notification. (OKTA-586788)

  • The Previous and Next buttons in the calendar picker weren't localized. (OKTA-658412)

  • The Sign-In Widget didn't render correctly if the Multiple Okta Verify Enrollment feature was enabled along with Factor Sequencing. (OKTA-680494)

  • Some System Log events for sign-in failures appeared in the end user's language instead of English. (OKTA-691118)

  • Admins couldn't edit or update the custom header value for the Telephony Inline Hook. (OKTA-694113)

  • Users were presented with a Page Not Found error when accessing Confluence On-Prem using IdP-initiated or SP-initiated flows. If you encounter this issue after updating Confluence On-Prem, contact Okta Support. (OKTA-704334)

  • Users couldn't register if their password contained part of their username. (OKTA-705109)

  • An unhelpful error message appeared when an admin attempted to push a nonexistent group or a group that was already pushed. (OKTA-711537)

  • User matching within the Smart Card IDP configuration didn't include the idpuser.issuerSnReverseByteOrder value in the IdP username dropdown list. (OKTA-720770)

Okta Integration Network

  • Contentstack (SCIM) is now available. Learn more.
  • Kunzapp (API service) is now available. Learn more.
  • NordLayer (OIDC) is now available. Learn more.
  • NordLayer (SCIM) is now available. Learn more.
  • Run by ADP (SWA) was updated (OKTA-719562).
  • SCIM 2.0 Test App (Basic Auth) now has SWA and SAML functionality.
  • United Health Care Member Login (SWA) was updated (OKTA-718468).