Okta Classic Engine release notes (Early Access)

Currently in Production

June 2024

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app’s profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user’s access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Workspace ONE Device Trust orgs using Classic Engine can now migrate to Identity Engine

Admins can now migrate their existing Workspace ONE Device Trust configurations to Identity Engine. This feature unblocks Classic Engine tenant migrations by allowing both the existing admin configuration and the end-user authentication flows to be migrated when previously integrated with our Workspace ONE Device Trust feature. See Migrate Workspace ONE SAML-based mobile device trust.

May 2024

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console.

April 2024

This release doesn't have any Early Access features.

March 2024

Realms for Workforce

Realms allows you to unlock greater flexibility in managing and delegating management of your distinct user populations within a single Okta org. See Manage realms.

Google Workspace 1-click federation

Admins can set up SSO to Google Workspace using a simplified integration experience that saves time and reduces the risk of errors.

New HealthInsight task

HealthInsight now includes a recommendation to apply MFA for access to the Admin Console.

February 2024

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.

Network zone allowlists for SSWS API tokens

Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from where Okta API requests using SSWS API tokens can be made. This restricts attackers and malware from stealing SSWS tokens and replaying them outside of the specified IP range to gain unauthorized access.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.

November 2023

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.

October 2023

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.

September 2023

This release doesn't have any Early Access features.

July 2023

Admin Console Japanese translation

When you set your display language to Japanese, the Admin Console is now translated. See Supported display languages.

June 2023

This release doesn't have any Early Access features.

May 2023

Event hook filters

You can now filter individual events of the same event type based on custom business logic hosted in Okta. These filters reduce the amount of events that trigger hooks, removing an unnecessary load on your external service.

This feature includes an improved creation workflow for event hooks and a new Filters tab that you can use to create event filters with direct Expression Language statements or with a simple UI format.

Using event hook filters significantly reduces the amount of event hook requests and the need for custom code on your respective services. See Edit an event hook filter.

April 2023

Import users to Office 365 using Microsoft Graph API

This feature allows Okta to process imports using the Microsoft Graph API. This background process doesn’t change existing procedures and makes imports more scalable, supporting Microsoft 365 tenants with larger numbers of users, groups, and group memberships. See Import users to Office 365 using Microsoft Graph API.

January 2023

AWS region support for EventBridge Log Streaming

EventBridge Log Streaming now supports all commercial AWS regions.

November 2022

Log Stream event structure update

For consistency the report structure for Log Stream events is now the same as that for System Log events. The following fields are changed and might need updating for any monitoring scripts in use:

Under devices, osPlatform is now platform.
The ipChain array is now correctly nested under request instead of client.
The extraneous field insertionTimestamp is removed.

October 2022

Passkey Management

Apple passkeys may be synchronized across multiple devices, including on unmanaged ones, and stored in Apple’s data centers. This may impact organizations whose security policies require that credentials never leave the device, or that only managed devices be allowed to connect. Okta now allows admins to block the enrollment of passkeys in their orgs. With the new Passkey Management feature, customers can ensure that security policies continue to be enforced, and potentially compromised devices can be kept from connecting. Existing passkey enrollments aren’t affected by turning this feature on.

New column for the User app access report

The User app access report now includes the Recently Accessed column. This allows you to view when the user accessed the app in the last 90 days.

September 2022

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

July 2022

This release doesn't have any Early Access features.

June 2022

Run delegated flows from the Admin Console

With delegated flows, admins can be assigned the ability to run Okta Workflows directly from the Admin Console. Flows that are delegated to an admin appear on the Delegated Flows page where they can be invoked without signing in to the Workflows Console. This gives super admins more granular control over their admin assignments. See Delegated flows.

May 2022

New permissions for custom admin roles

Super admins can now assign these new permissions to their custom admin roles:

Manage authorization server
View authorization server
Manage customizations
View customizations

The authorization server permissions can be scoped to all or to a subset of the org’s authorization servers. With these new permissions, super admins can now create custom admin roles with more granular permissions for managing their org’s customizations and authorization servers. See Role permissions.

April 2022

This release doesn't have any Early Access features.

March 2022

Automatically update public keys in the Admin Console

Using private_key_jwt as your app's client authentication method requires that you upload public keys to Okta and then use the private keys to sign the assertion. Then, you must update the client configuration each time you rotate the key pairs. This is time-consuming and error-prone. To seamlessly use key pairs and rotate them frequently, you can now configure private_key_jwt client authentication in the Admin Console for OAuth clients by specifying the URI where you store your public keys. See Manage secrets and keys for OIDC apps.

Incremental Imports for the Org2Org app

Okta now supports incremental imports for the Org2Org app. Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import. See Okta Org2Org.

February 2022

Additional Okta username formats for LDAP-sourced users

Three additional Okta username formats are now available for LDAP-sourced users. In addition to the existing options, admins can now select Employee Number, Common Name, and Choose from schema to form the Okta username. These new options allow admins to use both delegated authentication and Just-In-Time (JIT) provisioning with LDAP directory services. With these new provisioning options, it is now easier for admins to integrate their LDAP servers with Okta. See Configure LDAP integration settings.

Okta Epic Hyperspace agent, version 1.3.2

This EA version of the agent contains security enhancements. See Okta Hyperspace Agent Version History.

November 2021

Manage email notifications for custom admin roles

Super admins can configure the system notifications and Okta communications for custom admin roles. Configuring the email notifications helps ensure admins receive all of the communications that are relevant to their role. See Configure email notifications for an admin role.

August 2021

Third-Party Risk

Okta Risk Eco-System API / Third-Party Risk enables security teams to integrate IP-based risk signals to analyze and orchestrate risk-based access using the authentication layer. Practitioners can step up, reduce friction or block the user based on risk signals across the customer’s security stack. Apart from improving security efficacy, this feature also enhances the user experience by reducing friction for good users based on positive user signals. See Risk scoring.

February 2021

Enhanced Admin Console search

Admins can now search for end user email addresses in the Spotlight Search field in the Admin Console. You can also view the user's status in the search results when you search by username and email address. This robust global search helps you find what you need in the Admin Console quickly, thereby, saving time and increasing productivity. See Admin Console search.

January 2021

Workplace by Facebook Push AD Manager functionality

Admins can choose to disable Push AD Manager functionality using this self-service Early Access feature. This enables admins to control the manager attribute using Okta Expression Language syntax to avoid being dependent on AD for the field. See Workplace by Facebook.

Skip to Content improvements

End users can now click Skip to Content on the new Okta End-User Dashboard to navigate directly to the Add Apps page.

Options relocation

The Recent Activity tab, End-User preferences, Admin View, and Sign Out options are now displayed in the user drop down menu on the Okta End-User Dashboard.

December 2020

One Time Use Refresh Token

One Time Use Refresh Token, also called Refresh Token Rotation, helps a public client to securely rotate refresh tokens after each use. A new refresh token is returned each time the client makes a request to exchange a refresh token for a new access token. See Refresh Token Rotation.

October 2020

Custom IdP factor authentication with OIDC support

Custom IdP factor authentication now supports OpenID Connect. See Custom IdP factor.

Optional Display Preferences for new Okta End-User Dashboard

Users can now set Display Preferences on the new Okta End-User Dashboard. They can enable or disable the Recently Used section and organize their dashboard as a grid or a list. See End-user experience.

September 2019

Quick Access tab on the Okta Browser Plugin available through EA feature manager

Quick Access tab on the Okta Browser Plugin is now available through the EA feature manager.

MFA for Oracle Access Manager

With Okta MFA for Oracle Access Manager (OAM), customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For more information, see MFA for Oracle Access Manager.

Factor Sequencing

Admins can now provide end users with the option to sign in to their org using various MFA factors as the primary method of authentication in place of using a standard password. See MFA Factor Sequencing.

August 2019

Custom Factor Authentication

Custom Factor Authentication allows admins to enable an Identity Provider factor using SAML authentication. For more information, see Custom IdP factor.

Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices

The Okta + VMware integration is a SAML-based solution that combines the power of Okta Contextual Access Management with device signals from VMware Workspace ONE to deliver a secure and seamless end-user experience. For details, see Integrate Okta Device Trust with VMware Workspace ONE for iOS and Android devices.

July 2019

Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices

Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices allows you to prevent unmanaged Android devices from accessing enterprise services through browsers and native applications.

Note: This feature requires Okta Mobile 3.14.1 for Android (or later). For details, see Enforce Okta Device Trust for Native Apps and Browsers on MDM-managed Android devices.

June 2019

System Log event for Agentless Desktop SSO configuration updates

When changes are made to the Agentless DSSO configuration, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure Agentless Desktop SSO.

System Log event for Kerberos realm settings

When changes are made to the Kerberos realm settings, the System Log tracks the action as shown below. This event also indicates the initiator of the event and the current setting for Kerberos Realm. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.

System Log event for Agentless Desktop SSO redirects

When Agentless Desktop SSO redirects to the IWA SSO agent or the default Sign In page, the System Log tracks the action as shown below. For more information on Agentless Desktop SSO, see Configure agentless Desktop Single Sign-on.

March 2019

Review prompt on Okta Mobile for iOS

End-users using Okta Mobile on iOS are prompted to provide an App Store rating for the app. When they provide a rating in the app and click Submit, they are taken to the App Store page for the Okta Mobile app to provide more optional feedback about the app. They can click Not now to dismiss the option. For more information, see About Okta Mobile.

OIN Manager supports multiple application submissions

When submitting a new application integration for review by Okta, the OIN Manager now supports multiple concurrent application submissions (for new orgs only).

February 2019

MFA for ePCS

Okta provides multifactor authentication for the Electronic Prescribing for Controlled Substances (ePCS) system with its integration to Epic Hyperspace, which is the front-end software that launches ePCS. For more information, see MFA for Electronic Prescribing for Controlled Substances - Hyperspace

Inline MFA Enrollment for RADIUS Apps

Admins can now either allow or prohibit end users to access resources protected by RADIUS to enroll in MFA while authenticating. For more information, see RADIUS applications in Okta.

January 2019

Multi-forest support for Windows Device Trust enrollment

IWA web app version 1.12.2 supports cross-forest/cross-domain Windows device trust enrollment. Now an IWA web app running in one forest can detect and assess the trust posture of Windows desktop devices located in another trusted forest and then allow these devices to enroll in Windows Device Trust. For more about Windows Device Trust, see Enforce Okta Device Trust for managed Windows computers.

Okta collecting product feedback from end users

Admins can allow Okta to collect feedback from end users. If this feature is turned on, end users will see a prompt on their Okta dashboard requesting feedback about our products and services. You can opt out of Okta User Communication in Settings > Customization > General. For more information, see End User Communication.

Web Authentication for U2F as a Factor

Admins can enable the factor Web Authentication for U2F, where U2F keys are authenticated using the WebAuthn standard. For more information, see Web Authentication for U2F.

2018 and prior

FIPS-mode encryption enhancement

We have updated the Okta Verify configuration UI label for the FIPS-Mode encryption setting. For more information, see Enabling FIPS-mode encryption.

Social Authentication configuration UI update

We have removed UI elements supporting account link and provisioning Callouts when configuring social authentication.

Note that Callouts are still supported via the APIs. See Identity Provider API reference documentation for more details.

FIPS-mode encryption for Okta Verify

Okta has added a new setting to enable FIPS-mode encryption for all security operations using the FIPS 140-2 standards. For more information about this feature, refer to Using Okta Verify.

Password reverification time interval to update personal information is changed

Okta end users need to reverify their password if they want to update their personal information in Okta five minutes after a successful login. For more information about letting end users manage their personal information in Okta, see Configure whether user passwords and personal information are managed by Okta or externally.

Desktop Device Trust System Log enhancement

For Desktop Device Trust Authentication flows, the System Log now reports the CredentialType as CERTIFICATE.

Global default redirect

This feature enables you to customize where Okta will redirect your users when they visit your org URL directly and the specific app they are attempting to use is unknown. For more details, see Redirect end users to a specific app when the target app is unknown.

Desktop Device Trust System Log enhancement

The System Log now reports when Windows Device Trust certificates are revoked during certificate renewal (pki.cert.revoke).

Proxy IP Usage Reports

Admins can generate a report of proxy IP addresses that have been used by end users who have signed in to Okta. This feature is Generally Available for new orgs that have the Geolocation for Network Zones feature and is available with either of the following Early Access Features:

For more information on Proxy IP Usage Reports, see Reports.

Desktop Device Trust System Log enhancement

Windows and macOS Device Trust certificate issuance and renewal failures are now reported in the System Log.

Desktop Device Trust System Log enhancement

Windows Device Trust certificate renewals are now reported in the System Log by event type pki.cert.renew. This new event type allows you to distinguish certificate renewal events from certificate issue events (pki.cert.issue).

Inline MFA enrollment for RADIUS apps

Users logging into a RADIUS app will now be prompted to enroll in MFA factors if they have not already enrolled. Admins can configure a specific RADIUS app to enable the inline MFA enrollment for the app. For more information, see RADIUS applications in Okta.

Update to Okta Plug-in for IE

In Okta Plug-in version 5.23.0 for IE, the popover now scales properly to correspond to the window's zoom level. For version history, see Okta Plugin Version History.

Single line MFA prompt is the default for RADIUS apps

When configuring RADIUS applications, the Single line MFA prompt is the default in the Advanced RADIUS Settings section for new RADIUS and VPN app instances. This option controls whether all MFA prompts are displayed on a single line. For more information, see Configuring RADIUS applications in Okta.

Display all RADIUS application prompts on a single line

You can configure RADIUS applications to show prompts on a single line with no line breaks in MFA prompts.

Update a username from the Sign On tab

Okta has added an Update Now button that allows admins to update a username from the app’s Sign On tab. For more details, see Overriding the app username.

Test Custom Email Templates

Admins can send themselves a test email to see how their custom email templates will look and function. This allows them to validate macro attributes and translations in the customized template and to see how the template will render in different email environments. This eliminates the need to create a real end-to-end workflow to test customization. The test email will be sent to the primary email address of the admin initiating the test email. For more information, see Email Options.

Update to Multiple Smart Card/PIV Identity Providers

Improved IdP lookup when Multiple PIV IdPs are enabled by using the client certificate Issuer to identify the signing certificate, if the Authority Key Identifier property cannot be used. For more details see Identity Providers.

Android Keystore for Okta Verify

A new security feature provides admins with an option to require user data storage in the Android hardware-backed keystore. Enabling this feature offers additional security based on the Federal Identity, Credential, and Access Management architecture.

For more information, see Using Okta Verify.

Applications Access Audit reports update

As a result of reports optimization efforts, our Applications Access Audit reports (Early Access) are now by default ordered by appUserId rather than lastName. For more information about these reports, see Applications Access Audit report.

Sign Up link option in Self Service Registration feature

In Self Service Registration settings you can now select an option to add a Sign Up link in your Okta hosted Sign-In page. This eliminates the need to configure the link via JavaScript in the Custom Sign In page editor. For more information, see Okta Self-Service Registration.

IdP Discovery Application selection improvement

Improved configuration of the applicable applications in the IdP policy routing rule in the Identity Provider Discovery EA feature. The application selection is enhanced to show app logos to differentiate between apps and app instances more clearly. For more information see Identity Provider Discovery.

Dynamic mapping of multiple accounts/roles within AWS

This feature allows dynamic mapping of multiple accounts/roles within AWS by using group assignments from Okta. By using the App Filter and Group Filter, we can specify which account and role the user will use to login into AWS.

Improved enrollment flow for 3rd-party iOS Device Trust

The enrollment flow for 3rd-party iOS Device Trust is improved for end users who are not enrolled in an MDM solution and do not have Okta Mobile installed. In cases where Okta cannot automatically redirect these end users to the admin-provided enrollment link configured in Okta, end users can now copy the link to the clipboard and paste it into Safari.

For more about 3rd-party iOS Device Trust, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.

Time zone-based user deactivation support for Workday

Workday users can be deactivated based on the time zone of their location.

For more information about our Workday integration see our Workday Provisioning Guide.

Enhanced App Catalog Search

We have enhanced OIN app catalog search, extending search capabilities to include partial matches and more attributes of the application metadata.

Enhanced Device Trust enrollment flow for 3rd-party iOS devices

The enrollment flow for 3rd-party iOS Device Trust is improved for unenrolled end users accessing certain native clients such as Outlook. End users can now copy a link to their organization's enrollment instructions and paste it into Safari. For details about this Device Trust solution, see Configure Okta Device Trust for Native Apps and Safari on MDM-managed iOS devices.

Login detection based on geography and login time

This feature expands on existing behavior detection feature for user logins. Close successive user login attempts that are far apart geographically are detected and flagged as suspicious behavior. For more information, see Security Behavior Detection.

OMM enrollment restrictions

Are you tired of end users utilizing "Jaibroken" or "Rooted" devices to access sensitive apps? Admins will be pleased to hear that admins can now deny enrollment to compromised devices and/or any specific OS versions. Compliant users can enroll new devices or retain their current enrollments. See Restrictions based on Device Status and Operating System.

MFA bypass popup removed

A popup that informs users when a policy allows access without MFA, is removed.

System Log API (/logs)

The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems.

The Okta System Log API provides near real-time read-only access to your organization’s system log and is the programmatic counterpart of the System Log user interface.

Often the terms “event” and “log event” are used interchangeably. In the context of this API, an “event” is an occurrence of interest within the system and “log” or “log event” is the recorded fact.

Notes:

The System Log API contains much more structured data than the Events API.

The System Log API supports additional SCIM filters and the q query parameter, because of the presence of more structured data than the Events API.

Salted SHA256 algorithm support

Okta supports salted SHA256 algorithms for password import.

Not Trusted option for Okta Device Trust

Okta Device Trust for Native Apps and Safari on OMM managed iOS devices now supports use of the Not trusted option in Sign-On policy rules. This allows mobile admins to do the following:

Configure a Not Trusted + MFA rule so that users with untrusted iOS devices must MFA in order to access protected resources.
Configure a Not Trusted + Deny rule so that users with untrusted iOS devices are redirected to OMM enrollment in order to access protected resources.

This update requires Okta Mobile 5.14 for iOS, available in the App Store. For more information, see Configure Okta Device Trust for Native Apps and Safari on OMM managed iOS devices.

Support for MFA on Windows servers with an RDP client

The Okta Windows Credential Provider prompts users for MFA when signing in to supported Windows servers with an RDP client. It supports all Okta-supported MFA factors except Windows Hello and U2F tokens. For details and setup instructions, see Okta Windows Credential Provider.

Incremental Imports for the Workday app

Okta now supports incremental imports for the Workday app.

Incremental imports improve performance by only importing users that were created, updated, or deleted since your last import.

PIV attribute matching enhanced

Admins can choose from a list of custom attributes to use for matching when using a personal identity verification (PIV) card. Note: This is an enhancement to our support for PIV smart card feature (EA), for more information, see Add a PIV Card.

Add App Notes improvements

The Add Notes screen has design improvements to improve the workflow. For details, see Add Notes to an App (an Early Access feature).

Support for MFA on Windows servers with an RDP client

Revoke end user Device Trust certificates from the Okta Certificate Authority

You can now revoke an end user's certificate(s) for Okta Device Trust for managed Windows computers through their Applications tab. This is recommended if an end user's Windows computer is lost or stolen. For details, see Revoke Device Trust certificates from the Okta Certificate Authority.

System Log tracking for OMM Device Trust for iOS devices

Okta Mobile user and device authentication events for OMM Device Trust for managed iOS devices are now written to the System Log.

JIRA and Confluence apps enhanced

The JIRA and Confluence apps now make use of a unique identifier during Atlassian API calls for profile updates instead of username. This allows users to be renamed.

Federation Broker Mode support for OIDC apps

Along with custom SAML Wizard apps, Federation Broker Mode now allows for OIDC apps. For details about this feature, see Federation Broker Mode.

Configure OMM Device Trust for managed iOS devices

OMM Device Trust for managed iOS devices allows you to prevent unmanaged iOS devices from accessing enterprise services through browsers and native applications. For details, see Configure OMM Device Trust for managed iOS devices.

The security question is an optional factor in the password recovery flow

The security question in the password recovery flow is now an optional factor. This feature requires the use of a group password policy. For more information, see Account Recovery.

Unsuspend users during Inbound SAML authentication

During inbound SAML authentication, you can configure the JIT settings for a SAML identity provider (IdP) to unsuspend Okta users. For more information, see the Identity Providers API.

Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices

Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices lets you:

Configure the iOS mail app to use certificates instead of passwords to allow OMM-enrolled users to authenticate to Microsoft Office 365 Exchange ActiveSync.
Configure the Microsoft Office 365 client access policy to prevent unmanaged devices from accessing Microsoft Office 365 Exchange ActiveSync.

For details, see Configure Okta Device Trust for Microsoft Office 365 Exchange ActiveSync for iOS devices.

Certificate-based authentication for iOS devices

Okta's Office 365 Exchange ActiveSync certificate-based authentication (CBA) for iOS devices allows users enrolled in Okta Mobility Management (OMM) to authenticate to iOS native apps without entering their credentials. For details, see Configure Office 365 EAS certificate-based authentication for iOS devices.

System Log enhancement

We’ve enhanced our System Log to take advantage of our new Network Zones feature. Admins can now hover over an IP address that's part of an event and navigate through the series of menus to add that IP address to either the gateway or proxy list of IP addresses.

User reactivation

We now support reactivation of users in the following cases:

During Just in Time provisioning (JIT), if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.
During imports, if a user is reactivated in a master app (for example, LDAP, AD), then the user is reactivated in Okta.