Okta Classic Engine release notes (Preview)

Version: 2024.06.0

June 2024

Generally Available

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

Breached password protection

Protect your organization from the impact of passwords that have been compromised. If Okta determines that an Okta username and password combination has been compromised based on the data collected by our internal threat intelligence pipeline, Okta records a System Log event, expires the user's credentials, and requires the user to update their password before they can use their password to sign in again. See Breached password protection.

View System Logs for Office 365 authentication events

You can now view authentication events in the System Log when using WS-Fed to authenticate through Office 365 active (WS-Trust-1.2) and username13 (WS-Trust-1.3) endpoints.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.

New maximum session lifetime for SAML apps

Users can now configure the maximum app session lifetime for SAML apps.

New Manage API tokens admin role permission

The new Manage API tokens permission lets admins view, revoke, and update the principal rate limit for a token. This enhancement lets admins assign more granular permissions and reduces the risk of creating roles with too many privileges.

Active Directory Bidirectional Group Management

Bidirectional Group Management for Active Directory (AD) allows you to manage AD groups from within Okta. You can add or remove users from groups based on their identity and access requirements, so that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership in an AD group, the removal is reflected in AD. Okta can only manage group memberships for users and groups imported into Okta through the AD integration. Users and groups that weren't imported through the AD integration, or that are outside the organizational unit scope configured for the integration, can't be managed with this feature. See Bidirectional Group Management with Active Directory.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

ADSSO authentication parameters

When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.

Rate limit update for using Okta fallback telephony provider

Orgs that use an active telephony inline hook now have a heavy rate limit for the Okta fallback mechanism.

Federation Broker Mode has been removed from OAuth Service Clients

The Federation Broker Mode option has been removed from OAuth Service Clients.

DPoP available when creating OIDC apps

You can now require the Demonstrating Proof of Possession (DPoP) condition when you create an OIDC app. Previously, this option was only available after you create the app. This streamlines the process of creating and securing OIDC apps.
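Requiring DPoP means the access tokens issued to the app are bound to a key the client holds: the token carries a cnf.jkt thumbprint of the client's public key, and every API call must present a DPoP proof signed with that key. The Python below is an added example, not Okta's code, showing both sides of that binding as a resource server checks it: the RFC 7638 thumbprint that cnf.jkt is compared against, the ath hash that ties a proof to one token, and the htm, htu, iat and jti checks from RFC 9449. The keys, token, URL and clock are constructed, and the signature step is a stub hash that marks where real ES256 verification from a JOSE library belongs; only the claim binding is exercised here.

```python
import base64
import hashlib
import json
import time

ALLOWED_ALGS = {"ES256", "ES384", "ES512", "RS256", "PS256"}  # asymmetric only; never HS* or "none"
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over only the required members, keys sorted, no whitespace; kid/alg/use don't change it."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def access_token_hash(token):
    """The ath claim, base64url(SHA-256(access token)), ties a proof to one token (RFC 9449 section 4.2)."""
    return b64url(hashlib.sha256(token.encode("ascii")).digest())

def build_proof(jwk, alg, method, url, access_token, jti, iat, sign):
    """Client side: the proof is a JWS carrying the public JWK in its header; sign(bytes) -> signature bytes."""
    header = {"typ": "dpop+jwt", "alg": alg, "jwk": jwk}
    claims = {"jti": jti, "htm": method.upper(), "htu": url, "iat": iat, "ath": access_token_hash(access_token)}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def _without_query_fragment(url):
    return url.split("#", 1)[0].split("?", 1)[0]  # htu is compared without query and fragment

class DPoPVerifier:
    """Resource-server checks for one DPoP-bound request (RFC 9449 section 4.3); verify_signature must be a real JWS verifier."""

    def __init__(self, verify_signature, now=time.time, max_age=300):
        self.verify_signature, self.now, self.max_age = verify_signature, now, max_age
        self.seen_jti = {}  # jti -> expiry: the replay cache only has to cover the iat window

    def verify(self, proof, method, url, access_token, token_jkt):
        """Return "ok" or the first failing check; token_jkt is cnf.jkt read from an already validated access token."""
        try:
            h, c, s = proof.split(".")
            header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)
        except ValueError:
            return "malformed proof"
        if header.get("typ") != "dpop+jwt":
            return "typ is not dpop+jwt"
        alg, jwk = header.get("alg"), header.get("jwk")
        if alg not in ALLOWED_ALGS:
            return "alg not allowed"
        members = REQUIRED_MEMBERS.get(jwk.get("kty")) if isinstance(jwk, dict) else None
        if not members or "d" in jwk or any(k not in jwk for k in members):
            return "missing or malformed public jwk"  # "d" present would mean the client sent its private key
        if not self.verify_signature(jwk, alg, (h + "." + c).encode("ascii"), sig):
            return "bad signature"
        if claims.get("htm") != method.upper():
            return "htm mismatch"
        if _without_query_fragment(str(claims.get("htu", ""))) != _without_query_fragment(url):
            return "htu mismatch"
        now, iat = self.now(), claims.get("iat")
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.max_age:
            return "iat outside window"
        if claims.get("ath") != access_token_hash(access_token):
            return "ath does not match access token"
        if jwk_thumbprint(jwk) != token_jkt:
            return "token cnf.jkt does not match proof key"
        self.seen_jti = {j: exp for j, exp in self.seen_jti.items() if exp > now}  # drop stale entries
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return "jti replayed"
        self.seen_jti[jti] = now + self.max_age
        return "ok"

# Constructed sample material: x/y are arbitrary bytes, not a real P-256 point, and the stub
# "signature" is a bare hash of the signing input. It marks where the JWS signature is produced
# and checked but authenticates nothing; replace both stubs with ES256 from a JOSE library.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}
STUB_SIGN = lambda data: hashlib.sha256(data).digest()
STUB_VERIFY = lambda jwk, alg, data, sig: sig == hashlib.sha256(data).digest()

def demo():
    """One bound token: a good request, then a replay, a wrong method, a wrong key and a stale proof."""
    clock = [1718870400]  # constructed fixed time, advanced by hand below
    verifier = DPoPVerifier(STUB_VERIFY, now=lambda: clock[0])
    token, url = "constructed.access.token", "https://api.example.com/v1/orders"
    jkt = jwk_thumbprint(CLIENT_JWK)  # what the authorization server bound into cnf.jkt
    proof = lambda jwk, method, jti, age=0: build_proof(jwk, "ES256", method, url, token, jti, clock[0] - age, STUB_SIGN)
    good = proof(CLIENT_JWK, "GET", "jti-1")
    results = [verifier.verify(good, "GET", url + "?page=2", token, jkt),  # query string is ignored
               verifier.verify(good, "GET", url, token, jkt),  # the same proof presented again
               verifier.verify(proof(CLIENT_JWK, "POST", "jti-2"), "GET", url, token, jkt),  # made for POST
               verifier.verify(proof(OTHER_JWK, "GET", "jti-3"), "GET", url, token, jkt)]  # stolen token, attacker's key
    clock[0] += 3600
    results.append(verifier.verify(proof(CLIENT_JWK, "GET", "jti-4", age=3600), "GET", url, token, jkt))  # stale
    return results
```

A production verifier validates the access token itself first (signature, issuer, expiry) and reads cnf.jkt from it; the replay cache should be shared across instances and needs to retain a jti only for as long as the iat window accepts it.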

Increase to Inline Hooks

The maximum number of inline hooks an org can create is now 100. The previous maximum was 50. See Add an inline hook.

Support for migration to Microsoft Graph

You can now migrate your existing Office 365 WS-Fed Manual app instances to Microsoft Graph by using the migration banner on the app dashboard.

Early Access

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app’s profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user’s access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Workspace ONE Device Trust orgs using Classic Engine can now migrate to Identity Engine

Admins can now migrate their existing Workspace ONE Device Trust configurations to Identity Engine. This unblocks Classic Engine tenant migrations for orgs that previously integrated with the Workspace ONE Device Trust feature: both the existing admin configuration and the end-user authentication flows can be migrated. See Migrate Workspace ONE SAML-based mobile device trust.

Fixes

  • The list of languages in Customizations SMS wasn't translated. (OKTA-626381)

  • For custom SWA and SAML apps, the help links on the ApplicationProvisioning tab were incorrect. (OKTA-661972)

  • When an admin attempted to create a profile with a username that contained invalid characters, an unhelpful error message appeared in orgs using a custom character restriction for usernames. (OKTA-680557)

  • Users could bypass admin approval from the import screen to sign in to Okta when Active Directory Just-In-Time provisioning was disabled. (OKTA-706392)

  • The Disable Force Authentication option was ignored for org2org apps using the SAML sign-in mode and AMR claims mapping. (OKTA-711957)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-729735)

  • Admins couldn't enable the Enforce MFA to access the Admin Console feature in some orgs. (OKTA-730170)

  • New Dropbox Business instances were missing a profile attribute. (OKTA-733503)

  • The Provisioning tab wasn't saved when admins created Office 365 applications, and Japanese translations of the Session Lifetime for SAML apps feature didn't appear. (OKTA-735840)

Okta Integration Network

  • candidate.fyi (OIDC) is now available. Learn more.
  • Edify (OIDC) now has sign-in URLs.
  • KiteSuite (SAML) is now available. Learn more.
  • ParkZapp (W) (OIDC) is now available. Learn more.
  • ShareThis (SWA) was updated. (OKTA-723868)
  • Umbrella Faces (SCIM) is now available. Learn more.

Weekly Updates

2024.06.1: Update 1 started deployment on June 20

Generally Available

Sign-In Widget, version 7.19.4

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • Some text on the Reset Password for a user page in the Admin Console wasn't translated. (OKTA-613937)

  • WebEx replaced the API used to retrieve session types with a REST API, which requires the integration to use OAuth for authentication. (OKTA-701227)

  • Clicking Sync Entitlements on the Governance tab displayed an error. (OKTA-720049)

  • Sometimes, concurrent Agentless Desktop SSO JIT operations for a user broke app assignments, which required admin intervention to correct. (OKTA-722648)

  • When admins manually confirmed users imported from a SCIM app, they were assigned apps that they weren't authorized to access. (OKTA-724859)

  • Opening a profile in a new tab from the Profile Editor displayed a list of profiles instead. (OKTA-725640)

  • The System Log didn't record the Network Zone of the IP at the time of global sign-on policy evaluation. (OKTA-727200)

  • Sometimes, when users who hadn't enrolled in On-Prem MFA attempted to sign in using an RSA SecurID passcode in the New PIN Mode, the passcode verification failed. (OKTA-727554)

  • Processing GeneralizedTime attributes while confirming new users imported from LDAP to Okta resulted in an error. (OKTA-728398)

  • Users could reuse their temporary password. (OKTA-729189)

  • When the display language was set to Japanese, some role permissions weren’t translated on the Admin role assignments screen. (OKTA-730832)

  • When the display language was set to Japanese, some text on the Administrators pages wasn’t translated. (OKTA-730834)

  • Some customers signing in to Okta-hosted custom domains with the first or second-generation Sign-In Widget received communications from Monotype Imaging Inc. about licensing for the Proxima Nova font. (OKTA-731216)

  • When an admin clicked Show more on the Administrator assignment by role page, additional admins with the super admin role didn’t appear. (OKTA-731416)

  • Some Group Push operations for ServiceNow failed due to timing out. (OKTA-731707)

  • Workday writeback operations failed when area codes were included in the request. (OKTA-733361)

  • The End User Browser Plugins pane on the Downloads page used an outdated icon for Chromium Edge. (OKTA-733813)

  • The security.breached_credential.detected System Log event had a typo. (OKTA-736552)

  • The Okta RADIUS Server Agent was updated for a security fix. Upgrade to version 2.22.0. (OKTA-737441)

  • Sometimes, Group Assignments involving the Everyone group failed because of a non-performant query. (OKTA-742083)

  • Full imports for OIG-enabled apps sometimes caused users to be unexpectedly deprovisioned. (OKTA-742996)

Okta Integration Network

  • Accend (OIDC) has a new icon and description.
  • Actioner (OIDC) is now available. Learn more.
  • Aerofiler (SAML) is now available. Learn more.
  • Aerofiler (OIDC) has a new icon and OIDC endpoints.
  • Aiven (SAML) is now available. Learn more.
  • Aiven (SCIM) is now available. Learn more.
  • Amazon WorkDocs by Aquera (SCIM) has a new icon.
  • Amazon WorkMail by Aquera (SCIM) has a new icon.
  • Autotab (OIDC) is now available. Learn more.
  • Bright Breaks (SCIM) is now available. Learn more.
  • Brivo Identity Management (SCIM) has a new display name, base URL, integration guide, app profile, and mappings.
  • Codefresh by Aquera (SCIM) has a new icon.
  • Cyolo SRA (SAML) is now available. Learn more.
  • Descope (OIDC) is now available. Learn more.
  • Descope (SCIM) is now available. Learn more.
  • Detexian SSPM (API service) is now available. Learn more.
  • Docker (SAML) is now available. Learn more.
  • DOTS (SAML) is now available. Learn more.
  • Elastic Agent (API service) is now available. Learn more.
  • Favro (SCIM) is now available. Learn more.
  • Floqast (SAML) is now available. Learn more.
  • GitHub Enterprise Managed User - ghe.com (SAML) is now available. Learn more.
  • GitHub Enterprise Managed User - ghe.com (SCIM) is now available. Learn more.
  • goFLUENT (SAML) is now available. Learn more.
  • JazzHR by Aquera (SCIM) supports profile sourcing.
  • Lark (SCIM) is now available. Learn more.
  • Lattice HRIS (SCIM) is now available. Learn more.
  • Manopay (OIDC) has a new integration guide and supports IdP-initiated flows.
  • Obsidian Security (API service) is now available. Learn more.
  • PerimeterX (SCIM) is now available. Learn more.
  • Plumm (SCIM) has a new integration guide.
  • ProdPad by Aquera (SCIM) has a new icon and support URL.
  • Prowler (SAML) is now available. Learn more.
  • Rezonate Security (API service) can now read network zones data.
  • Scrut Automation (OIDC) is now available. Learn more.
  • Select Admin (OIDC) is now available. Learn more.
  • ShareCal (SAML) has a new ACS URL.
  • SmarterSends (SAML) is now available. Learn more.
  • SwaggerHub by Aquera (SCIM) has a new icon and support URL.
  • TriNet by Aquera (SCIM) supports profile sourcing.
  • Trotto Go Links (SAML) has a new icon and integration guide.
  • UKG HR Service Delivery by Aquera (SCIM) has a new icon.
  • WebWork Time Tracker (SAML) is now available. Learn more.
  • WonderProxy (SAML) is now available. Learn more.
  • Workable Recruiting by Aquera (SCIM) supports profile sourcing and has a new icon, description, and support URL.
  • Wundergraph Cosmo (SCIM) is now available. Learn more.
  • Xakia (SCIM) has a new icon and supports group push.
  • Xero by Aquera (SCIM) has a new icon and support URL.

2024.06.2: Update 2 started deployment on July 2

Generally Available

Sign-In Widget, version 7.19.6

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • The help links on the Downloads page weren’t localized. (OKTA-614688)

  • Admins without the View agents permission could see the Agents page. (OKTA-651508)

  • Setting the locale to Japanese resulted in some issues when working with CSV directories: an error string appeared when scheduling weekly imports, and there was insufficient space to enter the hour at which the import should run. (OKTA-656418)

  • Group Push failed for Samanage when group names contained spaces. (OKTA-668498)

  • Password reset token expiration time was not localized for some orgs. (OKTA-673386)

  • Self-service unlock with email didn't work if a user's AD account was locked but their Okta account was unlocked. (OKTA-720267)

  • The notification email contained the modified IP address when X-Forwarded-For Header was modified. (OKTA-722815)

  • The oauth2/introspect endpoint hit rate limits without logging it in the System Log. (OKTA-726680)

  • During JIT reactivation through IdP, group app assignment reconciliation wasn't processed asynchronously, which caused an unexpected delay in the sign-in process. (OKTA-729103)

  • Attempting to unassign a Google Workspace license from a user who didn't have that license resulted in an error message. (OKTA-731570)

  • An app created by an API call that included an existing clientId in the request payload wasn't handled the same way as an app created in the UI, so the wrong app rate limit was displayed in the rate limit dashboard. (OKTA-736117)

  • On the Edit resource to a standard role page, resources with long names were cut off. (OKTA-736821)

  • When an admin uploaded a file while configuring an app, the dates that appeared on the page weren't translated. (OKTA-736916)

  • The Okta provisioning API didn't accept user IDs that contained a backslash (\) character when users were provisioned to Org2Org instances. (OKTA-737258)

  • NetSuite imports failed for new app instances that had Governance Engine enabled if users had an inactive department, location, or class. (OKTA-737844)

  • Sometimes a group owner wasn't resolved correctly and an incorrect error was displayed on the Group Owner tab for the group. (OKTA-738426)

  • Gemini licenses for Google Workspace were unavailable. (OKTA-739005)

  • The wrong font was used for text in the Sign-In Widget. (OKTA-742100)

  • Full imports for OIG-enabled apps sometimes caused users to be unexpectedly deprovisioned. (OKTA-742996)

Okta Integration Network

  • Authomize Identity Security (API service) has a new icon, display name, description, website, integration guide, and okta.policies.read scope.
  • Cisco Identity Intelligence - Read-Write Management (API service) is now available. Learn more.
  • Feishu (SCIM) is now available. Learn more.
  • Forethought Dashboard (SCIM) is now available. Learn more.
  • Funnel.io (SAML) has a new icon and integration guide.
  • Klue (SAML) is now available. Learn more.
  • Klue (SCIM) is now available. Learn more.
  • KSOC (OIDC) is now available. Learn more.
  • Medicat One (OIDC) is now available. Learn more.
  • Okta Identity Security Posture Management (API service) is now available. Learn more.
  • Own (SAML) is now available. Learn more.
  • Rewind Backups (API service) is now available. Learn more.
  • Seculio (SAML) is now available. Learn more.
  • Thoropass (SAML) is now available. Learn more.
  • TriNet Zenefits by Aquera (SCIM) is now available. Learn more.
  • WINN.AI (OIDC) is now available. Learn more.
  • Workshop (SAML) is now available. Learn more.
  • Zip (SCIM) now has the approvalLevel attribute.

Sign in with duplicated email authenticators

Previously, users couldn’t sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from the Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to end users encouraging them to use Okta Personal for personal data and the Okta enterprise tenant for work data. See Okta Personal for Workforce User Experience.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. A Content Security Policy header tells the browser which sources of scripts, styles, and other content a page may load and execute, which helps detect and mitigate attacks such as cross-site scripting and data injection. Future iterations of Content Security Policy enforcement for end-user pages will be stricter than this first release. This feature will be gradually made available to all orgs.
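The page doesn't list the directives Okta sends, so the Python below is an added example rather than Okta's policy: it parses a Content-Security-Policy header the way a browser does (the first occurrence of a directive wins; script-src and object-src fall back to default-src, base-uri and frame-ancestors do not) and reports the settings that most often undo its protection. WEAK_CSP and STRICT_CSP are constructed headers for illustration, and the nonce in STRICT_CSP is a placeholder value. 'unsafe-inline' beside a nonce or hash is not flagged because CSP Level 2 and later browsers ignore it in that case, which is what lets a strict policy stay compatible with older browsers.

```python
BROAD_SCRIPT_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    A directive that appears twice keeps its first occurrence, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header):
    """Findings for the directives that decide whether injected script runs and whether the page can be framed."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: every unlisted fetch directive is wide open")
    script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not keyed:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash (inline XSS runs)")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval' (eval, Function and string timers run)")
    for source in script:
        if source in BROAD_SCRIPT_SOURCES:
            findings.append("script-src allows broad source " + source)
    objects = [s.lower() for s in policy.get("object-src", policy.get("default-src", []))]
    if objects != ["'none'"]:
        findings.append("object-src is not 'none' (plugin content can execute script)")
    if "base-uri" not in policy:  # does not inherit from default-src
        findings.append("base-uri not set (an injected <base> retargets relative script URLs)")
    if "frame-ancestors" not in policy:  # does not inherit from default-src
        findings.append("frame-ancestors not set (page can be framed: clickjacking)")
    return findings

# Constructed headers: a permissive policy and the stricter shape a hardened end-user page would send.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
STRICT_CSP = ("default-src 'self'; script-src 'nonce-r4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'; style-src 'self'; img-src 'self' data:")

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, audit_csp(header) or ["no findings"])
```

Run it against the header your custom-domain pages actually return (curl -sI on the sign-in page) rather than the constructed ones; the nonce must be freshly generated per response, and a stricter policy is exactly what the note above says later iterations will enforce.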

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.
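Breached-credential matches (the security.breached_credential.detected event from the Breached password protection section above) and ThreatInsight detections (security.threat.detected, now with a descriptive reason such as Negative IP Reputation) both arrive as System Log events, so the practical check is to triage them from an export or log stream. The Python below is an added example, not Okta's code: it parses constructed events in System Log JSON shape, lists the users whose passwords were expired, groups detections by reason with the IPs and endpoints involved, and names IPs with repeated detections as candidates for a blocked network zone. Which fields hold the user (target[].alternateId), the reason (outcome.reason) and the request path (debugContext.debugData.requestUri) is an assumption about the schema to confirm against your org's own events.

```python
import json
from collections import Counter, defaultdict

BREACHED = "security.breached_credential.detected"
THREAT = "security.threat.detected"

# Constructed sample events in System Log JSON shape (not from a real org). Which field carries what
# is an assumption about the schema: target[].alternateId for the affected user, outcome.reason for
# the ThreatInsight reason, debugContext.debugData.requestUri for the endpoint that was hit.
SAMPLE_LOG = """\
{"eventType": "security.breached_credential.detected", "published": "2024-06-20T10:01:00.000Z", "severity": "WARN", "actor": {"type": "SystemPrincipal", "alternateId": "system@okta.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "user.session.start", "published": "2024-06-20T10:02:00.000Z", "severity": "INFO", "actor": {"type": "User", "alternateId": "bob@example.com"}, "target": [], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.8"}}
{"eventType": "security.threat.detected", "published": "2024-06-20T10:03:00.000Z", "severity": "WARN", "actor": {"type": "PublicClientApp", "alternateId": "unknown"}, "target": [], "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "client": {"ipAddress": "203.0.113.5"}, "debugContext": {"debugData": {"requestUri": "/oauth2/v1/token"}}}
{"eventType": "security.threat.detected", "published": "2024-06-20T10:04:00.000Z", "severity": "WARN", "actor": {"type": "PublicClientApp", "alternateId": "unknown"}, "target": [], "outcome": {"result": "DENY", "reason": "Negative IP Reputation"}, "client": {"ipAddress": "203.0.113.9"}, "debugContext": {"debugData": {"requestUri": "/api/v1/users"}}}
{"eventType": "security.threat.detected", "published": "2024-06-20T10:05:00.000Z", "severity": "WARN", "actor": {"type": "PublicClientApp", "alternateId": "unknown"}, "target": [], "outcome": {"result": "DENY", "reason": "Password Spray"}, "client": {"ipAddress": "203.0.113.5"}, "debugContext": {"debugData": {"requestUri": "/api/v1/authn"}}}
{"eventType": "security.breached_credential.detected", "published": "2024-06-20T10:06:00.000Z", "severity": "WARN", "actor": {"type": "SystemPrincipal", "alternateId": "system@okta.com"}, "target": [{"type": "User", "alternateId": "carol@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"}}
{"eventType": "security.breached_credential.detected", "published": "2024-06-20T10:07:00.000Z", "severity": "WARN", "actor": {"type": "SystemPrincipal", "alternateId": "system@okta.com"}, "target": [{"type": "User", "alternateId": "alice@example.com"}], "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"}}
"""

def parse_system_log(text):
    """One JSON event per line (the shape of a System Log export); blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def affected_user(event):
    """The user an event is about: a User target first, else a User actor."""
    for target in event.get("target") or []:
        if target.get("type") == "User" and target.get("alternateId"):
            return target["alternateId"]
    actor = event.get("actor") or {}
    return actor.get("alternateId") if actor.get("type") == "User" else None

def breached_users(events):
    """Distinct users whose password Okta expired after a breached-credential match; each needs follow-up."""
    users = set()
    for event in events:
        if event.get("eventType") == BREACHED and affected_user(event):
            users.add(affected_user(event))
    return sorted(users)

def threat_summary(events):
    """ThreatInsight detections grouped by the descriptive reason, with the IPs and endpoints involved."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "endpoints": set()})
    for event in events:
        if event.get("eventType") != THREAT:
            continue
        group = groups[(event.get("outcome") or {}).get("reason") or "unspecified"]
        group["count"] += 1
        ip = (event.get("client") or {}).get("ipAddress")
        uri = ((event.get("debugContext") or {}).get("debugData") or {}).get("requestUri")
        if ip:
            group["ips"].add(ip)
        if uri:
            group["endpoints"].add(uri)
    return {reason: {"count": g["count"], "ips": sorted(g["ips"]), "endpoints": sorted(g["endpoints"])}
            for reason, g in groups.items()}

def block_candidates(events, min_hits=2):
    """Source IPs with at least min_hits detections: review these before adding them to a blocked zone."""
    hits = Counter((e.get("client") or {}).get("ipAddress") for e in events if e.get("eventType") == THREAT)
    return sorted(ip for ip, n in hits.items() if ip and n >= min_hits)

def triage(text):
    """Everything a first-pass reviewer wants from an export, in one dict."""
    events = parse_system_log(text)
    return {"breached_users": breached_users(events), "threats": threat_summary(events),
            "block_candidates": block_candidates(events)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The same functions work on a paged pull of the System Log API filtered to the two event types; in log mode ThreatInsight records detections without blocking, so the reason and endpoint breakdown is what tells you whether switching the org to log and block mode would have stopped real traffic.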

New App Drawer

The updated app settings panel on the Okta End-User Dashboard allows end users to see all app details in a single view without having to expand multiple sections. End users can quickly differentiate between SWA apps where they have set a username and password and SAML / OIDC apps that are admin-managed with no additional user settings. The updated app settings panel also provides accessibility improvements with better screen reader support and color contrast. See View the app settings page.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org’s apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Federation Broker Mode

The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. See Manage Federation Broker Mode.

User Import Scheduling

When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature. See Edit app provisioning settings.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
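The grant is defined in RFC 8628: the device asks the authorization server for a device_code and a short user_code, shows the user_code and a verification URL, and polls the token endpoint at the stated interval while the user approves on a phone or laptop; the server answers authorization_pending, slow_down, access_denied or expired_token until it can hand over a token. The Python below is an added example that runs that exchange in-process against a toy authorization server with a fake clock; it is not Okta's implementation, and the endpoint names, lifetimes, client_id and user are constructed. It shows the parts clients most often get wrong: honoring the interval, adding 5 seconds on slow_down, and treating expired_token and access_denied as terminal.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # unambiguous, case-insensitive set (RFC 8628 section 6.1)

class DeviceAuthServer:
    """In-memory stand-in for the authorization server's two RFC 8628 endpoints."""

    def __init__(self, clock=time.monotonic, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.pending = {}  # device_code -> authorization state

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: a long device_code for polling, a short user_code to display."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code, device_code = raw[:4] + "-" + raw[4:], secrets.token_urlsafe(32)
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": raw,
                                     "expires_at": self.clock() + self.lifetime, "interval": self.interval,
                                     "last_poll": None, "subject": None, "denied": False}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/activate",
                "verification_uri_complete": "https://as.example/activate?user_code=" + user_code,
                "expires_in": self.lifetime, "interval": self.interval}

    def decide(self, user_code, subject=None):
        """Verification page: the signed-in user (subject) approves the code, or denies it with subject=None."""
        wanted = user_code.upper().replace("-", "").replace(" ", "")  # tolerate how people type it
        for state in self.pending.values():
            if state["user_code"] == wanted and self.clock() <= state["expires_at"]:
                state["subject"], state["denied"] = subject, subject is None
                return True
        return False

    def token(self, client_id, device_code):
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < state["interval"]:
            state["interval"] += 5  # polled too fast: the client must add 5 s (RFC 8628 section 3.5)
            state["last_poll"] = now
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["denied"]:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if state["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": state["scope"], "subject": state["subject"]}

class FakeClock:  # controllable clock so the demo runs instantly and deterministically
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def device_login(server, client_id, clock, on_pending):
    """Device side: request codes, show them, poll with back-off; on_pending(codes, n) stands in for the user."""
    codes = server.device_authorization(client_id, "openid profile")
    interval, deadline, polls = codes["interval"], clock() + codes["expires_in"], 0
    while clock() < deadline:
        clock.sleep(interval)
        polls += 1
        resp = server.token(client_id, codes["device_code"])
        if "access_token" in resp:
            return {"status": "ok", "polls": polls, "subject": resp["subject"], "scope": resp["scope"]}
        if resp["error"] == "authorization_pending":
            on_pending(codes, polls)  # user has not acted yet: keep showing the code
        elif resp["error"] == "slow_down":
            interval += 5
        else:
            return {"status": resp["error"], "polls": polls}  # access_denied, expired_token, invalid_grant
    return {"status": "expired_token", "polls": polls}

def demo(approve_on_poll=2, lifetime=600, deny=False):
    """Run the whole exchange; the user acts after the given poll, approving or denying."""
    clock = FakeClock()
    server = DeviceAuthServer(clock=clock, lifetime=lifetime)
    def user(codes, poll):
        if poll == approve_on_poll:  # typed in lower case with a space, as people do
            server.decide(codes["user_code"].lower().replace("-", " "), None if deny else "alice@example.com")
    return device_login(server, "smart-tv-client", clock, user)

if __name__ == "__main__":
    print(demo(), demo(deny=True), demo(lifetime=12))
```

The token method is where the two server-side protections live: a device_code that is polled faster than its interval earns slow_down and a 5 second larger interval, and a code that is used, denied or expired is removed so it can't be redeemed twice. With the default 5 second interval, the user approving during the second poll yields a token on the third.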

Null values for SCIM provisioning

Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management. See Manage profiles.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

End-User Dashboard and Plugin redesign

The Okta End-User Dashboard and Okta Browser Plugin have been redesigned with a modern look and feel that includes new sidebar navigation, fuzzy search, and sections that replace tabs.

Admins can enable this new design all at once or by groups. The new experience is 50% faster, more intuitive to use, and more responsive to smaller screens. Design changes also improve accessibility and app discovery for end users.

See Create sign-on policies with Okta Applications.

This feature will gradually be made available to all Preview orgs.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See Enforce Okta Device Trust for managed Windows computers and Device Trust for Windows Desktop Registration Task Version History.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

With Okta as the Identity Provider, Okta Office 365 Silent Activation gives your Microsoft Office 365 end users a seamless experience when they access Office 365 apps on domain-joined shared workstations or VDI environments. Once an end user has signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized. See Provision applications.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps against Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta over LDAP, without the need for an on-premises LDAP server. The LDAP Interface also supports other LDAP functions such as search. See Set up and manage the LDAP Interface.