Okta Classic Engine release notes (Production)

Okta MFA Provider for ADFS, version 1.8.0

This release includes vulnerability fixes and a .NET Framework version upgrade.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they’ve opened. See Role permissions.

Okta Usage report enhancements

The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.

Customize Okta to use the telecommunications provider of your choice

While Okta provides out of the box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.

The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This allows customers to use their existing telephony solution within Okta, due to the time they've already invested in their existing telephony solution, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Connect to an external telephony service provider.

New maximum number of connected AWS accounts

Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.

Improved date filter display in reports

The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.

Improved Admin Dashboard and Administrators page

The appearance of several UI components (like buttons and dropdown menus) have been improved across the Admin Dashboard and the Administrators page.

Updated documentation links

Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.

End-User Dashboard and unsupported browsers

The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.

End-User Dashboard branding and accessibility enhancements

The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.

New target added to a System Log event

A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.

Authentication context System Log event

The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.

New DSSO user impersonation System Log event

A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.

Okta LDAP agent, version 5.20.0

This version of the agent includes the following:

• Fixed an LDAP query used by the agent for retrieving group memberships using range attributes.

• The Okta LDAP Agent service now automatically starts on boot for Red Hat and CentOS platforms.

• Fixed an issue where some customers experienced slower than expected queries during LDAP authentication.

• Security enhancements.

See Okta LDAP Agent version history.

Okta Hyperdrive agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperdrive agent version history.

Okta Hyperspace agent, version 1.4.0

This version includes bug fixes and an upgrade of the .NET Framework to version 4.8. See Okta Hyperspace Agent Version History.

Okta AD agent, version 3.17.0

This version includes fixes for signing executable and DLL files that come with the Active Directory agent. See Okta Active Directory agent version history.

Enhanced Disaster Recovery

This feature enables commercial customers in the North America region (excluding Compliance cells) to recover faster in the event of a disaster or regional outage. See Overview of enhanced disaster recovery.

Admin sessions bound to Autonomous System Number (ASN)

When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.

Admin sessions bound to IP address

The Security General Organization Security page has a new IP binding for admin console setting that's enabled by default. This setting associates all of the admin sessions in your org with the device IP address. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. This setting can be disabled, but Okta recommends keeping it enabled as a security best practice. See General Security.

Verify Zoom users with Okta

Zoom users can now attest and verify a user’s identity between two independent parties using Okta-signed tokens.

Permission conditions for profile attributes

You can now apply conditions to the View users and their details and Edit users' profile attributes custom admin role permissions. Permission conditions help you limit the scope of a role by including or excluding admins' access to individual profile attributes. This gives you more granular control over your custom admin roles and helps meet your org’s unique security needs. See Permission conditions.

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

Improved password reset process for Active Directory-sourced users

The password reset process sends password update and verification requests to the same Active Directory agent to avoid replication delay.

Unknown devices detection using fingerprint

Admins can now configure how unknown devices are treated based on the presence of a device fingerprint.

See Configure a password policy.

New requirement for email customizations

To prevent phishing attacks, Okta now requires orgs to have a custom domain to send customized emails. All customized emails currently sent from the Okta domain are disabled, and orgs that use the Okta domain can send default email templates only. This feature is currently enabled by default for new orgs only.

Enhanced System Log Event

The policy.evaluate_sign_on System Log event now shows the assurance policy factor requirement and a list of the available authentication factors for the sign-on event.

Cornerstone OnDemand now uses OAuth for authentication

Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use Oauth credentials. See Configure provisioning for Cornerstone OnDemand.

Styling change for Brands pages

The CustomizationsBrands section of the Admin Console now uses Odyssey UI components. There's no change to functionality, but some of the styling is different.

AAL values for Login.gov IdP

The Login.gov IdP configuration has been updated to include all allowed AAL values. See Create an Identity Provider in Okta.

New System Log information for password policy changes

System Log entries for password policy changes now display the policy settings before and after the update was made.

Improved System Log map view

The System Log map view now includes a reset button and left and right bounds on the zoom function.

New System Log information for MFA enrollment policy changes

System Log entries for MFA enrollment policy changes now display the policy settings before and after the update was made.

IP binding for Admin Console setting

The SecurityGeneralOrganization Security page has a new IP binding for Admin Console setting. When you enable this setting, all of the admin sessions in your org are associated with the system IP address that they signed-in from. If the IP address changes during the session, the admin is signed out of Okta, and an event appears in the System Log. See General Security.

Additional operator for date filter

The date filter is now standardized across all reports and includes the in range operator.