Okta Classic Engine release notes (Production)

Version: 2024.09.0

September 2024

Note: This release will be deployed to the OK14 cell on September 19, 2024 at 3:00 PM PT.

Generally Available

Okta Active Directory Password Sync agent, version 1.6.0

This version of the agent includes security enhancements.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Admin Console Japanese translation

When this feature is enabled, all admin users in the org who use Japanese as their display language will see the Admin Console in Japanese. See Supported display languages.

Deprecating App Password Health report

The App Password Health report has been deprecated. Use the Sign On Mode filter in the User App Access report to view SWA application password reset dates. The capability to ask users to reset SWA passwords has been removed.

Deprecating Recent Unassignments report

The Recent Unassignments report has been deprecated.

  • Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.
  • Use the User App Access report to identify users currently assigned to applications. See User App Access report.

Updates to App Usage report

The Application Usage report has been updated.

  • The maximum number of rows in a CSV is increased to five million.
  • The date range field uses the user's local time zone when determining results.
  • The report downloads automatically when possible.

Improved JIT performance for directory integrations

JIT-enabled directory integrations now have improved response times for JIT requests.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console. This feature will be gradually made available to all orgs.

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from an Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to the end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce.

IP session restrictions for Okta Workflows

Okta super admins can now enable IP session restrictions for Okta Workflows. This feature ensures that all Workflows requests in a session use the same IP address that was logged when the session was created. If the IP address of any request doesn't match, the session is terminated and the Workflows admin must sign in again.

Improved security for Microsoft Office 365

Microsoft Office 365 provisioning now eliminates the need for admin credentials by using a secure and modern OAuth-based authentication flow. This update will be gradually made available to all orgs.

Partial Universal Logout indicator in the OIN

The OIN catalog now indicates which apps support partial Universal Logout.

Changes to role permissions that handle API tokens

The following changes have been made to the permissions that handle API tokens:

  • The View users and their details permission now includes the View API tokens permission.
  • The Edit users' lifecycle states, Suspend users, and Clear users' sessions permissions now include the Manage API tokens permission.
  • To view or manage tokens, use the Manage API tokens permission.

See Role permissions.

OIN connector support for Entitlement Management

The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

New System Log events for flow and table changes

The workflows.user.flow.move and workflows.user.table.move Okta Workflows events have been added to the System Log to record the changes that occur due to reorganization of folder-level resources.

New System Log entries for sign-in events

The following new System Log events have been created:

  • user.authentication.auth_via_IDP: This event records occurrences of unknown users attempting to sign in through an Identity Provider.
  • user.authentication.auth_via_inbound_SAML: This event records occurrences of unknown users attempting to sign in through the SAML protocol.

System Log event update

The user.authentication.auth_unconfigured_identifier System Log event now appears when a user signs in without an admin-configured identifier.
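
The following Python example is added here and is not Okta code. It shows one way to triage exported System Log events for the three sign-in event types named above, flagging client IP addresses that produce a burst of them. It assumes events are JSON objects carrying the System Log `eventType`, `published`, and `client.ipAddress` fields; the function names, the threshold, the time window, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types named in the release notes above.
WATCHED_EVENT_TYPES = {
    "user.authentication.auth_via_IDP",
    "user.authentication.auth_via_inbound_SAML",
    "user.authentication.auth_unconfigured_identifier",
}


def parse_published(value):
    """Parse an ISO 8601 timestamp such as 2024-09-20T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unknown_user_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return one finding per client IP that produced at least `threshold`
    watched events within `window`. Threshold and window are assumptions
    to tune per org, not Okta defaults."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("eventType") not in WATCHED_EVENT_TYPES:
            continue
        ip = (ev.get("client") or {}).get("ipAddress")
        if not ip or "published" not in ev:
            continue  # cannot attribute or order this event; skip it
        by_ip[ip].append((parse_published(ev["published"]), ev["eventType"]))

    findings = []
    for ip, hits in sorted(by_ip.items()):
        hits.sort()
        start, best = 0, None
        # Sliding window over the time-ordered events of one IP.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "ip": ip,
                    "count": count,
                    "first_seen": hits[start][0],
                    "last_seen": hits[end][0],
                    "event_types": sorted({t for _, t in hits[start:end + 1]}),
                }
        if best:
            findings.append(best)
    return findings


def _event(published, event_type, ip):
    """Build a constructed sample event with only the fields used here."""
    return {"published": published, "eventType": event_type,
            "client": {"ipAddress": ip}}


# Constructed sample data (documentation IP ranges), not real log output.
SAMPLE_EVENTS = [
    _event("2024-09-20T10:00:00.000Z", "user.authentication.auth_via_IDP", "203.0.113.10"),
    _event("2024-09-20T10:01:00.000Z", "user.session.start", "203.0.113.10"),
    _event("2024-09-20T10:02:00.000Z", "user.authentication.auth_via_IDP", "203.0.113.10"),
    _event("2024-09-20T10:03:30.000Z", "user.authentication.auth_via_inbound_SAML", "203.0.113.10"),
    _event("2024-09-20T10:06:00.000Z", "user.authentication.auth_via_IDP", "203.0.113.10"),
    _event("2024-09-20T10:45:00.000Z", "user.authentication.auth_via_IDP", "203.0.113.10"),
    _event("2024-09-20T10:00:00.000Z", "user.authentication.auth_unconfigured_identifier", "198.51.100.7"),
    _event("2024-09-20T10:30:00.000Z", "user.authentication.auth_unconfigured_identifier", "198.51.100.7"),
]

if __name__ == "__main__":
    for finding in find_unknown_user_bursts(SAMPLE_EVENTS):
        print(finding["ip"], finding["count"], finding["event_types"])
```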

Support for migrating Office 365 apps to Microsoft Graph

You can now migrate your Office 365 Single Sign-On app (WS-Fed Auto) instances to a secure OAuth-based consent flow using Microsoft Graph. See Configure Single Sign-On for Office 365.

Improved API documentation

Our API documentation has a new look and feel! API content in the References section of the Developer Documentation website will be moved after September 30, 2024.

Early Access

IdP selection for admin resources

This feature gives customers the ability to select and manage the Identity Providers (IdPs) that they want to associate with an admin role. This enhances security by providing granular permissions to roles. See Create a resource set.

Fixes

  • HealthInsight showed GitLab as supporting SAML when it only supports SCIM. (OKTA-706224)

  • When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • When an admin selected the Group push mappings encountered errors task for an AD integration, they were directed to a blank tab. (OKTA-753485)

  • Users couldn't launch the ShareFile app. (OKTA-756155)

  • Users were stuck in an infinite loop when accessing an app that required MFA in the App Sign On Policy. The user couldn't enroll MFA factors because they were either disabled for the org or the enrollment policy didn't allow the enrollment. (OKTA-797575)

  • When creating or updating a profile, user first or last names that contained a dot (last.name) triggered malformed field error messages. (OKTA-798884)

  • When the Allow multiple identities matching the criteria option was enabled for Smart Card IdP, suspending a Smart Card/PIV user resulted in an error on the sign-in page. (OKTA-798997)

  • When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)

  • The Okta Usage and Application Usage reports date range selector used 3 months instead of 90 days as the earliest available date. (OKTA-801212)

  • Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)

  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

  • AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)

Okta Integration Network

  • Briefly AI (OIDC) is now available. Learn more.
  • CAASS (SAML) is now available. Learn more.
  • Cork (API service) is now available. Learn more.
  • Everykey Integration (API service) is now available. Learn more.
  • Heropa (SAML) is now available. Learn more.
  • kickflow (SAML) is now available. Learn more.
  • Nulab Pass (Backlog Cacoo Typetalk) (SAML) has a new integration guide.
  • Obsidian Security (SAML) has a new region URL.
  • Seismic Learning (SAML) has updated endpoints.
  • Seismic Learning (SCIM) has an updated base URL.
  • ShareFile (SWA) was updated. (OKTA-756155)
  • Spiral (SAML) is now available. Learn more.
  • Valence Okta Connector (API service) is now available. Learn more.
  • VASTOnline (SAML) is now available. Learn more.
  • Visily (SAML) is now available. Learn more.
  • WideField Security - Detect (API service) is now available. Learn more.
  • Wirespeed (API service) is now available. Learn more.

Weekly Updates

2024.09.1: Update 1 started deployment on September 24

Generally Available

Sign-In Widget, version 7.23.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Fixes

  • Search OUs configured for an Active Directory instance weren't updated in Okta when the corresponding OUs were deleted in AD. (OKTA-686217)

  • Full group names weren't displayed in search results on the Push Groups tab. (OKTA-710044)

  • On the Realm assignment form, the Profile Source and Realm assignment dropdown failed to display the list of available options. (OKTA-710761)

  • Users assigned to an AD or LDAP instance where delegated authentication wasn't enabled had their user login set incorrectly after enabling delegated authentication. (OKTA-711676)

  • Some admins couldn't filter the MFA Enrollment by User report by group. (OKTA-743062)

  • Users who already had the Google Authenticator enrolled saw an unclear error message if they tried to enroll it again. (OKTA-747092)

  • When a user requested a new app from the End-User Dashboard, the action wasn't recorded in the System Log. (OKTA-755410)

  • The Okta Expression Language string evaluation failed when creating a custom attribute in Universal Directory with the variable name timeZone. (OKTA-756071)

Okta Integration Network

  • Breezy HR by Aquera (SCIM) is now available. Learn more.
  • Ceretax (OIDC) is now available. Learn more.
  • DBSnapper (OIDC) is now available. Learn more.
  • Envoy (SCIM) has updated endpoints.
  • Focal (OIDC) is now available. Learn more.
  • Kickbox (OIDC) is now available. Learn more.
  • Okta ISPM (API Service) has a new logo.
  • Security Journey (SCIM) is now available. Learn more.
  • StrongDM now has an AIP for the SCIM/OIDC URL.
  • Teamup Calendar (OIDC) is now available. Learn more.
  • Vanta (SAML) has updated endpoints.
  • Wirespeed (API Service) has an updated description.

2024.09.2: Update 2 started deployment on September 30

Fixes

  • When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)

  • An outdated Windows logo appeared for various downloads, such as agents. (OKTA-731993)

  • Single Logout (SLO) was unavailable for Salesforce instances in Preview orgs. (OKTA-805013)

  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

  • AD imports sometimes failed when Slack had group push mappings configured as the downstream app. (OKTA-806301)

  • In the Security > Administrators page, the user details incorrectly appeared in the search bar. (OKTA-806750)

Okta Integration Network

  • Bumblebee Networks (SAML) is now available. Learn more.
  • Go1 (SCIM) is now available. Learn more.
  • IDrive e2 (SAML) is now available. Learn more.
  • Iris by Cro Metrics (OIDC) is now available. Learn more.
  • Okta Identity Security Posture Management SSO (OIDC) is now available. Learn more.
  • Nightfall AI (API Service) is now available. Learn more.
  • NordLayer (OIDC) has an additional redirect URI.
  • StrongDM has an AIP for the SCIM/OIDC URL.
  • Syntinels (OIDC) is now available. Learn more.
  • WINN.AI (OIDC) was updated. (OKTA-806820)

Version: 2024.08.0

August 2024

Generally Available

IWA Agent, version 1.17.0

This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org. See Enhanced dynamic zones.

New View client credentials admin role permission

The new View client credentials permission lets admins view OAuth client secrets. The View applications and their details permission no longer includes this privilege. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges. This feature will be gradually made available to all orgs.

ADSSO authentication parameters

When a state token is used, Okta removes the fromURI parameter from the ADSSO authentication POST request.

View System Logs for Office 365 authentication events

You can now view authentication events in the System Log when using WS-Fed to authenticate through Office 365 active (WS-Trust-1.2) and username13 (WS-Trust-1.3) endpoints.

Updates to the Suspicious Activity report

The Suspicious Activity report has been updated to a System Log report. Use the System Log query to search and filter for unusual activities in your org. The query allows you to filter events with more precision and provides more information about each event than what the previous report provided. This information can help you better determine the validity of user actions. See Suspicious activity events.

Updates to Deprovisioning Details report

The Deprovision Details report has been updated to a System Log report. Use the System Log query to search and filter for deprovisioned users with more context and precision than the previous report. See Deprovision Details report.

Deprecating Current Assignments report

The Current Assignment report has been deprecated. Use the User App Access report to identify users currently assigned to applications. See User App Access report. Use the System Log event application.user_membership.remove to identify users who have been unassigned from an application. See Recently unassigned users.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature will be gradually made available to all orgs.

System Log enhancement

Certain system log events now contain a new property called changeDetails in the target. When this property is populated, it reflects new, changed, or removed attributes of the target resource that has been modified. See changeDetails property.

System Log event updates

The following System Log events are now available:

  • application.provision.group_push.deactivate_mapping
  • system.agent.register
  • security.attack_protection.settings.update
  • system.self_service.configuration.update
  • user.behavior.profile.reset
  • system.identity_sources.bulk_upsert
  • system.identity_sources.bulk_delete
  • system.import.schedule
  • system.import.user_match.confirm
  • system.import.user_match.unignore
  • system.import.user_match.update
  • The application.lifecycle.update event now has the sessionIdleTimeoutMinutes and sessionMaxLifetimeMinutes fields. These fields add more session details to the event.

See Event types.

System Log event updates for Universal Directory

The following System Log events are now available:

  • Linked object created
  • Linked object deleted
  • User profile updated
  • Group owner updated
  • Group owner removed

Identity Provider external names

Okta now warns admins if an Identity Provider (IdP) with custom attributes has an empty externalName field. Admins must now update the custom attribute through the API or delete it from the Admin Console and re-add it with the externalName field defined. This ensures that Okta receives the custom attribute when users enroll through Just-In-Time provisioning scenarios.

Request throttling for jwks_uri

Okta has decreased the frequency at which it reloads JWKs from a customer's jwks_uri.

Rate limit for telephony inline hook

Okta now enforces a rate limit for the telephony inline hook by default to protect your org from toll-fraud attacks. See Connect to an external telephony service provider.

Enforce an email verification when a user's email changes

Each time that a user attempts to update their email, Okta sends an email to verify that their primary or secondary email address is up to date.

Authorization server default access policy deprecation

The authorization server default access policy is no longer provided in child orgs that are generated from APIs. Users can click Add New Access Policy to add policies. See Create access policies.

Early Access

Require MFA for accessing Identity Governance admin apps

If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps:

  • Okta Access Certifications
  • Okta Entitlement Management
  • Okta Access Requests Admin

If you have auto-enabled Early Access features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.

OAuth 2.0 security for invoking API endpoints

Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint. See Invoke a flow with an API endpoint.

Fixes

  • When the display language was set to Japanese, some text on the Upgrade Okta Verify with Push window wasn’t translated. (OKTA-658461)

  • Some Identity Providers didn't share custom attributes with Okta when the externalName field was empty. (OKTA-713526)

  • The Sign-In Widget didn't display the correct client ID when a customized client ID was used. (OKTA-722623)

  • Users with a custom admin role that included the View Directory permission were unable to view the Directory Integration page in the Admin Console. (OKTA-733030)

  • In some cases, an Okta org edition couldn't be changed. (OKTA-741688)

  • Admins couldn't edit IP restrictions for tokens created by agents. (OKTA-745048)

  • Some Android, iOS, and iPadOS users couldn't enroll with Okta Verify when the Higher security methods enrollment option was enabled. (OKTA-745318)

  • In some instances, a rate limit was reached when assigning entitlements to a user. (OKTA-746095)

  • The Universal Logout endpoint (oauth2/v1/global-token-revocation) used the incorrect OAuth 2.0 scope. (OKTA-747477)

  • Some users couldn't sign in if the global session policy that applied to them was deleted. (OKTA-754352)

  • System Log events weren't produced when admins changed an app's Radius Authentication Protocol settings. (OKTA-755604)

  • Admins received report emails with links to empty CSV exports. (OKTA-756393)

Okta Integration Network

  • BRM (OIDC) is now available. Learn more.
  • Getty Images (SAML) now has additional ACS endpoints.
  • GitHub Enterprise Server is now called GitHub Enterprise Server (legacy).
  • Haystack (SAML) is now available. Learn more.
  • IBM AS/400 by Aquera (SCIM) is now available. Learn more.
  • INCRMNTAL (OIDC) is now available. Learn more.
  • Kuggar (OIDC) is now available. Learn more.
  • Pmovel (OIDC) is now available. Learn more.
  • Salesforce Social IdP was updated (OKTA-733640).
  • UKG Ready by Aquera (SCIM) is now available. Learn more.
  • Vinkey (OIDC) is now available. Learn more.
  • WebWork Time Tracker (SCIM) is now available. Learn more.
  • Wiz (API service) is now available. Learn more.

Weekly Updates

2024.08.1: Update 1 started deployment on August 19

Generally Available

Enforce MFA for Identity Governance admin apps update

The Enforce MFA for Identity Governance admin apps feature is available as a self-service Early Access feature only if the Enforce MFA to access the Admin Console feature is enabled.

Fixes

  • When admins viewed an OAuth client's secrets, Okta didn't trigger a System Log event. (OKTA-692600)

  • The Identity Providers filter was missing from the Profile Editor page for some users in orgs that had the Enable Custom Admin Roles for Identity Providers feature turned on. (OKTA-724750)

  • Super admins who were assigned permissions through a group assignment couldn't see the Password Hash Export option even when it was enabled in the org. (OKTA-736079)

  • The Allow Unknown Devices button wasn't visible on the user's profile page. (OKTA-746893)

  • Two Session timeout warning modals appeared when a user's session was about to expire. (OKTA-748766)

  • Admins couldn't search for AuthenticatorContext in the user.authentication.auth_via_mfa event in the System Log. (OKTA-750669)

  • The activation link in the Welcome email didn't always work. (OKTA-752981)

  • On the Roles, Resources, and Admins tabs on the Administrators page and in the Edit resources to a standard role dialog, admins couldn't use an ampersand (&) in their search. (OKTA-753904)

  • When a user verified or deleted a mobile phone number, it wasn't recorded in the System Log. (OKTA-790334)

Okta Integration Network

  • Anzenna has a new icon.
  • Brainier LMS by Aquera (SCIM) is now available. Learn more.
  • Cezanne (SCIM) is now available. Learn more.
  • CloudAcademy has been rebranded as QA.
  • DeleteMe (SCIM) now supports creating and updating users.
  • dscout (SCIM) is now available. Learn more.
  • Floqast has a new icon.
  • IBM AS 400 by Aquera has been rebranded as IBM OS/400 on AS/400 (IBM i on Power Systems) by Aquera.
  • Jellyfish (SCIM) has two new default user roles for the roles attribute.

2024.08.2: Update 2 started deployment on August 26

Fixes

  • Custom Boolean fields appeared as a checkbox instead of a dropdown. (OKTA-185091)

  • When two or more OIDC Identity Providers (IdPs) were configured in an org, one of the IdPs' authorization codes could be processed by another IdP. (OKTA-672676)

  • A blank warning message appeared when a report was blocked by a browser's pop-up blocker. (OKTA-692566)

  • Some admins couldn't view the Edit profile and mappings button on the Edit IdP page when the identity provider custom admin role was enabled. (OKTA-747255)

  • Some group admins couldn't use the CSV uploader. (OKTA-756654)

  • When a user verified a recovery factor, the event wasn't logged in the System Log. (OKTA-790370)

  • Sometimes when a user changed their password, the change wasn't logged in the System Log. (OKTA-791175)

Okta Integration Network

  • Acsense (API service) is now available. Learn more.
  • Backupta (OIDC) is now available. Learn more.
  • Cisco User Management Connector Gov (SCIM) is now available. Learn more.
  • Clutch Security (API service) now has the okta.oauthIntegrations.read scope.
  • Figma (SCIM) is now available. Learn more.
  • Greenhouse Onboarding by Aquera (SCIM) is now available. Learn more.
  • myComply (OIDC) is now available. Learn more.
  • Pendo (SAML) has a new integration guide.
  • Reftab Discovery (API service) now has the okta.logs.read scope.
  • Supernormal (SAML) is now available. Learn more.
  • Syncly, Inc (OIDC) is now available. Learn more.

2024.08.3: Update 3 started deployment on September 3

Generally Available

Sign-In Widget, version 7.21.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Improved event reporting

The IP reputation data is now reported more frequently in System Log events. You can find this information in the DebugData or SecurityContext sections of the event.

Fixes

  • Admins couldn't create routing rules using the Policy API due to a cache issue. (OKTA-712397)

  • Group membership changes in Okta were sometimes incomplete in ServiceNow when Group Push was used. (OKTA-716692)

  • When the display language was set to Japanese, some text on the Create new resource set page wasn't translated. (OKTA-742653)

  • Okta didn't check whether operating system versions were greater than or equal to a required version. (OKTA-743658)

  • Provisioning of a user from a source to a target org failed in some Org2Org configurations because the user in the target org was still activating. (OKTA-747231)

  • When multiple PIV user identities were enabled, active identities with an expired password didn't show up as an option when a user signed in. (OKTA-791790)

  • When a user entered the wrong password to sign in to an org using delegated authentication to LDAP, the login cache was cleared. (OKTA-799642)

Okta Integration Network

  • Adyen by Aquera (SCIM) is now available. Learn more.
  • CloudAcademy (SAML) has a new logo, display name, and support for additional endpoints.
  • Command Zero (API service) now has additional scopes.
  • Currents (SCIM) is now available. Learn more.
  • DeleteMe now has SCIM functionality.
  • Experience.com (OIDC) now has additional redirect URIs.
  • TerraTrue (SCIM) now supports group push.
  • Summize (SCIM) now has the openid scope.

Version: 2024.07.0

July 2024

Generally Available

Okta Provisioning agent, version 2.1.0

This release of the Okta Provisioning agent contains vulnerability fixes. See Okta Provisioning agent and SDK version history.

Okta Active Directory agent, version 3.18.0

This release of the Okta Active Directory agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.

New maximum session lifetime for SAML apps

Users can now configure the maximum app session lifetime for SAML apps.

Improved JIT performance for directory integrations

JIT-enabled directory integrations now have improved response times for JIT requests.

New Manage API tokens admin role permission

The new Manage API tokens permission lets admins view, revoke, and update the principal rate limit for a token. This enhancement lets admins assign more granular permissions and reduce the risk of creating roles with too many privileges.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console and MFA for protected actions in the Admin Console. This feature will be gradually made available to all orgs.

Active Directory Bidirectional Group Management

Bidirectional Group Management for Active Directory (AD) allows you to manage AD groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership to an AD group, the removal is reflected in AD. Okta can only manage group memberships for users and groups imported into Okta using the AD integration. It isn't possible to manage users and groups that weren't imported through AD integration. It's also not possible to manage users and groups that are outside the organizational unit's scope for the integration using this feature. See Bidirectional Group Management with Active Directory.

MyAccount Management scopes

The MyAccount Management scopes are no longer added to custom authorization servers by default when an authorization server is created.

Enhanced System Log events table

The value of a client IP address, if present, is now shown below the actor in the events table.

Network Zones and API token restrictions

You can no longer update network zones so they're invalid for use with an API token. This applies only to network zones that are used as restrictions to API tokens. You can update network zones if you first remove them from the API token restriction. These zones can't be deactivated, deleted, blocklisted, or made anything other than an active IP zone.

Event hook limit increased

The limit on active event hooks per org has been increased from 10 to 25. See Create an event hook and Workflows System limits.

New System Log events for Workflows subfolder actions

Improved folder organization gives admins the flexibility to drag and drop folders into other folders or move them up to become a top-level folder. See Move a folder into another folder. When this action happens, the new workflows.user.folder.move event type appears in the System Log. See the Event Types API.

Additional System Log event information

The user.account.privilege.grant System Log event now includes information about the assigned role and target, and indicates if it was a group or individual role assignment.

Early Access

Entitlement Management with Okta Provisioning Agent with SCIM 2.0 support

This agent supports Entitlements Management for app integrations that have enabled Governance Engine. This allows the provisioning of entitlements between Okta and on-premises apps.

Fixes

  • System Log events for API token management didn't include the token's network restriction information in the debug context. (OKTA-724469)

  • When editing a user's assignments, roles with numeric values appeared in the wrong position in the Role dropdown menu. Selecting Not mapped set the role to 629. (OKTA-729800)

  • The enrollment instructions on the Google Authenticator page incorrectly mentioned barcode instead of QR code. (OKTA-735775)

  • Errors appeared on a token's page when a network zone that was used by a token was deleted. (OKTA-736539)

  • Push Group jobs that included deleting group memberships failed if their execution time exceeded one minute. (OKTA-741405)

  • The Back to Settings button wasn't visible on the End User Settings page. This occurred when managing the user's authenticators if the user completed MFA using a Smart Card or IdP authenticator. (OKTA-743091)

  • The Okta logo was missing from email notifications for protected actions. (OKTA-743776)

  • The Generated Password Health report was incomplete. (OKTA-746008)

  • The number of group members returned from the /api/v1/groups/<group_id>/users API call was inconsistent with the database query count of the same group. (OKTA-747426)

Okta Integration Network

  • Aiven (SCIM) now has sync password support.
  • Lever by Aquera (SCIM) is now available. Learn more.
  • RICOH Smart Integration (SCIM) is now available. Learn more.

Weekly Updates

2024.07.1: Update 1 started deployment on July 22

Generally Available

New IP service categories added

Additional IP service categories have been added to the enhanced dynamic zones IP service category list. See Supported IP service categories.

Fixes

  • Some text strings on the General Settings page for custom OIDC apps weren't translated. (OKTA-739262)

  • When an admin clicked Show more on the Administrator assignment by role page, additional admins with the super admin role didn't appear. (OKTA-743378)

  • When a user tried to access OneDrive from the app on the Okta End-User Dashboard, an error occurred if there was an active Office 365 session. (OKTA-744748)

  • When the display language was set to Japanese, some text on the Deactivate People page wasn't translated. (OKTA-745642)

  • The Reset Password modal had a grammatical error. (OKTA-747866)

  • If an API request in Preview contained any malformed syntax within the query string, the request was still processed. (OKTA-748246)

  • The EAP-TTLS option wasn't available for all RADIUS app integrations. (OKTA-750253)

Okta Integration Network

  • Call2Action (OIDC) is now available. Learn more.
  • ClickUp (SCIM) is now available. Learn more.
  • Clutch Security (API service) is now available. Learn more.
  • Cortex (SCIM) is now available. Learn more.
  • Exaforce (API service) is now available. Learn more.
  • LiveEdge Cloud (SAML) is now available. Learn more.
  • MangoApps (SAML) now has configurable domain support for endpoints.
  • MangoApps (SCIM) is now available. Learn more.
  • NinjaOne (SCIM) is now available. Learn more.
  • Pendo (SAML) has a new integration guide.
  • SGNL (CAEP Hub) (API service) is now available. Learn more.
  • Teamgo Visitor Sign-in (SAML) is now available. Learn more.
  • UKG Pro by Aquera (SCIM) is now available. Learn more.
  • Vanta (SCIM) is now available. Learn more.
  • Wundergraph Cosmo (SCIM) is now available. Learn more.

2024.07.2: Update 2 started deployment on August 5

Fixes

  • When the display language was set to Japanese, some text on the Delegated Authentication page wasn’t translated. (OKTA-658397)

  • Some users were redirected to the End-User Dashboard instead of the application they tried to access. (OKTA-717246)

  • Some customers signing in to Okta-hosted custom domains with the first- or second-generation Sign-In Widget received communications from Monotype Imaging Inc. about licensing for the Proxima Nova font. (OKTA-731216)

  • When the Assign and revoke super admin role protected action was enabled and an admin revoked the super admin role from the Admins tab, they weren’t prompted for additional MFA. (OKTA-733379)

  • If API provisioning was enabled without enabling Update User Attributes, Docusign app usernames were set to the users' full names rather than email addresses. (OKTA-742584)

  • When the display language was set to Japanese, some text on the Sign on tab for the Google Apps instance wasn’t translated. (OKTA-742635)

  • When the display language was set to Japanese, some text on the Create new resource set page wasn’t translated. (OKTA-742653)

  • Some of the help links on the Downloads page weren’t correct. (OKTA-744866)

  • The SAML single logout URL wasn't embedded in the iFrame after the correct trusted origin was configured. (OKTA-744874)

  • When users tried to create SSWS tokens, Enhanced Dynamic Zones appeared in the list but users couldn't select them. (OKTA-745607)

  • The right-click menu didn't work in the Admin Console. (OKTA-745918)

  • No Profile Update event was added to the System Log when an AD-sourced user signed in to Okta for the first time. (OKTA-747439)

  • Users without the Okta Access Requests Admin app couldn't view any app instance pages. (OKTA-748462)

  • The protected actions email notification sometimes contained a broken link. (OKTA-749232)

  • In orgs using delegated authentication with either AD or LDAP, attempting to sign in when the username contained a wildcard character (*) resulted in an HTTP 500 error. (OKTA-749548)

Okta Integration Network

  • Cisco User Management for Secure Access (SCIM) is now called Cisco User Management Connector.
  • Clockwise (SCIM) now has Bookmark mode.
  • CoderPad has new SAML and SCIM integration guides, and the SWA app was updated.
  • Databricks has a new icon.
  • Exaforce (API service) has updated scopes.
  • getregistered (SAML) is now available. Learn more.
  • Nulab Pass (Backlog Cacoo Typetalk) (SCIM) is now available. Learn more.
  • Opensurvey Dataspace (OIDC) now supports IdP-initiated SSO.
  • Pleo (SCIM) is now available. Learn more.
  • Prowler (SAML) has a new icon.
  • Retail Zipline (SAML) now supports Single Logout (SLO) and has a new integration guide and icon.
  • Staircase AI (SCIM) is now available. Learn more.
  • WebWork Time Tracker (SCIM) is now available. Learn more.
  • Wiz (API service) is now available. Learn more.
  • Zip has an updated API.