Okta Classic Engine release notes (Production)

Current release status

Production: current 2024.02.2; upcoming 2024.03.0 (Production release is scheduled to begin deployment on March 11)
Preview: current 2024.02.2; upcoming 2024.03.0 (Preview release is scheduled to begin deployment on March 7)

February 2024

2024.02.0: Monthly Production release began deployment on February 12

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Sign-In Widget, version 7.15.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.1

This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.

Okta Active Directory agent, version 3.16.1

This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.

Okta MFA Credential Provider for Windows, version 1.4.2

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

Assign admin roles to an app

Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.

Seamless ISV experience

Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.

This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.

DPoP support for Okta management API

You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.

LDAP real-time synchronization

With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.

Updated translations

Translations for password policy UI have been updated.

Reports field update

The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.

Dynamic user schema discovery now available

Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.

OIN connector support for Entitlement Management

The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.

App integration tile now available for Okta Workflows

Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.

Early Access Features

Okta Personal for Workforce

Okta Personal for Workforce is a set of features that allows admins to separate their users' work data from non-work data. Admins can now offer their end users a free Okta Personal account to store personal data, allow them to switch between accounts, and migrate personal apps from the Okta enterprise tenant to Okta Personal. When Okta Personal for Workforce is enabled, personalized communications are sent to end users encouraging them to use Okta Personal for personal data and Okta enterprise for work data. See Okta Personal for Workforce User Experience.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

Protected actions in the Admin Console

The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Detect and block requests from anonymizing proxies

Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.

Network zone allowlists for SSWS API tokens

Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from which Okta API requests that use SSWS API tokens can be made. This prevents attackers and malware that steal an SSWS token from replaying it outside of the specified IP range to gain unauthorized access.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.

Fixes

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-668324

    Email notifications that were sent when a password was reset by Okta Support didn't include Support information.

  • OKTA-669735

    When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group’s membership.

  • OKTA-678489

    Voice calls to some destinations didn't work when a 7-digit phone number with a 3-digit extension was entered.

  • OKTA-680483

    The self-service registration form accepted invalid input for the first and last name fields.

  • OKTA-681083

    Voice calls for MFA challenges were not completely translated in Vietnamese when the user's locale was set to Vietnam.

  • OKTA-681654

    The option to add a custom email domain was unavailable on the default Okta brand page.

  • OKTA-682202

    If an admin’s role had a conditioned permission, they couldn’t assign apps to users.

  • OKTA-688501

    Users weren't redirected to the Okta Sign-In Widget for custom domain URLs that ended with okta.com.

  • OKTA-690143

    Unicode characters deemed illegal for HTTP headers were being accepted.

Okta Integration Network

App updates

  • The Elba SSO app integration has new redirect URIs.
  • The Ermetic app integration has been rebranded as Tenable Cloud Security.
  • The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.

January 2024

2024.01.0: Monthly Production release began deployment on January 16

Generally Available Features

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See About role permissions.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}].

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

December 2023

2023.12.0: Monthly Production release began deployment on December 11

Generally Available Features

Sign-In Widget, version 7.13.1

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta LDAP agent, version 5.19.0

This version of the agent contains:

  • Security enhancements.
  • Configurable fipsMode setting. Users can now enable or disable FIPS-supported encryption algorithms.

Note: To revert to an older version of the agent, Linux agent users must uninstall version 5.19.0 and then reinstall the older version. See Okta LDAP Agent version history.

Okta MFA Credential Provider for Windows, version 1.4.0

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.

MFA enrollment by user report

Use this report to view the types and counts of authenticators that users in your org have enrolled. This can improve the security posture of your org by enabling you to understand the adoption of strong authenticators like Okta Verify. See MFA Enrollment by User report.

Demonstrating Proof-of-Possession

OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is a security feature that adds an extra layer of protection to OAuth 2.0 access tokens. It enables the client to demonstrate that it possesses a particular key or secret associated with the access token. OAuth 2.0 DPoP can help prevent certain attacks, such as token theft or token replay attacks, where an attacker intercepts a legitimate access token and uses it to gain unauthorized access to a protected resource. See Create OIDC app integrations.
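
The key binding described above, as an added example that is not Okta's code and does not come from these release notes: a client signs a DPoP proof per RFC 9449 (ES256, Node.js built-in crypto) and a resource server rejects a replayed proof and a token presented with a different key. The function names, the URL and the token string are constructed placeholders; server nonces and validation of the access token itself are assumed to happen elsewhere.

```javascript
// Added example (not Okta code): DPoP proof per RFC 9449 using Node's built-in crypto.
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('base64url');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// RFC 7638 thumbprint of an EC JWK: required members in lexicographic order.
const thumbprint = ({ crv, kty, x, y }) => sha256(JSON.stringify({ crv, kty, x, y }));

// Client: sign a proof bound to one HTTP method, one URL and one access token.
function makeProof(keys, htm, htu, token) {
  const { kty, crv, x, y } = keys.publicKey.export({ format: 'jwk' });
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty, crv, x, y } };
  const claims = { jti: crypto.randomUUID(), htm, htu, iat: Math.floor(Date.now() / 1000), ath: sha256(token) };
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: keys.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Server: returns 'ok' or the rejection reason. boundJkt is the key thumbprint
// recorded for the token at issuance (the cnf.jkt value in RFC 9449).
function checkProof(proof, htm, htu, token, boundJkt, seenJti, maxAgeSec = 60) {
  let header, claims, validSig;
  try {
    const [h, c, s] = proof.split('.');
    header = dec(h); claims = dec(c) || {};
    const pub = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
    validSig = crypto.verify('sha256', Buffer.from(`${h}.${c}`), { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  } catch (e) { return 'malformed proof'; }
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'unsupported header';
  if (!validSig) return 'bad signature';
  if (thumbprint(header.jwk) !== boundJkt) return 'token bound to a different key';
  if (claims.htm !== htm || claims.htu !== htu) return 'method or URL mismatch';
  if (claims.ath !== sha256(token)) return 'proof not for this token';
  if (Math.abs(Date.now() / 1000 - claims.iat) > maxAgeSec) return 'proof too old';
  if (seenJti.has(claims.jti)) return 'proof replayed';
  seenJti.add(claims.jti);
  return 'ok';
}

// Constructed scenario: placeholder URL and token, throwaway keys.
function demo() {
  const gen = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const [client, other] = [gen(), gen()];
  const url = 'https://org.example/api/v1/users', token = 'constructed-access-token';
  const jkt = thumbprint(client.publicKey.export({ format: 'jwk' })), seen = new Set();
  const proof = makeProof(client, 'GET', url, token);
  return [proof, proof, makeProof(other, 'GET', url, token)].map((p) => checkProof(p, 'GET', url, token, jkt, seen));
}
console.log(demo());
```

The three results are the legitimate request, the same proof sent a second time, and the same token presented with a proof signed by a key it was not bound to.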

Responsive Admin Dashboard layout

When you resize the Admin Console to 600 x 751 pixels or smaller, the dashboard widgets now stack vertically instead of horizontally.

Improved Product Offers dashboard widget

The appearance and readability of the Product Offers dashboard widget have been improved to provide a better user experience.

Copy System Log events

A copy button is now available for each event listed in the System Log.

New attributes available for Smart Card username

Issuer and Serial Number attributes are now available when you configure the IdP username for the Smart Card Identity Provider.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-419477

    There was a typographical error on the Active Directory Import page.

  • OKTA-633914

    Active AD users who initiated self-service unlock were emailed recovery instructions instead of a message that their account was already unlocked.

  • OKTA-636211

    The footer message in User Activation email templates contained an inaccurate email link.

  • OKTA-642341

    During an SP-initiated sign-in flow, an interstitial page didn't appear in the browser's configured language.

  • OKTA-650686

    Memory cache errors sometimes occurred when admins performed imports on orgs with a large number of app assignments.

  • OKTA-655084

    Some AD provisioning events that failed were shown as successful in the System Log.

  • OKTA-657022

    Setting the group owner in Okta sometimes failed when the ManagedBy field from Active Directory was used.

  • OKTA-661574

    When an administrator signed in to the Okta Dashboard, and then attempted to access the Admin Console, they weren't prompted for MFA.

  • OKTA-661797

    When a user clicked an app tile on the Okta Dashboard, the Safari browser opened apps in a new window without user interface controls instead of a new tab.

  • OKTA-664847

    Application assignments sometimes failed in orgs that use custom admin roles.

  • OKTA-668354

    An incorrect warning appeared on the Administrator assignment page when a custom admin role was assigned with granular directory permissions and an Active Directory resource set.

  • OKTA-670388

    Admins sometimes couldn't modify app sign-on policy rules in Classic Engine orgs that were prepared for upgrade to Identity Engine.

Okta Integration Network

App updates

  • The BombBomb app integration has a new logo.

App integration fixes

  • Bank of America CashPro (SWA) (OKTA-668979)
  • Delta Dental (SWA) (OKTA-664057)
  • HelloFax (SWA) (OKTA-657466)
  • MacStadium (SWA) (OKTA-662973)
  • SendGrid (SWA) (OKTA-657094)
  • Team Gantt (SWA) (OKTA-663418)
  • Unity Ads (SWA) (OKTA-658284)
  • ZipCar (SWA) (OKTA-657448)
  • Zurich Adviser Portal (SWA) (OKTA-662671)
