Okta Classic Engine release notes (2024)
Version: 2024.01.0
January 2024
Generally Available
Okta On-Prem MFA Agent, version 1.7.4
This version includes security enhancements. See Okta On-Prem MFA agent version history.
Read-only permission for admin role assignments
Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.
Operating system in the Okta Verify push challenge
The Okta Verify app now displays the correct operating system when the push challenge is initiated.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Box
- Google Workspace
- Microsoft Office 365
- Netsuite
- Salesforce
System Log events for IdP keystore operations
New System Log events are generated for IdP keystore operations:
- system.idp.key.create
- system.idp.key.update
- system.idp.key.delete
System Log event for GET an IdP
A new System Log event is generated for GET /api/v1/idps/{idpId}.
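As an added example of putting the new keystore events to use (example code, not part of the release note and not Okta's own tooling): the Go program below reads a constructed batch of System Log records in Okta's field layout (eventType, actor, target, outcome, published) and raises one alert per system.idp.key.* event. update and delete are rated high because they change which IdP signatures Okta trusts, and so is any key operation by a non-human actor. The record contents, the key IDs and the IdpKey target type are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed System Log records in Okta's field layout. The actor, key IDs
// and the IdpKey target type are made up for this example.
const sampleSystemLog = `[
 {"eventType":"system.idp.key.create","published":"2024-01-10T09:01:00.000Z",
  "actor":{"id":"00u1","type":"User","alternateId":"admin@example.com"},
  "outcome":{"result":"SUCCESS"},
  "target":[{"type":"IdpKey","id":"kid-1111","displayName":"SAML signing key"}]},
 {"eventType":"user.session.start","published":"2024-01-10T09:02:00.000Z",
  "actor":{"id":"00u2","type":"User","alternateId":"alice@example.com"},
  "outcome":{"result":"SUCCESS"},"target":[]},
 {"eventType":"system.idp.key.delete","published":"2024-01-10T23:45:00.000Z",
  "actor":{"id":"0oa9","type":"PublicClientApp","alternateId":"Automation service"},
  "outcome":{"result":"SUCCESS"},
  "target":[{"type":"IdpKey","id":"kid-1111","displayName":"SAML signing key"}]}
]`

type logEvent struct {
	EventType string `json:"eventType"`
	Published string `json:"published"`
	Actor     struct {
		Type        string `json:"type"`
		AlternateID string `json:"alternateId"`
	} `json:"actor"`
	Outcome struct {
		Result string `json:"result"`
	} `json:"outcome"`
	Target []struct {
		Type string `json:"type"`
		ID   string `json:"id"`
	} `json:"target"`
}

// keyAlert summarises one IdP keystore operation for review.
type keyAlert struct {
	When, Operation, Actor, KeyID, Outcome, Severity string
}

// idpKeyAlerts returns one alert per system.idp.key.* event in raw, a JSON
// array of System Log records. update and delete are rated high because they
// change which IdP signatures Okta trusts, so each should match a change
// ticket; a non-human actor (an app rather than a User) is rated high too.
func idpKeyAlerts(raw string) ([]keyAlert, error) {
	var events []logEvent
	if err := json.Unmarshal([]byte(raw), &events); err != nil {
		return nil, err
	}
	const prefix = "system.idp.key."
	var alerts []keyAlert
	for _, ev := range events {
		if !strings.HasPrefix(ev.EventType, prefix) {
			continue
		}
		a := keyAlert{
			When:      ev.Published,
			Operation: strings.TrimPrefix(ev.EventType, prefix),
			Actor:     ev.Actor.AlternateID,
			Outcome:   ev.Outcome.Result,
			Severity:  "medium",
		}
		if a.Operation != "create" || ev.Actor.Type != "User" {
			a.Severity = "high"
		}
		if len(ev.Target) > 0 {
			a.KeyID = ev.Target[0].ID
		}
		alerts = append(alerts, a)
	}
	return alerts, nil
}

func main() {
	alerts, err := idpKeyAlerts(sampleSystemLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-6s %-6s key=%s by %s (%s)\n", a.When, a.Severity, a.Operation, a.KeyID, a.Actor, a.Outcome)
	}
}
```

The same loop applies to the events the fixes in this release restore (MFA resets by support users, password expiry through the API): the detection value of a System Log event is only as good as the guarantee that it is emitted, so rules like this one should be tested against a real action in a preview org after each agent or platform update.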
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Google Workspace system roles
Okta now supports Google Workspace system roles.
Updated RADIUS authentication prompts
RADIUS authentication prompts are updated to be clearer.
Early Access Features
Early Access features from this release are now Generally Available.
Fixes
- OKTA-654000: Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant, even though the authentication policy didn't allow it.
- OKTA-658796: The Brand name description on the page contained a typo.
- OKTA-659305: The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.
- OKTA-667066: Resetting MFA using support user permissions didn't generate a System Log event.
- OKTA-673705: Admins couldn't condition permissions to include or exclude attributes from multiple user profiles.
- OKTA-674540: Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.
- OKTA-679833: Some default attribute mappings for SuccessFactors were incorrect.
- OKTA-683871: When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The OneRange app integration has a new description.
- The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
- The Peakon SCIM app integration has a new base URL and help text.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Genian ZTNA (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity 401k (SWA) (OKTA-659323)
Weekly Updates
Fixes
- OKTA-626684: The Create token button didn't appear for some accounts with custom admin roles.
- OKTA-638138: In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.
- OKTA-642351: Group memberships from deleted apps still appeared in the System Log.
- OKTA-679051: No event was recorded in the System Log when active AD users initiated self-service unlock.
- OKTA-686546: The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The Experience.com app integration now supports IdP-initiated flows.
- The OneRange app integration has a new description.
- The Peakon SCIM app integration has a new base URL and help text.
- The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Arbolus (OIDC)
- Authomize Identity Security (API service)
- Bluescape (SAML)
- eFlok (SAML)
- Omni Analytics (SAML)
- ShareCal (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity 401k (SWA) (OKTA-659323)
Generally Available
Sign-In Widget, version 7.14.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
IP restrictions on tokens
Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate. It also limits the damage from a stolen SSWS token: attackers and malware can no longer replay the token from outside the allowed IP ranges to gain unauthorized access.
Fixes
- OKTA-637955: In some cases, custom admins were able to view pushed groups that weren't assigned to them.
- OKTA-639335: When groups assigned to a deactivated app were removed from Okta, the groups remained assigned to the app.
- OKTA-649640: Password rules weren't correctly translated in French.
- OKTA-653740: Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.
- OKTA-655791: The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD-imported group.
- OKTA-658530: Customized self-service account unlock email templates didn't display the UTC time zone for the {unlockAccountTokenExpirationDate} attribute.
- OKTA-664370: Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.
- OKTA-665347: No System Log event was generated when an admin used the API to expire a user's password.
- OKTA-665377: Some authenticator actions done using the API didn't appear in the System Log.
- OKTA-665903: In some cases where a group was unassigned from an app, members of that group were still provisioned to the app.
- OKTA-667063: The affected entity wasn't included in the System Log when temporary access was granted using the Support User.
- OKTA-674218: System Log events for access token and ID token grants didn't include user attributes.
- OKTA-679556: Group Push of large groups from Okta sometimes failed to push all members to downstream apps.
- OKTA-679914: After an org's ISO region codes were updated, its policies prevented users from signing in from Telangana, India.
- OKTA-684369: Users were sometimes not unassigned from applications after being removed from groups in orgs that had application entitlement policy enabled.
- OKTA-686081: Some users weren't imported after being unassigned from a sourcing app.
- OKTA-686801: Some Salesforce provisioning jobs entered a buffered state and didn't run.
- OKTA-687812: An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.
- OKTA-687814: An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.
- OKTA-688020: In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.
Okta Integration Network
App updates
- The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
- The Flow of Work Co app integration has been rebranded as GoFIGR.
- The OpsLevel app integration now has the group push, import users, and import groups functions.
- The Saltalk app integration has been rebranded as WeBox.
New Okta Verified app integrations
- ActivityInfo (OIDC)
- Bedrock Security (SAML)
- Clockwise (SCIM)
- CrunchyBridge (OIDC)
- ESKER (SAML)
- Inigo GraphQL (OIDC)
- MockFlow (SCIM)
- Netskope Admin Console (SAML)
- OCCAM Razor (OIDC)
- OPSWAT MetaDefender IT-OT Access (SAML)
- Tradespace (SAML)
- UKG HR Service Delivery (SCIM)
App integration fixes
- FaxSIPit (SWA) (OKTA-655845)
- My Eaton (SWA) (OKTA-670410)
Version: 2024.02.0
February 2024
Generally Available
Sign-In Widget, version 7.15.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta LDAP agent, version 5.19.1
This version of the agent fixes the expiring signature error that prevented agents from auto-updating to the newest LDAP agent version. See Okta LDAP Agent version history.
Okta Active Directory agent, version 3.16.1
This version of the agent fixes an expiring signature error that prevented agents from auto-updating to the newest Active Directory agent version. See Okta Active Directory agent version history.
Okta MFA Credential Provider for Windows, version 1.4.2
This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows Version History.
Assign admin roles to an app
Orgs can now assign admin roles to their custom API Service Integrations. Apps with assigned admin roles are constrained to the permissions and resources that are included in the role assignment. This helps ensure that apps only have access to the resources that are needed to perform their tasks, and improves orgs' overall security. See Work with the admin component.
Seamless ISV experience
Okta now provides a seamless ISV experience to optimize the Okta Integration Network (OIN) submission experience for SAML and OIDC integrations. This new experience enables independent software vendors (ISVs) to build and manually test their integration metadata before submission. This reduces the time needed for the OIN team to review and validate that the integration functions as intended, which shortens the time to publish in the OIN.
This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See Publish an OIN integration overview and Submit an SSO integration with the OIN Wizard guide.
DPoP support for Okta management API
You can now use OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) access tokens to access Okta management APIs. See Configure OAuth 2.0 Demonstrating Proof-of-Possession.
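An added example of the DPoP mechanism this feature enables (example code written for this page, not Okta's code or part of the release note): the Go program below builds the proof JWT a client sends in the DPoP header alongside a management API call and performs the checks a resource server applies to it, following RFC 9449. The org URL https://example.okta.com, the access token string and the two-minute skew window are assumptions; which claims Okta enforces, and how the DPoP-bound token is obtained in the first place, are in the linked configuration guide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwkFor returns the public JWK (RFC 7517) carried in every DPoP proof header.
func jwkFor(pub *ecdsa.PublicKey) map[string]string {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// jwkThumbprint (RFC 7638) is what the authorization server puts in the token's cnf.jkt claim.
func jwkThumbprint(jwk map[string]string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, jwk["crv"], jwk["kty"], jwk["x"], jwk["y"])))
	return b64.EncodeToString(sum[:])
}

// newDPoPProof builds the proof JWT (RFC 9449) sent in the DPoP header of one API call:
// htm/htu bind it to the method and URL, ath to the access token, jti/iat make it single-use.
func newDPoPProof(key *ecdsa.PrivateKey, method, url, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	ath := sha256.Sum256([]byte(accessToken))
	header, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkFor(&key.PublicKey)})
	claims, _ := json.Marshal(map[string]interface{}{"jti": b64.EncodeToString(jti), "htm": method, "htu": url,
		"iat": now.Unix(), "ath": b64.EncodeToString(ath[:])})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyDPoPProof performs the resource-server checks and returns the proof key's
// thumbprint, which the caller must match against the access token's cnf.jkt.
func verifyDPoPProof(proof, method, url, accessToken string, now time.Time, maxSkew time.Duration) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed proof")
	}
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	var claims struct{ Jti, Htm, Htu, Ath string; Iat int64 } // encoding/json matches keys case-insensitively
	hb, err1 := b64.DecodeString(parts[0])
	cb, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return "", errors.New("undecodable proof")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256" || len(sig) != 64 {
		return "", errors.New("unexpected header or signature format") // no algorithm negotiation
	}
	xb, _ := b64.DecodeString(hdr.Jwk["x"])
	yb, _ := b64.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid")
	}
	ath := sha256.Sum256([]byte(accessToken))
	age := now.Sub(time.Unix(claims.Iat, 0))
	switch {
	case claims.Htm != method || claims.Htu != url:
		return "", errors.New("proof bound to a different request") // blocks cross-endpoint replay
	case claims.Ath != b64.EncodeToString(ath[:]):
		return "", errors.New("proof bound to a different access token")
	case claims.Jti == "" || age > maxSkew || age < -maxSkew:
		return "", errors.New("missing jti or proof outside the time window") // a real server also rejects a reused jti
	}
	return jwkThumbprint(hdr.Jwk), nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	url, tok := "https://example.okta.com/api/v1/users", "access-token-from-okta" // hypothetical org and token
	proof, _ := newDPoPProof(key, "GET", url, tok, time.Now())
	_, err := verifyDPoPProof(proof, "DELETE", url, tok, time.Now(), 2*time.Minute) // replay against another method
	fmt.Println(proof[:30]+"... replayed as DELETE:", err)
}
```

The point of the server-side checks is what separates a DPoP-bound token from a bearer or SSWS token: a captured proof is rejected if it is presented with another method or URL, with another access token, or outside the time window, and a captured access token is useless without the private key that signs fresh proofs. The thumbprint returned by verifyDPoPProof still has to be compared with the cnf.jkt claim of the access token, and a production server also keeps the recent jti values to refuse an exact replay inside the window.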
LDAP real-time synchronization
With real-time synchronization, user profiles, groups, and group memberships can now be updated when LDAP-sourced users sign in to Okta, or when they refresh their People page. Admins no longer need to perform full or incremental imports of user attributes, and user profiles, groups, and group memberships are always up to date. Real-time synchronization also reduces the burden on system resources because user attributes are imported and updated individually and not in large groups. See Manage your LDAP integration. This feature is being re-released.
Updated translations
Translations for password policy UI have been updated.
Reports field update
The operator field of the Reports Edit Filters dialog shows the selected item in the dropdown menu.
Dynamic user schema discovery now available
Dynamic user schema discovery is now available for SCIM app integrations that support user entitlements and Identity Governance.
OIN connector support for Entitlement Management
The PagerDuty and Zendesk connectors have been updated to support Entitlement Management. See Provisioning-enabled apps.
App integration tile now available for Okta Workflows
Users who are assigned to the Okta Workflows app integration now have a dedicated tile on their End-User Dashboard to launch the Okta Workflows Console. See Workflows Console.
Early Access Features
Protected actions in the Admin Console
The protected actions feature provides an additional layer of security to your org. It prompts admins for authentication when they perform critical tasks in the Admin Console and helps ensure that only authorized admins can perform these tasks. Super admins can configure the authentication interval for their org. See Protected actions in the Admin Console.
Detect and block requests from anonymizing proxies
Orgs can now detect and block web requests that come from anonymizers. This helps improve the overall security of your org.
Network zone allowlists for SSWS API tokens
Admins can now specify a network zone allowlist for each static (SSWS) API token. These allowlists define the IP addresses or network ranges from which Okta API requests using the token can be made. A stolen SSWS token can then no longer be replayed by attackers or malware from outside the specified IP ranges to gain unauthorized access.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. There's no impact to any existing rules that allow single-factor access.
Fixes
- OKTA-649640: Password rules weren't correctly translated in French.
- OKTA-668324: Email notifications that were sent when a password was reset by Okta Support didn't include Support information.
- OKTA-669735: When an admin was removed from a group that was imported from an app, their user profile still displayed the admin assignments that were granted through the group's membership.
- OKTA-678489: Voice calls to some destinations didn't work when a 7-digit phone number with a 3-digit extension was entered.
- OKTA-680483: The self-service registration form accepted invalid input for the first and last name fields.
- OKTA-681083: Voice calls for MFA challenges weren't completely translated into Vietnamese when the user's locale was set to Vietnam.
- OKTA-681654: The option to add a custom email domain was unavailable on the default Okta brand page.
- OKTA-682202: If an admin's role had a conditioned permission, they couldn't assign apps to users.
- OKTA-688501: Users weren't redirected to the Okta Sign-In Widget for custom domain URLs that ended with okta.com.
- OKTA-690143: Unicode characters deemed illegal for HTTP headers were being accepted.
Okta Integration Network
App updates
- The Elba SSO app integration has new redirect URIs.
- The Ermetic app integration has been rebranded as Tenable Cloud Security.
- The Ermetic JIT app integration has been rebranded as Tenable Cloud Security JIT.
New Okta Verified app integrations
- Bedrock Security (SAML)
- Boomerang by BuyerAssist.io (OIDC)
- Codefresh by Aquera (SCIM)
- Handoffs (OIDC)
- Procyon (OIDC)
- Procyon (SCIM)
- ProdPad by Aquera (SCIM)
- SwaggerHub by Aquera (SCIM)
- TallyFi (SAML)
- TriNet by Aquera (SCIM)
- Xero by Aquera (SCIM)
Weekly Updates
Generally Available
Redesigned resource set pages
The Create new resource set and Edit resource set pages that are displayed when an admin creates or edits a resource set now provide a simpler, more intuitive user experience. See Create a resource set. This feature is being re-released.
Redesigned admin role pages
The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role. This feature is being re-released.
HTTP header filter
To improve the security of your org, Okta now filters and encodes any illegal Unicode characters in outgoing HTTP headers.
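An added illustration of the check behind this feature and the OKTA-690143 fix (example code written for this page, not Okta's implementation): a header value that carries CR, LF, other control characters or non-ASCII bytes can terminate its own header line or inject a new one (response splitting), so the Go functions below validate a value against the field-value grammar of RFC 9110 section 5.5 and percent-encode any byte outside it. The inputs in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// legalHeaderByte reports whether c may appear in an HTTP field value
// (RFC 9110 section 5.5): horizontal tab, space and visible ASCII. CR, LF,
// NUL, other controls and every non-ASCII byte are excluded, so a value can
// neither end its own header line nor start a new one.
func legalHeaderByte(c byte) bool {
	return c == '\t' || (c >= 0x20 && c <= 0x7e)
}

// headerValueLegal is the strict form of the filter: reject the whole value.
func headerValueLegal(v string) bool {
	for i := 0; i < len(v); i++ {
		if !legalHeaderByte(v[i]) {
			return false
		}
	}
	return true
}

// sanitizeHeaderValue is the "filter and encode" form: every illegal byte,
// including each byte of a multibyte UTF-8 sequence, is replaced by its %XX
// form so the value stays one well-formed header line. The transform is
// one-way; the receiver is not expected to decode it.
func sanitizeHeaderValue(v string) string {
	if headerValueLegal(v) {
		return v
	}
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		if c := v[i]; legalHeaderByte(c) {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

func main() {
	// Constructed inputs: a response-splitting attempt, a non-ASCII name, a plain value.
	for _, v := range []string{
		"/home\r\nSet-Cookie: session=attacker",
		"résumé",
		"plain value",
	} {
		fmt.Printf("%-42q legal=%-5v -> %q\n", v, headerValueLegal(v), sanitizeHeaderValue(v))
	}
}
```

Rejecting is the safer default for values an application builds itself; encoding is the pragmatic choice when the value originates from user data (a display name echoed into a header, for instance) and the header must still be sent. Either way the decision has to be made at the byte level, before the value reaches the HTTP layer, which is the point of the fix above.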
Fixes
- OKTA-597892: In orgs configured to perform batch imports for all apps, small batch sizes resulted in slower than expected imports.
- OKTA-673389: String attributes couldn't be set to an empty string.
- OKTA-682104: Org2Org group push reset custom attributes to undefined.
- OKTA-686922: An error occurred when admins deleted inactive Microsoft Office 365 app instances that were configured to use manual federation.
- OKTA-688938: Admins whose custom role contained the Manage customizations permission couldn't preview email templates.
- OKTA-690143: Illegal Unicode characters were accepted for HTTP headers.
- OKTA-695783: Users couldn't enter a period (.) in their first or last name during self-service registration.
- OKTA-698353: Admins couldn't enable the Prevent new single-factor access to the Admin Console feature.
Okta Integration Network
New Okta Verified app integrations
- Amazon WorkDocs by Aquera (SCIM)
- Amazon WorkMail by Aquera (SCIM)
- Mailosaur (SAML)
- Smartsheet v2 (SAML)
Generally Available
Cornerstone OnDemand now uses OAuth for authentication
Cornerstone OnDemand replaced the previous authentication method with OAuth authentication to improve security for provisioning. Create a new Cornerstone OnDemand app instance and configure it to use OAuth credentials. See Configure provisioning for Cornerstone OnDemand.
Fixes
- OKTA-491520: The Edit Filters dialog of the MFA Enrollment by User report didn't support the operators is set and is not set for the Authenticator type field.
- OKTA-656265: Sometimes, an OAuth 2.0-secured inline hook that contained a custom domain authorization server in the token URL returned a null pointer exception error instead of an appropriate error.
- OKTA-663294: The issuer mode appeared blank on authorization servers when it was set to Custom URL.
- OKTA-679870: Some preview org admins saw error messages while authenticating, or saw org pages with no menu items.
- OKTA-679978: Content Delivery Network (CDN) resources for the Sign-In Widget weren't served with Subresource Integrity (SRI) attributes.
- OKTA-683026: Okta sometimes incorrectly returned an Invalid Phone Number error during SMS factor enrollment.
- OKTA-686636: Admins couldn't automatically provision users to the Cornerstone OnDemand app.
- OKTA-687439: The MFA Enrollment by User report displayed Group names instead of Groups in the Edit Filters dialog and in the Users table.
Okta Integration Network
App updates
- The Recurly app integration now has group push functionality.
New Okta Verified app integrations
- Mark AI (SAML)
- NexHealth (SAML)
- Payflows (SAML)
- Rimo Voice (SAML)
- Sendoso (SCIM)
- Tradespace (SCIM)