Okta Classic Engine release notes (2024)

Version: 2024.01.0

January 2024

Generally Available

Okta On-Prem MFA Agent, version 1.7.4

This version includes security enhancements. See Okta On-Prem MFA agent version history.

Read-only permission for admin role assignments

Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.

Operating system in the Okta Verify push challenge

The Okta Verify app now displays the correct operating system when the push challenge is initiated.

OIN connector support for Entitlement Management

The following connectors have been updated to support Entitlement Management:

  • Box
  • Google Workspace
  • Microsoft Office 365
  • Netsuite
  • Salesforce

See Provisioning-enabled apps.

System Log events for IdP keystore operations

New System Log events are generated for IdP keystore operations:

  • system.idp.key.create
  • system.idp.key.update
  • system.idp.key.delete

System Log event for GET an IdP

A new System Log event is generated for GET /api/v1/idps[/{idpId}.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Google Workspace system roles

Okta now supports Google Workspace system roles.

Updated RADIUS authentication prompts

RADIUS authentication prompts are updated to be clearer.

Early Access Features

Early Access features from this release are now Generally Available.

Fixes

  • OKTA-654000

    Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.

  • OKTA-658796

    The Brand name description on the Brand Settings page contained a typo.

  • OKTA-659305

    The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.

  • OKTA-667066

    Resetting MFA using support user permissions didn't generate a System Log event.

  • OKTA-673705

    Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.

  • OKTA-674540

    Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.

  • OKTA-679833

    Some default attribute mappings for SuccessFactors were incorrect.

  • OKTA-683871

    When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The OneRange app integration has a new description.
  • The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity 401k (SWA) (OKTA-659323)

Weekly Updates

Fixes

  • OKTA-626684

    The Security API menu and the Create token button didn't appear for some accounts with custom admin roles.

  • OKTA-638138

    In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.

  • OKTA-642351

    Group memberships from deleted apps still appeared in system logs.

  • OKTA-679051

    No event was recorded in the System Log when active AD users initiated self-service unlock.

  • OKTA-686546

    The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.

Okta Integration Network

App updates

  • The AcquireTM app integration has an additional redirect URI.
  • The CodeSignal app integration has a new logo.
  • The Experience.com app integration now supports IdP-initiated flows.
  • The OneRange app integration has a new description.
  • The Peakon SCIM app integration has a new base URL and help text.
  • The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
  • The Qatalog app integration has a new logo.

New Okta Verified app integrations

App integration fixes

  • ADP mykplan.com (SWA) (OKTA-669875)
  • Fidelity401k (SWA) (OKTA-659323)

Generally Available

Sign-In Widget, version 7.14.2

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

IP restrictions on tokens

Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.

Fixes

  • OKTA-637955

    In some cases, custom admins were able to view pushed groups that weren't assigned to them.

  • OKTA-639335

    When groups assigned to a deactivated app were removed from Okta, the groups remained assigned to the app.

  • OKTA-649640

    Password rules weren't correctly translated in French.

  • OKTA-653740

    Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.

  • OKTA-655791

    The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.

  • OKTA-658530

    Customized self-service account unlock email templates didn't display the UTC time zone for the {unlockAccountTokenExpirationDate} attribute.

  • OKTA-664370

    Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.

  • OKTA-665347

    No System Log event was generated when a user's password was expired using the API. When an admin used the API to expire a user's password, no System Log event was generated.

  • OKTA-665377

    Some authenticator actions done using the API didn't appear in the System Log.

  • OKTA-665903

    In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.

  • OKTA-667063

    Affected entity wasn't included in the System Log when temporary access was granted using the Support User.

  • OKTA-674218

    System Log events for access token and ID token grants didn't include user attributes.

  • OKTA-679556

    Group Push of large groups from Okta sometimes failed to push all members to downstream apps.

  • OKTA-679914

    After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.

  • OKTA-684369

    Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.

  • OKTA-686081

    Some users weren't imported after being unassigned from a sourcing app.

  • OKTA-686801

    Some Salesforce provisioning jobs entered a buffered state and didn't run.

  • OKTA-687812

    An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.

  • OKTA-687814

    An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.

  • OKTA-688020

    In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.

Okta Integration Network

App updates

  • The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
  • The Flow of Work Co app integration has been rebranded as GoFIGR.
  • The OpsLevel app integration now has the group push, import users, and import groups functions.
  • The Saltalk app integration has been rebranded as WeBox.

New Okta Verified app integrations

App integration fixes

  • FaxSIPit (SWA) (OKTA-655845)
  • My Eaton (SWA) (OKTA-670410)