Okta Classic Engine release notes (2024)
Version: 2024.01.0
January 2024
Generally Available
Okta On-Prem MFA Agent, version 1.7.4
This version includes security enhancements. See Okta On-Prem MFA agent version history.
Read-only permission for admin role assignments
Super admins can now assign the View roles, resources, and admin assignments permission to their delegated admins. This permission gives admins a read-only view of the admin roles, resource sets, and admin assignments in the org. See Role permissions.
Operating system in the Okta Verify push challenge
The Okta Verify app now displays the correct operating system when the push challenge is initiated.
OIN connector support for Entitlement Management
The following connectors have been updated to support Entitlement Management:
- Box
- Google Workspace
- Microsoft Office 365
- Netsuite
- Salesforce
System Log events for IdP keystore operations
New System Log events are generated for IdP keystore operations:
- system.idp.key.create
- system.idp.key.update
- system.idp.key.delete
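An added example (not Okta's code, and not part of the original release notes): a small triage pass over exported System Log events that flags the three IdP keystore event types listed above for review. It assumes the System Log event fields eventType, published, actor.alternateId and outcome.result; the sample events, the approved-admin list and the 10-minute window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Event types named in the release note above.
KEYSTORE_EVENTS = {"system.idp.key.create", "system.idp.key.update",
                   "system.idp.key.delete"}

def triage(events, approved_admins, burst=timedelta(minutes=10)):
    """Return (published, eventType, actor, reasons) for keystore events to review."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("eventType") not in KEYSTORE_EVENTS:
            continue
        actor = ev.get("actor", {}).get("alternateId", "unknown")
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        reasons = []
        if actor not in approved_admins:
            reasons.append("actor not on approved list")
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            reasons.append("operation did not succeed")
        prev = last_seen.get(actor)
        if prev is not None and when - prev <= burst:
            reasons.append("repeated keystore change by same actor")
        last_seen[actor] = when
        if reasons:
            findings.append((ev["published"], ev["eventType"], actor, reasons))
    return findings

# Constructed sample events (not real log data); the allowlist is hypothetical.
SAMPLE_EVENTS = json.loads("""[
 {"published": "2024-01-10T09:00:00.000Z", "eventType": "system.idp.key.create",
  "actor": {"alternateId": "idp-admin@example.com"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2024-01-10T09:30:00.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "user@example.com"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2024-01-10T14:02:00.000Z", "eventType": "system.idp.key.delete",
  "actor": {"alternateId": "helpdesk@example.com"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2024-01-10T14:05:00.000Z", "eventType": "system.idp.key.create",
  "actor": {"alternateId": "helpdesk@example.com"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2024-01-10T16:00:00.000Z", "eventType": "system.idp.key.update",
  "actor": {"alternateId": "idp-admin@example.com"}, "outcome": {"result": "FAILURE"}}
]""")
APPROVED_ADMINS = {"idp-admin@example.com"}

if __name__ == "__main__":
    for published, event_type, actor, reasons in triage(SAMPLE_EVENTS, APPROVED_ADMINS):
        print(published, event_type, actor, "; ".join(reasons))
```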
System Log event for GET an IdP
A new System Log event is generated for GET /api/v1/idps[/{idpId}].
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Google Workspace system roles
Okta now supports Google Workspace system roles.
Updated RADIUS authentication prompts
RADIUS authentication prompts are updated to be clearer.
Early Access Features
Early Access features from this release are now Generally Available.
- OKTA-654000: Users authenticating with Okta FastPass could sign in with authenticators that weren't phishing-resistant even though it wasn't allowed by authentication policies.
- OKTA-658796: The Brand name description on the page contained a typo.
- OKTA-659305: The IdP Routing Rule page became unresponsive when multiple apps were added to a rule.
- OKTA-667066: Resetting MFA using support user permissions didn't generate a System Log event.
- OKTA-673705: Admins couldn’t condition permissions to include or exclude attributes from multiple user profiles.
- OKTA-674540: Users couldn't access Confluence On-Prem using IdP-initiated or SP-initiated flows.
- OKTA-679833: Some default attribute mappings for SuccessFactors were incorrect.
- OKTA-683871: When the User verification as a possession constraint feature was activated, the If Okta FastPass is used section disappeared from the Authentication policy rule page when admins selected the Any 1 factor type option in User must authenticate with.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The OneRange app integration has a new description.
- The Peakon SAML app integration has a new display name, logo, website, description, doc link, and endpoints.
- The Peakon SCIM app integration has a new base URL and help text.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Genian ZTNA (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity 401k (SWA) (OKTA-659323)
Weekly Updates
Fixes
- OKTA-626684: The … menu and the Create token button didn't appear for some accounts with custom admin roles.
- OKTA-638138: In the System Log, the operating system was displayed as Unknown mobile if a user approved an Okta Verify push notification from an iOS device.
- OKTA-642351: Group memberships from deleted apps still appeared in system logs.
- OKTA-679051: No event was recorded in the System Log when active AD users initiated self-service unlock.
- OKTA-686546: The Connector Configuration form was missing the Edit button in orgs with the App settings permissions for custom admin roles feature enabled.
Okta Integration Network
App updates
- The AcquireTM app integration has an additional redirect URI.
- The CodeSignal app integration has a new logo.
- The Experience.com app integration now supports IdP-initiated flows.
- The OneRange app integration has a new description.
- The Peakon SCIM app integration has a new base URL and help text.
- The Peakon SAML app integration has a new logo, website, description, doc link, and new endpoints.
- The Qatalog app integration has a new logo.
New Okta Verified app integrations
- Arbolus (OIDC)
- Authomize Identity Security (API service)
- Bluescape (SAML)
- eFlok (SAML)
- Omni Analytics (SAML)
- ShareCal (SAML)
App integration fixes
- ADP mykplan.com (SWA) (OKTA-669875)
- Fidelity 401k (SWA) (OKTA-659323)
Generally Available
Sign-In Widget, version 7.14.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
IP restrictions on tokens
Admins can specify allowlisted and blocklisted network zones for static, Single Sign-On Web System (SSWS) API tokens. This strengthens org security by letting them control where calls to Okta APIs can originate from. It also restricts attackers and malware from stealing SSWS tokens or replaying them outside of their IP range to gain unauthorized access.
Fixes
- OKTA-637955: In some cases, custom admins were able to view pushed groups that weren't assigned to them.
- OKTA-639335: When groups assigned to a deactivated app were removed from Okta, the groups remained assigned to the app.
- OKTA-649640: Password rules weren't correctly translated in French.
- OKTA-653740: Custom admins could access several Active Directory and LDAP agent-related API endpoints without having the correct admin permissions.
- OKTA-655791: The User App Access report didn't display the Group Name, Group Source, and Group Membership columns for users that were assigned an app through an AD imported group.
- OKTA-658530: Customized self-service account unlock email templates didn't display the UTC time zone for the {unlockAccountTokenExpirationDate} attribute.
- OKTA-664370: Product System Log events for the access token, ID token, and user SSO grants didn't include externalSessionId.
- OKTA-665347: When an admin used the API to expire a user's password, no System Log event was generated.
- OKTA-665377: Some authenticator actions done using the API didn't appear in the System Log.
- OKTA-665903: In some cases, where a group was unassigned from an app, members of that group were still provisioned to the app.
- OKTA-667063: Affected entity wasn't included in the System Log when temporary access was granted using the Support User.
- OKTA-674218: System Log events for access token and ID token grants didn't include user attributes.
- OKTA-679556: Group Push of large groups from Okta sometimes failed to push all members to downstream apps.
- OKTA-679914: After an org's ISO region codes were updated, their policies prevented users from signing in from Telangana, India.
- OKTA-684369: Users were sometimes not unassigned from applications after being removed from groups on orgs that had application entitlement policy enabled.
- OKTA-686081: Some users weren't imported after being unassigned from a sourcing app.
- OKTA-686801: Some Salesforce provisioning jobs entered a buffered state and didn't run.
- OKTA-687812: An error with expiring signatures prevented agents from updating to the newest version of the LDAP agent. The issue has been resolved in version 5.19.1.
- OKTA-687814: An error with expiring signatures prevented agents from updating to the newest version of the Active Directory agent. The issue has been resolved in version 3.16.1.
- OKTA-688020: In some orgs, users observed a timeout and error when authenticating with AWS Account Federation.
Okta Integration Network
App updates
- The Digitail app integration has new custom_location_attribute, department, and role SAML attributes.
- The Flow of Work Co app integration has been rebranded as GoFIGR.
- The OpsLevel app integration now has the group push, import users, and import groups functions.
- The Saltalk app integration has been rebranded as WeBox.
New Okta Verified app integrations
- ActivityInfo (OIDC)
- Bedrock Security (SAML)
- Clockwise (SCIM)
- CrunchyBridge (OIDC)
- ESKER (SAML)
- Inigo GraphQL (OIDC)
- MockFlow (SCIM)
- Netskope Admin Console (SAML)
- OCCAM Razor (OIDC)
- OPSWAT MetaDefender IT-OT Access (SAML)
- Tradespace (SAML)
- UKG HR Service Delivery (SCIM)
App integration fixes
- FaxSIPit (SWA) (OKTA-655845)
- My Eaton (SWA) (OKTA-670410)