Okta Classic Engine release notes (Early Access)
Early Access Features
Enforce MFA for Identity Governance admin apps
The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.
OU moves for LDAP-provisioned users
When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.
Network restrictions for OIDC token endpoints is EA in Preview
You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.
Okta Hyperspace agent, version 1.5.1
This version includes security enhancements.
On-prem Connector for Oracle EBS
On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.
Okta Integration IdP type is EA in Preview
The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.
Breached Credentials Protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.
This feature is following a slow rollout process beginning on May 15.
DirSync group imports for Active Directory
For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.
RingCentral uses new default phone number logic
The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.
System Log event for monitoring LDAP Agent config file changes
A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.
OAuth 2.0 provisioning for Org2Org with Autorotation
Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.
Manage Active Directory accounts in Okta Privileged Access
This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts
App Switcher for Okta first-party apps
The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
Universal Directory map toggle
The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.
New System Log event
The policy.evaluate_sign_on event has a new DebugData item: IdpVerifiedFactorMode. This new item indicates whether a user authenticated with one or two factors with their identity provider when they signed in through a service provider. See System Log.
Enhancement to a System Log event
The IdpVerifiedFactorMode item has been added to the policy.evaluate_sign_on event. It appears when claims sharing is enabled in the org and indicates whether the identity provider verified the user's authentication factors. See System Log.
On-prem Connector for SAP Netweaver ABAP
On-prem Connector for SAP NetWeaver ABAP provides an out-of-the-box solution that connects SAP on-premises apps with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (roles) directly in Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and by streamlining entitlement management.
New attributes in Universal Sync
The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.
Block syncable passkeys
You can now block syncable passkeys during authentication. Previously, you could only block them during enrollment. This enhances the security of your org by preventing users from presenting such passkeys to attempt to enroll new, unmanaged devices.
Self-service toggle for Deactivate App Users
Admins can now use the self-service toggle to change what happens to an Okta user's individual app assignments upon deactivation. If enabled, the user's individual app assignments deactivate instead of suspend. If a user is reactivated in Okta, the individual app assignments don't reactivate.
Entitlement support for disconnected apps
Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta.
Force rematching of imported users
This feature enforces a rematch for unconfirmed users imported from a profile source, whether through full or incremental imports. It attempts to match these imported users with existing Okta users. When this feature is enabled, every import re-evaluates matches for unconfirmed users.
New skipping of entitlement sync during import of a user Systems Log event
The following System Log event has been added: Sync skipping of entitlement during import of a user
Okta-to-Okta claims sharing enhancement
Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org.
On-prem Connector for SAP Netweaver ABAP supports more attributes
Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.
Secure Partner Access for external partners
Secure Partner Access provides a secure way for external business partners to access your org's resources. It streamlines your partner management tasks, reduces IT workload, and simplifies the process of configuring your org's security requirements. See Secure Partner Access.
Require MFA for accessing Identity Governance admin apps
If your org uses Okta Identity Governance, you can require MFA for admins who access these first-party apps: Okta Access Certifications, Okta Entitlement Management, Okta Access Requests Admin. If you have auto-enabled EA features in your org, MFA is automatically enforced for those apps. See Enable MFA for the Admin Console.
OAuth 2.0 security for invoking API endpoints
Okta Workflows users can now securely invoke API endpoints using OAuth 2.0 protocols and their Okta org authorization server. Compared with the existing token authorization option, this Early Access feature is more secure while also being easier to implement. Add the okta.workflows.invoke.manage scope to any new or existing app integration to make it eligible to invoke your API endpoint.